
Vad files have rules that may operate on larger data samples

Open ikelos opened this issue 4 years ago • 5 comments

At the moment, vadyarascan may have a rule of the form:

    strings:
        $a = { AA BB CC }
        $b = { DD EE FF }
    condition:
        #a > 1 and #b > 1

If the two strings occur in different virtual chunks, yara won't match them, whereas if all the data is taken in one go then yara would match it.

To get around this, we'd either have to change how scanning works or we'd need to rebuild the data in a buffer and then map back and forth between the offsets the yarascanner finds and the actual offsets within memory. Unfortunately that's probably going to be the easiest way, but it might run into memory issues, and we'll need to increase the chunk size if people expect to find `and` conditions that are more than the current chunk size (16Mb) apart.

ikelos avatar May 13 '21 21:05 ikelos

Thank you for checking this

doomedraven avatar May 14 '21 06:05 doomedraven

Possible solution is to add a chunk size parameter, so you can scan larger chunks. This needs a little investigating...

ikelos avatar Jun 02 '21 19:06 ikelos

I'm still finishing my porting, but when I'm using the vadyarascan it goes super fast, and when I read each VAD and scan it is damn slow.

doomedraven avatar Jun 02 '21 19:06 doomedraven

Is this the rule in question?

    rule Smokeloader_2020_32 {
        strings:
            $a_01 = { 6A 04 [1-3] C7 [6-10] ?? ?? E8 [4] 6A }
            $a_02 = { 8B ?? 8D [6-8] B8 [3-6] 8D [2-8] FF ?? [4-8] 8D ?? [4] 51 }
            $b = { E4 07 }
        condition:
            all of ($a*) and #b > 1
    }

If so, I would suspect that scanning the memory file yields results but Volatility's yarascan plugin does not, because $b (two bytes E4 07) is being found in memory unrelated to the memory that contains $a_01 and $a_02. A more accurate rule would add the "within" operator to the conditions so that $b must be found within 1 MB (for example) of the first two strings. If you want to paste the output of the yara command on the memory file (not the Volatility plugin output) along with the offsets where $a* and $b were found, we could confirm. In general, is this rule supposed to be detecting a malicious binary (PE file)?

iMHLv2 avatar Jun 02 '21 20:06 iMHLv2
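The two points raised above (ikelos: count conditions such as `#a > 1 and #b > 1` cannot be satisfied when the hits fall in different chunks, and the fix of rebuilding a buffer plus an offset map back to virtual addresses; iMHLv2: unrelated `$b` hits far from `$a` make the rule over-match unless the strings are constrained to lie near each other) can be reproduced without yara at all. The following is an added, stand-alone example and not Volatility's or yara's code: it uses a pure-Python string search as a stand-in for a yara rule, a constructed two-region VAD layout, and a simple proximity check as a stand-in for yara's range condition. Region addresses, patterns and sizes are all constructed for the illustration.

```python
"""Added example (not Volatility code): chunked vs. rebuilt-buffer scanning.

A constructed "rule" with two byte strings and the condition  #a > 1 and #b > 1.
Region 1 holds both $a hits, region 2 holds both $b hits, so scanning each VAD
on its own can never satisfy the condition, while a rebuilt buffer can.
"""
import bisect
from typing import Dict, List, Tuple

# Stand-in for the yara strings section: name -> byte pattern (constructed).
PATTERNS: Dict[str, bytes] = {"a": b"\xaa\xbb\xcc", "b": b"\xdd\xee\xff"}

# Constructed VAD layout: (virtual start address, region bytes). Note that region 1
# ends with "aa bb" and region 2 starts with "cc": concatenating them fabricates a
# third $a occurrence that does not exist in memory, which the rebuilt scan must drop.
VADS: List[Tuple[int, bytes]] = [
    (0x00400000, b"\x00" * 10 + b"\xaa\xbb\xcc" + b"\x00" * 20 + b"\xaa\xbb\xcc" + b"\x00" * 3 + b"\xaa\xbb"),
    (0x7FF00000, b"\xcc" + b"\x11" * 7 + b"\xdd\xee\xff" + b"\x11" * 3 + b"\xdd\xee\xff"),
]


def find_all(data: bytes, needle: bytes) -> List[int]:
    """Offsets of every occurrence of needle in data (overlaps included)."""
    hits, pos = [], data.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = data.find(needle, pos + 1)
    return hits


def condition(counts: Dict[str, int]) -> bool:
    """The issue's condition:  #a > 1 and #b > 1."""
    return counts.get("a", 0) > 1 and counts.get("b", 0) > 1


def scan_per_region(regions: List[Tuple[int, bytes]]) -> List[bool]:
    """Chunked scanning: each region is scanned alone, so counts never cross regions."""
    return [condition({n: len(find_all(data, p)) for n, p in PATTERNS.items()})
            for _, data in regions]


def rebuild(regions: List[Tuple[int, bytes]]) -> Tuple[bytes, List[Tuple[int, int, int]]]:
    """Concatenate the regions and keep an offset table: (buffer offset, vaddr, length)."""
    buf, table = bytearray(), []
    for vaddr, data in regions:
        table.append((len(buf), vaddr, len(data)))
        buf += data
    return bytes(buf), table


def to_virtual(table: List[Tuple[int, int, int]], off: int, size: int) -> int:
    """Map a buffer offset back to a virtual address.

    Returns -1 when the [off, off+size) span crosses a region boundary, i.e. the
    match only exists because two unrelated regions were glued together.
    """
    starts = [t[0] for t in table]
    i = bisect.bisect_right(starts, off) - 1
    boff, vaddr, length = table[i]
    if off + size > boff + length:
        return -1
    return vaddr + (off - boff)


def scan_rebuilt(regions: List[Tuple[int, bytes]]) -> Tuple[bool, Dict[str, List[int]]]:
    """Whole-buffer scanning with hits mapped back to virtual addresses."""
    buf, table = rebuild(regions)
    hits: Dict[str, List[int]] = {}
    for name, pat in PATTERNS.items():
        mapped = [to_virtual(table, o, len(pat)) for o in find_all(buf, pat)]
        hits[name] = [v for v in mapped if v != -1]  # drop boundary-straddling matches
    return condition({n: len(v) for n, v in hits.items()}), hits


def within(hits_a: List[int], hits_b: List[int], window: int) -> bool:
    """Proximity stand-in for a yara range condition: every $b hit must lie within
    `window` bytes (in virtual address space) of some $a hit."""
    return bool(hits_b) and all(any(abs(b - a) <= window for a in hits_a) for b in hits_b)


if __name__ == "__main__":
    print("per-region results :", scan_per_region(VADS))
    matched, hits = scan_rebuilt(VADS)
    print("rebuilt buffer     :", matched, {n: [hex(v) for v in vs] for n, vs in hits.items()})
    print("$b within 1 MiB of $a:", within(hits["a"], hits["b"], 1 << 20))
```

Per-region scanning reports no match for either VAD, the rebuilt buffer matches with the correct virtual addresses (and the fabricated hit at the region seam is discarded), and the proximity check then rejects the match because the `$b` hits sit far from the `$a` hits, which is the false-positive shape iMHLv2 describes.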

Hello @iMHLv2 yes, and this works just fine on Volatility2, that is why I was surprised

    import volatility.plugins.malfind as malfind  # Volatility 2 plugin module

    scanner = malfind.VadYaraScanner(task=task, rules=rules)  # task: _EPROCESS object, rules: compiled yara rules
    for hit, addr in scanner.scan():  # yields one (yara match, virtual address) pair per hit
        print(hit.rule, hex(addr))

doomedraven avatar Jun 02 '21 20:06 doomedraven

This issue is stale because it has been open for 200 days with no activity.

github-actions[bot] avatar Oct 30 '23 01:10 github-actions[bot]

This issue was closed because it has been inactive for 60 days since being marked as stale.

github-actions[bot] avatar Dec 30 '23 01:12 github-actions[bot]