An experimental script to perform bulk parsing of arbitrary file features with YARA and console logging.

Last update: Dec 13, 2022

Overview

RonnieColemanYARAParser

This script is named after Ronnie Coleman, and peforms bulk lifts on arbitary file features using YARA console logging.

Requirements

Fresh compile of YARA 4.2.0-rc1 (https://yara.readthedocs.io/en/stable/gettingstarted.html)
Bunch of python crap

Notes

This was really designed for me to bulk build an on-demand table for file features I wanted, and to see the values I specified using YARA's own technology. This allows me to quickly view, stack, organize the "surface area" of a file so I can turn around with the ones I want and create YARA rules. This is a terrible script and bad python, does basically no input checking and no error handling, so beware that it will get jacked up if you try to do crazy things.

Start with PE features, things from modules, and top-level (non array) things that are easily parsed out by YARA.
hash.md5 - this is the only hashing thing I included, it would probably be better not to do this at all, but c'est la vie
If something doesnt work because of your terminal or whatever, maybe try putting it in quotes so argparse can do its thing
Things I like: hash.md5, filesize, pe.timestamp pe.dll_name, pe.export_timestamp, pe.pdb_path, etc
Go shop around in the manual for more good ones (https://yara.readthedocs.io/en/stable/modules/pe.html)

Usage Examples

ronnie.py -t hash.md5 filesize pe.timestamp pe.dll_name  -p ~/yarafiddling/samps -s pe.dll_name

ronnie.py -t hash.md5 filesize pe.timestamp pe.entry_point --path ~/yarafiddling/samps

ronnie.py -t hash.md5 filesize pe.timestamp "uint16be(0)" --path ~/yarafiddling/samps --sort pe.timestamp

Full Output Example

CTO-MBP\steve >> % python3 ronnie.py -t hash.md5 "uint16be(60)" filesize pe.timestamp pe.dll_name  --path ~/yarafiddling/samps --sort pe.timestamp                   

[Bleep Blop Directory] Folder scanned: /Users/steve/yarafiddling/samps

[:great-job:] LIGHT WEIGHT! Heres the sorted table:

+----------------------------------+----------------+----------+----------------------------------+--------------------------+
| hash.md5                         | uint16be(60)   | filesize | pe.timestamp                     | pe.dll_name              |
+----------------------------------+----------------+----------+----------------------------------+--------------------------+
| 0d7cefb89b6d31ab784bd4e0b0f0eaad | 0x1700 (5888)  | 6427399  |                                  |                          |
| 3a5a7ced739923f929234beefcef82b5 | 0xe00 (3584)   | 10608640 |                                  |                          |
| 77c73b8b1846652307862dd66ec09ebf | 0xf800 (63488) | 509952   |                                  |                          |
| 5bd5605725ec34984efbe81f8d39507a | 0x1 (1)        | 102912   | 1999-10-21 00:49:30 (940481370)  |                          |
| 802a7c343f0d58052800dd64e0c911cf | 0xe800 (59392) | 36528    | 2011-01-13 12:33:11 (1294939991) |                          |
| 91456bf6edbf9a24a1423bcbd6c7a5fe | 0xe800 (59392) | 35014    | 2011-01-16 08:28:36 (1295184516) |                          |
| c2d07d954f6e6126a784e7770ad32643 | 0xf000 (61440) | 914600   | 2018-11-07 04:59:27 (1541584767) | QuickSearchFile.dll      |
| 3ecfc67294923acdf6bd018a73f6c590 | 0xe000 (57344) | 71168    | 2020-04-12 16:57:49 (1586725069) |                          |
| 837ed1ac9dbae2d8ec134c28481e4a10 | 0x8000 (32768) | 56320    | 2021-03-19 08:17:39 (1616156259) |                          |
| e9d7ea2dd867d6f6de4a69aead9312e9 | 0x801 (2049)   | 241664   | 2021-04-30 13:10:02 (1619802602) | codecpacks.webp.exe      |
| c6e1e2b2ed1c962e82239dfcd81999f7 | 0xf000 (61440) | 601088   | 2070-05-29 07:31:01 (3168588661) | EnterpriseAppMgmtSvc.dll |
| 2689c5357ddcc8434dd03d99a3341873 | 0xf000 (61440) | 474112   | 2086-08-04 04:03:21 (3679286601) | FfuProvider.DLL          |
+----------------------------------+----------------+----------+----------------------------------+--------------------------+

TO DO

Make it so you can see the file name of the matched file
Better error handling etc.

An experimental script to perform bulk parsing of arbitrary file features with YARA and console logging.

Related tags

Overview

RonnieColemanYARAParser

Requirements

Notes

Usage Examples

Full Output Example

TO DO

Owner

Steve

To explore creating an application that detects available connections at once from wifi and bluetooth

Python implementation for PrintNightmare (CVE-2021-1675 / CVE-2021-34527) using standard Impacket.

STATS305C: Applied Statistics III (Spring, 2022)

Security offerings for AWS Control Tower

A deobfuscator for multiple python obfuscators

Tools Crack Fb Terbaru

PoC encrypted diary in Python 3

TCP/UDP port scanner on python, usong scapy and multiprocessin

zip-brute Zip File Password Cracking with Using Password List

A Radare2 based Python module for Binary Analysis and Reverse Engineering.

IDA scripts for hypervisor (Hyper-v) analysis and reverse engineering automation

Zero-attacker is an multipurpose hacking tool with over 12 tools

domato but as a website

Obfuscate your Python scripts better, faster.

IDA Pro Python plugin to analyze and annotate Linux kernel alternatives

CC CAMERA HACKING TOOL

Whois-Python - Get Whois Domain with Python GUI

The disassembler parses evm bytecode from the command line or from a file.

This collection of tools that makes it easy to secure and/or obfuscate messages, files, and data.

Lite - Lite cracker tool for python