this talk
play

This talk Given a compiled YARA ruleset, how easy is it to - PowerPoint PPT Presentation

Jun 29, 2023 •40 likes •270 views

This talk Given a compiled YARA ruleset, how easy is it to reconstruct the individual rules? Strings/regular expressions seem easy. . . . . . but what about the condition syntax? Possible improvements to YARA itself Warning: Some C

  2. This talk • Given a compiled YARA ruleset, how easy is it to reconstruct the individual rules? • Strings/regular expressions seem easy. . . . . . but what about the condition syntax? • Possible improvements to YARA itself • Warning: Some C and assembly included

  3. Rule Compiler yarac -d filename="XXX" -d filepath="XXX" [...] \ apt_aa19_024a.yar apt_agent_btz.yar apt_alienspy_rat.yar [...] \ compiled.yac What happens inside the yr_compiler_add_* functions? • Single–pass compiler, driven directly from code in libyara/grammar.y • Builds a large data structure in memory that hangs off a YR_RULES struct. • Aho-Corasick automaton variant for string/regex/hex–pattern matching. • Rule names, meta information, tags, string names, external variables are stored as–is. • Conditions are compiled into a single bytecode program.

  4. Arena • Custom memory allocator, used to build up and store YR_RULES • Pointer relocation for data structures and some operands in the bytecode program • Used to load/save compiled from/to disk. . . . . . or any streaming reader/writer implementation.

  5. Scanning yara -d filename=cmd.exe [...] -C compiled.yac /path/to/cmd.exe What happens inside the yr_rules_scan_* or yr_scanner_scan_* functions? • Execute multi-pattern matcher, record matches, offsets • Interpret and run bytecode program. The bytecode program collects pattern match results and is responsible for marking rule matches. Without it, none of the string matches matter. • Read file or process memory via YR_ITERATOR • Possibly multiple times—once for pattern matching and on-demand by the bytecode program • May slow down process memory scanning considerably • Streaming operation (stdin or network streams) not possible without storing the stream

  6. Bytecode engine • Stack-based machine • 1 byte opcode • Operand: 0/4/8 bytes, depending on instruction • Distinct memory areas stack RW, holds operands, results for basic operations and function calls • run-time configurable: --stack-size • default: 16k * 64bit mem[] RW scratch memory • compile-time configurable, related to loop implementation • default: 20 * 64bit Arena RO code + static data input file RO • accessed via intXX and uintXX functions • backed by YR_ITERATOR • Giant switch statement, see libyara/exec.c:yr_execute_code

  7. Instruction set (1) • Arithmetic/logical operations for 64bit int, float values • String compare • Data conversions • Integer → Float • String → Boolean • Conditional jumps, relative addresses • Stack, mem[] access • Lookup of individual string matches, offsets, count • Counting, grouping string matches: OF , e.g. • 4 of $str_* • all of them

  8. Instruction set (2) • Module import, initialization • Iterators • Used in for...in expressions • Setup for array, dict, integer-range, integer-list access • Generic ITER_NEXT operation • Direct input file access • Objects: YR_OBJECT • Access external variables • Access code and data from modules • filesize • Mark rule matches • Check result from results • Halt instruction

  9. Bytecode engine: Examples Simple “truthy” rule rule t { condition: true } compiles to: 00000000: INIT_RULE 0x000000000000001b ; rule#0 <t>; next = 0000001b (+27) 00000009: PUSH 0x0000000000000001 00000012: MATCH_RULE 0x0000000000000000 ; rule#0 <t> 0000001b: HALT Simple “falsy” rule rule f { condition: false } compiles to: 00000000: INIT_RULE 0x000000000000001b ; rule#0 <f>; next = 0000001b (+27) 00000009: PUSH 0x0000000000000000 00000012: MATCH_RULE 0x0000000000000000 ; rule#0 <f> 0000001b: HALT

  10. Bytecode engine: Examples String match: “any of” rule s_any { strings: $a = "foo" $b = /(bar|baz|quux)/ condition: any of them } compiles to: 00000000: INIT_RULE 0x0000000000000037 ; rule#0 <s_any>; next = 00000037 (+55) 00000009: PUSH 0x0000000000000001 00000012: PUSH 0xfffabadafabadaff ; undefined 0000001b: PUSH 0x00007f53c2218010 ; string <rule#0 s_any>.$a 00000024: PUSH 0x00007f53c2218048 ; string <rule#0 s_any>.$b 0000002d: OF 0000002e: MATCH_RULE 0x0000000000000000 ; rule#0 <s_any> 00000037: HALT

