File format signatures. Signature blueprints: Do-it-yourself file analyzer and antivirus. Invisible type to the sector

Understand " Magic number» Programming may have three meanings:

• Danih signature
• Seen unique values ​​that are not responsible for the occurrence of other values ​​(for example, UUID)
• Poor programming practice.

Danih signature

Magic number, or signature, -- integer text constant , matched for unambiguous identification of data resource . Such a quantity by itself does not carry any sense and can viklikaty zdivuvannya, having become familiar with the code of the program without a specific context or commentary, with which you try to change it to something else, to go close to the meanings, you can bring it to absolutely inexpressive words. That is why similar numbers were ironically called magical. In this hour, the name of the mіtsno was fixed as a term. For example, any kind of compiling Java class starts with the sixteenth "magic number" 0xCAFEBABE . Another widely used example is a Microsoft Windows OS file with extensions. The default menu is the uninitialized indicator of Microsoft Visual C++ (since 2005 version of Microsoft Visual Studio), which can be set to address 0xDEADBEEF in debug mode.

For UNIX-like operating systems, the file type is assigned to the signature of the file regardless of the extension of its name. To interpret the signature to a file, they use the standard file utility.

Bad programming practice

Also, “magic numbers” are called the filthy practice of programming, as in the visible text the numerical values ​​​​are jumbled and it is not obvious what it means. For example, such a fragment, written in Java, will be filthy:

drawSprite(53, 320, 240);

final int SCREEN_WIDTH = 640; final int SCREEN_HEIGHT = 480; final int SCREEN_X_CENTER = SCREEN_WIDTH/2; final int SCREEN_Y_CENTER = SCREEN_HEIGHT/2; final int SPRITE_CROSSHAIR = 53; ... drawSprite(SPRITE_CROSSHAIR , SCREEN_X_CENTER , SCREEN_Y_CENTER );

Now it’s understood: to display the sprite at the center of the screen in this row - crossing the sight. For most programs, all values ​​that are victorious for such constants will be calculated at the compilation stage and submitted to the value of the variable. Therefore, such a change in the output text does not change the firmware code of the program.

In addition, magic numbers - potentially pardoned the program:

• If the same magic number is won in the program more than once (otherwise it can potentially be won), then you can change the number of edits of the skin input (replacement of one edit of the value of the named constant). How to correct not all entrances, there is only one pardon.
• As a minimum, in one of the entrances, a magical number can be written with a pardon on the back, and it’s worth it to do it gracefully.
• The magic number can lie in the implicit parameter of the greater magic number. If you don’t see it clearly, you won’t be satisfied, but only a pardon is the result.
• When modifying the entry of one magic number, you can change the number of times the magic number, independent, and also the numerical value.

Magic numbers and cross-platform

Some magic numbers are bad for cross-platform code. On the right, in Cі in 32- and 64-bit operating systems, the expansion of types char, short and long long is guaranteed, in that case, the expansion of int, long, size_t and ptrdiff_t can be changed (for the first two, In the remaining two - in fallow land due to the capacity of the system). In an old or unqualified written code, "magic numbers" can sound, which means the expansion of some kind of type - when you go to a car with a different rank, the stench can call for pardons, which is important to catch.

For example:

const size_t NUMBER_OF_ELEMENTS = 10; long a [NUMBER_OF_ELEMENTS]; memset(a, 0, 10 * 4); // wrong - to be on the wrong side, which is long for 4 bytes, the magical number of elements wins memset(a, 0, NUMBER_OF_ELEMENTS * 4); // wrong - messing around, which is long for 4 bytes memset(a, 0, NUMBER_OF_ELEMENTS * sizeof(long)); // We don't know correctly - duplicate the name of the type (to change the type, change it here too) memset(a, 0, NUMBER_OF_ELEMENTS * sizeof(a[0])); // Correct, optimal for dynamic arrays of non-zero size memset(a, 0, sizeof(a)); // Correct, optimal for static arrays

Numbers that are not magical

Not all numbers need to be transferred to constants. For example, the code for

It’s a little bit about such files, like rarjpeg "i. It’s a special kind of files, which is a glued jpeg-image and rar-archives. It’s a wonderful container for attaching the fact of transferring information. You can create rarjpeg with the help of the following commands:

UNIX: cat image1.jpg archive.rar > image2.jpg
WINDOWS: copy /b image1.jpg+archive.rar image2.jpg

But for the obviousness of the hex editor.

Understandably, in order to attach the fact of transmission, you can win not only the JPEG format, but also a lot of others. The leather format has its own peculiarities, the zipper may be suitable for the role of the container. I will describe how you can find glued files in the most popular formats or indicate the fact of gluing.

