Comments (5)
So after some more playing around it looks like the issue is somehow related to the length of the rules being used. If I reduce the previous rule down to:

```yara
rule MimikatzMem {
    strings:
        $s1 = "sekurlsa::msv" fullword ascii
        $s2 = "sekurlsa::wdigest" fullword ascii
    condition:
        1 of them
}
```

I get the expected match:

`Match: [{Rule:MimikatzMem Namespace:Namespace1 Tags:[] Meta:map[] Strings:[{Name:$s1 Offset:48 Data:[115 101 107 117 114 108 115 97 58 58 109 115 118]}]}]`

However, if I add another string such as `$s4 = "sekurlsa::kerberos" fullword ascii`, I get the same error as mentioned above.

Interestingly, it appears to be related to the number of entries in the strings section of the rule, not the length of the rule (i.e. if I make one of the strings in the above rule really long it still works, but if I add a new string it fails).
from go-yara.
Can you share the sample? Please also tell me what operating system and what versions of Go and libyara you are using.
Sure, the sample I was scanning was just the rules that I was loading in, so:

```yara
rule MimikatzMem {  // header restored from the reduced rule quoted above
    strings:
        $s1 = "sekurlsa::msv" fullword ascii
        $s2 = "sekurlsa::wdigest" fullword ascii
        $s4 = "sekurlsa::kerberos" fullword ascii
        $s5 = "sekurlsa::tspkg" fullword ascii
        $s6 = "sekurlsa::livessp" fullword ascii
        $s7 = "sekurlsa::ssp" fullword ascii
        $s8 = "sekurlsa::logonPasswords" fullword ascii
        $s9 = "sekurlsa::process" fullword ascii
        $s10 = "sekurlsa::minidump" fullword ascii
        $s11 = "sekurlsa::pth" fullword ascii
        $s12 = "sekurlsa::tickets" fullword ascii
        $s13 = "sekurlsa::ekeys" fullword ascii
        $s14 = "sekurlsa::dpapi" fullword ascii
        $s15 = "sekurlsa::credman" fullword ascii
    condition:
        1 of them
}
```

My OS is Ubuntu 18.04 and my Go version is `go1.13.4 linux/amd64`.
I was using a copy of libyara 3.11.0.
@idrii Do you also have libyara3 and libyara-dev from Ubuntu installed on your Ubuntu-18.04-based dev environment? If so, does the problem disappear if you uninstall those and rebuild the Go program?
I suspect that this might be essentially a duplicate of #55, and that the root cause is in ABI incompatibilities somewhere between YARA 3.7 and YARA 3.11.
@hillu Wow, that was it! I wasted so much time on this and for it to be such a simple issue is actually kind of annoying.
Thank you very much for your help and your awesome library
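The resolution above is to remove Ubuntu's libyara3 and libyara-dev packages so that cgo and the dynamic loader see one and the same libyara. The POSIX shell script below is an added diagnostic for exactly that situation; it is not part of go-yara and was not posted in this thread. It compares the libyara version pkg-config reports (what cgo compiled the Go binary against) with the libyara.so that ldd shows the binary resolving at run time, and lists any distribution libyara packages that could shadow a build from source. It assumes GNU/Linux tooling (pkg-config, ldd, readlink, dpkg), that the pkg-config module is named `yara` as installed by YARA's own build, and that the real library file carries the full version in its name (libyara.so.3.7.1, libyara.so.3.11.0), which is how both the Ubuntu package and a `make install` from source name it; the paths used in the comments are illustrative.

```shell
#!/bin/sh
# Added diagnostic, not part of go-yara: check whether the libyara version that
# cgo compiled against (reported by pkg-config) matches the libyara.so the
# dynamic loader actually resolves for the built Go binary.

# Reduce "3.11.0", "3.7.1" or a path such as
# /usr/lib/x86_64-linux-gnu/libyara.so.3.7.1 (assumed layout) to "MAJOR.MINOR".
# Prints nothing when no dotted version is present (e.g. the bare libyara.so.3 symlink).
yara_major_minor() {
    printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+(\.[0-9]+)?' | head -n 1 | cut -d. -f1,2
}

# Returns 0 when header and run-time versions agree on MAJOR.MINOR, 1 when they
# differ (the ABI-mismatch case from this thread), 2 when either side is unknown.
yara_abi_check() {
    hdr=$(yara_major_minor "$1")
    rt=$(yara_major_minor "$2")
    if [ -z "$hdr" ] || [ -z "$rt" ]; then
        return 2
    fi
    [ "$hdr" = "$rt" ]
}

# Live report for a built go-yara binary. Assumes GNU/Linux tooling: pkg-config,
# ldd, readlink and (on Debian/Ubuntu) dpkg. Missing tools are reported, not fatal.
# Usage: yara_abi_report ./scanner
yara_abi_report() {
    bin=$1
    hdr=$(pkg-config --modversion yara 2>/dev/null || echo unknown)
    so=$(ldd "$bin" 2>/dev/null | awk '/libyara/ { print $3; exit }')
    # The libyara.so.3 symlink hides the minor version; the real file name carries it.
    rt=$( [ -n "$so" ] && readlink -f "$so" || echo unknown)
    echo "compile-time libyara (pkg-config): $hdr"
    echo "run-time libyara (ldd):            $rt"
    # Distribution packages that can shadow a libyara built from source.
    dpkg -l 'libyara*' 2>/dev/null | awk '/^ii/ { print "distro package installed:          " $2 " " $3 }'
    if yara_abi_check "$hdr" "$rt"; then
        echo "OK: headers and loaded library agree"
    else
        echo "WARNING: header/library mismatch or undetermined; rebuild against a single libyara"
    fi
}

# Run the live report only when a binary path is given, so the functions can be
# sourced and used on their own.
if [ $# -gt 0 ]; then
    yara_abi_report "$1"
fi
```

Run it as `sh yara_abi_check.sh ./your-go-binary` after building. A MAJOR.MINOR disagreement is the case hillu points at: code compiled against the 3.11 headers calling into the 3.7 library shipped by the distribution, which is why the failure depended on the rule's contents rather than showing up as a clean build error.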