  11. Bytecode engine: Examples String match: “all of” rule s_all { strings: $a = "foo" $b = /(bar|baz|quux)/ condition: all of them } compiles to: 00000000: INIT_RULE 0x0000000000000037 ; rule#0 <s_all>; next = 00000037 (+55) 00000009: PUSH 0xfffabadafabadaff ; undefined 00000012: PUSH 0xfffabadafabadaff ; undefined 0000001b: PUSH 0x00007fad1f3a7010 ; string <rule#0 s_all>.$a 00000024: PUSH 0x00007fad1f3a7048 ; string <rule#0 s_all>.$b 0000002d: OF 0000002e: MATCH_RULE 0x0000000000000000 ; rule#0 <s_all> 00000037: HALT

  12. Bytecode engine: Examples Modules import "tests" rule tc { condition: tests.constants.one < tests.constants.two } compiles to: 00000000: IMPORT 0x00007fc895815011 ; "tests" 00000009: INIT_RULE 0x000000000000004b ; rule#0 <tc>; next = 00000054 (+75) 00000012: OBJ_LOAD 0x00007fc89581501a ; "tests" 0000001b: OBJ_FIELD 0x00007fc895815020 ; "constants" 00000024: OBJ_FIELD 0x00007fc89581502a ; "one" 0000002d: OBJ_VALUE 0000002e: OBJ_LOAD 0x00007fc89581502e ; "tests" 00000037: OBJ_FIELD 0x00007fc895815034 ; "constants" 00000040: OBJ_FIELD 0x00007fc89581503e ; "two" 00000049: OBJ_VALUE 0000004a: INT_LT 0000004b: MATCH_RULE 0x0000000000000000 ; rule#0 <tc> 00000054: HALT

  13. Bytecode engine: Examples External variables: rule fn { condition: filename == "explorer.exe" or filename == "cmd.exe" } 00000000: INIT_RULE 0x0000000000000040 ; rule#0 <fn>; next = 00000040 (+64) 00000009: OBJ_LOAD 0x00007f695b227025 ; "filename" 00000012: OBJ_VALUE 00000013: PUSH 0x00007f695b22702e 0000001c: STR_EQ 0000001d: JTRUE 0x0000001a ; -> 00000037 (+26) 00000022: OBJ_LOAD 0x00007f695b227046 ; "filename" 0000002b: OBJ_VALUE 0000002c: PUSH 0x00007f695b22704f 00000035: STR_EQ 00000036: OR 00000037: MATCH_RULE 0x0000000000000000 ; rule#0 <fn> 00000040: HALT

  14. Bytecode engine: Examples 00000000: INIT_RULE 0x000000000000001b ; rule#0 <t>; next = 0000001b (+27) 00000009: PUSH 0x0000000000000001 00000012: MATCH_RULE 0x0000000000000000 ; rule#0 <t> 0000001b: INIT_RULE 0x000000010000001b ; rule#1 <f>; next = 00000036 (+27) 00000024: PUSH 0x0000000000000000 0000002d: MATCH_RULE 0x0000000000000001 ; rule#1 <f> 00000036: IMPORT 0x00007f81a215f015 ; "tests" 0000003f: INIT_RULE 0x000000020000004b ; rule#2 <tc>; next = 0000008a (+75) 00000048: OBJ_LOAD 0x00007f81a215f01e ; "tests" 00000051: OBJ_FIELD 0x00007f81a215f024 ; "constants" 0000005a: OBJ_FIELD 0x00007f81a215f02e ; "one" 00000063: OBJ_VALUE 00000064: OBJ_LOAD 0x00007f81a215f032 ; "tests" 0000006d: OBJ_FIELD 0x00007f81a215f038 ; "constants" 00000076: OBJ_FIELD 0x00007f81a215f042 ; "two" 0000007f: OBJ_VALUE 00000080: INT_LT 00000081: MATCH_RULE 0x0000000000000002 ; rule#2 <tc> 0000008a: INIT_RULE 0x0000000300000037 ; rule#3 <s_any>; next = 000000c1 (+55) 00000093: PUSH 0x0000000000000001 0000009c: PUSH 0xfffabadafabadaff ; undefined 000000a5: PUSH 0x00007f81a1e5c010 ; string <rule#3 s_any>.$a 000000ae: PUSH 0x00007f81a1e5c048 ; string <rule#3 s_any>.$b 000000b7: OF 000000b8: MATCH_RULE 0x0000000000000003 ; rule#3 <s_any> 000000c1: HALT

