Day 3 of 100 Discontiguous Days of YARA
Improving YARA writing skills by writing more YARA rules.
Summary
Partaking in Greg’s #100DaysOfYARA, but to be honest it’s more likely to be #100DiscontiguousDaysOfYARA for me - if I make it that far.
I doubt that the rules shared these 100 days will contain any truly original ideas, but I’d still like to share what I’ve learned.
Day 3
```yara
rule no_mz_sig__no_pe_sig__but_could_be_a_pe_file {
    meta:
        author = "xorhex"
        description = "Identifies PE files whose MZ sig and PE sig are wiped by inspecting the machine type value at the expected offset"
        warning = "Further tweaking may be required to lessen the FP rate"
        HundredDaysOfYARA = "Day 3"
    condition:
        // 'MZ' read big-endian is 0x4d5a; wiped files will not match
        uint16be(0) != 0x4d5a
        and
        // e_lfanew at 0x3c points at the 'PE\0\0' signature (0x00004550 little-endian)
        uint32(uint32(0x3C)) != 0x00004550
        and
        (
            // COFF File Header starts 4 bytes past the PE signature; first field is Machine
            uint16(uint32(0x3c) + 4) == 0x014c
            or
            uint16(uint32(0x3c) + 4) == 0x8664
        )
}
```
Sometimes adversaries remove the MZ and PE signatures from their malware in the hope that it will be lost in a sea of files. Using what the PE file format tells us about header layout, we can hunt for these files by keying off other header fields that are harder to remove without breaking the loader, such as the machine type.
Starting in the MS-DOS stub, we read the 4-byte value at offset 0x3c (e_lfanew). This offset points at the PE signature. Moving 4 bytes further into the file, we arrive at the COFF File Header, whose first field is the machine type. We can target x86 and x64 binaries by checking for the expected values:
| Constant | Value | Description |
|---|---|---|
| IMAGE_FILE_MACHINE_AMD64 | 0x8664 | x64 |
| IMAGE_FILE_MACHINE_I386 | 0x14c | Intel 386 or later processors and compatible processors |
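To make the offset walk concrete outside YARA, here is an added Python example (my own, not code from the original post) that applies the same three checks to raw header bytes; the out-of-bounds handling mirrors YARA's behaviour, where an `uintN()` read past the end of the file is undefined and the condition fails. The `build_sample` helper constructs minimal test headers and is an assumption for demonstration only.

```python
import struct

# Machine-type constants from the PE specification (see the table above).
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664


def u16(buf, off):
    """Little-endian uint16 at off, or None when out of range (like YARA's undefined)."""
    if off < 0 or off + 2 > len(buf):
        return None
    return struct.unpack_from("<H", buf, off)[0]


def u32(buf, off):
    """Little-endian uint32 at off, or None when out of range."""
    if off < 0 or off + 4 > len(buf):
        return None
    return struct.unpack_from("<I", buf, off)[0]


def headerless_pe_candidate(buf):
    """True when both signatures are absent but the COFF Machine field is x86 or x64."""
    if u16(buf, 0) == 0x5A4D:              # 'MZ' still present -> not our target
        return False
    e_lfanew = u32(buf, 0x3C)              # offset of the PE signature
    if e_lfanew is None:
        return False                       # file too small to hold a DOS header
    if u32(buf, e_lfanew) == 0x00004550:   # 'PE\0\0' still present -> not our target
        return False
    machine = u16(buf, e_lfanew + 4)       # first field of the COFF File Header
    return machine in (IMAGE_FILE_MACHINE_I386, IMAGE_FILE_MACHINE_AMD64)


def build_sample(mz, pe_sig, machine, e_lfanew=0x80):
    """Constructed sample: DOS stub up to e_lfanew, then the signature and Machine field."""
    buf = bytearray(e_lfanew + 24)
    buf[0:2] = b"MZ" if mz else b"\x00\x00"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\x00\x00" if pe_sig else b"\x00\x00\x00\x00"
    struct.pack_into("<H", buf, e_lfanew + 4, machine)
    return bytes(buf)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:              # usage: python3 script.py <file>...
        with open(path, "rb") as fh:
            print(path, headerless_pe_candidate(fh.read()))
```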
Here is a crude visual of what we are targeting.