
Day 5 of 100 Discontiguous Days of YARA

Improving YARA writing skills by writing more YARA rules.

xorhex


#100DaysOfDiscontiguousDaysOfYARA

Summary

Partaking in Greg’s #100DaysOfYARA, but to be honest it’s more likely to be #100DiscontiguousDaysOfYARA for me - if I make it that far.

I doubt that the rules shared these 100 days will contain any truly original ideas, but I’d still like to share what I’ve learned.

Day 5

First, credit for this goes to @wxs who has patiently helped me more than once with my rules over the years.

math.min is your friend!

Straight from the documentation, math.min is defined as:

math.min(int, int): returns the minimum of two signed 64-bit integer values.

Why should I care about that?

Take this dummy rule for example:

rule test {
  strings:
    $op1 = { 33 ?? 33 ?? }
    $op2 = { 68 ?? ?? ?? ?? e8 }

  condition:
    // at least 10 $op1 hits must start within the 200 bytes before the first $op2
    for 10 i in (1..#op1) : (
          @op1[i] < @op2
        and
          @op1[i] + 200 > @op2
    )
}

This contrived rule checks whether at least 10 instances of $op1 start within the 200 bytes before the first instance of $op2.

Yes, this rule also triggers YARA's "may slow down scanning" warning. For performance reasons we shouldn't allow this, but it is just a simple rule to showcase math.min usage. Please don't use this rule in any production system - I just made it up.

Depending on the number of hits on $op1, this could take some time. We don’t know how many instances of $op1 could be found in some random file. To keep the number of loop iterations down, we can cap the total number of times the loop cycles through $op1 using math.min.

import "math"

rule test {
  strings:
    $op1 = { 33 ?? 33 ?? }
    $op2 = { 68 ?? ?? ?? ?? e8 }

  condition:
    // same check as above, but the loop never runs more than 500 times
    for 10 i in (1..math.min(500, #op1)) : (
          @op1[i] < @op2
        and
          @op1[i] + 200 > @op2
    )
}

Notice the use of math.min(500, #op1). This caps the number of iterations at 500 whenever #op1 is greater than 500; otherwise the loop iterates #op1 times. When iterating over something that could return a high number of results, strive to use math.min to keep the number of iterations reasonable.
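To make the effect of the cap visible, here is an added Python emulation of the rule's condition as described above (ten $op1 hits starting within 200 bytes before the first $op2), with and without the math.min bound. This is not code from the post and not YARA itself; the byte buffers are constructed, and the regexes and function names are mine.

```python
import re

# Emulated YARA strings: "33 ?? 33 ??" and "68 ?? ?? ?? ?? e8" (?? = any byte).
OP1 = re.compile(rb"\x33.\x33.", re.DOTALL)
OP2 = re.compile(rb"\x68....\xe8", re.DOTALL)


def build_sample(n_op1, gap):
    """Constructed buffer: n_op1 non-overlapping $op1 hits, `gap` filler bytes, then one $op2."""
    return b"\x33\x41\x33\x42\x90" * n_op1 + b"\x00" * gap + b"\x68\x01\x02\x03\x04\xe8"


def offsets(pattern, data):
    """Match offsets, i.e. the values YARA exposes as @str[i] (#str is the count)."""
    return [m.start() for m in pattern.finditer(data)]


def evaluate(data, cap=None, need=10, window=200):
    """Emulate:  for `need` i in (1..min(cap, #op1)) :
                     (@op1[i] < @op2 and @op1[i] + window > @op2)
    i.e. at least `need` $op1 hits start within `window` bytes before the first $op2.
    Returns (rule_matched, loop_iterations) so the cost of the loop is visible."""
    op1, op2 = offsets(OP1, data), offsets(OP2, data)
    if not op2:                       # @op2 is undefined without a hit: condition is false
        return False, 0
    first_op2 = op2[0]
    bound = len(op1) if cap is None else min(cap, len(op1))   # math.min(cap, #op1)
    hits = iterations = 0
    for i in range(bound):            # YARA numbers @op1[i] from 1; Python from 0
        iterations += 1
        if op1[i] < first_op2 < op1[i] + window:
            hits += 1
            if hits == need:          # enough instances seen; stop looping
                return True, iterations
    return False, iterations


if __name__ == "__main__":
    near = build_sample(12, 0)        # 12 hits right before $op2: matches after 10 iterations
    far = build_sample(600, 200)      # 600 hits, none within 200 bytes: never matches
    print(evaluate(near))             # (True, 10)
    print(evaluate(far))              # (False, 600)  uncapped: every hit is examined
    print(evaluate(far, cap=500))     # (False, 500)  math.min(500, #op1) bounds the work
```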

What’s a reasonable number? Excellent question that I wish I had a good answer for outside of one of these:

  1. A number that keeps the kind folks at VT from reaching out
  2. Saves the kittens
