this talk
play

This talk Given a compiled YARA ruleset, how easy is it to - PowerPoint PPT Presentation

Jun 29, 2023 •40 likes •270 views

This talk Given a compiled YARA ruleset, how easy is it to reconstruct the individual rules? Strings/regular expressions seem easy. . . . . . but what about the condition syntax? Possible improvements to YARA itself Warning: Some C

  2. This talk • Given a compiled YARA ruleset, how easy is it to reconstruct the individual rules? • Strings/regular expressions seem easy. . . . . . but what about the condition syntax? • Possible improvements to YARA itself • Warning: Some C and assembly included

  3. Rule Compiler yarac -d filename="XXX" -d filepath="XXX" [...] \ apt_aa19_024a.yar apt_agent_btz.yar apt_alienspy_rat.yar [...] \ compiled.yac What happens inside the yr_compiler_add_* functions? • Single–pass compiler, driven directly from code in libyara/grammar.y • Builds a large data structure in memory that hangs off a YR_RULES struct. • Aho-Corasick automaton variant for string/regex/hex–pattern matching. • Rule names, meta information, tags, string names, external variables are stored as–is. • Conditions are compiled into a single bytecode program.

  4. Arena • Custom memory allocator, used to build up and store YR_RULES • Pointer relocation for data structures and some operands in the bytecode program • Used to load/save compiled from/to disk. . . . . . or any streaming reader/writer implementation.

  5. Scanning yara -d filename=cmd.exe [...] -C compiled.yac /path/to/cmd.exe What happens inside the yr_rules_scan_* or yr_scanner_scan_* functions? • Execute multi-pattern matcher, record matches, offsets • Interpret and run bytecode program. The bytecode program collects pattern match results and is responsible for marking rule matches. Without it, none of the string matches matter. • Read file or process memory via YR_ITERATOR • Possibly multiple times—once for pattern matching and on-demand by the bytecode program • May slow down process memory scanning considerably • Streaming operation (stdin or network streams) not possible without storing the stream

  6. Bytecode engine • Stack-based machine • 1 byte opcode • Operand: 0/4/8 bytes, depending on instruction • Distinct memory areas stack RW, holds operands, results for basic operations and function calls • run-time configurable: --stack-size • default: 16k * 64bit mem[] RW scratch memory • compile-time configurable, related to loop implementation • default: 20 * 64bit Arena RO code + static data input file RO • accessed via intXX and uintXX functions • backed by YR_ITERATOR • Giant switch statement, see libyara/exec.c:yr_execute_code

  7. Instruction set (1) • Arithmetic/logical operations for 64bit int, float values • String compare • Data conversions • Integer → Float • String → Boolean • Conditional jumps, relative addresses • Stack, mem[] access • Lookup of individual string matches, offsets, count • Counting, grouping string matches: OF , e.g. • 4 of $str_* • all of them

  8. Instruction set (2) • Module import, initialization • Iterators • Used in for...in expressions • Setup for array, dict, integer-range, integer-list access • Generic ITER_NEXT operation • Direct input file access • Objects: YR_OBJECT • Access external variables • Access code and data from modules • filesize • Mark rule matches • Check result from results • Halt instruction

  9. Bytecode engine: Examples Simple “truthy” rule rule t { condition: true } compiles to: 00000000: INIT_RULE 0x000000000000001b ; rule#0 <t>; next = 0000001b (+27) 00000009: PUSH 0x0000000000000001 00000012: MATCH_RULE 0x0000000000000000 ; rule#0 <t> 0000001b: HALT Simple “falsy” rule rule f { condition: false } compiles to: 00000000: INIT_RULE 0x000000000000001b ; rule#0 <f>; next = 0000001b (+27) 00000009: PUSH 0x0000000000000000 00000012: MATCH_RULE 0x0000000000000000 ; rule#0 <f> 0000001b: HALT

