Skip to main content

Making IDA ::1 Part One – YARA Signature Creation

August 20, 2012

During the course of a Malware Emergency Response, it is often necessary to create YARA signatures or byte signatures for other tools to help identify files similar to the initial malware executables discovered on hosts across the network. Open source tools such as YARA are routinely used on jobs when customers have a deficiency in commercial tools and response time is critical. Creating byte signatures usually involves targeting the code to write a signature for, manually creating the signature in a text editor and testing the signature against its intended targets for validation. Many times, variants of the same malware family will contain the same code structure, but will need to reference memory addresses in slightly different locations. A responder needs to wildcard the bytes in the signature corresponding to memory locations to account for these differences.

I am lazy, and response time is usually of the essence, so I decided to have IDA do a lot of the work I’ve done manually in the past. I’ve created a Python script that, when run from IDA with a selection, will produce output readily usable in tools using byte strings as signatures.

Using a section of code like the code in Figure 1, the script will produce the output listed in Figure 2 below:

Making IDA Part 1

Code targeted for signature creation

[SIGNATURE FOR ctfmon.dll] LENGTH: 0x85 RANGE: 0x1000e184-0x1000e209 DISASSEMBLY: push [ebp+hMem] ; hMem call ____?LocalFreeWrapper mov edi, offset oPasswordList; "123456" mov [ebp+hObject], 0 lea eax, [ebp+hObject] push eax push 0 push 2 push edi push 0 push dword ptr [ebx+4] call LogonUserA or eax, eax jz loc_1000E25D mov [ebp+var_28], 20h mov [ebp+var_24], 1 push dword ptr [ebx+4] pop [ebp+var_20] push dword ptr [ebx+8] pop [ebp+var_1C] mov [ebp+var_18], 0 mov [ebp+var_14], 0 mov [ebp+var_10], 0 mov [ebp+var_C], 0 lea eax, [ebp+var_28] push eax push [ebp+hObject] call LoadUserProfileA or eax, eax jz short loc_1000E212 cmp [ebp+var_C], 0 jz short loc_1000E209 push [ebp+var_C] pop hKey BYTES: ff 75 f8 e8 a1 36 ff ff bf 00 20 01 10 c7 45 fc 00 00 00 00 8d 45 fc 50 6a 00 6a 02 57 6a 00 ff 73 04 ff 15 b9 48 01 10 0b c0 0f 84 a9 00 00 00 c7 45 d8 20 00 00 00 c7 45 dc 01 00 00 00 ff 73 04 8f 45 e0 ff 73 08 8f 45 e4 c7 45 e8 00 00 00 00 c7 45 ec 00 00 00 00 c7 45 f0 00 00 00 00 c7 45 f4 00 00 00 00 8d 45 d8 50 ff 75 fc e8 0e 04 00 00 0b c0 74 18 83 7d f4 00 74 09 ff 75 f4 8f 05 bb 43 01 10 BYTES PER LINE: ff 75 f8 e8 a1 36 ff ff bf 00 20 01 10 c7 45 fc 00 00 00 00 8d 45 fc 50 6a 00 6a 02 57 6a 00 ff 73 04 ff 15 b9 48 01 10 0b c0 0f 84 a9 00 00 00 c7 45 d8 20 00 00 00 c7 45 dc 01 00 00 00 ff 73 04 8f 45 e0 ff 73 08 8f 45 e4 c7 45 e8 00 00 00 00 c7 45 ec 00 00 00 00 c7 45 f0 00 00 00 00 c7 45 f4 00 00 00 00 8d 45 d8 50 ff 75 fc e8 0e 04 00 00 0b c0 74 18 83 7d f4 00 74 09 ff 75 f4 8f 05 bb 43 01 10 WILD CARDED MEMORY BYTES: ff 75 f8 e8 a1 36 ff ff bf 00 20 01 10 c7 45 fc 00 00 00 00 8d 45 fc 50 6a 00 6a 02 57 6a 00 ff 73 04 ff ?? ?? ?? ?? ?? 0b c0 0f 84 a9 00 00 00 c7 45 d8 20 00 00 00 c7 45 dc 01 00 00 00 ff 73 04 8f 45 e0 ff 73 08 8f 45 e4 c7 45 e8 00 00 00 00 c7 45 ec 00 00 00 00 c7 45 f0 00 00 00 00 c7 45 f4 00 00 00 00 8d 45 d8 50 ff 75 fc e8 0e 04 00 00 0b c0 74 18 83 7d f4 00 74 09 ff 75 f4 8f ?? ?? ?? ?? ?? YARA SIGNATURE: rule Sig { strings: $hex_string = { ff 75 f8 e8 a1 36 ff ff bf 00 20 01 10 c7 45 fc 00 00 00 00 8d 45 fc 50 6a 00 6a 02 57 6a 00 ff 73 04 ff ?? ?? ?? ?? ?? 0b c0 0f 84 a9 00 00 00 c7 45 d8 20 00 00 00 c7 45 dc 01 00 00 00 ff 73 04 8f 45 e0 ff 73 08 8f 45 e4 c7 45 e8 00 00 00 00 c7 45 ec 00 00 00 00 c7 45 f0 00 00 00 00 c7 45 f4 00 00 00 00 8d 45 d8 50 ff 75 fc e8 0e 04 00 00 0b c0 74 18 83 7d f4 00 74 09 ff 75 f4 8f ?? ?? ?? ?? ??} condition: $hex_string }