Methods for detecting glued files can be divided into three groups:

1. The method of reverification of the area after the EOF marker. A lot of popular file formats can be called the marker of the end of the file, which is confirmed for the necessary data. For example, programs for reviewing photographs read all bytes right up to the first marker, but the area after the new one is ignored. This method is ideal for formats: JPEG, PNG, GIF, ZIP, RAR, PDF.
2. Method for re-verification of the file. The structure of some formats (audio and video containers) allows you to calculate the real size of the file and compare it with the external size. Format: AVI, WAV, MP4, MOV.
3. Method for re-verifying CFB files. CFB or Compound File Binary Format is a format for documents, fragmentation from Microsoft, which is a container with a master file system. This method is based on the revealed anomalies in the file.

What is life after the file is completed?

JPEG

After the signature, the service information is found, optionally the image icon, nareshti, the image itself. In this format, the end of the image is indicated by the double-byte signature 0xFF 0xD9.

PNG

RAR

Table of formats for those signatures:
The algorithm for converting to gluing in these formats is extremely simple:

1. Know the cob signature;
2. Know kіntsevu signature;
3. As if there were no signatures from the end - your file is clean and don't delete the deposit! Otherwise, it is necessary to shukati after the final signature in other formats.

GIF and PDF

1. Item 1 is repeated from the front of the algorithm.
2. Item 2 is repeated from the front of the algorithm.
3. With the knowledge of the kіntsevoї signature, remember the її roztashuvannya and shukati far away;
4. How did it go to the rest of the EOF marker - the file is clean.
5. If the file does not end with a final signature - there is no remaining known final signature.

ZIP

To check the ZIP-archive, it is necessary to know the last signature of the central directory, skip 18 bytes of that signature of the other formats near the comment area. The great commentary is also about the fact of gluing.

Rozmir May Meaning

AVI

An example of the calculation of the rozmіru:

WAV

MP4

Let's look at an example. The expansion of the first block is set to zero offset, and vіn dorіvnyuє 28 (0000001C, Big Endian byte order); vіn vkazuє on zsuv, de znahoditsya rozmіr another data block. On the 28th sound, the advancing expansion of the equal block 8 (0000088) is known. In order to know the upcoming expansion of the block, it is necessary to fold the expansions of the known forward blocks. In this order, the size of the file is calculated:

MOV

The method of rechecking a group of formats for the presence of "glued" files is based on the calculation of the size of the tasks by the rules of that match with the size of the file that is being rechecked. For example, the streaming expansion of the file is richer than the calculated one, which indicates the fact of gluing. When converting AVI-files, it is allowed that the charges may be smaller than the file due to adding zeros for checking the cordon. In such a case, it is necessary to recheck zero after the calculated size of the file.

Verify Compound File Binary Format

The CFB file is composed of a 512-byte header and the same sectors that store data streams or service information. The skin of the sector may be a powerful non-negative number, to make special numbers: "-1" - numbering the free sector, "-2" - numbering the sector, which blinks the lance. Sector langs are assigned to the FAT-table.

Let's assume that the attacker modified the doc-file and pasted another file into it. There are a few different ways to detect or report an anomaly in the document.

Abnormal file size

(FileSize - 512) mod SectorSize = 0

Since the equality is not victorious, it is possible to point out the fact of gluing the files. However, this method may be of little value. Since the attacker knows the size of the sector, he can paste his file and n more bytes, so that the size of the glued data is a multiple of the sector size.

Invisible type to the sector

Significantly jealousy:

FileSize = 512 + CountReal * SectorSize, where FileSize is the file size, SectorSize is the sector size, CountReal is the number of sectors.

Significantly, the following changes:

1. CountFat - number of FAT sectors. Be located on 44 zmіschennі vіd kob file (4 bytes);
2. CountMiniFAT - number of MiniFAT sectors. Be located on 64 zsuvі vіd cob file (4 bytes);
3. CountDIFAT – number of DIFAT sectors. Be located on 72 zmіschennі vіd vіd kob file (4 bytes);
4. CountDE - number of sectors in the Directory Entry. To know the meaning of change, it is necessary to know the first sector DE, which is located on 48 shifts. Then it is necessary to take into account the appearance of DE and FAT and to check the number of DE-sectors;
5. CountStreams – number of sectors from data streams;
6. CountFree - the number of free sectors;
7. CountClassified – number of sectors with sing type;

It is obvious that if CountClassified and CountReal are uneven, it is possible to spawn visnovs about the possibility of gluing files together.

