Making IDA ::1 Part One – YARA Signature Creation

By Case Barnes ·

During the course of a Malware Emergency Response, it is often necessary to create YARA signatures or byte signatures for other tools to help identify files similar to the initial malware executables discovered on hosts across the network. Open source tools such as YARA are routinely used on jobs when customers have a deficiency in commercial tools and response time is critical. Creating byte signatures usually involves targeting the code to write a signature for, manually creating the signature in a text editor and testing the signature against its intended targets for validation. Many times, variants of the same malware family will contain the same code structure, but will need to reference memory addresses in slightly different locations. A responder needs to wildcard the bytes in the signature corresponding to memory locations to account for these differences.

I am lazy, and response time is usually of the essence, so I decided to have IDA do a lot of the work I’ve done manually in the past. I’ve created a Python script that, when run from IDA with a selection, will produce output readily usable in tools using byte strings as signatures.

Using a section of code like the code in Figure 1, the script will produce the output listed in Figure 2 below:

Code targeted for signature creation

Code targeted for signature creation

[SIGNATURE FOR ctfmon.dll]
LENGTH: 0x85
RANGE: 0x1000e184-0x1000e209
 
DISASSEMBLY:
push [ebp+hMem] ; hMem
call ____?LocalFreeWrapper
mov edi, offset oPasswordList; "123456"
mov [ebp+hObject], 0
lea eax, [ebp+hObject]
push eax
push 0
push 2
push edi
push 0
push dword ptr [ebx+4]
call LogonUserA
or eax, eax
jz loc_1000E25D
mov [ebp+var_28], 20h
mov [ebp+var_24], 1
push dword ptr [ebx+4]
pop [ebp+var_20]
push dword ptr [ebx+8]
pop [ebp+var_1C]
mov [ebp+var_18], 0
mov [ebp+var_14], 0
mov [ebp+var_10], 0
mov [ebp+var_C], 0
lea eax, [ebp+var_28]
push eax
push [ebp+hObject]
call LoadUserProfileA
or eax, eax
jz short loc_1000E212
cmp [ebp+var_C], 0
jz short loc_1000E209
push [ebp+var_C]
pop hKey
 
BYTES:
ff 75 f8 e8 a1 36 ff ff bf 00 20 01 10 c7 45 fc 00 00 00 00 8d 45 fc 50 6a 00 6a 02 57 6a 00 ff 73 04 ff 15 b9 48 01 10 0b c0 0f 84 a9 00 00 00 c7 45 d8 20 00 00 00 c7 45 dc 01 00 00 00 ff 73 04 8f 45 e0 ff 73 08 8f 45 e4 c7 45 e8 00 00 00 00 c7 45 ec 00 00 00 00 c7 45 f0 00 00 00 00 c7 45 f4 00 00 00 00 8d 45 d8 50 ff 75 fc e8 0e 04 00 00 0b c0 74 18 83 7d f4 00 74 09 ff 75 f4 8f 05 bb 43 01 10
 
BYTES PER LINE:
ff 75 f8
e8 a1 36 ff ff
bf 00 20 01 10
c7 45 fc 00 00 00 00
8d 45 fc
50
6a 00
6a 02
57
6a 00
ff 73 04
ff 15 b9 48 01 10
0b c0
0f 84 a9 00 00 00
c7 45 d8 20 00 00 00
c7 45 dc 01 00 00 00
ff 73 04
8f 45 e0
ff 73 08
8f 45 e4
c7 45 e8 00 00 00 00
c7 45 ec 00 00 00 00
c7 45 f0 00 00 00 00
c7 45 f4 00 00 00 00
8d 45 d8
50
ff 75 fc
e8 0e 04 00 00
0b c0
74 18
83 7d f4 00
74 09
ff 75 f4
8f 05 bb 43 01 10
 
