Quickie: Generating a YARA Rule to Detect Obfuscated Strings, (Sun, Sep 10th)

In diary entry “Creating a YARA Rule to Detect Obfuscated Strings” I explain how to tune a YARA rule with regular expressions for performance.

I’m sharing here a Python script I wrote to generate regular expressions. The script takes one argument: the string to BASE64 encode and generate regexes for (string “ActiveMime” in my previous diary entry):

import base64
import itertools
import sys

def GenerateRegex(word):
    strings = []
    whitespace = [' ', '\t', '\r', '\n']
    # Only a prefix whose length is a multiple of 3 encodes to a fixed,
    # padding-free BASE64 string that does not depend on what follows it
    detect = word[:len(word) // 3 * 3]
    print(f'String to search: {word}')
    print(f'String to search (* 3): {detect}')
    detectBASE64 = base64.standard_b64encode(detect.encode('utf8')).decode('latin')
    print(f'BASE64 string to search: {detectBASE64}')
    whitespaceregex = '[' + ''.join(whitespace) + ']*'
    print(f'Whitespace characters: {whitespaceregex}')

    detectBASE64 = [char for char in detectBASE64]

    # First BASE64 character followed by exactly 2 whitespace characters (16 regexes)
    for ws in itertools.product(whitespace, whitespace):
        strings.append(detectBASE64[0] + ''.join(ws) + whitespaceregex.join([''] + detectBASE64[1:]))

    # First 2 BASE64 characters followed by exactly 1 whitespace character (4 regexes)
    for ws1 in whitespace:
        strings.append(''.join(detectBASE64[0:2]) + ws1 + whitespaceregex.join([''] + detectBASE64[2:]))

    # First 3 BASE64 characters without whitespace in between (1 regex)
    strings.append(''.join(detectBASE64[0:3]) + whitespaceregex.join([''] + detectBASE64[3:]))

    return strings, detect

def Main():
    regexStrings, detect = GenerateRegex(sys.argv[1])

    # Emit YARA string definitions, one per generated regex
    print(' $base64_%s%d = /%s/' % (detect, 0, regexStrings[0]))
    for index, regex in enumerate(regexStrings[1:]):
        print(' $base64_%s%d = /%s/' % (detect, index + 1, regex))

if __name__ == '__main__':
    Main()
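The example below is added here and is not the diary script. It reimplements the same three-case construction as `diary_regexes`, but emits the whitespace class as regex escapes (`\t`, `\r`, `\n`) rather than the raw characters the script joins into `[ \t\r\n]*`, so the output can be pasted into a rule file. It goes beyond the page in one respect: `all_prefix_regexes` enumerates every possible 3-character literal prefix of an obfuscated match (the match starts with the first BASE64 character; each of the next two positions holds either the next BASE64 character or one whitespace character), and `first_uncovered` is a constructed check that inserts whitespace into the first two gaps of the encoded prefix and reports any variant none of the regexes matches. All function names and the `$base64_<prefix><n>` naming are my own assumptions, modelled on the script's output.

```python
import base64
import itertools
import re

# Whitespace that may be sprinkled into the BASE64 text, once as raw characters
# (to build test input) and once as regex escapes (so the emitted regex is
# printable text that can be pasted into a YARA rule).
WHITESPACE = [' ', '\t', '\r', '\n']
WHITESPACE_RE = [' ', r'\t', r'\r', r'\n']
WS_CLASS = '[' + ''.join(WHITESPACE_RE) + ']*'   # [ \t\r\n]*


def base64_prefix(word):
    """BASE64 of the longest prefix of word whose length is a multiple of 3.

    Three bytes always encode to the same four characters, so this prefix
    encodes identically whatever follows it and needs no padding."""
    detect = word[:len(word) // 3 * 3]
    return base64.standard_b64encode(detect.encode('utf8')).decode('ascii')


def tail(chars, consumed):
    """Remaining BASE64 characters, each preceded by an optional whitespace run."""
    return WS_CLASS.join([''] + chars[consumed:])


def diary_regexes(word):
    """The three cases the diary script enumerates (16 + 4 + 1 = 21 regexes)."""
    chars = list(base64_prefix(word))
    regexes = []
    for ws in itertools.product(WHITESPACE_RE, repeat=2):      # c0 ws ws
        regexes.append(chars[0] + ''.join(ws) + tail(chars, 1))
    for ws in WHITESPACE_RE:                                   # c0 c1 ws
        regexes.append(chars[0] + chars[1] + ws + tail(chars, 2))
    regexes.append(''.join(chars[0:3]) + tail(chars, 3))       # c0 c1 c2
    return regexes


def all_prefix_regexes(word):
    """Every 3-character literal prefix of a whitespace-obfuscated match.

    Position 1 is always c0; positions 2 and 3 each hold the next BASE64
    character (True) or one whitespace character (False), giving
    16 + 4 + 4 + 1 = 25 regexes. The four 'c0 ws c1' forms are the ones the
    diary script does not emit."""
    chars = list(base64_prefix(word))
    regexes = []
    for slots in itertools.product([False, True], repeat=2):
        n_ws = slots.count(False)
        for ws_choice in itertools.product(WHITESPACE_RE, repeat=n_ws):
            ws_iter = iter(ws_choice)
            prefix, consumed = chars[0], 1
            for is_char in slots:
                if is_char:
                    prefix += chars[consumed]
                    consumed += 1
                else:
                    prefix += next(ws_iter)
            regexes.append(prefix + tail(chars, consumed))
    return regexes


def yara_strings(word, generator=all_prefix_regexes):
    """Render the regexes as YARA string definitions, named like the script does."""
    detect = word[:len(word) // 3 * 3]
    return ['$base64_%s%d = /%s/' % (detect, i, r)
            for i, r in enumerate(generator(word))]


def matches_any(word, data, generator=all_prefix_regexes):
    """True when at least one generated regex fires on data (search, as YARA scans)."""
    return any(re.search(r, data) for r in generator(word))


def first_uncovered(word, generator, max_ws=2):
    """Constructed check: insert 0..max_ws whitespace characters into each of
    the first two gaps of the encoded prefix and return the first variant no
    regex matches, or None when every variant is caught."""
    encoded = base64_prefix(word)
    for k1, k2 in itertools.product(range(max_ws + 1), repeat=2):
        for ws1 in itertools.product(WHITESPACE, repeat=k1):
            for ws2 in itertools.product(WHITESPACE, repeat=k2):
                sample = encoded[0] + ''.join(ws1) + encoded[1] + ''.join(ws2) + encoded[2:]
                if not matches_any(word, sample, generator):
                    return sample
    return None


if __name__ == '__main__':
    for line in yara_strings('ActiveMime'):
        print('   ', line)
    print('diary script misses:', repr(first_uncovered('ActiveMime', diary_regexes)))
    print('exhaustive set misses:', repr(first_uncovered('ActiveMime', all_prefix_regexes)))
```

Running it for `ActiveMime` prints 25 string definitions built on `QWN0aXZlTWlt`, reports that the script's 21 regexes leave the single-whitespace variant `Q WN0aXZlTWlt` unmatched, and that the exhaustive set leaves nothing unmatched. Every regex still begins with three literal characters before the first `[ \t\r\n]*`, so the performance property the previous diary entry tunes for is preserved.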

Didier Stevens
Senior handler
Microsoft MVP

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.