YARA: XOR Strings
I did not notice this in August when YARA 3.8.0 was released, but a new string search feature was introduced: XOR searching.
Here is an example:
rule xor_test {
strings:
$a = "http://isc.sans.edu" xor
condition:
$a
}
By using string keyword "xor" with a string, the YARA engine will search for all byte sequences that match any 1-byte key XOR-encoded versions of this string (except for "key" 0x00).
In this example, file test-xor.txt contains a URL encoded with XOR key 0x41 (A).
With option -s, the encoded string is displayed:
String modifier "xor" can be used together with string modifiers "ascii", "wide" and "nocase".
It can not be used with regular expressions, although no error or warning is displayed:
rule xor_test_re {
strings:
$a = /http:\/\/[a-z]+\.com/ xor
condition:
$a
}
It does work if the regular expression is literal:
rule xor_test_re {
strings:
$a = /http:\/\/didierstevens\.com/ xor
condition:
$a
}
But I don't see the use case for this.
Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com
Comments
I guess something like this might be usefull:
rule xor_dll_injection_imports : feature obfuscation
{
meta:
author = "Michal Ambroz"
description = "Detects API used for DLL injection obfuscated by single-byte xor"
strings:
$api_01 = "OpenProcess" xor
$api_02 = "GetProcessAddress" xor
$api_03 = "VirtualAllocEx" xor
$api_04 = "WriteProcessMemory" xor
$api_05 = "GetModuleHandleA" xor
$api_06 = "LoadLibraryA" xor
$api_07 = "CreateRemoteThread" xor
$api_08 = "VirtualProtect" xor
$api_09 = "advapi32.dll" xor
condition:
//Contains all of the strings
any of them
}
Anonymous
Oct 6th 2018
5 years ago
It is just pity that the --print-strings displays only the match and not the original string.
For example:
$ cat win_obfuscated_calls.yara
rule xor_dll_injection_imports : feature obfuscation
{
meta:
author = "Michal Ambroz"
description = "Detects API used for DLL injection obfuscated by single-byte xor"
strings:
$api_01 = "OpenProcess" xor
$api_02 = "GetProcessAddress" xor
$api_03 = "VirtualAllocEx" xor
$api_04 = "WriteProcessMemory" xor
$api_05 = "GetModuleHandleA" xor
$api_06 = "LoadLibraryA" xor
$api_07 = "CreateRemoteThread" xor
$api_08 = "VirtualProtect" xor
$api_09 = "advapi32.dll" xor
condition:
//Contains any of the strings
any of them
}
$ yara -s win_obfuscated_calls.yara 8ac1a9d4a9b6f0fc23d481e0db29de18bf596071418611c52a0bd0942103776a
0x2bc34:$api_08: Lshno{vJhun\x7Fyn
0x2bd80:$api_08: Lshno{vJhun\x7Fyn
0x2c414:$api_08: Lshno{vJhun\x7Fyn
0x2c5e8:$api_08: Lshno{vJhun\x7Fyn
So as a practical hint - it is usefull to name the strings in yara with something meaningfull:
$ cat win_obfuscated_calls.yara
rule xor_dll_injection_imports : feature obfuscation
{
meta:
author = "Michal Ambroz"
description = "Detects API used for DLL injection obfuscated by single-byte xor"
strings:
$api_OpenProcess = "OpenProcess" xor
$api_GetProcessAddress = "GetProcessAddress" xor
$api_VirtualAllocEx = "VirtualAllocEx" xor
$api_WriteProcessMemory = "WriteProcessMemory" xor
$api_GerModuleHandleA = "GetModuleHandleA" xor
$api_LoadLibraryA = "LoadLibraryA" xor
$api_CreateRemoteThread = "CreateRemoteThread" xor
$api_VirtualProtect = "VirtualProtect" xor
$dll_advapi32_dll = "advapi32.dll" xor
condition:
//Contains any of the strings
any of them
}
$ yara -s win_obfuscated_calls.yara 8ac1a9d4a9b6f0fc23d481e0db29de18bf596071418611c52a0bd0942103776a
xor_dll_injection_imports 8ac1a9d4a9b6f0fc23d481e0db29de18bf596071418611c52a0bd0942103776a
0x2bc34:$api_VirtualProtect: Lshno{vJhun\x7Fyn
0x2bd80:$api_VirtualProtect: Lshno{vJhun\x7Fyn
0x2c414:$api_VirtualProtect: Lshno{vJhun\x7Fyn
0x2c5e8:$api_VirtualProtect: Lshno{vJhun\x7Fyn
Michal Ambroz
Anonymous
Oct 6th 2018
5 years ago
Anonymous
Oct 7th 2018
5 years ago
Anonymous
Oct 7th 2018
5 years ago
I've tried to do this before, and a lot of parameters have an impact. I'll try to summarize it in a diary entry.
Anonymous
Oct 7th 2018
5 years ago
The YARA documentation only mentions string modifier xor for strings, not for regular expressions.
Hence I expected an error message when I would use it with a regex, but that is not the case.
Anonymous
Oct 7th 2018
5 years ago