The function code (FC) in telegram is changed for telegram type, like Request telegram (Request or Send/Request) and Acknowledgment or Response telegram (Acknowledgment frame, Response frame). The code function has the actual transmission function and manages the information that is forwarded and duplication of messages, and the station type FDL status .

1) this value is in the last version of the standard not defined anymore but only reserved

Frame Count Bit Frame Count bit FCB (b5) remind about pridbannya podomlenya or povodomlenya or vodpovidnyh stantsіy (vіdpovіd) і be-yakoy baiduzhy for promo (іnіtіator). Excluded from this are requests with acknowledgment (SDN) and FDL Status, Ident and LSAP Status requests.

For the host sequence, the initiator is responsible for the FCB for each responder. If Request telegram (Request or Send/Request) is sent to a respond for the first time, or if it is re-sent to a respond The initiator achieves this in a Request telegram with FCV=0 and FCB=1. Get a great rating on the telegram of the first baby as the first category of support and savings FCB=1 together with the address initiator (SA) (see following table). This message cycle will not be repeated by the initiator. For subsequent Request telegrams to the same respond, the initiator must set FCV=1 and change the FCB with each new Request telegram. Any responder who receives a Request telegram addressed to it with FCV=1 must evaluate the FCB. Likewise, FCB changes, if the faults are in the remaining Request telegram in the form of the same initiative (same SA), the purpose is valid confirmation, so that the cyclic message is repeated properly. If Request telegram originates from a different initiator (different SA), the FCB score is no longer necessary. In case of failure, the participant is responsible for the security of the FCB with the SA dzherelom until the receipt of new telegram addressed to it. In case of loss of either innocuous recognition or response to telegrams, FCB cannot but be changed in terms of viability for the sake of it: it will be an assessment of whether the cycle was faulty in advance. If you have a request telegram with FCV=1 and the same FCB as the last Request telegram from the same initiator (same SA), this will be set in the request retry. Turn retransmit the acknowledgment or response telegram held in readiness. Beforehand, it is set to confirm or remove telegrams from different addresses (SA or DA), which should not appear (Send Data with No Acknowledge, SDN), to alert about a pardon, to remove the remaining sign or to cancel telegrams in readiness for any kind of reaction . In case of Request telegrams, if not known and Request FDL Status, Ident, and LSAP Status, FCV=0 and FCB=0; evaluation by the responder is no longer necessary.

FCBM stored FCB in memory SAM stored SA in memory

Scanning files of various types (or, as it often seems, searching files by signatures) is one of the most effective ones that are found in the R-Studio data discovery utility. The variation of the given signature allows to recognize files of the same type in that case, if it is often or more than once a day (poshkodzhen) information about the directory structure and file names.

Call for the selection of the file expansion table of disk partitions. If you separate a disk from a book, then the table of distributions will be similar to її zmіstu. When scanning, R-Studio searches for files of different types in the disk partition table for the same task signatures. We can only think that the skin type of the file can have a unique signature or a data template. File signatures are found in the first place on the cob of the file and in the rich folders as well as on the other hand of the file. When scanning, R-Studio detects data from the signatures of files of various types, which allows them to be identified and rediscovered.

With the help of scanning technology for files of various types, R-Studio allows you to redo data from disks, as if reformatting and rewriting tables of distributions. More than that, I have divided the disc of overwriting, poshkodzheniya or deletion, scanning files in any type, we can only do it.

But practically start and in the end your own shortfalls, and files of other types, which are victorious in R-Studio, are blamed. So, when scanning files of all types, R-Studio allows only a few non-fragmented files to be retrieved, but, as it was said, in most of the remaining possible methods.

Signatures of the largest file types are already included in the R-Studio warehouse (you can look at the full list of files of each type in the R-Studio Online Distribution Tips.)

If you need a copy, you can add new types of files to the R-Studio warehouse. For example, if you need to know the files, whether of a unique type, or if the file has been broken down after the last release of R-Studio, you can add files to the warehouse of all types of signatures. The whole process will be looked at further.

Koristuvalnytskyi Files V_domih Types
The corresponding signatures of files of all types are taken from the XML file specified in the Setup dialog box. Additional signature is made up of two parts:

1. The designation of the file signature, which is located on the cob of the file and for the presence in the end of the file.
2. Created an XML file to retrieve the file signature and other information about the file type.

You can do everything for the help of R-Studio. If you don’t need to be a fakhivtsy at the edge of the fold (editing) of XML documents, but in the field of sixteenth edition editing - at your helper (statt), oriented at the core of the cob itself, all stages of the process will be looked at in detail.