  10. Bytecode engine: Examples String match: “any of” rule s_any { strings: $a = "foo" $b = /(bar|baz|quux)/ condition: any of them } compiles to: 00000000: INIT_RULE 0x0000000000000037 ; rule#0 <s_any>; next = 00000037 (+55) 00000009: PUSH 0x0000000000000001 00000012: PUSH 0xfffabadafabadaff ; undefined 0000001b: PUSH 0x00007f53c2218010 ; string <rule#0 s_any>.$a 00000024: PUSH 0x00007f53c2218048 ; string <rule#0 s_any>.$b 0000002d: OF 0000002e: MATCH_RULE 0x0000000000000000 ; rule#0 <s_any> 00000037: HALT

  11. Bytecode engine: Examples String match: “all of” rule s_all { strings: $a = "foo" $b = /(bar|baz|quux)/ condition: all of them } compiles to: 00000000: INIT_RULE 0x0000000000000037 ; rule#0 <s_all>; next = 00000037 (+55) 00000009: PUSH 0xfffabadafabadaff ; undefined 00000012: PUSH 0xfffabadafabadaff ; undefined 0000001b: PUSH 0x00007fad1f3a7010 ; string <rule#0 s_all>.$a 00000024: PUSH 0x00007fad1f3a7048 ; string <rule#0 s_all>.$b 0000002d: OF 0000002e: MATCH_RULE 0x0000000000000000 ; rule#0 <s_all> 00000037: HALT

  12. Bytecode engine: Examples Modules import "tests" rule tc { condition: tests.constants.one < tests.constants.two } compiles to: 00000000: IMPORT 0x00007fc895815011 ; "tests" 00000009: INIT_RULE 0x000000000000004b ; rule#0 <tc>; next = 00000054 (+75) 00000012: OBJ_LOAD 0x00007fc89581501a ; "tests" 0000001b: OBJ_FIELD 0x00007fc895815020 ; "constants" 00000024: OBJ_FIELD 0x00007fc89581502a ; "one" 0000002d: OBJ_VALUE 0000002e: OBJ_LOAD 0x00007fc89581502e ; "tests" 00000037: OBJ_FIELD 0x00007fc895815034 ; "constants" 00000040: OBJ_FIELD 0x00007fc89581503e ; "two" 00000049: OBJ_VALUE 0000004a: INT_LT 0000004b: MATCH_RULE 0x0000000000000000 ; rule#0 <tc> 00000054: HALT

  13. Bytecode engine: Examples External variables: rule fn { condition: filename == "explorer.exe" or filename == "cmd.exe" } 00000000: INIT_RULE 0x0000000000000040 ; rule#0 <fn>; next = 00000040 (+64) 00000009: OBJ_LOAD 0x00007f695b227025 ; "filename" 00000012: OBJ_VALUE 00000013: PUSH 0x00007f695b22702e 0000001c: STR_EQ 0000001d: JTRUE 0x0000001a ; -> 00000037 (+26) 00000022: OBJ_LOAD 0x00007f695b227046 ; "filename" 0000002b: OBJ_VALUE 0000002c: PUSH 0x00007f695b22704f 00000035: STR_EQ 00000036: OR 00000037: MATCH_RULE 0x0000000000000000 ; rule#0 <fn> 00000040: HALT

  14. Bytecode engine: Examples 00000000: INIT_RULE 0x000000000000001b ; rule#0 <t>; next = 0000001b (+27) 00000009: PUSH 0x0000000000000001 00000012: MATCH_RULE 0x0000000000000000 ; rule#0 <t> 0000001b: INIT_RULE 0x000000010000001b ; rule#1 <f>; next = 00000036 (+27) 00000024: PUSH 0x0000000000000000 0000002d: MATCH_RULE 0x0000000000000001 ; rule#1 <f> 00000036: IMPORT 0x00007f81a215f015 ; "tests" 0000003f: INIT_RULE 0x000000020000004b ; rule#2 <tc>; next = 0000008a (+75) 00000048: OBJ_LOAD 0x00007f81a215f01e ; "tests" 00000051: OBJ_FIELD 0x00007f81a215f024 ; "constants" 0000005a: OBJ_FIELD 0x00007f81a215f02e ; "one" 00000063: OBJ_VALUE 00000064: OBJ_LOAD 0x00007f81a215f032 ; "tests" 0000006d: OBJ_FIELD 0x00007f81a215f038 ; "constants" 00000076: OBJ_FIELD 0x00007f81a215f042 ; "two" 0000007f: OBJ_VALUE 00000080: INT_LT 00000081: MATCH_RULE 0x0000000000000002 ; rule#2 <tc> 0000008a: INIT_RULE 0x0000000300000037 ; rule#3 <s_any>; next = 000000c1 (+55) 00000093: PUSH 0x0000000000000001 0000009c: PUSH 0xfffabadafabadaff ; undefined 000000a5: PUSH 0x00007f81a1e5c010 ; string <rule#3 s_any>.$a 000000ae: PUSH 0x00007f81a1e5c048 ; string <rule#3 s_any>.$b 000000b7: OF 000000b8: MATCH_RULE 0x0000000000000003 ; rule#3 <s_any> 000000c1: HALT