CreateYaraSignature Output

Modifying the appropriate value in __CONFIG of the SignatureCreator class will disable any given section of the output and, optionally, the script can be configured to prompt for a file for saving the signature. The file-prompting feature requires PySide to be installed. PySide is available from Hex-Rays site at http://www.hex-rays.com/products/ida/support/download.shtml. Wild-carding is rudimentary and relies on the o_* operand type constants provided by idc.py:

o_void = idaapi.o_void # No Operand ---------- o_reg = idaapi.o_reg # General Register (al,ax,es,ds...) reg o_mem = idaapi.o_mem # Direct Memory Reference (DATA) addr o_phrase = idaapi.o_phrase # Memory Ref [Base Reg + Index Reg] phrase o_displ = idaapi.o_displ # Memory Reg [Base Reg + Index Reg + Displacement] phrase+addr o_imm = idaapi.o_imm # Immediate Value value o_far = idaapi.o_far # Immediate Far Address (CODE) addr o_near = idaapi.o_near # Immediate Near Address (CODE) addr o_idpspec0 = idaapi.o_idpspec0 # IDP specific type o_idpspec1 = idaapi.o_idpspec1 # IDP specific type o_idpspec2 = idaapi.o_idpspec2 # IDP specific type o_idpspec3 = idaapi.o_idpspec3 # IDP specific type o_idpspec4 = idaapi.o_idpspec4 # IDP specific type o_idpspec5 = idaapi.o_idpspec5 # IDP specific type o_last = idaapi.o_last # first unused type

o_* constants in idc.py

Inclusion of any of the types in the __CONFIG of SignatureCreator, 'OP_TYPES_TO_WILDCARD' : [o_mem,o_phrase, o_displ,o_far,o_near], will wildcard any bytes after the initial byte of the disassembled line.

The video, embedded below, demonstrates creating and testing a YARA signature on a password stealer.

 

Happy hunting! I hope this script will help make your IDA environment a little more like home. If you have any questions, rants, fixes, etc. please send them my way.

% case b

Security Tools:

text-plain CreateYaraSignature.py.txt


    Case Barnes

By: Case Barnes

Practice Manager, Enterprise Incident Management and Response

See More

Related Blogs

December 23, 2014

Diversionary Tactics 101

When organizations are hacked or infected with malware, an important question they ask themselves is, “Who is attacking us?” Understanding an attacker...

See Details

November 04, 2014

Improving Reliability of Sandbox Results

Cuckoo Sandbox is an increasingly popular system for automated malware analysis. Beginning in 2010 as a Google Summer of Code project, it has quickly ...

See Details

October 31, 2014

Decoding IBM WebShere Portlet URLs

Portlet based web applications built with the IBM Web Experience Factory, previously known as the WebSphere Portlet Factory, produce long URL's contai...

See Details

How Can We Help?

Let us know what you need, and we will have an Optiv professional contact you shortly.


Privacy Policy

Stay in the Know

For all the latest cybersecurity and Optiv news, subscribe to our blog and connect with us on Social.

Subscribe

Join our Email List

We take your privacy seriously and promise never to share your email with anyone.

Stay Connected

Find cyber security Events in your area.