Butt: Add signature for MP4 file (XDCam-EX Codec)
Let's take a look at adding a file signature to the .MP4 file, created with the help of Sony XDCAM-EX. It can be used, for example, in times of need for SD cards for , as they have not yet managed to save on the hard drive of the computer.

First Stage: File Signature Designation
To designate a file signature, consider attaching files of the same format.

Give me some video files from Sony XDCAM-EX:
ZRV-3364_01.MP4
ZRV-3365_01.MP4
ZRV-3366_01.MP4
ZRV-3367_01.MP4

For the sake of transparency, let me have files of a small size. Files of a larger size are easier to look at in the sixteenth form.

1. View files from R-Studio. For this, click on the skin file with the right mouse button and select the View/Edit item of the context menu.

2. Porіvnyаєmo files. Shukatimemo one and the same template that is used in all four files. Wine and future file signature. As a rule, file signatures are located on the cob of the file, but also elsewhere and for example.

3. Significantly file signature on the file cob. Our butt has it on the very top of the file. Remember that this is not the case - often the file signature is on the cob of the file, but not in the first row (shift).

By hovering below, the image is clear, that instead of all the files in a different way, but all stinks start with the same file signature.


Click on the image for yoga enhancement

Click on the image for yoga enhancement

Click on the image for yoga enhancement

Click on the image for yoga enhancement

The area on the images is seen as a file signature of the file type. Vaughn is presented both in the text and in the sixteenth one.

In a textual file signature, it may look like this:
....ftypmp42....mp42........free

Dots (“.”) denote symbols that can be represented in the text view. Therefore, it is also necessary to set the sixteenth form of the file signature:
00 00 00 18 66 74 79 6D 70 34 32 00 00 00 00 6D 70 34 32 00 00 00 00 00 00 00 08 66 72 65 65

4. In the same way, the signature of the file is significant, but in the very end of the file. You may or may not have the file signature otherwise.

On hovering the images below, you can see the file signature in the end of the file:


Click on the image for yoga enhancement

Click on the image for yoga enhancement

Click on the image for yoga enhancement

Click on the image for yoga enhancement

Give respect to the area you have seen (file signature), all files have the same one and the same. This is technical information, as it is not a file signature, but to talk about those that all the pictures (files) were created for an additional one camera with the same parameters. Sound out the templates that are used, with technical information like a file signature. In our example, in the rest of the row, up to the top of the file signature, we often have the text 'RecordingMode type=”normal”', which clearly speaks of those that are a parameter to the file, and not a signature. Be sure to pay special attention to this row, so as not to include technical information before the file signature warehouse.

Our file signature has an advancing text:
...
Guessing that the dots represent symbols, which cannot be represented by the text viewer.

A sixteenth-digit look-a-file signature may look like this:
3N 2F 4E 6F 6E 52 65 61 6N 54 69 6A 65 4A 65 74 61 3E 0D 0A 00
Caution: For example, do not leave the signature on the file.

Other Step: Create an XML file that describes the V_domy File Type
Now, having defined the file signature, you can create an XML file and enable the default file type to the R-Studio warehouse. It can be done in two ways:

2.1 The graphical editor of file signatures:
Select the Settings item of the Tools menu, next to the Settings dialog that appears, click on the Known Files Types tab and then click the Edit User’s File Types button.

Click on the image for yoga enhancement

Press the Create File Type button on the Edit User's File Types dialog box.
Enter the following parameters:

• Id – unique digital identifier. This number will be collected enough; Alone, it is not guilty of spivpadati with a digital identifier of another file type.
• Group Description - group in which files will be found in R-Studio. You can either set a new group, or choose one of the quiet ones, which is already there. We will have a group “Multimedia Video (Multimedia: Video)”.
• Description - a short description of the file type. At the butt, you can tag, for example, "Sony cam video, XDCam-EX".
• Extension – file extension for this type. Our vipad has mp4.

The parameter of Power (Features) is neobov'yazkovy, in times we do not need to yogo vicory.

Click on the image for yoga enhancement

Next, you need to enter the mail and end file signature. For which one, select the Begin (Begin) and give the command Add Signature in the context menu.

Click on the image for yoga enhancement

Potim double click on the field<пустая сигнатура> () and enter a valid text.

Click on the image for yoga enhancement

Let's create a file signature. Don't forget to enter 21 at the From field.

Click on the image for yoga enhancement

You have created a file signature of the given type.