  15. Real-world rulesets • signature-base ruleset curated by Florian Roth • Combined YARA ruleset • 3422 individual rules • 17241 “strings” patterns • 67730 instructions, 429,053 bytes • file size: 7,537,707 bytes • Possible optimizations • Deduplicate strings • Optionally strip meta information • Optionally strip string pattern names • Introduce instruction variants with smaller operand sizes

  16. General computation? • No indirect addressing mode • No primitives to build proper arrays or strings • No CALL/RETURN . . . but we could build something similar based on jump-tables in code • Input/Output • We can use the file that is given to YARA as input. • Output is harder: Signal via OP_MATCH_RULE for one bit per rule. It is practical to output some numbers at best

  17. Output A putchar function: import "tests" rule output { condition: tests.putchar(0x41) and tests.putchar(0x42) and tests.putchar(0x43) and tests.putchar(0x44) and tests.putchar(0x0a) and true // <- Signal match } $ ./yara output.yar /dev/null ABCD output /dev/null

  18. IMPORT str_tests OBJ_LOAD str_tests OBJ_FIELD str_putchar SET_M 0 ; save address PUSH 0x41 ; "A" CALL str_i POP ; ignore return value PUSH_M 0 PUSH 0x42 CALL str_i POP PUSH_M 0 PUSH 0x43 CALL str_i POP PUSH_M 0 PUSH 0x44 CALL str_i POP PUSH_M 0 PUSH 0x0a CALL str_i POP HALT str_tests: DATA "tests" str_putchar: DATA "putchar" str_i: DATA "i"

  19. Porting C code? main(k){float i,j,r,x,y=-16;while(puts(""),y++<15)for(x =0;x++<84;putchar(" .:-;!/>)|&IH%*#"[k&15]))for(i=k=r=0; j=r*r-i*i-2+x/25,i=2*r*i+y/10,j*j+i*i<11&&k++<111;r=j);}

Recommend

Harnessing the Power of Self-Talk Mary Fran Bontempo Self-Talk Self-Talk is your most

Harnessing the Power of Self-Talk Mary Fran Bontempo Self-Talk Self-Talk is your most

Leadership and Your Inner Monologue: Harnessing the Power of Self-Talk Mary Fran Bontempo Self-Talk Self-Talk is your most powerful influence. When did you wake up thinking like this? Change is a Dirty Word for women. 1. Think

673 views • 21 slides
Athenians talk like this, but Thessalians talk like this: What the Attic plays tell us about

Athenians talk like this, but Thessalians talk like this: What the Attic plays tell us about

Athenians talk like this, but Thessalians talk like this: What the Attic plays tell us about sociolinguistics in Ancient Greek discourse Phillip Barnett &amp; Taha Husain University of Kentucky Introduction As drama is intended to represent

440 views • 7 slides
minimize use of terminology Structuring Your Talk use pictures/examples/props if possible

minimize use of terminology Structuring Your Talk use pictures/examples/props if possible

Why Are We Here? For your work to have significant impact, it is How to Give a Good Research Talk essential that you can convey results to your community Your technical reputation depends on colleagues reaction to your talk

905 views • 6 slides
My presentation AB123C Outline Talk about giving a talk A tool to plan and hold

My presentation AB123C Outline Talk about giving a talk A tool to plan and hold

My presentation AB123C Outline Talk about giving a talk A tool to plan and hold presentations: AB123C The blackboard vs. slides The talk A mathematical talk is a presentation of your results in oral form Very different from

320 views • 21 slides
Le Lets t talk a abou out ho how w we e talk abo bout ut men ental hea health.

