An experimental script to perform bulk parsing of arbitrary file features with YARA and console logging.

Last update: Dec 13, 2022

Overview

RonnieColemanYARAParser

This script is named after Ronnie Coleman, and peforms bulk lifts on arbitary file features using YARA console logging.

Requirements

Fresh compile of YARA 4.2.0-rc1 (https://yara.readthedocs.io/en/stable/gettingstarted.html)
Bunch of python crap

Notes

This was really designed for me to bulk build an on-demand table for file features I wanted, and to see the values I specified using YARA's own technology. This allows me to quickly view, stack, organize the "surface area" of a file so I can turn around with the ones I want and create YARA rules. This is a terrible script and bad python, does basically no input checking and no error handling, so beware that it will get jacked up if you try to do crazy things.

Start with PE features, things from modules, and top-level (non array) things that are easily parsed out by YARA.
hash.md5 - this is the only hashing thing I included, it would probably be better not to do this at all, but c'est la vie
If something doesnt work because of your terminal or whatever, maybe try putting it in quotes so argparse can do its thing
Things I like: hash.md5, filesize, pe.timestamp pe.dll_name, pe.export_timestamp, pe.pdb_path, etc
Go shop around in the manual for more good ones (https://yara.readthedocs.io/en/stable/modules/pe.html)

Usage Examples

ronnie.py -t hash.md5 filesize pe.timestamp pe.dll_name  -p ~/yarafiddling/samps -s pe.dll_name

ronnie.py -t hash.md5 filesize pe.timestamp pe.entry_point --path ~/yarafiddling/samps

ronnie.py -t hash.md5 filesize pe.timestamp "uint16be(0)" --path ~/yarafiddling/samps --sort pe.timestamp

Full Output Example

CTO-MBP\steve >> % python3 ronnie.py -t hash.md5 "uint16be(60)" filesize pe.timestamp pe.dll_name  --path ~/yarafiddling/samps --sort pe.timestamp                   

[Bleep Blop Directory] Folder scanned: /Users/steve/yarafiddling/samps

[:great-job:] LIGHT WEIGHT! Heres the sorted table:

+----------------------------------+----------------+----------+----------------------------------+--------------------------+
| hash.md5                         | uint16be(60)   | filesize | pe.timestamp                     | pe.dll_name              |
+----------------------------------+----------------+----------+----------------------------------+--------------------------+
| 0d7cefb89b6d31ab784bd4e0b0f0eaad | 0x1700 (5888)  | 6427399  |                                  |                          |
| 3a5a7ced739923f929234beefcef82b5 | 0xe00 (3584)   | 10608640 |                                  |                          |
| 77c73b8b1846652307862dd66ec09ebf | 0xf800 (63488) | 509952   |                                  |                          |
| 5bd5605725ec34984efbe81f8d39507a | 0x1 (1)        | 102912   | 1999-10-21 00:49:30 (940481370)  |                          |
| 802a7c343f0d58052800dd64e0c911cf | 0xe800 (59392) | 36528    | 2011-01-13 12:33:11 (1294939991) |                          |
| 91456bf6edbf9a24a1423bcbd6c7a5fe | 0xe800 (59392) | 35014    | 2011-01-16 08:28:36 (1295184516) |                          |
| c2d07d954f6e6126a784e7770ad32643 | 0xf000 (61440) | 914600   | 2018-11-07 04:59:27 (1541584767) | QuickSearchFile.dll      |
| 3ecfc67294923acdf6bd018a73f6c590 | 0xe000 (57344) | 71168    | 2020-04-12 16:57:49 (1586725069) |                          |
| 837ed1ac9dbae2d8ec134c28481e4a10 | 0x8000 (32768) | 56320    | 2021-03-19 08:17:39 (1616156259) |                          |
| e9d7ea2dd867d6f6de4a69aead9312e9 | 0x801 (2049)   | 241664   | 2021-04-30 13:10:02 (1619802602) | codecpacks.webp.exe      |
| c6e1e2b2ed1c962e82239dfcd81999f7 | 0xf000 (61440) | 601088   | 2070-05-29 07:31:01 (3168588661) | EnterpriseAppMgmtSvc.dll |
| 2689c5357ddcc8434dd03d99a3341873 | 0xf000 (61440) | 474112   | 2086-08-04 04:03:21 (3679286601) | FfuProvider.DLL          |
+----------------------------------+----------------+----------+----------------------------------+--------------------------+

TO DO

Make it so you can see the file name of the matched file
Better error handling etc.

An experimental script to perform bulk parsing of arbitrary file features with YARA and console logging.

Related tags

Overview

RonnieColemanYARAParser

Requirements

Notes

Usage Examples

Full Output Example

TO DO

Owner

Steve

2022-bridge - Example code belonging to the Bridge pattern video

This repository detects a system vulnerable to CVE-2022-21907 and protects against this vulnerability if desired

test application for the licence key web app.

Generate malicious files using recently published bidi-attack (CVE-2021-42574)

Anti Supercookie - Confusing the ISP & Escaping the Supercookie

Some Attacks of Exchange SSRF ProxyLogon&ProxyShell

This python script will automate the testing for the Log4J vulnerability for HTTP and HTTPS connections.

Backdoor is a term that refers to the access of the software or hardware of a computer system without being detected.

Docker Compose based system for running remote browsers (including Flash and Java support) connected to web archives

This repo is about steps to create a effective custom wordlist in a few clicks/

一款Web在线自动免杀工具

Remote control your Greenbone Vulnerability Manager (GVM)

这次是可可萝病毒！

A web-app helping to create strong passwords that are easy to remember.

A tool to find good RCE From my series: A powerful Burp extension to make bounties rain

High level cheatsheet that was designed to make checks on the OSCP more manageable

Check for breached passwords with k-anonymity

MozDef: Mozilla Enterprise Defense Platform

Cryptick is a stock ticker for cryptocurrency tokens, and a physical NFT.

orfipy is a tool written in python/cython to extract ORFs in an extremely and fast and flexible manner