Now it is necessary to save. There are two ways: you can either save the file for locking tasks on the Main tab of the Settings dialog box by pressing the Save button. Or press the Save As... button and save the signature to another file.

2.2 Creating an XML file that describes the V_domy File Type, manually:
To create a file, it will be converted to XML version 1.0 and UTF-8 encoding. Don't fall for it, because you don't know what it is - just open a text editor (for example, Notepad.exe) and enter the following text in the first row:

Let's create an XML tag that assigns a file type (FileType). With the improvements described earlier, the XML attributes of the tag would look like this:

Let's insert yoga into the next post

Given a meaningful file signature (tag ). Cob signature (on the cob file), will be rebuy in the middle of the tag without any attributes. Vicoristavouemo textual form of the signature, but in case of replacing it with sixteen characters, it cannot be represented in the textual form. Insert "\x" before the skin symbol of sixteen. In this order, the tag With a file signature, you will look like this:

In case of presence, it is also necessary to assign a final signature (for example, to a file). For which tag is selected the same tag, followed by the "from" element and the "end" attribute. You will look like this:

Guess that there were no non-text symbols in the final file signature, but there were those three-stringed bows. To avoid the swindle and forgiveness of the XML syntax, we will replace the symbols "/", " in the signature<" и ">їх sixteen values.

In the end of the last file signatures, the language names include the FileType and FileTypeList tags:

In this way, the entire file is guilty of looking like this:


\x00\x00\x00\x18ftypmp42\x00\x00\x00\x00mp42\x00\x00\x00\x00\x00\x00\x00\x08free
\x3C\x2FNonRealTimeMeta\x3E\x0D\x0A\x00

Remember: XML syntax is case sensitive, so the correct tag would be , but not .

Save the file in text format with .xml extensions. For example: SonyCam.xml.

We have created an authoritative file signature for a given type. The Danish butt is sufficient for understanding the basic principles of the creation of the file type of the koristuvach. Confirmed proofreaders can proofread XML version 2.0. You can read the report about it at the R-Studio online distribution.

Step 3: Rechecking the Appending File That Describes the V_domy File Type
At the next stage, you need to add (import) your R-Studio XML file. With this yoga, it will be automatically reverberated.

Prefabricated in R-Studio creations at the front stage is an XML file. For which, select the Settings item of the Tools menu. In the User's file types area of ​​the Main tab of the Settings dialog box, we will add an XML file (SonyCam.xml) created by us. Press the Apply button.

Click on the image for yoga enhancement

2. Verify Yes (Yes) to request a new type of files.

Click on the image for yoga enhancement

3. To check which file type is successful, click the Known File Types tab of the Settings dialog box. Guess who added the file type to the Multimedia Video group (Multimedia: Video). Having opened this group (folder), we can add an element from the description, we will set the time of creation of the XML file: Sony cam video, XDCam-EX (.mp4).

Click on the image for yoga enhancement

Click on the image for yoga enhancement

As in the syntax of the file, if there is a pardon, you should ask for a reminder:

Click on the image for yoga enhancement

In some way, turn your XML file to show pardons. Beware: the XML syntax is case-sensitive and for a skin tag in the text box, it's the tag that the curvature is in.

Step 4: Testing a file that describes V_domy File Type
In order to check the correctness of the file type created by us, we will try to know our .mp4 files on a portable USB flash drive.

1. Under Windows Vista or Windows 7, it is possible to completely (not flash) format the disk, or it can be speeded up by a disk space cleaning utility (for example, R-Wipe & Clean) for a complete removal of all data on the disk. Bring a USB drive formatted to FAT32 (file size, joking, do not move 2 GB).

2. Copy the test files to disk and restart the computer so that the cache is saved on disk. You can also unplug the current disk and plug it in again.

3. In the OS, the disk will be assigned, like, for example, the logical drive F:\.

4. Launch R-Studio. Select our drive (F:\) and press the Scan button

Click on the image for yoga enhancement

5. Click the Change... button on the Scan dialog box in the File System area and change all the settings. In this way, we turn on the search for file systems and files, the distribution table.
Click on the image for yoga enhancement

6. Install ensign Dodatkovo Shukati Vіdomi Typei Fileіv (Extra Search for Known File Types). Do not allow R-Studio to scan all types of files for an hour.

7. To start scanning, press the Scan button.

8. Check while R-Studio scans the disk. On the Scan Information tab, the progress of the scan (progress) is displayed.


Click on the image for yoga enhancement

9. After the scan is completed, select the element Dodatkovo Found Files (Extra Found Files) and double click on the mouse.