Le Lets t talk a abou out ho how w we e talk abo bout ut men ental hea health.

Le Lets t talk a abou out ho how w we e talk abo bout ut men ental hea health. h. ROADMAP FOR TODAY - How Illinois Outpatient Laws Can (and Should) Break Our Inpatient Cycles - Incorporating Advance Directives Into

608 views • 35 slides
Sin: to miss the mark. Walk the talk. Sin: to miss the mark. Walk the talk. The Mark: the

Sin: to miss the mark. Walk the talk. Sin: to miss the mark. Walk the talk. The Mark: the

Sin: to miss the mark. Walk the talk. Sin: to miss the mark. Walk the talk. The Mark: the standard of holiness established by God and evidenced by Jesus. We can never live deeply until we Walk the talk. deal with our sin. The ethical test

662 views • 26 slides
A Talk about How to Give a Talk Part II Bertram Fronhfer International Center for

A Talk about How to Give a Talk Part II Bertram Fronhfer International Center for

A Talk about How to Give a Talk Part II Bertram Fronhfer International Center for Computational Logic Technische Universitt Dresden Germany Bertram Fronhfer A Talk about How to Give a Talk Part II 1 Overview Part I How to

549 views • 21 slides
Outline: SUZero MML Talk Interspeech talk (for Ewald) Explain one technique in a bit more

Outline: SUZero MML Talk Interspeech talk (for Ewald) Explain one technique in a bit more

Outline: SUZero MML Talk Interspeech talk (for Ewald) Explain one technique in a bit more detail The experience of a coding sprint Unsupervised acoustic unit discovery for speech synthesis using discrete latent-variable neural

1.74k views • 110 slides
Repair and Lining in the 21 st Century What we talk about when we talk about lining CUPA

Repair and Lining in the 21 st Century What we talk about when we talk about lining CUPA

Repair and Lining in the 21 st Century What we talk about when we talk about lining CUPA Conference 2018 Tom Henderson Engineering Geologist State Water Resources Control Board UST Leak Prevention Unit February 2018 Why Should You Care?

1.2k views • 52 slides
Why Talk to Customers? Nick Kolobutin Why Talk to Customers? What is a Startup? A temporary

Why Talk to Customers? Nick Kolobutin Why Talk to Customers? What is a Startup? A temporary

Why Talk to Customers? Nick Kolobutin Why Talk to Customers? What is a Startup? A temporary organization in search of a scalable, repeatable, profitable business model Startups are Risky Greater than 90% of products fail today

979 views • 54 slides
Talk to me Drupal Talk to me Drupal Using Drupal to power a Voice App Speaker notes Talk to me

Talk to me Drupal Talk to me Drupal Using Drupal to power a Voice App Speaker notes Talk to me

Talk to me Drupal Talk to me Drupal Using Drupal to power a Voice App Speaker notes Talk to me Drupal; Using Drupal to power a Voice App You should be able to follow along by visiting the link below. If you have an Echo device, please mute the

1.67k views • 87 slides
Plan of the talk Plan of the talk The geometry of the hot X-ray corona Strong gravity and

Plan of the talk Plan of the talk The geometry of the hot X-ray corona Strong gravity and

The X-ray polarimetric view of the AGN central engine Giorgio Matt (Universit Roma Tre, Italy) Plan of the talk Plan of the talk The geometry of the hot X-ray corona Strong gravity and the BH spin The orientation of the torus

462 views • 17 slides
Aleksander Mdry What will this talk be about? At a

Aleksander Mdry What will this talk be about? At a

Interior-point Methods and the Maximum Flow Problem Aleksander Mdry What will this talk be about? At a first glance: It is just a talk

708 views • 45 slides
More advanced application techniques, using Swift about this talk Talk about project that I

More advanced application techniques, using Swift about this talk Talk about project that I

More advanced application techniques, using Swift about this talk Talk about project that I spend most of my time working on: Swift Use that to introduce some more general concepts in describing applications and in executing

1.61k views • 64 slides
Standardization Kate Mueller, Director of Product Development What we talk about when we talk

Standardization Kate Mueller, Director of Product Development What we talk about when we talk

Standardization Kate Mueller, Director of Product Development What we talk about when we talk about standard- ization Dont try to 8ix a people/ process problem with a technical solution. Treat it like any other project.