  15. Real-world rulesets • signature-base ruleset curated by Florian Roth • Combined YARA ruleset • 3422 individual rules • 17241 “strings” patterns • 67730 instructions, 429,053 bytes • file size: 7,537,707 bytes • Possible optimizations • Deduplicate strings • Optionally strip meta information • Optionally strip string pattern names • Introduce instruction variants with smaller operand sizes

  16. General computation? • No indirect addressing mode • No primitives to build proper arrays or strings • No CALL/RETURN . . . but we could build something similar based on jump-tables in code • Input/Output • We can use the file that is given to YARA as input. • Output is harder: Signal via OP_MATCH_RULE for one bit per rule. It is practical to output some numbers at best

  17. Output A putchar function: import "tests" rule output { condition: tests.putchar(0x41) and tests.putchar(0x42) and tests.putchar(0x43) and tests.putchar(0x44) and tests.putchar(0x0a) and true // <- Signal match } $ ./yara output.yar /dev/null ABCD output /dev/null

  18. IMPORT str_tests OBJ_LOAD str_tests OBJ_FIELD str_putchar SET_M 0 ; save address PUSH 0x41 ; "A" CALL str_i POP ; ignore return value PUSH_M 0 PUSH 0x42 CALL str_i POP PUSH_M 0 PUSH 0x43 CALL str_i POP PUSH_M 0 PUSH 0x44 CALL str_i POP PUSH_M 0 PUSH 0x0a CALL str_i POP HALT str_tests: DATA "tests" str_putchar: DATA "putchar" str_i: DATA "i"

  19. Porting C code? main(k){float i,j,r,x,y=-16;while(puts(""),y++<15)for(x =0;x++<84;putchar(" .:-;!/>)|&IH%*#"[k&15]))for(i=k=r=0; j=r*r-i*i-2+x/25,i=2*r*i+y/10,j*j+i*i<11&&k++<111;r=j);}

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Harnessing the Power of Self-Talk Mary Fran Bontempo Self-Talk Self-Talk is your most

Harnessing the Power of Self-Talk Mary Fran Bontempo Self-Talk Self-Talk is your most

Leadership and Your Inner Monologue: Harnessing the Power of Self-Talk Mary Fran Bontempo Self-Talk Self-Talk is your most powerful influence. When did you wake up thinking like this? Change is a Dirty Word for women. 1. Think

673 views • 21 slides
Athenians talk like this, but Thessalians talk like this: What the Attic plays tell us about

Athenians talk like this, but Thessalians talk like this: What the Attic plays tell us about

Athenians talk like this, but Thessalians talk like this: What the Attic plays tell us about sociolinguistics in Ancient Greek discourse Phillip Barnett &amp; Taha Husain University of Kentucky Introduction As drama is intended to represent

440 views • 7 slides
minimize use of terminology Structuring Your Talk use pictures/examples/props if possible

minimize use of terminology Structuring Your Talk use pictures/examples/props if possible

Why Are We Here? For your work to have significant impact, it is How to Give a Good Research Talk essential that you can convey results to your community Your technical reputation depends on colleagues reaction to your talk

905 views • 6 slides
My presentation AB123C Outline Talk about giving a talk A tool to plan and hold

My presentation AB123C Outline Talk about giving a talk A tool to plan and hold

My presentation AB123C Outline Talk about giving a talk A tool to plan and hold presentations: AB123C The blackboard vs. slides The talk A mathematical talk is a presentation of your results in oral form Very different from

320 views • 21 slides
Le Lets t talk a abou out ho how w we e talk abo bout ut men ental hea health.

Le Lets t talk a abou out ho how w we e talk abo bout ut men ental hea health.

