Day 1 of 100 Discontiguous Days of YARA
Improving YARA writing skills by writing more YARA rules.
Summary
Partaking in Greg’s #100DaysOfYARA, but to be honest it’s more likely to be #100DiscontiguousDaysOfYARA for me - if I make it that far.
I doubt that the rules shared these 100 days will contain any truly original ideas, but I’d still like to share what I’ve learned.
Day 1
import "pe"
import "time"

rule cert_expired {
    meta:
        author = "xorhex"
        description = "Find PE files whose code signing certificate is expired as of current date"
        HundredDaysOfYara = "Day 1"
    condition:
        for any s in pe.signatures : (
            s.not_after < time.now()
        )
}
This rule loops through all of the signatures found in a PE file and compares each signature's not_after date with the current time to see whether the certificate has expired.
Update Note
The original version of the rule looked like this:
import "pe"
import "time"

rule cert_expired {
    meta:
        author = "xorhex"
        description = "Find PE files whose code signing certificate is expired as of current date"
        HundredDaysOfYara = "Day 1"
    condition:
        for any s in (0..pe.number_of_signatures) : (
            pe.signatures[s].not_after < time.now()
        )
}
@wxs kindly pointed out that iterators should be used instead.
Use iterators: for any s in pe.signatures: (s.not_after < https://t.co/PA7QSpwVX2())
— Wesley Shields (@wxs) January 1, 2022
Iterators are nice: they make the rule easier to read, and we no longer have to worry about whether the index is zero- or one-based (or, as in the original rule, about the range `(0..pe.number_of_signatures)` being inclusive and so visiting one index past the last signature).
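Since almost any old, legitimately signed binary has an expired certificate by now, a follow-on rule I find useful for triage checks whether the certificate was even valid when the file claims to have been compiled. This is an added example written for this post, not one of xorhex's rules; it relies on the pe module's `pe.timestamp` field and the `valid_on()` method of a signature object, and uses the same iterator style as the corrected rule above.

```yara
import "pe"

// Added example (not from the original post): flag signed PE files whose
// PE header compile timestamp falls outside the validity window of every
// signing certificate. A cert that was not yet valid, or already expired,
// at compile time points to a forged timestamp or a stolen/abused cert,
// which is far more interesting than "the cert has expired since".
rule cert_not_valid_at_compile_time {
    meta:
        author = "added example"
        description = "PE compile timestamp lies outside the validity period of all signing certificates"
    condition:
        // Require at least one signature and a non-zero timestamp so that
        // unsigned files and zeroed/reproducible-build timestamps do not match.
        pe.number_of_signatures > 0 and
        pe.timestamp > 0 and
        // valid_on() returns true when the signature's not_before..not_after
        // window covers the given Unix epoch; require it to fail for all of them.
        for all s in pe.signatures : (
            not s.valid_on(pe.timestamp)
        )
}
```

Because the condition uses `for all`, a file that carries one bad signature alongside a legitimately re-signed one will not match; switch to `for any` if you would rather see those too.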