Add icons array to PE module #957
base: master
Conversation
Hey, great PR, we've found ourselves in the situation where we need exactly this. I just have one thing that could potentially be improved. What about storing parsed icons in We don't want to compute the hash if it's not used in the rules, but we also don't want to reparse resources each time the hash computation function is called. Having these icons parsed and stored in I know that asking someone else to do something because you need it is not nice, so we are also offering our help with providing you a patch that would do it. I would just like to ask you before we start with it, if you are willing to update your PR with the patch that would be provided. We would like to avoid creating another PR since you did most of the work yourself.
I'm merging this PR, but the So my question is, what's the primary use case for this feature? Is it searching for some pattern inside the icon data? Or is it searching for PE files that have a certain number of icons or icons with certain characteristics?
Hi @plusvic. From my experience the primary case is to match PE files that use the same icon, but this is already possible if we use the

```yara
import "pe"
import "hash"

rule malware {
    condition:
        hash.sha256(pe.resources[0].offset, pe.resources[0].length) == "587d7c591b7db831f378bf973c5f0e79f532c458e739ffd9e8d4d332c6007526"
}
```

We can also use a loop if we don't know the exact position of the icon.
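The loop variant mentioned in the comment above, written out as an added example (not a rule from the PR or the YARA project). It assumes the existing `pe` and `hash` modules only, not the new `icons` field, and the SHA-256 value is a placeholder to be replaced with the hash of the icon resource you want to match. Iterating over `pe.resources` and filtering on `pe.RESOURCE_TYPE_ICON` avoids hard-coding the resource index, which varies between builds of the same software:

```yara
import "pe"
import "hash"

rule pe_icon_resource_by_hash
{
    meta:
        description = "Added example: match a PE whose RT_ICON resource data has a known SHA-256, wherever it sits in the resource table"
    condition:
        pe.is_pe and
        // Walk every resource entry; only RT_ICON entries are hashed.
        // Note: RT_ICON data is the raw image (no ICONDIR header), so the
        // hash covers the icon bitmap bytes, not the .ico container.
        for any i in (0..pe.number_of_resources - 1) : (
            pe.resources[i].type == pe.RESOURCE_TYPE_ICON and
            // PLACEHOLDER_SHA256: replace with the hash of the reference icon resource
            hash.sha256(pe.resources[i].offset, pe.resources[i].length) ==
                "0000000000000000000000000000000000000000000000000000000000000000"
        )
}
```

Because the hash is computed over the resource's offset and length in the file, this is exact matching only: a recompressed or resized icon produces a different hash, which is the gap a dedicated `icons` array (and icon-specific hashing) is meant to close.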
@plusvic - by way of explanation... the rationale, since I happened to be the instigator of this patch at CB (though not the author). I am using yara as a metadata/feature extraction tool/library rather than as a detection engine. Yara rules provide a nice environment to detect and extract features of interest. In this case I'm seeking to build a data set of icons used by malware rather than directly detecting malware. Thus, the raw data field is important.
Add a new `icons` field to the PE module to retrieve "displayable" icons in the PE file for hashing, matching, or other analysis. Icons are included in this list if they are considered an 'application icon' by Windows Explorer (for example, when viewing the directory containing the file or displaying the file's properties page).

Also:

- `yr_object_print_data` function to properly escape output of arbitrary binary strings