Click on the image for yoga enhancement

10. Our test files will be located in the folder Sony cam video, XDCam-EX folder (or in the folder under another name, as it matches the description of the file type specified in the Other Stage).


Click on the image for yoga enhancement

Be sure that the file names, dates, and layout (folders) have not been updated, and the shards of this information are collected from the file system. Therefore, R-Studio will automatically render the file with new names.

However, it is clear that the files are not scrambled. Shchab perekonatisya, vіdkriєmo їх at vіdpovіdnіy programs, for example VLC media player.


Click on the image for yoga enhancement

Visnovok
The ability of R-Studio to scan and search files of any type allows you to restore data from the disk, which files system or overwrite. You can efficiently search for files with victorious signatures, which is especially appropriate in that case, as you definitely know the type of files that are inspired, like, for example, in our butt. The ability to create file types allows you to add to the list of files of any type any file that can have the same file signature.

The authorities put me to finish the job. Using the terminology, write an analyzer of hacked files, which, behind the signatures of minds, knows the bodies of viruses and identifies the packer / cryptor. Ready prototype z'yavivsya already for a couple of years.

Author's word

Signature analysis

A search for a shkidlivy object for signatures - all those that can be an anti-virus. At the same time, the signature is a formalized description of the deyakyh signs, which can be used to indicate that the file is scanned - ce virus and virus as a whole.

There are different methods here. As a variant - to create a signature, I will put together N bytes of a shkidly object. With this, it is possible to work not stupidly, but according to the effective weight (such as shukati byte EB ?? CD 13). Abo put dodatkovі umovi on kshtalt "such bytes are responsible for knowing the point of entry into the program" and so on. The signature of the malware itself is ce zocrema.

This is how the signs themselves are described, which can be used to indicate that the packaging file is wrapped by another cryptor or packer (for example, the banal ASPack). If you respectfully read our journal, then it’s definitely about such a tool like PEiD, I’ll designate the widest packages, cryptory and compilers (there are a large number of signatures in the database) for the transferred PE-file. Unfortunately, new versions of the program have not been released for a long time, and recently on the official website there was an announcement that the project would not have a further development. It's a pity that the feasibility of PEiD (especially the plugin system) could appear to be less similar. After a short analysis, it became clear that this was not an option. Ale, after digging in the English blogs, I quickly revealed those that I thought. YARA project (code.google.com/p/yara-project).

What is YARA?

I'm from the very cob of perekonaniya, scho here at Merezh already є vіdkrit razrobki, yakі would have taken upon themselves the task of declaring the viability between the deaky signature and the final file. If I knew such a project, it would be easy to put web add-ons on the rails, add different signatures and take care of those that seemed to me. The plan became even more realistic when I read the description of the YARA project.

The retailers themselves are positioned as a tool to help older malware in identifying and classifying random samples. The researcher can create descriptions for different types of malware, vicarious texts or binary patterns, in which the formalized signs of malware are described. Signatures look like this. As a matter of fact, the skin description is formed from a set of rows and a certain logical pattern, on the basis of which the logic of the analyzer's application is determined.

As for the final file, one of the rules is written, the wine is assigned the highest rank (for example, a worm). A simple example of the rule, to understand, about what to go about:

rule silent_banker: banker
{
meta:
description = "Tim є just an example"
thread_level = 3
in_the_wild = true
strings:
$a = (6A 40 68 00 30 00 00 6A 14 8D 91)
$b = (8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9)
$c = "UVODFRYSIHLNWPEJXQZAKCBGMT"
condition:
$a or $b or $c
}

We say YARA, whichever file, which one wants to revenge, one of the rows of samples described in the changed $a, $b, $c, is guilty of classifying as a silent_banker trojan. І tse even simpler rule. In fact, the steering wheels can be richly folded (we'll talk about it below).
About the authority of the YARA project, we can already talk about the list of projects that can be won, but:

• VirusTotal Malware Intelligence Services (vt-mis.com);
• jsunpack-n (jsunpack.jeek.org);
• We Watch Your Website (wewatchyourwebsite.com).

All the writing code in Python, moreover, it is shown as a module for typing in its own distributions, so the file that is written, so that YARA can be used as an independent addendum. As part of my work, I chose the first option, but for simplicity, the analyzer is just like a console program.

After digging around for a bit, I figured out how to write rules for YARA, as well as how to screw up a new signature of viruses in a non-copyable aver and a packer in PEiD. Let's start with the installation.

Installed

Like I said before, the project is written in Python, which can be easily installed on Linux, on Windows, and on Mac. You can just take a binary. If you want to call a program in the console, then you will need to run the rules.

