yara-normalize 0.1.0 → 0.4.0

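--- /dev/null
+++ b/checksums.yaml
@@ -0,0 +1,7 @@
+---
+SHA256:
+metadata.gz: 3a345a64cbb92b8600dbed3abe6c92219d60a0d27bd04a49bc60f9e141023369
+data.tar.gz: a7ee233ae22e1260789397a71ad1926f60d65e86714662b2b1e5a65e2ca27cb0
+SHA512:
+metadata.gz: a8cb5ab7710807545d146ac7c8d16928296b74dffce0be7963ea815247c8ab3671290c8b236d015ded9dd287eb3b008c8ca4c626279f32440c12b80716b4c9fd
+data.tar.gz: b82a45e72917d4132aa0e6edaa2fac91b162660f8deb88140a05356efbf42ff8e531c786dd674ec31c96231317bef5d9f30c0bd4f1abed7143851b698bf167f9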
data/LICENSE.txt CHANGED
File without changes
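--- a/data/README.rdoc
+++ b/data/README.rdoc
@@ -7,7 +7,7 @@ This modules takes just the strings from the strings section, sorts them, then g
 Then, in the conditions section, reorder the boolean expression to make groups first and then replace all variables
 with $a $b $c, etc. Then hash the result of this.
 
-Then, the signature ID is the concatenation of the sha1 sum of the sorted strings and the sha1 sum of the normalized conditions.
+Then, the signature ID is the concatenation of the truncated md5 sum of the sorted strings and the truncated md5 sum of the normalized conditions. E.g., yn01:488085c947cb22ed:d936fceffe.
 
 == Usage
 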
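--- a/data/bin/yaratool
+++ b/data/bin/yaratool
@@ -2,22 +2,18 @@
 require 'rubygems'
 require 'yara-normalize'
 
-if __FILE__ == $0
-count = duplicates = 0
-hashes = {}
-ARGV.each do |file|
-buf = open(file).read
-YaraTools::Splitter.split(buf).each do |rule|
-count += 1
-#puts rule.normalize
-hash = rule.hash
-puts "#{rule.name} #{hash} #{rule.normalized_strings.join("%")}"
-if hashes[hash]
-duplicate += 1
-end
-hashes[hash] = rule
-end
-end
-puts "Count: #{count}, Duplicates: #{duplicates}"
+count = duplicates = 0
+hashes = {}
+ARGV.each do |file|
+buf = open(file).read
+YaraTools::Splitter.split(buf).each do |rule|
+count += 1
+hash = rule.hash
+puts "#{rule.name} #{hash} #{rule.normalized_strings.join("%")}"
+if hashes[hash]
+duplicates += 1
+end
+hashes[hash] = rule
+end
 end
-
+puts "Count: #{count}, Duplicates: #{duplicates}"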
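Review bot: `buf = open(file).read`, carried over unchanged into the new top-level loop, goes through `Kernel#open`, which spawns a subprocess when its argument begins with `|`, so a filename from ARGV such as `|id` executes a command instead of reading a file, and the handle it returns is never closed; `buf = File.read(file)` avoids both problems in one line. Dropping the `if __FILE__ == $0` guard also means the loop now runs whenever the file is loaded (for example by a test that `load`s it) rather than only when executed directly, which may be intended for a bin script but deserves a comment such as `# runs immediately: this file is only ever executed as a CLI`. Whether untrusted filenames ever reach this script depends on how it is invoked, which is not visible here.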
@@ -8,19 +8,21 @@ module YaraTools
8
8
  ruletext = ruletext.gsub(/[\r\n]+/,"\n").gsub(/^\s*\/\/.*$/,'')
9
9
  @original = ruletext
10
10
  @lookup_table = {}
11
- @next_replacement = 'a'
11
+ @next_replacement = 0
12
12
 
13
- if ruletext =~ /rule\s+([\w\_\-]+)(\s*:\s*(\w[\w\s]+\w))?\s*\{\s*(meta:\s*(.*?))?strings:\s*(.*?)\s*condition:\s*(.*?)\s*\}/m
14
- name,_,tags,ifmeta,meta,strings,condition = $~.captures
13
+ if ruletext =~ /rule\s+([\w\-]+)(\s*:\s*(\w[\w\s]+\w))?\s*\{\s*(meta:\s*(.*?))?strings:\s*(.*?)\s*condition:\s*(.*?)\s*\}/m
14
+ name,_,tags,_,meta,strings,condition = $~.captures
15
15
  @name = name
16
16
  @tags = tags.strip.split(/[,\s]+/) if tags
17
17
  @meta = {}
18
- meta.split(/\n/).each do |m|
19
- k,v = m.strip.split(/\s*=\s*/,2)
20
- if v
21
- @meta[k] = v
22
- end
23
- end
18
+ if meta
19
+ meta.split(/\n/).each do |m|
20
+ k,v = m.strip.split(/\s*=\s*/,2)
21
+ if v
22
+ @meta[k] = v
23
+ end
24
+ end
25
+ end
24
26
  @normalized_strings = []
25
27
  @strings = strings.split(/\n/).map do |s|
26
28
  # strip off the spaces from the edges and then replace the first = with ' = '.
@@ -33,7 +35,7 @@ module YaraTools
33
35
  hexstr = $1.gsub(/\s+/,'').downcase.scan(/../).join(" ")
34
36
  s = s.gsub(/= \{([0-9a-fA-F\s]+)\}/, "= { #{hexstr} }")
35
37
  end
36
- key, val = s.split(/ = /,2)
38
+ _, val = s.split(/ = /,2)
37
39
  if val
38
40
  @normalized_strings << val
39
41
  else
@@ -51,8 +53,8 @@ module YaraTools
51
53
  condition.gsub(/[\$\#]\w+/) do |x|
52
54
  key = x[1,1000]
53
55
  if not @lookup_table[key]
54
- @lookup_table[key] = @next_replacement
55
- @next_replacement = (@next_replacement[0] + 1).chr
56
+ @lookup_table[key] = @next_replacement.to_s
57
+ @next_replacement += 1
56
58
  end
57
59
  x[0].chr+@lookup_table[key]
58
60
  end
@@ -100,7 +102,7 @@ module YaraTools
100
102
 
101
103
  class Splitter
102
104
  def Splitter.split(ruleset)
103
- rules = ruleset.gsub(/[\r\n]+/,"\n").gsub(/^\s*\/\/.*$/,'').scan(/(rule\s+([\w\_\-]+)(\s*:\s*(\w[\w\s]+\w))?\s*\{\s*(meta:\s*(.*?))?strings:\s*(.*?)\s*condition:\s*(.*?)\s*\})/m).map do |rule|
105
+ ruleset.gsub(/[\r\n]+/,"\n").gsub(/^\s*\/\/.*$/,'').scan(/(rule\s+([\w\-]+)(\s*:\s*(\w[\w\s]+\w))?\s*\{\s*(meta:\s*(.*?))?strings:\s*(.*?)\s*condition:\s*(.*?)\s*\})/m).map do |rule|
104
106
  YaraRule.new(rule[0])
105
107
  end
106
108
  end
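Review bot: Switching the condition placeholders from letters to `@next_replacement.to_s` (so `$foo` is emitted as `$0` rather than `$a`) changes the normalized-condition text, and therefore the second hash component, for every rule whose condition names a string, while the ID still carries the `yn01:` prefix shown in the README example and in the deleted ruby_results.txt; IDs recorded by 0.1.0 for such rules will silently stop matching, which defeats the duplicate detection this tool exists for. The hash method and the prefix are outside these hunks, so I cannot see where `yn01` is set, but it should be bumped (e.g. `yn02:`) or the README should state that IDs are not comparable across versions — the README context line still describes the replacement as `$a $b $c`. The change itself is needed, since `(@next_replacement[0] + 1).chr` raises TypeError on Ruby 1.9+ where `'a'[0]` is a String, and the letter scheme ran past `z` after 26 identifiers. The enclosing `initialize` method starts and ends outside the first hunk.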
File without changes
metadata CHANGED
@@ -1,162 +1,131 @@
1
- --- !ruby/object:Gem::Specification
1
+ --- !ruby/object:Gem::Specification
2
2
  name: yara-normalize
3
- version: !ruby/object:Gem::Version
4
- prerelease: false
5
- segments:
6
- - 0
7
- - 1
8
- - 0
9
- version: 0.1.0
3
+ version: !ruby/object:Gem::Version
4
+ version: 0.4.0
10
5
  platform: ruby
11
- authors:
12
- - chrislee35
13
- autorequire:
6
+ authors:
7
+ - Chris Lee
14
8
  bindir: bin
15
- cert_chain:
16
- - |
17
- -----BEGIN CERTIFICATE-----
18
- MIIDYjCCAkqgAwIBAgIBADANBgkqhkiG9w0BAQUFADBXMREwDwYDVQQDDAhydWJ5
19
- Z2VtczEYMBYGCgmSJomT8ixkARkWCGNocmlzbGVlMRMwEQYKCZImiZPyLGQBGRYD
20
- ZGhzMRMwEQYKCZImiZPyLGQBGRYDb3JnMB4XDTExMDIyNzE1MzAxOVoXDTEyMDIy
21
- NzE1MzAxOVowVzERMA8GA1UEAwwIcnVieWdlbXMxGDAWBgoJkiaJk/IsZAEZFghj
22
- aHJpc2xlZTETMBEGCgmSJomT8ixkARkWA2RoczETMBEGCgmSJomT8ixkARkWA29y
23
- ZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALNM1Hjs6q58sf7Jp64A
24
- vEY2cnRWDdFpD8UWpwaJK5kgSHOVgs+0mtszn+YlYjmx8kpmuYpyU4g9mNMImMQe
25
- ow8pVsL4QBBK/1Ozgdxrsptk3IiTozMYA+g2I/+WvZSEDu9uHkKe8pvMBEMrg7RJ
26
- IN7+jWaPnSzg3DbFwxwOdi+QRw33DjK7oFWcOaaBqWTUpI4epdi/c/FE1I6UWULJ
27
- ZF/Uso0Sc2Pp/YuVhuMHGrUbn7zrWWo76nnK4DTLfXFDbZF5lIXT1w6BtIiN6Ho9
28
- Rdr/W6663hYUo3WMsUSa3I5+PJXEBKmGHIZ2TNFnoFIRHha2fmm1HC9+BTaKwcO9
29
- PLcCAwEAAaM5MDcwCQYDVR0TBAIwADAdBgNVHQ4EFgQURzsNkZo2rv86Ftc+hVww
30
- RNICMrwwCwYDVR0PBAQDAgSwMA0GCSqGSIb3DQEBBQUAA4IBAQBRRw/iNA/PdnvW
31
- OBoNCSr/IiHOGZqMHgPJwyWs68FhThnLc2EyIkuLTQf98ms1/D3p0XX9JsxazvKT
32
- W/in8Mm/R2fkVziSdzqChtw/4Z4bW3c+RF7TgX6SP5cKxNAfKmAPuItcs2Y+7bdS
33
- hr/FktVtT2iAmISRnlEbdaTpfl6N2ZWNT83khV6iOs5xRkX/+0e+GgAv9mE6nqr1
34
- AkuDXMhposxcnFZUrZ3UtMPEe/JnyP7Vv6pvr3qtZm8FidFZU91+rX/fwdyBU8RP
35
- /5l8uLWXXNt1wEbtu4N1I66LwTK2iRrQZE8XtlgZGbxYDFUkiurq3OafF2YwRs6W
36
- 6yhklP75
37
- -----END CERTIFICATE-----
38
-
39
- date: 2012-10-29 00:00:00 -04:00
40
- default_executable: yaratool
41
- dependencies:
42
- - !ruby/object:Gem::Dependency
43
- prerelease: false
9
+ cert_chain: []
10
+ date: 1980-01-02 00:00:00.000000000 Z
11
+ dependencies:
12
+ - !ruby/object:Gem::Dependency
13
+ name: test-unit
14
+ requirement: !ruby/object:Gem::Requirement
15
+ requirements:
16
+ - - "~>"
17
+ - !ruby/object:Gem::Version
18
+ version: '3.6'
44
19
  type: :development
20
+ prerelease: false
21
+ version_requirements: !ruby/object:Gem::Requirement
22
+ requirements:
23
+ - - "~>"
24
+ - !ruby/object:Gem::Version
25
+ version: '3.6'
26
+ - !ruby/object:Gem::Dependency
45
27
  name: shoulda
46
- version_requirements: &id001 !ruby/object:Gem::Requirement
47
- requirements:
48
- - - ">="
49
- - !ruby/object:Gem::Version
50
- segments:
51
- - 0
52
- version: "0"
53
- requirement: *id001
54
- - !ruby/object:Gem::Dependency
28
+ requirement: !ruby/object:Gem::Requirement
29
+ requirements:
30
+ - - "~>"
31
+ - !ruby/object:Gem::Version
32
+ version: '4'
33
+ type: :development
55
34
  prerelease: false
35
+ version_requirements: !ruby/object:Gem::Requirement
36
+ requirements:
37
+ - - "~>"
38
+ - !ruby/object:Gem::Version
39
+ version: '4'
40
+ - !ruby/object:Gem::Dependency
41
+ name: rspec
42
+ requirement: !ruby/object:Gem::Requirement
43
+ requirements:
44
+ - - "~>"
45
+ - !ruby/object:Gem::Version
46
+ version: '3.12'
56
47
  type: :development
57
- name: rdoc
58
- version_requirements: &id002 !ruby/object:Gem::Requirement
59
- requirements:
60
- - - ~>
61
- - !ruby/object:Gem::Version
62
- segments:
63
- - 3
64
- - 12
65
- version: "3.12"
66
- requirement: *id002
67
- - !ruby/object:Gem::Dependency
68
48
  prerelease: false
49
+ version_requirements: !ruby/object:Gem::Requirement
50
+ requirements:
51
+ - - "~>"
52
+ - !ruby/object:Gem::Version
53
+ version: '3.12'
54
+ - !ruby/object:Gem::Dependency
55
+ name: rake
56
+ requirement: !ruby/object:Gem::Requirement
57
+ requirements:
58
+ - - "~>"
59
+ - !ruby/object:Gem::Version
60
+ version: '13.3'
69
61
  type: :development
70
- name: bundler
71
- version_requirements: &id003 !ruby/object:Gem::Requirement
72
- requirements:
73
- - - ~>
74
- - !ruby/object:Gem::Version
75
- segments:
76
- - 1
77
- - 1
78
- - 5
79
- version: 1.1.5
80
- requirement: *id003
81
- - !ruby/object:Gem::Dependency
82
62
  prerelease: false
63
+ version_requirements: !ruby/object:Gem::Requirement
64
+ requirements:
65
+ - - "~>"
66
+ - !ruby/object:Gem::Version
67
+ version: '13.3'
68
+ - !ruby/object:Gem::Dependency
69
+ name: bundler
70
+ requirement: !ruby/object:Gem::Requirement
71
+ requirements:
72
+ - - "~>"
73
+ - !ruby/object:Gem::Version
74
+ version: '2.7'
83
75
  type: :development
84
- name: jeweler
85
- version_requirements: &id004 !ruby/object:Gem::Requirement
86
- requirements:
87
- - - ~>
88
- - !ruby/object:Gem::Version
89
- segments:
90
- - 1
91
- - 8
92
- - 4
93
- version: 1.8.4
94
- requirement: *id004
95
- - !ruby/object:Gem::Dependency
96
76
  prerelease: false
77
+ version_requirements: !ruby/object:Gem::Requirement
78
+ requirements:
79
+ - - "~>"
80
+ - !ruby/object:Gem::Version
81
+ version: '2.7'
82
+ - !ruby/object:Gem::Dependency
83
+ name: rdoc
84
+ requirement: !ruby/object:Gem::Requirement
85
+ requirements:
86
+ - - "~>"
87
+ - !ruby/object:Gem::Version
88
+ version: '6.6'
97
89
  type: :development
98
- name: rcov
99
- version_requirements: &id005 !ruby/object:Gem::Requirement
100
- requirements:
101
- - - ">="
102
- - !ruby/object:Gem::Version
103
- segments:
104
- - 0
105
- version: "0"
106
- requirement: *id005
107
- description: To enable consistent comparisons between yara rules (signature), a uniform hashing standard was needed.
108
- email: rubygems@chrislee.dhs.org
109
- executables:
90
+ prerelease: false
91
+ version_requirements: !ruby/object:Gem::Requirement
92
+ requirements:
93
+ - - "~>"
94
+ - !ruby/object:Gem::Version
95
+ version: '6.6'
96
+ description: Provides normalization and hashing utilities for Yara rule comparisons.
97
+ email:
98
+ - rubygems@chrislee.dhs.org
99
+ executables:
110
100
  - yaratool
111
101
  extensions: []
112
-
113
- extra_rdoc_files:
114
- - LICENSE.txt
115
- - README.rdoc
116
- files:
117
- - .document
118
- - Gemfile
119
- - Gemfile.lock
102
+ extra_rdoc_files: []
103
+ files:
120
104
  - LICENSE.txt
121
105
  - README.rdoc
122
- - Rakefile
123
- - VERSION
124
106
  - bin/yaratool
125
107
  - lib/yara-normalize.rb
126
108
  - lib/yara-normalize/yara-normalize.rb
127
- - ruby_results.txt
128
- - test/helper.rb
129
- - test/test_yara-normalize.rb
130
- - yara-normalize.gemspec
131
- has_rdoc: true
132
- homepage: http://github.com/chrislee35/yara-normalize
133
- licenses:
109
+ homepage: https://github.com/chrislee35/yara-normalize
110
+ licenses:
134
111
  - MIT
135
- post_install_message:
112
+ metadata: {}
136
113
  rdoc_options: []
137
-
138
- require_paths:
114
+ require_paths:
139
115
  - lib
140
- required_ruby_version: !ruby/object:Gem::Requirement
141
- requirements:
116
+ required_ruby_version: !ruby/object:Gem::Requirement
117
+ requirements:
142
118
  - - ">="
143
- - !ruby/object:Gem::Version
144
- segments:
145
- - 0
146
- version: "0"
147
- required_rubygems_version: !ruby/object:Gem::Requirement
148
- requirements:
119
+ - !ruby/object:Gem::Version
120
+ version: '3.0'
121
+ required_rubygems_version: !ruby/object:Gem::Requirement
122
+ requirements:
149
123
  - - ">="
150
- - !ruby/object:Gem::Version
151
- segments:
152
- - 0
153
- version: "0"
124
+ - !ruby/object:Gem::Version
125
+ version: '0'
154
126
  requirements: []
155
-
156
- rubyforge_project:
157
- rubygems_version: 1.3.6
158
- signing_key:
159
- specification_version: 3
160
- summary: Normalizes Yara Signatures into a repeatable hash even when non-transforming changes are made
127
+ rubygems_version: 3.7.2
128
+ specification_version: 4
129
+ summary: Normalizes Yara signatures into a repeatable hash even when non-transforming
130
+ changes are made.
161
131
  test_files: []
162
-
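Review bot: `cert_chain: []` replaces the certificate 0.1.0 shipped with, and `metadata.gz.sig` and `data.tar.gz.sig` are deleted further down, so 0.4.0 is an unsigned release: installs under `gem install -P HighSecurity` (or a policy pinned to the old cert) will refuse it, and consumers lose any way to verify the publisher beyond the registry checksums. If signing was dropped because the old self-signed cert had expired — its validity window decoded from the base64 appears to be 2011-02-27 to 2012-02-27, i.e. already stale when 0.1.0 was dated 2012-10-29 — the fix is to regenerate the pair with `gem cert --build` and restore `signing_key` and `cert_chain` in the gemspec, which is not part of this package so cannot be checked here. `date: 1980-01-02` looks like a SOURCE_DATE_EPOCH reproducible-build timestamp rather than a real release date; fine if intentional, but worth confirming.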
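--- a/data/.document
+++ /dev/null
@@ -1,5 +0,0 @@
-lib/**/*.rb
-bin/*
--
-features/**/*.feature
-LICENSE.txt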
data/Gemfile DELETED
@@ -1,14 +0,0 @@
1
- source "http://rubygems.org"
2
- # Add dependencies required to use your gem here.
3
- # Example:
4
- # gem "activesupport", ">= 2.3.5"
5
-
6
- # Add dependencies to develop your gem here.
7
- # Include everything needed to run rake, tests, features, etc.
8
- group :development do
9
- gem "shoulda", ">= 0"
10
- gem "rdoc", "~> 3.12"
11
- gem "bundler", "~> 1.1.5"
12
- gem "jeweler", "~> 1.8.4"
13
- gem "rcov", ">= 0"
14
- end
data/Gemfile.lock DELETED
@@ -1,35 +0,0 @@
1
- GEM
2
- remote: http://rubygems.org/
3
- specs:
4
- activesupport (3.2.8)
5
- i18n (~> 0.6)
6
- multi_json (~> 1.0)
7
- git (1.2.5)
8
- i18n (0.6.0)
9
- jeweler (1.8.4)
10
- bundler (~> 1.0)
11
- git (>= 1.2.5)
12
- rake
13
- rdoc
14
- json (1.7.5)
15
- multi_json (1.3.6)
16
- rake (0.9.2.2)
17
- rcov (1.0.0)
18
- rdoc (3.12)
19
- json (~> 1.4)
20
- shoulda (3.1.1)
21
- shoulda-context (~> 1.0)
22
- shoulda-matchers (~> 1.2)
23
- shoulda-context (1.0.0)
24
- shoulda-matchers (1.2.0)
25
- activesupport (>= 3.0.0)
26
-
27
- PLATFORMS
28
- ruby
29
-
30
- DEPENDENCIES
31
- bundler (~> 1.1.5)
32
- jeweler (~> 1.8.4)
33
- rcov
34
- rdoc (~> 3.12)
35
- shoulda
data/Rakefile DELETED
@@ -1,54 +0,0 @@
1
- # encoding: utf-8
2
-
3
- require 'rubygems'
4
- require 'bundler'
5
- begin
6
- Bundler.setup(:default, :development)
7
- rescue Bundler::BundlerError => e
8
- $stderr.puts e.message
9
- $stderr.puts "Run `bundle install` to install missing gems"
10
- exit e.status_code
11
- end
12
- require 'rake'
13
-
14
- require 'jeweler'
15
- Jeweler::Tasks.new do |gem|
16
- # gem is a Gem::Specification... see http://docs.rubygems.org/read/chapter/20 for more options
17
- gem.name = "yara-normalize"
18
- gem.homepage = "http://github.com/chrislee35/yara-normalize"
19
- gem.license = "MIT"
20
- gem.summary = %Q{Normalizes Yara Signatures into a repeatable hash even when non-transforming changes are made}
21
- gem.description = %Q{To enable consistent comparisons between yara rules (signature), a uniform hashing standard was needed.}
22
- gem.email = "rubygems@chrislee.dhs.org"
23
- gem.authors = ["chrislee35"]
24
- gem.signing_key = "#{File.dirname(__FILE__)}/../gem-private_key.pem"
25
- gem.cert_chain = ["#{File.dirname(__FILE__)}/../gem-public_cert.pem"]
26
- end
27
- Jeweler::RubygemsDotOrgTasks.new
28
-
29
- require 'rake/testtask'
30
- Rake::TestTask.new(:test) do |test|
31
- test.libs << 'lib' << 'test'
32
- test.pattern = 'test/**/test_*.rb'
33
- test.verbose = true
34
- end
35
-
36
- require 'rcov/rcovtask'
37
- Rcov::RcovTask.new do |test|
38
- test.libs << 'test'
39
- test.pattern = 'test/**/test_*.rb'
40
- test.verbose = true
41
- test.rcov_opts << '--exclude "gems/*"'
42
- end
43
-
44
- task :default => :test
45
-
46
- require 'rdoc/task'
47
- Rake::RDocTask.new do |rdoc|
48
- version = File.exist?('VERSION') ? File.read('VERSION') : ""
49
-
50
- rdoc.rdoc_dir = 'rdoc'
51
- rdoc.title = "yara-normalize #{version}"
52
- rdoc.rdoc_files.include('README*')
53
- rdoc.rdoc_files.include('lib/**/*.rb')
54
- end
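--- a/data/VERSION
+++ /dev/null
@@ -1 +0,0 @@
-0.1.0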
data/ruby_results.txt DELETED
@@ -1,24 +0,0 @@
1
- CF_DOC_CVE_2012_1535_original yn01:06420b6c243181e8:a7e7b4fe3a { 45 78 61 6d 70 6c 65 0b 63 72 65 61 74 65 4c 69 6e 65 73 09 68 65 61 70 53 70 72 61 79 08 68 65 78 54 6f 42 69 6e 07 6d 78 2e 63 6f 72 65 0a 49 46 6c 65 78 41 73 73 65 74 09 46 6f 6e 74 41 73 73 65 74 0a 66 6c 61 73 68 2e 74 65 78 74 } /*Example.createLines.heapSpray.hexToBin.mx.core.IFlexAsset.FontAsset.flash.text*/%{ 4d 61 69 6e 2f 70 72 69 76 61 74 65 3a } /*Main/private:*/%{ 53 00 69 00 6d 00 53 00 75 00 6e 00 } /*S.i.m.S.u.n*/%{ 57 6f 72 64 2e 44 6f 63 75 6d 65 6e 74 2e 38 } /*Word.Document.8*/%{ 66 6c 61 73 68 2e 64 69 73 70 6c 61 79 06 53 70 72 69 74 65 06 4f 62 6a 65 63 74 0f 45 76 65 6e 74 44 69 73 70 61 74 63 68 65 72 0d 44 69 73 70 6c 61 79 4f 62 6a 65 63 74 } /*flash.display.Sprite.Object.EventDispatcher.DisplayObject*/%{ 68 69 6a 6b 6c 6d 6e 6f } /*hijklmno strings */
2
- CF_DOC_CVE_2012_1535_shellcode yn01:aed85d99267c6173:4be571de0b "9090909090E947010000C28F36D8A0DF16D5B5F0DE78D00589E91B28BF56BEF71ED697165FFAA1665256D0541988A5D913E98E3A172B9BB28253A2E362577E574F52444C2E746D7000"
3
- CVE_2012_1535_SWF yn01:d0b0e41fbb90ee63:0c2737ef53 "Edit the world in hex"%"FontAsset"%"PSpop"%"createTextLine"%"heapSpray"%"hexToBin"%{ 46 57 53 }
4
- cf_exe_dropper_sfx yn01:32c758a1635b4d6e:9534ef77f9 ";The comment below contains SFX script commands"%"Setup=" ascii wide%"Silent=1" ascii wide%"WinRAR" ascii wide
5
- cf_hlp_malicious_help_file yn01:22be215570105ad6:2edd241969 "CreateThread" nocase%/RR\(.KERNEL32.DLL.,/ nocase%{ 3f 5f 03 00 }%{ 4c 4e 02 00 }
6
- cf_html_IE8_CVE_2012_4969 yn01:18d1ab9564026f79:a7e7b4fe3a "YMjf\\u0c08\\u0c0cKDogjsiIejengNEkoPDjfiJDIWUAzdfghjAAuUFGGBSIPPPUDFJKSOQJGH"%"document.execCommand(\\"
7
- cf_ie_cve_2012_1526 yn01:791760cc1bb44202:fa3fd96df1 /\.getElements?By/ nocase%/\.removeChild\(/ nocase%/document\..*?= ?null/ nocase%/mailto\:.{2000,}/ nocase fullword
8
- CF_JAVA_system_cmds yn01:9369881e5d91ae88:23497b0a75 "/bin/sh"%"Math.random"%"chmod"%"cmd.exe"%"indexOf" //usually used to get result of $fingerprint2%/(os.name|java.io.tmpdir)/%/* Payload */%/* System commands */%/get(Property|env)/%{ ca fe ba be }
9
- CF_JAVA_network_connectivity yn01:7c4e5171925f60dc:4ffbde1efc "ServerSocket"%"URLConnection" //URL class can also be used to access files in the local file system%"getMbeanServer" //used with MarshallObject%"host"%"lport"%"openConnection"%/* Network indicators */%/get(Input|Output)Stream/%/socket(lhost, lport)/%{ ca fe ba be }
10
- CF_JAVA_changing_security yn01:cf8a3ae054b77a6d:f6b1a6926b %"AccessController.doPrivileged"%"AllPermission"%"PrivilegedActionException"%"ProtectionDomain"%"file://"%/* Modifying local security : a class that allows applications to implement a security policy */%/[sg]etSecurityManager/%{ ca fe ba be }
11
- CF_JAVA_execute_write yn01:47d6a8c1cd7ca988:595f5c08f4 %%%"ArrayOfByte"%"Exception.printStackTrace"%"FileOutputStream" /*contains a byte stream with the serialized representation of an object given to its constructor*/%"HexDecode"%"InputStream"%"MarshalledObject"%"ObjectInputStream"%"OutputStreamWriter"%"Runtime.getRuntime"%"StringtoBytes"%"exec"%"getResourceAsStream"%"toByteArray"%"writeObject"%/* Exploit */%/* Loader indicators */%/* Local execution */%/arrayOf(Byte|String)/%/l(port|host)/%{ ca fe ba be }
12
- CF_JAVA_possible_exploit yn01:b58561333df5354e:e51d8cdbd7 %"ByteArrayInputStream"%"Character.digit"%"ProtectionDomain"%"String.charAt"%"StringBuilder"%"arrayOfByte"%"localPermissions"%"printStackTrace"%{ ca fe ba be }
13
- CF_PDF_CVE_2007_5659 yn01:ada07a590bb9b5b8:a7e7b4fe3a { 25 50 44 46 2d }%{ 65 70 61 63 73 65 6e 75 }%{ 6e 6f 69 74 63 6e 75 66 }%{ 79 61 72 70 73 }%{ 79 61 72 72 41 }
14
- CF_PDF_obfuscated_alphabetic_char_blackhole yn01:78654b53f1b3a0d3:c453df481f "%PDF-"%/[a-zA-Z]&#10[0-9];/%/[a-zA-Z]&#11[0-9];/%/[a-zA-Z]&#12[012];/%/[a-zA-Z]&#9[789];/
15
- CF_PDF_suspicious_js yn01:360cd6b36773334c:e0bbde6bd2 "%PDF-"%/(\(|\[)(.{1,4}(,|-)){64}/
16
- CF_RTF_ACTOR_CVE_2012_0158_tnauthor_John_Doe yn01:e82aa6a75f86469c:78c8a3f51c { 07 74 6e 61 75 74 68 6f 72 20 4a 6f 68 6e 20 44 6f 65 7d } /* tnauthor John Doe}*/
17
- CF_RTF_CVE_2012_1856 yn01:0bffc7a0c3656c46:aea71fc2f5 "0CF11E0A1B" nocase%"4d53436f6d63746c4c69622e546162537472697" nocase%"9665fb1e7c85d111b16a00c0f0283628" nocase%"D0CF11E0A1B11AE1" nocase%"D\x0a0\x0aC\x0aF" nocase%"MSComctlLib.TabStrip"%"{\\rt"%"}0105000002000000"%/objdata[[:space:].]{1,20}01.{0,1}05.{0,1}00.{0,1}00.{0,1}02.{0,1}00.{0,1}00.{0,1}00/
18
- CF_RTF_CVE_2010_3333 yn01:5d18fb7b42dfd5c0:3873ea4382 "\\shp " nocase%"\\shp\\" nocase%"\\sp \\" nocase%"\\sp\\" nocase%"pFragments" nocase%"{\\rt" /* RTF specs */ nocase
19
- CF_RTF_CVE_2010_3333_rare_ge_type yn01:5bbb6168467e0386:3873ea4382 "\\shp " nocase%"\\shp\\" nocase%"\\sp \\" nocase%"\\sp\\" nocase%"pFragments" nocase%"{\\ge" /* RTF specs */ nocase
20
- CF_RTF_CVE_2012_0158_var1_objocx yn01:dd9b4fb8c95de7f6:c32f773f84 "\\object" nocase%"\\objemb" nocase%"\\objocx" nocase%"{\\rt" /* RTF specs */ nocase%{ d0 cf 11 e0 a1 b1 1a e1 }
21
- CF_RTF_CVE_2012_0158_var2_MSComctlLib yn01:cbf14eb4327aae3e:19df01f1b8 "4C697374566965774374726C" nocase%"4D53436F6D63746C4C69622E" nocase%"54726565566965774374726C" nocase
22
- CF_RTF_CVE_2012_0158_var3_fchars yn01:5a65c8be3acd5373:a7e7b4fe3a /(\\\'[a-f0-9]{2}){30}/%{ 5c 2a 5c 66 63 68 61 72 73 }%{ 7b 5c 72 74 }
23
- CF_XDP_embedded_PDF yn01:d3a748381610c2e1:bd721f6929 "%PDF"%"</pdf>"%"<chunk>"%"<pdf xmlns="%"JVBERi0"
24
- Count: 23, Duplicates: 0
data/test/helper.rb DELETED
@@ -1,18 +0,0 @@
1
- require 'rubygems'
2
- require 'bundler'
3
- begin
4
- Bundler.setup(:default, :development)
5
- rescue Bundler::BundlerError => e
6
- $stderr.puts e.message
7
- $stderr.puts "Run `bundle install` to install missing gems"
8
- exit e.status_code
9
- end
10
- require 'test/unit'
11
- require 'shoulda'
12
-
13
- $LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
14
- $LOAD_PATH.unshift(File.dirname(__FILE__))
15
- require 'yara-normalize'
16
-
17
- class Test::Unit::TestCase
18
- end
@@ -1,112 +0,0 @@
1
- require 'helper'
2
- require 'pp'
3
-
4
- class TestYaraNormalize < Test::Unit::TestCase
5
- should "normalize a simple signature" do
6
- sig =<<EOS
7
- rule newIE0daymshtmlExec
8
- {
9
- meta:
10
- author = "redacted @ gmail.com"
11
- ref = "http://blog.vulnhunt.com/index.php/2012/09/17/ie-execcommand-fuction-use-after-free-vulnerability-0day_en/"
12
- description = "Internet Explorer CMshtmlEd::Exec() 0day"
13
- cve = "CVE-2012-XXXX"
14
- version = "1"
15
- impact = 4
16
- hide = false
17
- strings:
18
- $mshtmlExec_1 = /document\.execCommand\(['"]selectAll['"]\)/ nocase fullword
19
- $mshtmlExec_2 = /YMjf\\u0c08\\u0c0cKDogjsiIejengNEkoPDjfiJDIWUAzdfghjAAuUFGGBSIPPPUDFJKSOQJGH/ nocase fullword
20
- $mshtmlExec_3 = /\<body\son(load|select)=['"]\w*?\(\)\;['"]\son(load|select)=['"]\w*?\(\)['"]/ nocase
21
- $mshtmlExec_4 = /var\s\w{1,}\s=\snew\sArray\(\)/ nocase
22
- $mshtmlExec_5 = /window\.document\.createElement\(['"]img['"]\)/ nocase
23
- $mshtmlExec_6 = /\w{1,}\[0\]\[['"]src['"]\]\s\=\s['"]\w{1,}['"]/ nocase
24
- $mshtmlExec_7 = /\<iframe\ssrc=['"].*?['"]/ nocase
25
- condition:
26
- ($mshtmlExec_1 and $mshtmlExec_2 and $mshtmlExec_3) or ($mshtmlExec_4 and $mshtmlExec_5 and ($mshtmlExec_6 or $mshtmlExec_7))
27
- }
28
- EOS
29
- yn = YaraTools::YaraRule.new(sig)
30
- assert_equal("yn01:3c0de1ad64681376:3ff75e9945", yn.hash)
31
- assert_equal("newIE0daymshtmlExec", yn.name)
32
- assert_equal("\"redacted @ gmail.com\"", yn.meta['author'])
33
- assert_equal(["$mshtmlExec_1 = /document.execCommand(['\"]selectAll['\"])/ nocase fullword",
34
- "$mshtmlExec_2 = /YMjf\\u0c08\\u0c0cKDogjsiIejengNEkoPDjfiJDIWUAzdfghjAAuUFGGBSIPPPUDFJKSOQJGH/ nocase fullword",
35
- "$mshtmlExec_3 = /<body on(load|select)=['\"]w*?();['\"] on(load|select)=['\"]w*?()['\"]/ nocase",
36
- "$mshtmlExec_4 = /var w{1,} = new Array()/ nocase",
37
- "$mshtmlExec_5 = /window.document.createElement(['\"]img['\"])/ nocase",
38
- "$mshtmlExec_6 = /w{1,}[0][['\"]src['\"]] = ['\"]w{1,}['\"]/ nocase",
39
- "$mshtmlExec_7 = /<iframe src=['\"].*?['\"]/ nocase"], yn.strings)
40
- assert_equal(
41
- ["($mshtmlExec_1 and $mshtmlExec_2 and $mshtmlExec_3) or ($mshtmlExec_4 and $mshtmlExec_5 and ($mshtmlExec_6 or $mshtmlExec_7))"],
42
- yn.condition
43
- )
44
- hash1 = yn.hash
45
- sig =<<EOS
46
- rule newIE0daymshtmlExec : tag1 tag2 tag3
47
- {
48
- meta:
49
- author = "redacted @ gmail.com"
50
- ref = "http://blog.vulnhunt.com/index.php/2012/09/17/ie-execcommand-fuction-use-after-free-vulnerability-0day_en/"
51
- description = "Internet Explorer CMshtmlEd::Exec() 0day"
52
- cve = "CVE-2012-XXXX"
53
- version = "1"
54
- impact = 4
55
- hide = false
56
- strings:
57
- $mshtmlExec_1 = /document\.execCommand\(['"]selectAll['"]\)/ nocase fullword
58
- $mshtmlExec_2 = /YMjf\\u0c08\\u0c0cKDogjsiIejengNEkoPDjfiJDIWUAzdfghjAAuUFGGBSIPPPUDFJKSOQJGH/ nocase fullword
59
- $mshtmlExec_3 = /\<body\son(load|select)=['"]\w*?\(\)\;['"]\son(load|select)=['"]\w*?\(\)['"]/ nocase
60
- $mshtmlExec_4 = /var\s\w{1,}\s=\snew\sArray\(\)/ nocase
61
- $mshtmlExec_5 = /window\.document\.createElement\(['"]img['"]\)/ nocase
62
- $mshtmlExec_6 = /\w{1,}\[0\]\[['"]src['"]\]\s\=\s['"]\w{1,}['"]/ nocase
63
- $mshtmlExec_7 = /\<iframe\ssrc=['"].*?['"]/ nocase
64
- condition:
65
- ($mshtmlExec_1 and $mshtmlExec_2 and $mshtmlExec_3) or ($mshtmlExec_4 and $mshtmlExec_5 and ($mshtmlExec_6 or $mshtmlExec_7))
66
- }
67
- EOS
68
- yn = YaraTools::YaraRule.new(sig)
69
- assert_equal(hash1, yn.hash)
70
- assert_equal("newIE0daymshtmlExec", yn.name)
71
- assert_equal(["tag1","tag2","tag3"], yn.tags)
72
- assert_equal("\"redacted @ gmail.com\"", yn.meta['author'])
73
- assert_equal(["$mshtmlExec_1 = /document.execCommand(['\"]selectAll['\"])/ nocase fullword",
74
- "$mshtmlExec_2 = /YMjf\\u0c08\\u0c0cKDogjsiIejengNEkoPDjfiJDIWUAzdfghjAAuUFGGBSIPPPUDFJKSOQJGH/ nocase fullword",
75
- "$mshtmlExec_3 = /<body on(load|select)=['\"]w*?();['\"] on(load|select)=['\"]w*?()['\"]/ nocase",
76
- "$mshtmlExec_4 = /var w{1,} = new Array()/ nocase",
77
- "$mshtmlExec_5 = /window.document.createElement(['\"]img['\"])/ nocase",
78
- "$mshtmlExec_6 = /w{1,}[0][['\"]src['\"]] = ['\"]w{1,}['\"]/ nocase",
79
- "$mshtmlExec_7 = /<iframe src=['\"].*?['\"]/ nocase"], yn.strings)
80
- assert_equal(
81
- ["($mshtmlExec_1 and $mshtmlExec_2 and $mshtmlExec_3) or ($mshtmlExec_4 and $mshtmlExec_5 and ($mshtmlExec_6 or $mshtmlExec_7))"],
82
- yn.condition
83
- )
84
- end
85
-
86
- should "normalize a simple signature that has a condition of 'any of them'" do
87
- sig =<<EOS
88
- rule DataConversion__wide : IntegerParsing DataConversion {
89
- meta:
90
- weight = 1
91
- strings:
92
- $ = "wtoi" nocase
93
- $ = "wtol" nocase
94
- $ = "wtof" nocase
95
- $ = "wtodb" nocase
96
- condition:
97
- any of them
98
- }
99
- EOS
100
- yn = YaraTools::YaraRule.new(sig)
101
- assert_equal("yn01:488085c947cb22ed:d936fceffe", yn.hash)
102
- assert_equal("1", yn.meta['weight'])
103
- assert_equal("DataConversion__wide", yn.name)
104
- assert_equal(["IntegerParsing", "DataConversion"], yn.tags)
105
- assert_equal(["$ = \"wtoi\" nocase",
106
- "$ = \"wtol\" nocase",
107
- "$ = \"wtof\" nocase",
108
- "$ = \"wtodb\" nocase"], yn.strings)
109
- assert_equal(["any of them"], yn.condition)
110
- end
111
- end
112
-
@@ -1,70 +0,0 @@
1
- # Generated by jeweler
2
- # DO NOT EDIT THIS FILE DIRECTLY
3
- # Instead, edit Jeweler::Tasks in Rakefile, and run 'rake gemspec'
4
- # -*- encoding: utf-8 -*-
5
-
6
- Gem::Specification.new do |s|
7
- s.name = %q{yara-normalize}
8
- s.version = "0.1.0"
9
-
10
- s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
11
- s.authors = ["chrislee35"]
12
- s.cert_chain = ["/Users/chris/Documents/projects/rubygems/yara-normalize/../gem-public_cert.pem"]
13
- s.date = %q{2012-10-29}
14
- s.default_executable = %q{yaratool}
15
- s.description = %q{To enable consistent comparisons between yara rules (signature), a uniform hashing standard was needed.}
16
- s.email = %q{rubygems@chrislee.dhs.org}
17
- s.executables = ["yaratool"]
18
- s.extra_rdoc_files = [
19
- "LICENSE.txt",
20
- "README.rdoc"
21
- ]
22
- s.files = [
23
- ".document",
24
- "Gemfile",
25
- "Gemfile.lock",
26
- "LICENSE.txt",
27
- "README.rdoc",
28
- "Rakefile",
29
- "VERSION",
30
- "bin/yaratool",
31
- "lib/yara-normalize.rb",
32
- "lib/yara-normalize/yara-normalize.rb",
33
- "ruby_results.txt",
34
- "test/helper.rb",
35
- "test/test_yara-normalize.rb",
36
- "yara-normalize.gemspec"
37
- ]
38
- s.homepage = %q{http://github.com/chrislee35/yara-normalize}
39
- s.licenses = ["MIT"]
40
- s.require_paths = ["lib"]
41
- s.rubygems_version = %q{1.3.6}
42
- s.signing_key = %q{/Users/chris/Documents/projects/rubygems/yara-normalize/../gem-private_key.pem}
43
- s.summary = %q{Normalizes Yara Signatures into a repeatable hash even when non-transforming changes are made}
44
-
45
- if s.respond_to? :specification_version then
46
- current_version = Gem::Specification::CURRENT_SPECIFICATION_VERSION
47
- s.specification_version = 3
48
-
49
- if Gem::Version.new(Gem::RubyGemsVersion) >= Gem::Version.new('1.2.0') then
50
- s.add_development_dependency(%q<shoulda>, [">= 0"])
51
- s.add_development_dependency(%q<rdoc>, ["~> 3.12"])
52
- s.add_development_dependency(%q<bundler>, ["~> 1.1.5"])
53
- s.add_development_dependency(%q<jeweler>, ["~> 1.8.4"])
54
- s.add_development_dependency(%q<rcov>, [">= 0"])
55
- else
56
- s.add_dependency(%q<shoulda>, [">= 0"])
57
- s.add_dependency(%q<rdoc>, ["~> 3.12"])
58
- s.add_dependency(%q<bundler>, ["~> 1.1.5"])
59
- s.add_dependency(%q<jeweler>, ["~> 1.8.4"])
60
- s.add_dependency(%q<rcov>, [">= 0"])
61
- end
62
- else
63
- s.add_dependency(%q<shoulda>, [">= 0"])
64
- s.add_dependency(%q<rdoc>, ["~> 3.12"])
65
- s.add_dependency(%q<bundler>, ["~> 1.1.5"])
66
- s.add_dependency(%q<jeweler>, ["~> 1.8.4"])
67
- s.add_dependency(%q<rcov>, [">= 0"])
68
- end
69
- end
70
-
data.tar.gz.sig DELETED
Binary file
metadata.gz.sig DELETED
@@ -1,3 +0,0 @@
1
- ����:V��Cm�A�X��2�!�X&�[���F�UY�,�W�lDG���)D�5����iM؃�x��ا�pm{PE��ftX(p>��p u���Q�}�}�
2
- �Jr8[�٠ ;�q̮zE��W�&@�K@�}�����ؐ�t��ӊ{D�osϷ>�:��D��f�>+�Y�ʾ.e�M~՝��+'���3� �6����Ł*�@�Xsp����?������3��5�m�c*�n޻�_��6�
3
- ι�c�"�f�7�4���.�.z��