Update procmem_yara.py
Thanks. The problem with exposing strings is that it helps leak private yara; we need to add some configuration for that first.
Yeah, that makes sense. So you mean a parameter to expose strings or not? I can definitely change the code to reflect that. I think you mean more like a configuration to know which ones not to expose; if that's the case, then let me know if I can help in any way.
Yes, I just need to think about how to properly handle that. Not sure if we should just add a conf option, read it in the sig and put it under an if; what do you think? + Which config should we use?
I think it would be ideal to have an optional private field/conf option in the sigs themselves that are to be private, and have the procmem_yara rule look for this field and not expose them if private, instead of having the procmem_yara rule be an on/off feature. I will make the change. Thanks for the feedback!
It's about the string field, not sig on/off.
Yes, correct. What I meant was that either no strings or strings should not be enabled/disabled for everything, but be a rule-specific behavior which is controlled (checked) via procmem_yara.
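The per-rule behavior discussed above, as an added example that is not code from the CAPE community repo or from this PR: a small Python filter that keeps a match in the report but drops its matched string data when the rule's meta carries a `private` key. The match-result shape, the `private` meta key, the sample rules and the `expose_strings` global switch are all assumptions made for the example; none of them are taken from the project's code.

```python
"""Hypothetical per-rule 'private' handling for YARA match output.

Added example, not code from the CAPE community repo or this PR. It assumes a
constructed match-result shape (rule name, meta dict, matched strings) and a
hypothetical `private` meta key; neither is taken from the project's code.
"""
from __future__ import annotations

from typing import Any

# Constructed sample of what a process-memory YARA scan might yield.
# Two rules are marked private via the hypothetical `private` meta key,
# once as a bool and once as the string form YARA meta values often take.
SAMPLE_MATCHES: list[dict[str, Any]] = [
    {
        "name": "Public_Loader",
        "meta": {"author": "example", "description": "constructed public rule"},
        "strings": [{"identifier": "$a", "offset": 0x10, "data": b"MZ"}],
    },
    {
        "name": "Private_Family",
        "meta": {"author": "example", "private": True},
        "strings": [{"identifier": "$s1", "offset": 0x200, "data": b"secret-marker"}],
    },
    {
        "name": "Private_Via_String",
        "meta": {"private": "true"},
        "strings": [{"identifier": "$s1", "offset": 0x300, "data": b"other-marker"}],
    },
]


def is_private(meta: dict[str, Any]) -> bool:
    """Interpret the hypothetical `private` meta key leniently.

    YARA meta values may be bool, int or str, so accept True, non-zero ints
    and the strings 'true', 'yes' and '1'. Anything else (or no key) is public.
    """
    value = meta.get("private", False)
    if isinstance(value, bool):
        return value
    if isinstance(value, int):
        return value != 0
    return str(value).strip().lower() in {"true", "yes", "1"}


def redact_private_strings(
    matches: list[dict[str, Any]], expose_strings: bool = True
) -> list[dict[str, Any]]:
    """Return a report-safe copy of `matches`.

    The rule name and meta are always kept, so the report still shows that the
    rule hit. Matched string data is included only when the global switch
    `expose_strings` is on AND the rule is not marked private. The input is not
    mutated; bytes are hex-encoded so the result is JSON-serialisable.
    """
    out: list[dict[str, Any]] = []
    for m in matches:
        meta = dict(m.get("meta", {}))
        entry: dict[str, Any] = {"name": m["name"], "meta": meta}
        if expose_strings and not is_private(meta):
            entry["strings"] = [
                {"identifier": s["identifier"], "offset": s["offset"], "data": s["data"].hex()}
                for s in m.get("strings", [])
            ]
            entry["strings_redacted"] = False
        else:
            # Drop the matched bytes entirely; keeping offsets would still let a
            # reader recover the pattern from the memory dump.
            entry["strings"] = []
            entry["strings_redacted"] = True
        out.append(entry)
    return out


if __name__ == "__main__":
    for entry in redact_private_strings(SAMPLE_MATCHES):
        print(entry["name"], "redacted" if entry["strings_redacted"] else entry["strings"])
```

The per-rule flag is checked at report time rather than at rule-load time, so a private rule still fires and is still named in the output; only the evidence that would reveal what the rule looks for is withheld. Flipping `expose_strings` to `False` redacts every rule, which is the on/off behavior the thread argues against as the only control.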
@kevoreilly
@kevoreilly
👀