RonnieColemanYARAParser
This script is named after Ronnie Coleman, and peforms bulk lifts on arbitary file features using YARA console logging.
Requirements
- Fresh compile of YARA 4.2.0-rc1 (https://yara.readthedocs.io/en/stable/gettingstarted.html)
- Bunch of python crap
Notes
This was really designed for me to bulk build an on-demand table for file features I wanted, and to see the values I specified using YARA's own technology. This allows me to quickly view, stack, organize the "surface area" of a file so I can turn around with the ones I want and create YARA rules. This is a terrible script and bad python, does basically no input checking and no error handling, so beware that it will get jacked up if you try to do crazy things.
- Start with PE features, things from modules, and top-level (non array) things that are easily parsed out by YARA.
- hash.md5 - this is the only hashing thing I included, it would probably be better not to do this at all, but c'est la vie
- If something doesnt work because of your terminal or whatever, maybe try putting it in quotes so argparse can do its thing
- Things I like: hash.md5, filesize, pe.timestamp pe.dll_name, pe.export_timestamp, pe.pdb_path, etc
- Go shop around in the manual for more good ones (https://yara.readthedocs.io/en/stable/modules/pe.html)
Usage Examples
ronnie.py -t hash.md5 filesize pe.timestamp pe.dll_name -p ~/yarafiddling/samps -s pe.dll_name
ronnie.py -t hash.md5 filesize pe.timestamp pe.entry_point --path ~/yarafiddling/samps
ronnie.py -t hash.md5 filesize pe.timestamp "uint16be(0)" --path ~/yarafiddling/samps --sort pe.timestamp
Full Output Example
CTO-MBP\steve >> % python3 ronnie.py -t hash.md5 "uint16be(60)" filesize pe.timestamp pe.dll_name --path ~/yarafiddling/samps --sort pe.timestamp
[Bleep Blop Directory] Folder scanned: /Users/steve/yarafiddling/samps
[:great-job:] LIGHT WEIGHT! Heres the sorted table:
+----------------------------------+----------------+----------+----------------------------------+--------------------------+
| hash.md5 | uint16be(60) | filesize | pe.timestamp | pe.dll_name |
+----------------------------------+----------------+----------+----------------------------------+--------------------------+
| 0d7cefb89b6d31ab784bd4e0b0f0eaad | 0x1700 (5888) | 6427399 | | |
| 3a5a7ced739923f929234beefcef82b5 | 0xe00 (3584) | 10608640 | | |
| 77c73b8b1846652307862dd66ec09ebf | 0xf800 (63488) | 509952 | | |
| 5bd5605725ec34984efbe81f8d39507a | 0x1 (1) | 102912 | 1999-10-21 00:49:30 (940481370) | |
| 802a7c343f0d58052800dd64e0c911cf | 0xe800 (59392) | 36528 | 2011-01-13 12:33:11 (1294939991) | |
| 91456bf6edbf9a24a1423bcbd6c7a5fe | 0xe800 (59392) | 35014 | 2011-01-16 08:28:36 (1295184516) | |
| c2d07d954f6e6126a784e7770ad32643 | 0xf000 (61440) | 914600 | 2018-11-07 04:59:27 (1541584767) | QuickSearchFile.dll |
| 3ecfc67294923acdf6bd018a73f6c590 | 0xe000 (57344) | 71168 | 2020-04-12 16:57:49 (1586725069) | |
| 837ed1ac9dbae2d8ec134c28481e4a10 | 0x8000 (32768) | 56320 | 2021-03-19 08:17:39 (1616156259) | |
| e9d7ea2dd867d6f6de4a69aead9312e9 | 0x801 (2049) | 241664 | 2021-04-30 13:10:02 (1619802602) | codecpacks.webp.exe |
| c6e1e2b2ed1c962e82239dfcd81999f7 | 0xf000 (61440) | 601088 | 2070-05-29 07:31:01 (3168588661) | EnterpriseAppMgmtSvc.dll |
| 2689c5357ddcc8434dd03d99a3341873 | 0xf000 (61440) | 474112 | 2086-08-04 04:03:21 (3679286601) | FfuProvider.DLL |
+----------------------------------+----------------+----------+----------------------------------+--------------------------+
TO DO
- Make it so you can see the file name of the matched file
- Better error handling etc.
2 Oct 27, 2022
130 Dec 15, 2022
129 Dec 21, 2022
0 Nov 06, 2021
1 Feb 14, 2022
589 Dec 30, 2022
259 Dec 31, 2022
87 Dec 29, 2021
2 Jun 19, 2022
5 Aug 15, 2022
14 Nov 11, 2022
9 May 01, 2022
633 Dec 30, 2022
5 Mar 21, 2022
73 Jan 01, 2023
153 Dec 20, 2022
1 Jan 06, 2022
112 Dec 01, 2022
19 Nov 18, 2022
4 Nov 06, 2021