Le Lets t talk a abou out ho how w we e talk abo bout ut men ental hea health. h. ROADMAP FOR TODAY - How Illinois Outpatient Laws Can (and Should) Break Our Inpatient Cycles - Incorporating Advance Directives Into

608 views • 35 slides
Sin: to miss the mark. Walk the talk. Sin: to miss the mark. Walk the talk. The Mark: the

Sin: to miss the mark. Walk the talk. Sin: to miss the mark. Walk the talk. The Mark: the

Sin: to miss the mark. Walk the talk. Sin: to miss the mark. Walk the talk. The Mark: the standard of holiness established by God and evidenced by Jesus. We can never live deeply until we Walk the talk. deal with our sin. The ethical test

662 views • 26 slides
A Talk about How to Give a Talk Part II Bertram Fronhfer International Center for

A Talk about How to Give a Talk Part II Bertram Fronhfer International Center for

A Talk about How to Give a Talk Part II Bertram Fronhfer International Center for Computational Logic Technische Universitt Dresden Germany Bertram Fronhfer A Talk about How to Give a Talk Part II 1 Overview Part I How to

549 views • 21 slides
Outline: SUZero MML Talk Interspeech talk (for Ewald) Explain one technique in a bit more

Outline: SUZero MML Talk Interspeech talk (for Ewald) Explain one technique in a bit more

Outline: SUZero MML Talk Interspeech talk (for Ewald) Explain one technique in a bit more detail The experience of a coding sprint Unsupervised acoustic unit discovery for speech synthesis using discrete latent-variable neural

1.74k views • 110 slides
Repair and Lining in the 21 st Century What we talk about when we talk about lining CUPA

Repair and Lining in the 21 st Century What we talk about when we talk about lining CUPA

Repair and Lining in the 21 st Century What we talk about when we talk about lining CUPA Conference 2018 Tom Henderson Engineering Geologist State Water Resources Control Board UST Leak Prevention Unit February 2018 Why Should You Care?

1.2k views • 52 slides
Why Talk to Customers? Nick Kolobutin Why Talk to Customers? What is a Startup? A temporary

Why Talk to Customers? Nick Kolobutin Why Talk to Customers? What is a Startup? A temporary

Why Talk to Customers? Nick Kolobutin Why Talk to Customers? What is a Startup? A temporary organization in search of a scalable, repeatable, profitable business model Startups are Risky Greater than 90% of products fail today

979 views • 54 slides
Talk to me Drupal Talk to me Drupal Using Drupal to power a Voice App Speaker notes Talk to me

Talk to me Drupal Talk to me Drupal Using Drupal to power a Voice App Speaker notes Talk to me

Talk to me Drupal Talk to me Drupal Using Drupal to power a Voice App Speaker notes Talk to me Drupal; Using Drupal to power a Voice App You should be able to follow along by visiting the link below. If you have an Echo device, please mute the

1.67k views • 87 slides
Plan of the talk Plan of the talk The geometry of the hot X-ray corona Strong gravity and

Plan of the talk Plan of the talk The geometry of the hot X-ray corona Strong gravity and

The X-ray polarimetric view of the AGN central engine Giorgio Matt (Universit Roma Tre, Italy) Plan of the talk Plan of the talk The geometry of the hot X-ray corona Strong gravity and the BH spin The orientation of the torus

462 views • 17 slides
Aleksander Mdry What will this talk be about? At a

Aleksander Mdry What will this talk be about? At a

Interior-point Methods and the Maximum Flow Problem Aleksander Mdry What will this talk be about? At a first glance: It is just a talk

708 views • 45 slides
More advanced application techniques, using Swift about this talk Talk about project that I

More advanced application techniques, using Swift about this talk Talk about project that I

More advanced application techniques, using Swift about this talk Talk about project that I spend most of my time working on: Swift Use that to introduce some more general concepts in describing applications and in executing

1.61k views • 64 slides
Standardization Kate Mueller, Director of Product Development What we talk about when we talk

Standardization Kate Mueller, Director of Product Development What we talk about when we talk

Standardization Kate Mueller, Director of Product Development What we talk about when we talk about standard- ization Dont try to 8ix a people/ process problem with a technical solution. Treat it like any other project.

