yara 1.5.0 → 1.6.0
Sign up to get free protection for your applications and to get access to all the features.
- data/History.txt +6 -1
- data/VERSION +1 -1
- data/ext/yara_native/Match.c +3 -0
- data/ext/yara_native/Match.h +1 -1
- data/samples/flashfinder +70 -0
- metadata +11 -19
data/History.txt
CHANGED
|
@@ -1,7 +1,12 @@
|
|
|
1
|
+
== 1.6.0 /2011-08-26
|
|
2
|
+
* Version 1.6.0 supports yara 1.6 - (backward compatible with yara v1.5)
|
|
3
|
+
* Note: Nothing actually changed in the API for yara 1.6, we are just keeping
|
|
4
|
+
step with yara's version numbers.
|
|
5
|
+
|
|
1
6
|
== 1.5.0 /2011-04-18
|
|
2
7
|
* Version 1.5.0 supports yara 1.5 - it is not backward compatible
|
|
3
8
|
|
|
4
|
-
== 1.4.
|
|
9
|
+
== 1.4.4 / 2011-04-11
|
|
5
10
|
* Support optional namespaces when calling compile_file or compile_string
|
|
6
11
|
* Better yardoc tags
|
|
7
12
|
|
data/VERSION
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
1.
|
|
1
|
+
1.6.0
|
data/ext/yara_native/Match.c
CHANGED
data/ext/yara_native/Match.h
CHANGED
data/samples/flashfinder
ADDED
|
@@ -0,0 +1,70 @@
|
|
|
1
|
+
#!/usr/bin/env ruby
|
|
2
|
+
# Simple yara-ruby script to extract SWF files from raw blobs
|
|
3
|
+
#
|
|
4
|
+
# yara-ruby - Ruby bindings for the yara malware analysis library.
|
|
5
|
+
# Eric Monti
|
|
6
|
+
# Copyright (C) 2011 Trustwave Holdings
|
|
7
|
+
#
|
|
8
|
+
# This program is free software: you can redistribute it and/or modify it
|
|
9
|
+
# under the terms of the GNU General Public License as published by the
|
|
10
|
+
# Free Software Foundation, either version 3 of the License, or (at your
|
|
11
|
+
# option) any later version.
|
|
12
|
+
#
|
|
13
|
+
# This program is distributed in the hope that it will be useful, but
|
|
14
|
+
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
|
15
|
+
# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
|
16
|
+
# for more details.
|
|
17
|
+
#
|
|
18
|
+
# You should have received a copy of the GNU General Public License along
|
|
19
|
+
# with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
20
|
+
#
|
|
21
|
+
$: << File.join(File.dirname(__FILE__), '..', 'lib')
|
|
22
|
+
require 'yara'
|
|
23
|
+
require 'pp'
|
|
24
|
+
|
|
25
|
+
ctx = Yara::Rules.new
|
|
26
|
+
ctx.compile_string <<_EOF_
|
|
27
|
+
rule fws
|
|
28
|
+
{
|
|
29
|
+
meta:
|
|
30
|
+
desc = "SWF file"
|
|
31
|
+
ext = "swf"
|
|
32
|
+
strings: $a = { 46 57 53 }
|
|
33
|
+
condition: $a
|
|
34
|
+
}
|
|
35
|
+
|
|
36
|
+
rule cws
|
|
37
|
+
{
|
|
38
|
+
meta:
|
|
39
|
+
desc = "Compressed SWF file"
|
|
40
|
+
ext = "swf"
|
|
41
|
+
strings: $a = { 43 57 53 }
|
|
42
|
+
condition: $a
|
|
43
|
+
}
|
|
44
|