$yara
usage: yara ... ... FILE | PID

This is the format of the next program start: search for the name of the program, then the list of options, after which the file is specified according to the rules, and for example - the name of the last file (either the directory where the files should be deleted), or the identifier of the process. At once, in a good way, explain how these rules are formed, but I don’t want to give you a dry theory. Therefore, we blame it in a different way and in a similar way to someone else's signatures, so that YARA could win one of the tasks set by us - the full designation of virus signatures.

Your antivirus

Naygolovnіshe nutrition: where to take the basis of the signatures of all viruses? Anti-virus companies actively share such bases among themselves (some are more generous, some are less). Honestly, apparently, I'm a little bit doubtful that here at Merezha there was something like this. Ale, as it appeared, these are good people. The virus database of the popular anti-virus ClamAV is available to everyone (clamav.net/lang/en). At the "Latest Stable Release" distribution, you can find a license for the remaining version of the anti-virus product, as well as a package for the acquisition of ClamAV virus databases. We need to check the main.cvd (db.local.clamav.net/main.cvd) and daily.cvd (db.local.clamav.net/daily.cvd) files.

The first one is to sweep the main database of signatures, the other one - to the most recent database with various additions. For the delivery, I would like to download daily.cvd, from which I have collected over 100,000 downloads of malware. However, the ClamAV base is not the YARA base, so we need to convert it into the required format. Hello yak? Ajee mi still doesn't know anything about the ClamAV format, nor about the Yara format. This problem was already mentioned to us, having prepared a small script that converts the ClamAV virus signature database to a set of YARA rules. The script is called clamav_to_yara.py and written by Matthew Richard (bit.ly/ij5HVs). Capture the script and convert the base:

$ python clamav_to_yara.py -f daily.cvd -o clamav.yara

As a result, the clamav.yara file will take away the signature base, as soon as it will be ready before the trial. Let's try now the combination of YARA and the base of ClamAV in dії. Scanning folders with signatures of signatures is scanned with one single command:

$ yara -r clamav.yara /pentest/msf3/data

The -r option tells you to scan recursively through all subfolders of the stream folder. Although in the folder /pentest/msf3/data there is a body of viruses (take it quiet, it is in the ClamAV database), YARA is negligent about it. In principle, the signature scanner is already ready. For greater clarity, I have written a simple script, which rewrites the ClamAV database update, uploads new signatures and converts them to the YARA format. Ale tse already details. One part of the task of vikonan, now you can proceed to the laying down of the rules for the designation of packers / cryptors. Alya for whom had a chance to grow up with them.

Gra for the rules

Again, the rule is the main mechanism of the program, which allows you to zarahuvat tasks file to any category. The rules are described in an okrema file (or files) and seem to guess the construction struct () from C / C ++.

rule Bad Boy
{
strings:
$a = "win.exe"
$b = "http://foo.com/badfile1.exe"
$c = "http://bar.com/badfile2.exe"
condition:
$a and ($b or $c)
}

There are no rules for the principle of anything coherent in writing. Within the framework of this article, I have touched on less than the main points, and you know the details in the manual. So far, the ten most important points are:

1. A skin rule starts with the rule keyword, after some rule identifier. Identifiers can also have names, such as changing C/C++, so that they consist of letters and digits, and the first character cannot be a digit. The maximum length of the identifier name is 128 characters.

2. The rules are composed of two sections: the assignment section (strings) and the mind section (condition). The strings section is given data, on the basis of which the condition section is used to make a decision that satisfies the tasks of the file to the minds of the mind.

3. The leather row at the razdіlі strings may have its own identifier, which starts from the $ sign - in a slur, as if the change was made in php. YARA adds sizable rows, stacked at the foot (“ ”) and sixteen rows, stacked at the curly bow (()), as well as regular swirls:

$my_text_string = "text here"
$ my_hex_string = ( E2 34 A1 C8 23 FB )

4. The condition section has all the logic of the rule. This section is guilty of mischief logical viraz, which means that the file process satisfies the rule. Sound at this section to go to the early rows. And the row identifier looks like a logical change, like it turns true, like a row of knowledge in the file or memory of the process, and false in a different way. The higher-order rule determines that files and processes that sweep the win.exe row and one of two URLs can be brought up to the BadBoy category (on the name of the rule).

