用yara实现分析恶意样本_yara恶意软件检测简介

用yara实现分析恶意样本

Have you ever wondered how malware is detected? How do malware scanners work? How does Gmail know that the suspicious attachment you got was “dangerous”?

您是否想过如何检测恶意软件？ 恶意软件扫描程序如何工作？ Gmail如何知道您收到的可疑附件是“危险的”？

After all, malware comes in all shapes and sizes, and there is no one characteristic that tells you whether a file can cause harm or not.

毕竟，恶意软件具有各种形状和大小，并且没有任何特征可以告诉您文件是否会造成损害。

如何检测到恶意软件？ (How is Malware Detected?)

Malware detection is often done through the identification of certain features of known malicious files.

恶意软件检测通常是通过识别已知恶意文件的某些功能来完成的。

One way of detecting malware is to calculate a hash of the suspected file and compare it to the hashes of known malware.

检测恶意软件的一种方法是计算可疑文件的哈希值，并将其与已知恶意软件的哈希值进行比较。

Sometimes, antivirus software scans for a particular string in a file that identifies particular strains or entire families of malware. Antivirus software might also search for a sequence of bytes that are typical of a specific virus or trojan.

有时，防病毒软件会扫描文件中的特定字符串，以识别特定的病毒株或整个恶意软件家族。 防病毒软件可能还会搜索特定病毒或木马的典型字节序列。

The tool that we are going to talk about today, YARA, takes this latter approach. Let’s dive into how YARA detects malware files, how you can install and use YARA, and how to author your own YARA rules for customized malware detection!

我们今天要讨论的工具YARA采用了后一种方法。 让我们深入了解YARA如何检测恶意软件文件，如何安装和使用YARA以及如何编写自己的YARA规则以进行自定义恶意软件检测！

什么是YARA？ (What is YARA?)

YARA is a tool that identifies malware by creating descriptions that look for certain characteristics. Each description can be either a text or a binary pattern. These descriptions are called “rules”. And by using rules that specify regex patterns, YARA enables the detection of specific patterns in files that might indicate that the file is malicious.

YARA是一种通过创建查找某些特征的描述来识别恶意软件的工具。 每个描述可以是文本或二进制模式。 这些描述称为“规则”。 通过使用指定正则表达式模式的规则，YARA可以检测文件中可能表明该文件为恶意文件的特定模式。

By using hex patterns, plain text patterns, wild-cards, case-insensitive strings, and special operators, YARA rules can be incredibly diverse and effective at detecting a wide range of malware signatures.

通过使用十六进制模式，纯文本模式，通配符，不区分大小写的字符串和特殊运算符，YARA规则可以非常多样化，并且可以有效地检测各种恶意软件签名。

Let’s take a look at the below example. (Example is taken from YARA’s official documentation here: https://yara.readthedocs.io/en/latest/)

让我们看下面的例子。 (示例摘自YARA的官方文档， 网址为 ： https : //yara.readthedocs.io/en/latest/ )

rule silent_banker : banker
{
       
    meta:
        description = "This is just an example"
        threat_level =