+
|
|
45
|
+
_EOF_
|
|
46
|
+
|
|
47
|
+
|
|
48
|
+
ARGV.each do |fname|
|
|
49
|
+
begin
|
|
50
|
+
file = File.new(fname, 'rb')
|
|
51
|
+
ctx.scan_file(fname).each do |match|
|
|
52
|
+
match.strings.each do |string|
|
|
53
|
+
file.pos = string.offset
|
|
54
|
+
hdr = file.read(8)
|
|
55
|
+
|
|
56
|
+
magic, vers, len = hdr.unpack("A3CV")
|
|
57
|
+
|
|
58
|
+
outf = "#{fname}_%0.8x.#{match.meta['ext']}" % string.offset
|
|
59
|
+
STDERR.puts "Found #{match.meta['desc']} version #{vers} in #{fname.inspect} @0x#{string.offset.to_s(16)} - writing to #{outf.inspect}"
|
|
60
|
+
|
|
61
|
+
File.open(outf, 'wb') do |out|
|
|
62
|
+
out.write hdr
|
|
63
|
+
out.write file.read(len-8)
|
|
64
|
+
end
|
|
65
|
+
end
|
|
66
|
+
end
|
|
67
|
+
ensure
|
|
68
|
+
file.close if file
|
|
69
|
+
end
|
|
70
|
+
end
|
metadata
CHANGED
|
@@ -4,9 +4,9 @@ version: !ruby/object:Gem::Version
|
|
|
4
4
|
prerelease: false
|
|
5
5
|
segments:
|
|
6
6
|
- 1
|
|
7
|
-
-
|
|
7
|
+
- 6
|
|
8
8
|
- 0
|
|
9
|
-
version: 1.
|
|
9
|
+
version: 1.6.0
|
|
10
10
|
platform: ruby
|
|
11
11
|
authors:
|
|
12
12
|
- Eric Monti
|
|
@@ -14,13 +14,13 @@ autorequire:
|
|
|
14
14
|
bindir: bin
|
|
15
15
|
cert_chain: []
|
|
16
16
|
|
|
17
|
-
date: 2011-
|
|
17
|
+
date: 2011-08-26 00:00:00 -05:00
|
|
18
18
|
default_executable:
|
|
19
19
|
dependencies:
|
|
20
20
|
- !ruby/object:Gem::Dependency
|
|
21
21
|
name: rspec
|
|
22
|
+
prerelease: false
|
|
22
23
|
requirement: &id001 !ruby/object:Gem::Requirement
|
|
23
|
-
none: false
|
|
24
24
|
requirements:
|
|
25
25
|
- - ~>
|
|
26
26
|
- !ruby/object:Gem::Version
|
|
@@ -30,12 +30,11 @@ dependencies:
|
|
|
30
30
|
- 0
|
|
31
31
|
version: 2.3.0
|
|
32
32
|
type: :development
|
|
33
|
-
prerelease: false
|
|
34
33
|
version_requirements: *id001
|
|
35
34
|
- !ruby/object:Gem::Dependency
|
|
36
35
|
name: yard
|
|
36
|
+
prerelease: false
|
|
37
37
|
requirement: &id002 !ruby/object:Gem::Requirement
|
|
38
|
-
none: false
|
|
39
38
|
requirements:
|
|
40
39
|
- - ~>
|
|
41
40
|
- !ruby/object:Gem::Version
|
|
@@ -45,12 +44,11 @@ dependencies:
|
|
|
45
44
|
- 0
|
|
46
45
|
version: 0.6.0
|
|
47
46
|
type: :development
|
|
48
|
-
prerelease: false
|
|
49
47
|
version_requirements: *id002
|
|
50
48
|
- !ruby/object:Gem::Dependency
|
|
51
49
|
name: bundler
|
|
50
|
+
prerelease: false
|
|
52
51
|
requirement: &id003 !ruby/object:Gem::Requirement
|
|
53
|
-
none: false
|
|
54
52
|
requirements:
|
|
55
53
|
- - ~>
|
|
56
54
|
- !ruby/object:Gem::Version
|
|
@@ -60,12 +58,11 @@ dependencies:
|
|
|
60
58
|
- 0
|
|
61
59
|
version: 1.0.0
|
|
62
60
|
type: :development
|
|
63
|
-
prerelease: false
|
|
64
61
|
version_requirements: *id003