5. Sixteen rows allow you to twist three designs to make them more flexible: wildcards, jumps, and alternatives. Substations - tse mіstsya in a row, yakі nevіdomі, and in the їkhny mіstsі may be of significance. They are denoted by the symbol "?":

$hex_string = ( E2 34 ?? C8 A? FB )

Such a pіdhіd аrе аlѕο аrе аnу given rows, dоvzhina hіѕ vіdoma, аnd аt аmіst саn change. Like a part of a row, you can use different lengths, manually vikoristovuvat range:

$hex_string = ( F4 23 62 B4 )

This entry means that in the middle of the row there can be 4 to 6 different bytes. You can also implement an alternative choice:

$hex_string = ( F4 23 (62 B4 | 56) 45 )

Tse means that in the space of the third byte there can be 62 B4 or 56, such a record is indicated by rows F42362B445 or F4235645.

6. In order to reconsider that the tasks are in a row behind the file shift or the address space of the process, the at operator is used:

$a at 100 and $b at 200

If a row can be found in the boundaries of a single address range, the in operator wins:

$a in (0..100) and $b in (100..fi lesize)

Sometimes they blame the situation, if it is necessary to indicate that the file is guilty of revenge on the same number from the given set. Rush for the help of the operator of:

rule Of Example1
{
strings:
$foo1 = "dummy1"
$foo2 = "dummy2"
$foo3 = "dummy3"
condition:
2 of ($foo1,$foo2,$foo3)
}

Move the rule to change the file to be two rows of multiples ($foo1, $foo2, $foo3). Instead of specifying a specific number of rows in a file, you can change any (if you want one row from a given multiplier) and all (arrange a row from a given multiplier).

7. Well, and stop the cicava mozhlivist, yak need to look - zastosuvannya odnієї razum to rich rows. This possibility is already similar to the of operator, only a little harder - the for..of operator:

for expression of string_set: (boolean_expression)

This record needs to be read like this: rows, tasks in string_set, taking expression pieces can be satisfied with boolean_expression mindset. Otherwise, the boolean_expression is calculated for the skin row with a string_set, and the expression must turn the value True. Let's take a look at this design on a specific butt.

Robimo PEiD

Later, if everything became less clear with the rules, we can proceed to the implementation of the packer and cryptor detector in our project. As a source of material on the first pores, I took into account the signatures of the other packs from the same PEiD. The plugins folder has a userdb.txt file, which will avenge those that we need. My database showed 1850 signatures.

A lot, in order to import more of them, write some kind of script for the raja. The format of the simple base is to create a unique text file, in which records are saved in the form:

signature = 50 E8 ?? ?? ?? ?? 58 25 ?? F0 FF FF 8B C8 83 C1 60 51 83 C0 40 83 EA 06 52 FF 20 9D C3
ep_only=true

The first row sets the name of the packer, as it should be in PEiD, but for us it will be the rule identifier. The friend is the signature itself. The third one is the ep_only ensign, which indicates, why search this row only for the address of the entry point, or for the whole file.

Well, what can we try to create a rule, say, for ASPack? As it turned out, there was nothing foldable for him. Let's create a file for saving the rules, which is called yogo, for example, packers.yara. Let's look at the signatures in the PEiD database, in the name of some ASPack figures, that is portable to the rule:

rule ASPack
{
strings:
$ = ( 60 E8 ?? ?? ?? ?? 5D 81 ED ?? ?? (43 | 44) ?? B8 ?? ?? (43 | 44) ?? 03 C5 )
$ = ( 60 EB ?? 5D EB ?? FF ?? ?? ?? ?? ?? E9 )
[.. spelled out..]
$ = ( 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 )
condition:
for any of them: ($ at entrypoint)
}

All known records have ep_only flags set to true, so that rows can be changed to the address of the entry point. To that we write this mindset: "for any of them: ($ at entrypoint)".

In this way, the presence of one of the tasks in the row after the address of the entry point means that the package file is ASPack. Respectfully, in this rule, all rows are given simply for the help of the $ sign, without an identifier. It's possible, because in the condition-section we don't get to some of the specific ones, but the whole set.

In order to reverse the procedure of the removed system, it is enough to type in the console command:

$ yara -r packers.yara somefi le.exe

Having created a couple of add-ons there, packed with ASPack, I changed my mind, that everything works!

Ready prototype

YARA appears as an over-the-top razumilim and a clear-cut tool. It didn't matter to me to write a new webadmin and make the robot work like a web service. Trohi of creativity and dry results of the analyzer are already littered with different colors, indicating the degree of danger of the detected malware. The base is not large, and a short description is available for rich cryptocurrencies, and sometimes you can find instructions for unpacking. The prototype has been created and miraculously worked, and the authorities are dancing in the wake of the slaughter!