Making IDA ::1 Part One – YARA Signature Creation

Making IDA ::1 Part One – YARA Signature Creation

During the course of a Malware Emergency Response, it is often necessary to create YARA signatures or byte signatures for other tools to help identify files similar to the initial malware executables discovered on hosts across the network. Open source tools such as YARA are routinely used on jobs when customers have a deficiency in commercial tools and response time is critical. Creating byte signatures usually involves targeting the code to write a signature for, manually creating the signature in a text editor and testing the signature against its intended targets for validation. Many times, variants of the same malware family will contain the same code structure, but will need to reference memory addresses in slightly different locations. A responder needs to wildcard the bytes in the signature corresponding to memory locations to account for these differences.

 

I am lazy, and response time is usually of the essence, so I decided to have IDA do a lot of the work I’ve done manually in the past. I’ve created a Python script that, when run from IDA with a selection, will produce output readily usable in tools using byte strings as signatures.

 

Using a section of code like the code in Figure 1, the script will produce the output listed in Figure 2 below:

 

Making IDA Part 1

 

Code targeted for signature creation

 

[SIGNATURE FOR ctfmon.dll] LENGTH: 0x85 RANGE: 0x1000e184-0x1000e209 DISASSEMBLY: push [ebp+hMem] ; hMem call ____?LocalFreeWrapper mov edi, offset oPasswordList; "123456" mov [ebp+hObject], 0 lea eax, [ebp+hObject] push eax push 0 push 2 push edi push 0 push dword ptr [ebx+4] call LogonUserA or eax, eax jz loc_1000E25D mov [ebp+var_28], 20h mov [ebp+var_24], 1 push dword ptr [ebx+4] pop [ebp+var_20] push dword ptr [ebx+8] pop [ebp+var_1C] mov [ebp+var_18], 0 mov [ebp+var_14], 0 mov [ebp+var_10], 0 mov [ebp+var_C], 0 lea eax, [ebp+var_28] push eax push [ebp+hObject] call LoadUserProfileA or eax, eax jz short loc_1000E212 cmp [ebp+var_C], 0 jz short loc_1000E209 push [ebp+var_C] pop hKey BYTES: ff 75 f8 e8 a1 36 ff ff bf 00 20 01 10 c7 45 fc 00 00 00 00 8d 45 fc 50 6a 00 6a 02 57 6a 00 ff 73 04 ff 15 b9 48 01 10 0b c0 0f 84 a9 00 00 00 c7 45 d8 20 00 00 00 c7 45 dc 01 00 00 00 ff 73 04 8f 45 e0 ff 73 08 8f 45 e4 c7 45 e8 00 00 00 00 c7 45 ec 00 00 00 00 c7 45 f0 00 00 00 00 c7 45 f4 00 00 00 00 8d 45 d8 50 ff 75 fc e8 0e 04 00 00 0b c0 74 18 83 7d f4 00 74 09 ff 75 f4 8f 05 bb 43 01 10 BYTES PER LINE: ff 75 f8 e8 a1 36 ff ff bf 00 20 01 10 c7 45 fc 00 00 00 00 8d 45 fc 50 6a 00 6a 02 57 6a 00 ff 73 04 ff 15 b9 48 01 10 0b c0 0f 84 a9 00 00 00 c7 45 d8 20 00 00 00 c7 45 dc 01 00 00 00 ff 73 04 8f 45 e0 ff 73 08 8f 45 e4 c7 45 e8 00 00 00 00 c7 45 ec 00 00 00 00 c7 45 f0 00 00 00 00 c7 45 f4 00 00 00 00 8d 45 d8 50 ff 75 fc e8 0e 04 00 00 0b c0 74 18 83 7d f4 00 74 09 ff 75 f4 8f 05 bb 43 01 10 WILD CARDED MEMORY BYTES: ff 75 f8 e8 a1 36 ff ff bf 00 20 01 10 c7 45 fc 00 00 00 00 8d 45 fc 50 6a 00 6a 02 57 6a 00 ff 73 04 ff ?? ?? ?? ?? ?? 0b c0 0f 84 a9 00 00 00 c7 45 d8 20 00 00 00 c7 45 dc 01 00 00 00 ff 73 04 8f 45 e0 ff 73 08 8f 45 e4 c7 45 e8 00 00 00 00 c7 45 ec 00 00 00 00 c7 45 f0 00 00 00 00 c7 45 f4 00 00 00 00 8d 45 d8 50 ff 75 fc e8 0e 04 00 00 0b c0 74 18 83 7d f4 00 74 09 ff 75 f4 8f ?? ?? ?? ?? ?? YARA SIGNATURE: rule Sig { strings: $hex_string = { ff 75 f8 e8 a1 36 ff ff bf 00 20 01 10 c7 45 fc 00 00 00 00 8d 45 fc 50 6a 00 6a 02 57 6a 00 ff 73 04 ff ?? ?? ?? ?? ?? 0b c0 0f 84 a9 00 00 00 c7 45 d8 20 00 00 00 c7 45 dc 01 00 00 00 ff 73 04 8f 45 e0 ff 73 08 8f 45 e4 c7 45 e8 00 00 00 00 c7 45 ec 00 00 00 00 c7 45 f0 00 00 00 00 c7 45 f4 00 00 00 00 8d 45 d8 50 ff 75 fc e8 0e 04 00 00 0b c0 74 18 83 7d f4 00 74 09 ff 75 f4 8f ?? ?? ?? ?? ??} condition: $hex_string }