559 views • 4 slides
talk lk listen take part Communication is is at the heart of all ll we do The Talking

talk lk listen take part Communication is is at the heart of all ll we do The Talking

talk lk listen take part Communication is is at the heart of all ll we do The Talking Journey But learning to talk doesnt happen by accident it needs you to make this happen. Talk Together Comments not questions Give them

708 views • 22 slides
What we talk about when we talk about Learning in many-body physics Stories Zi Yang Meng

What we talk about when we talk about Learning in many-body physics Stories Zi Yang Meng

What we talk about when we talk about Learning in many-body physics Stories Zi Yang Meng Raymond Carver Anton Chekhov of American literature I was going to tell you about something. I mean, I was going to prove a point. You

784 views • 54 slides
Why to give an academic talk? You have a good work, and want others to know about it

Why to give an academic talk? You have a good work, and want others to know about it

Why to give an academic talk? You have a good work, and want others to know about it Leveraging academic talks to increase the impact of your research, e.g., conference presentations You have to give a talk A talk is necessary in a

674 views • 40 slides
How to Give a Bad Talk How to Give a Bad Talk Professor David A. Patterson Computer Science 152

How to Give a Bad Talk How to Give a Bad Talk Professor David A. Patterson Computer Science 152

Lecture 20: How to Give a Bad Talk How to Give a Bad Talk Professor David A. Patterson Computer Science 152 Fall 1997 Cs252.1 CS 152: Remaining Schedule Whats Left: Thursday 12/4: Oral Presentations, Noon to 7PM, 6thfloor

242 views • 5 slides
Jan Mller Co-founder, CTO Chainalysis How Does Bitcoin Actually Work? This talk is not

Jan Mller Co-founder, CTO Chainalysis How Does Bitcoin Actually Work? This talk is not

Jan Mller Co-founder, CTO Chainalysis How Does Bitcoin Actually Work? This talk is not about the poli:cal or economical impact of Bitcoin. This talk is not about how to buy, sell, spend, or secure your bitcoins. This talk is about

1.14k views • 41 slides
Talk to me Drupal Talk to me Drupal Using Drupal to power a Voice App Hello My Name Is Frank

Talk to me Drupal Talk to me Drupal Using Drupal to power a Voice App Hello My Name Is Frank

Talk to me Drupal Talk to me Drupal Using Drupal to power a Voice App Hello My Name Is Frank Hello My Name Is Frank I am a Christian, Father, and Technology Enthusiast. Online my name is frob (IRC, d.o, github) On Twitter I am @frobdfas My Blog

616 views • 44 slides
Learn self-care Express your feelings Tell Someone Someone loves you Talk Ask Listen Keep

Learn self-care Express your feelings Tell Someone Someone loves you Talk Ask Listen Keep

Overview of LETS TALK presentations Learn self-care Express your feelings Tell Someone Someone loves you Talk Ask Listen Keep Talking Background LETS TALK is a community driven initiative that arose in response to the rising death

311 views • 4 slides
University Of Bristol 1 What to talk about? 2 What to talk about? Theory vs Practice vs

University Of Bristol 1 What to talk about? 2 What to talk about? Theory vs Practice vs

(Or Living Between a Rock and a Hard Place) Nigel Smart University Of Bristol 1 What to talk about? 2 What to talk about? Theory vs Practice vs Theory and Practice A key problem is someones theory is someone elses practice,

1.66k views • 68 slides
Topic of this talk Topic of this talk From E- -Relevance Relevance From E to W- -Relevance

Topic of this talk Topic of this talk From E- -Relevance Relevance From E to W- -Relevance

Topic of this talk Topic of this talk From E- -Relevance Relevance From E to W- -Relevance Relevance to W What is relevance in Mobile Personal Information Retrieval? P. Coppola, V. Della Mea, L. Di Gaspero, S. Mizzaro What is

65 views • 6 slides

More recommend