Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Retdec's YARA compiler doesn't support "dotnet" module #747

Closed
ladislav-zezula opened this issue Apr 20, 2020 · 2 comments
Closed

Retdec's YARA compiler doesn't support "dotnet" module #747

ladislav-zezula opened this issue Apr 20, 2020 · 2 comments
Assignees
@PeterMatula
Labels
C-yara enhancement

Comments

@ladislav-zezula
Copy link
Contributor

ladislav-zezula commented Apr 20, 2020
edited
Loading

It is possible to use the pe module in YARA rules used by retdec-fileinfo.exe, but the same does not apply to the dotnet module.

Would it be possible to add support of dotnet module to the retdec's YARA compiler?
@s3rvac s3rvac mentioned this issue Apr 20, 2020
Merged
@s3rvac
Copy link
Member

s3rvac commented Apr 21, 2020

When this gets resolved, we should uncomment the following YARA rule:

retdec/support/yara_patterns/tools/pe/x86/packers.yara

Line 122 in 06793db

// TODO: When retdec's YARAC will be of a newer version

When uncommeting the code, do not forget to add import "dotnet" to the top of the file.

PeterMatula added a commit that referenced this issue Apr 22, 2020
@PeterMatula
deps/yara: #747, enable .NET module
1709aec
PeterMatula added a commit that referenced this issue Apr 23, 2020
@PeterMatula
Add support for using the 'dotnet' module in YARA rules (#749)
dfc58a6 
* deps/yara: #747, enable .NET module

* support/yara_patterns/tools/pe/x86/packers: use .NET module

* cpdetect: refactor formating - mosty long lines

* cpdetect/raw_data: fix typo

* cpdetect: refactor Signatures

* cpdetect: remove version solver module

* cpdetect: refactor

* cpdetect: do not use new and delete

* cpdetect: use YARA rules without matches as heuristic detections

* cpdetect: refactor YARA signature files selection

* cpdetect: fix doxygen
@PeterMatula
Copy link
Collaborator

Fixed by #749.

Changes:

  • Refactored cpdetect - much cleaner and simpler code.
  • YARA is built with dotnet module.
  • Replaced an old rule with a new one using YARA dotnet module in support/yara_patterns/tools/pe/x86/packers.yara
  • x64 binaries are using both x64 and x86 YARA rules. This is the only architecture that does this - i.e. x86 sis currently not using x64, arm64 is not using arm, etc. If some of these should be doing so, let me know.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@PeterMatula PeterMatula

Labels
C-yara enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@ladislav-zezula @s3rvac @PeterMatula