 

CreateYaraSignature Output

 

Modifying the appropriate value in __CONFIG of the SignatureCreator class will disable any given section of the output and, optionally, the script can be configured to prompt for a file for saving the signature. The file-prompting feature requires PySide to be installed. PySide is available from Hex-Rays site at http://www.hex-rays.com/products/ida/support/download.shtml. Wild-carding is rudimentary and relies on the o_* operand type constants provided by idc.py:

 

o_void = idaapi.o_void # No Operand ---------- o_reg = idaapi.o_reg # General Register (al,ax,es,ds...) reg o_mem = idaapi.o_mem # Direct Memory Reference (DATA) addr o_phrase = idaapi.o_phrase # Memory Ref [Base Reg + Index Reg] phrase o_displ = idaapi.o_displ # Memory Reg [Base Reg + Index Reg + Displacement] phrase+addr o_imm = idaapi.o_imm # Immediate Value value o_far = idaapi.o_far # Immediate Far Address (CODE) addr o_near = idaapi.o_near # Immediate Near Address (CODE) addr o_idpspec0 = idaapi.o_idpspec0 # IDP specific type o_idpspec1 = idaapi.o_idpspec1 # IDP specific type o_idpspec2 = idaapi.o_idpspec2 # IDP specific type o_idpspec3 = idaapi.o_idpspec3 # IDP specific type o_idpspec4 = idaapi.o_idpspec4 # IDP specific type o_idpspec5 = idaapi.o_idpspec5 # IDP specific type o_last = idaapi.o_last # first unused type

 

o_* constants in idc.py

 

Inclusion of any of the types in the __CONFIG of SignatureCreator, 'OP_TYPES_TO_WILDCARD' : [o_mem,o_phrase, o_displ,o_far,o_near], will wildcard any bytes after the initial byte of the disassembled line.

 

The video, embedded below, demonstrates creating and testing a YARA signature on a password stealer.

 

Happy hunting! I hope this script will help make your IDA environment a little more like home. If you have any questions, rants, fixes, etc. please send them my way.

 

% case b

 

Security Tools:

 

Image removed. CreateYaraSignature.py.txt

Practice Manager, Enterprise Incident Management and Response
Case Barnes is a manager of Optiv’s enterprise incident management practice where he provides clients tactical solutions to mitigate the consequences of executing malicious code and the actions of internal and external threat actors.