xorhex logo

xorhex

Focus on Threat Research through malware reverse engineering

Day 3 of 100 Discontiguous Days of YARA

Improving YARA writing skills by writing more YARA rules.

xorhex

2-Minute Read

#100DaysOfDiscontiguousDaysOfYARA

Summary

Partaking in Greg’s #100DaysOfYARA, but to be honest it’s more likely to be #100DiscontiguousDaysOfYARA for me - if I make it that far.

I doubt that the rules shared these 100 days will contain any truly original ideas, but I’d still like to share what I’ve learned.

Day 3

rule no_mz_sig__no_pe_sig__but_could_be_a_pe_file {

  meta:
    author = "xorhex"
    description = "Identifies PE files whose MZ sig and PE sig are wiped by inspecting the machine type value at the expected offset"
    warning = "Further tweaking maybe required to lessen the FP rate"
    HundredDaysOfYARA = "Day 3"

  condition:
      uint16be(0) != 0x4d5a
    and
      uint32(uint32(0x3C)) != 0x00004550
    and
      (
          uint16(uint32(0x3c) + 4 ) == 0x014c
        or
          uint16(uint32(0x3c) + 4) == 0x8664
      )
}

Sometimes adversaries will remove the MZ and PE signatures from their malware in the hopes that the malware will be lost in a sea of files. Making use of the PE file format, we can start hunting for these files by keying off other fields in the headers like the machine type.

Starting at the MS-DOS Stub, we read in the value at 0x3c. This offset points us to the PE Signature. Moving 4 byte further into the file, we arrive at the COFF File Header. The first value stored in the File Header is the machine type. We can target x86 and x64 machines by looking at the expected value list for:

ConstantValueDescription
IMAGE_FILE_MACHINE_AMD640x8664x64
IMAGE_FILE_MACHINE_I3860x14cIntel 386 or later processors and compatible processors


Here is a crude visual of what we are targeting.

Diagram

Recent Posts

Categories

About

Hosting my custom tools, threat research, and general reverse engineering notes.