|
|
65
62
|
- !ruby/object:Gem::Dependency
|
|
66
63
|
name: jeweler
|
|
64
|
+
prerelease: false
|
|
67
65
|
requirement: &id004 !ruby/object:Gem::Requirement
|
|
68
|
-
none: false
|
|
69
66
|
requirements:
|
|
70
67
|
- - ~>
|
|
71
68
|
- !ruby/object:Gem::Version
|
|
@@ -75,12 +72,11 @@ dependencies:
|
|
|
75
72
|
- 2
|
|
76
73
|
version: 1.5.2
|
|
77
74
|
type: :development
|
|
78
|
-
prerelease: false
|
|
79
75
|
version_requirements: *id004
|
|
80
76
|
- !ruby/object:Gem::Dependency
|
|
81
77
|
name: rcov
|
|
78
|
+
prerelease: false
|
|
82
79
|
requirement: &id005 !ruby/object:Gem::Requirement
|
|
83
|
-
none: false
|
|
84
80
|
requirements:
|
|
85
81
|
- - ">="
|
|
86
82
|
- !ruby/object:Gem::Version
|
|
@@ -88,12 +84,11 @@ dependencies:
|
|
|
88
84
|
- 0
|
|
89
85
|
version: "0"
|
|
90
86
|
type: :development
|
|
91
|
-
prerelease: false
|
|
92
87
|
version_requirements: *id005
|
|
93
88
|
- !ruby/object:Gem::Dependency
|
|
94
89
|
name: rake-compiler
|
|
90
|
+
prerelease: false
|
|
95
91
|
requirement: &id006 !ruby/object:Gem::Requirement
|
|
96
|
-
none: false
|
|
97
92
|
requirements:
|
|
98
93
|
- - ">="
|
|
99
94
|
- !ruby/object:Gem::Version
|
|
@@ -101,7 +96,6 @@ dependencies:
|
|
|
101
96
|
- 0
|
|
102
97
|
version: "0"
|
|
103
98
|
type: :development
|
|
104
|
-
prerelease: false
|
|
105
99
|
version_requirements: *id006
|
|
106
100
|
description: Ruby bindings for the yara malware analysis library
|
|
107
101
|
email: emonti@trustwave.com
|
|
@@ -132,6 +126,7 @@ files:
|
|
|
132
126
|
- ext/yara_native/Yara_native.h
|
|
133
127
|
- ext/yara_native/extconf.rb
|
|
134
128
|
- lib/yara.rb
|
|
129
|
+
- samples/flashfinder
|
|
135
130
|
- samples/ispe.rb
|
|
136
131
|
- samples/sslkeyfinder
|
|
137
132
|
- samples/upx.rb
|
|
@@ -151,16 +146,13 @@ rdoc_options: []
|
|
|
151
146
|
require_paths:
|
|
152
147
|
- lib
|
|
153
148
|
required_ruby_version: !ruby/object:Gem::Requirement
|
|
154
|
-
none: false
|
|
155
149
|
requirements:
|
|
156
150
|
- - ">="
|
|
157
151
|
- !ruby/object:Gem::Version
|
|
158
|
-
hash: -9224945978915744
|
|
159
152
|
segments:
|
|
160
153
|
- 0
|
|
161
154
|
version: "0"
|
|
162
155
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
163
|
-
none: false
|
|
164
156
|
requirements:
|
|
165
157
|
- - ">="
|
|
166
158
|
- !ruby/object:Gem::Version
|
|
@@ -170,7 +162,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
170
162
|
requirements: []
|
|
171
163
|
|
|
172
164
|
rubyforge_project:
|
|
173
|
-
rubygems_version: 1.3.
|
|
165
|
+
rubygems_version: 1.3.6
|
|
174
166
|
signing_key:
|
|
175
167
|
specification_version: 3
|
|
176
168
|
summary: Ruby bindings for libyara
|