WILD CARDED MEMORY BYTES:
ff 75 f8 e8 a1 36 ff ff bf 00 20 01 10 c7 45 fc 00 00 00 00 8d 45 fc 50 6a 00 6a 02 57 6a 00 ff 73 04 ff ?? ?? ?? ?? ?? 0b c0 0f 84 a9 00 00 00 c7 45 d8 20 00 00 00 c7 45 dc 01 00 00 00 ff 73 04 8f 45 e0 ff 73 08 8f 45 e4 c7 45 e8 00 00 00 00 c7 45 ec 00 00 00 00 c7 45 f0 00 00 00 00 c7 45 f4 00 00 00 00 8d 45 d8 50 ff 75 fc e8 0e 04 00 00 0b c0 74 18 83 7d f4 00 74 09 ff 75 f4 8f ?? ?? ?? ?? ??
 
YARA SIGNATURE:
rule Sig
{
    strings:
        $hex_string = { ff 75 f8 e8 a1 36 ff ff bf 00 20 01 10 c7 45 fc 00 00 00 00 8d 45 fc 50 6a 00 6a 02 57 6a 00 ff 73 04 ff ?? ?? ?? ?? ?? 0b c0 0f 84 a9 00 00 00 c7 45 d8 20 00 00 00 c7 45 dc 01 00 00 00 ff 73 04 8f 45 e0 ff 73 08 8f 45 e4 c7 45 e8 00 00 00 00 c7 45 ec 00 00 00 00 c7 45 f0 00 00 00 00 c7 45 f4 00 00 00 00 8d 45 d8 50 ff 75 fc e8 0e 04 00 00 0b c0 74 18 83 7d f4 00 74 09 ff 75 f4 8f ?? ?? ?? ?? ??}
    condition:
        $hex_string
}

CreateYaraSignature Output

Modifying the appropriate value in __CONFIG of the SignatureCreator class will disable any given section of the output and, optionally, the script can be configured to prompt for a file for saving the signature. The file-prompting feature requires PySide to be installed. PySide is available from Hex-Rays site at http://www.hex-rays.com/products/ida/support/download.shtml. Wild-carding is rudimentary and relies on the o_* operand type constants provided by idc.py:
o_void     =  idaapi.o_void      #  No Operand                           ----------
o_reg      =  idaapi.o_reg       #  General Register (al,ax,es,ds...)    reg
o_mem      =  idaapi.o_mem       #  Direct Memory Reference  (DATA)      addr
o_phrase   =  idaapi.o_phrase    #  Memory Ref [Base Reg + Index Reg]    phrase
o_displ    =  idaapi.o_displ     #  Memory Reg [Base Reg + Index Reg + Displacement] phrase+addr
o_imm      =  idaapi.o_imm       #  Immediate Value                      value
o_far      =  idaapi.o_far       #  Immediate Far Address  (CODE)        addr
o_near     =  idaapi.o_near      #  Immediate Near Address (CODE)        addr
o_idpspec0 =  idaapi.o_idpspec0  #  IDP specific type
o_idpspec1 =  idaapi.o_idpspec1  #  IDP specific type
o_idpspec2 = idaapi.o_idpspec2  #  IDP specific type
o_idpspec3 = idaapi.o_idpspec3  #  IDP specific type
o_idpspec4 = idaapi.o_idpspec4  #  IDP specific type
o_idpspec5 = idaapi.o_idpspec5  #  IDP specific type
o_last     = idaapi.o_last      #  first unused type

o_* constants in idc.py

Inclusion of any of the types in the __CONFIG of SignatureCreator, 'OP_TYPES_TO_WILDCARD' : [o_mem,o_phrase, o_displ,o_far,o_near], will wildcard any bytes after the initial byte of the disassembled line.

The video, embedded below, demonstrates creating and testing a YARA signature on a password stealer.

Happy hunting! I hope this script will help make your IDA environment a little more like home. If you have any questions, rants, fixes, etc. please send them my way.

% case b

Security Tools:

text-plain CreateYaraSignature.py.txt

Case Barnes

Practice Manager, Enterprise Incident Management and Response

Case Barnes is a manager of Optiv’s enterprise incident management practice where he provides clients tactical solutions to mitigate the consequences of executing malicious code and the actions of internal and external threat actors.