559 views • 4 slides
talk lk listen take part Communication is is at the heart of all ll we do The Talking

talk lk listen take part Communication is is at the heart of all ll we do The Talking

talk lk listen take part Communication is is at the heart of all ll we do The Talking Journey But learning to talk doesnt happen by accident it needs you to make this happen. Talk Together Comments not questions Give them

708 views • 22 slides
Presentation of sPring 2014 grants and scholarshiPs Marquette county coMMunity foundation sPring

Presentation of sPring 2014 grants and scholarshiPs Marquette county coMMunity foundation sPring

Presentation of sPring 2014 grants and scholarshiPs Marquette county coMMunity foundation sPring 2014 grants and scholarshiPs PrograM Monday, May 12 th , 2014 7 p.m. Kaufman Auditorium, Graveraet School 611 N Front St., Marquette oPening Music

398 views • 4 slides
Corporate Presentation by White Cloud Insurance Management Team White Cloud Insurance is an

Corporate Presentation by White Cloud Insurance Management Team White Cloud Insurance is an

Corporate Presentation by White Cloud Insurance Management Team White Cloud Insurance is an Independent Insurance Agency Franchise Model. It is based on the best practices and outstanding results gathered from the experience of our affiliate Sky

395 views • 12 slides
Enabling students to achieve academic, career, personal, and social success. HISTORY OF JOBS FOR

Enabling students to achieve academic, career, personal, and social success. HISTORY OF JOBS FOR

Enabling students to achieve academic, career, personal, and social success. HISTORY OF JOBS FOR DELAWARE GRADUATES (JDG) 2018 JDG launched C.O.R.E. Internship Program &amp; celebrates 40 years of helping students achieve success. 2020 JDG

481 views • 24 slides
Leadership Council Meeting December 9, 2019 Agenda George Eastman Circle Program Update

Leadership Council Meeting December 9, 2019 Agenda George Eastman Circle Program Update

New York Cit ity Leadership Council Meeting December 9, 2019 Agenda George Eastman Circle Program Update FY20 Program Goals George Eastman Circle Regional Snapshot NYC George Eastman Circle Focus 2 George Eastman Circle Program

390 views • 8 slides
C H A M P A I G N C O U N T Y F Y 2 0 1 9 B U D G E T Presented by Tami Ogden , Deputy County

C H A M P A I G N C O U N T Y F Y 2 0 1 9 B U D G E T Presented by Tami Ogden , Deputy County

C H A M P A I G N C O U N T Y F Y 2 0 1 9 B U D G E T Presented by Tami Ogden , Deputy County Administrator / Finance C H A M P A I G N C O U N T Y F Y 2 0 1 9 B U D G E T Champaign County Board Legislative Budget Hearings A U G U S T 2 7 S P E C I

552 views • 40 slides
BOSTON STUDENT ADVISORY COUNCIL (BSAC) Presentation To Boston School Committee May 21, 2014

BOSTON STUDENT ADVISORY COUNCIL (BSAC) Presentation To Boston School Committee May 21, 2014

BOSTON STUDENT ADVISORY COUNCIL (BSAC) Presentation To Boston School Committee May 21, 2014 MISSION BSAC advocates for and protects the voices of students in BPS by empowering the student body to express their opinions regarding education

447 views • 16 slides
Ricardo Mourinho Flix Economics and Researach Department Banco de Portugal DSGE modelling at

Ricardo Mourinho Flix Economics and Researach Department Banco de Portugal DSGE modelling at

M A -L L I , O I P R D E W O M O - S , O P D W P AC CR RO IN NK KA AG GE ES IL L RI IC CE ES S A AN ND D EF FL LA AT TI IO ON N OR RK KS SH HO OP J A 6 9 9, , 20 00 09 9 J 6 2 AN NU UA AR

668 views • 49 slides
Santa Clara Santa Clara Santa Clara Challenge Team January 11, 2017 The Center of Whats

Santa Clara Santa Clara Santa Clara Challenge Team January 11, 2017 The Center of Whats

City of City of Santa Clara Santa Clara Santa Clara Challenge Team January 11, 2017 The Center of Whats Possible The Mission City Incorporated in 1852 Charter City Council/Manager Form of Government Park and

383 views • 15 slides

More recommend