polymorf / findcrypt-yara
IDA pro plugin to find crypto constants (and more)
License: BSD 3-Clause "New" or "Revised" License
I have installed it with
Warning: yara 3.6.3 is already installed
but it also warns "No module named yara" in IDA.
I'm using IDA Pro 6.8, do I need a higher version?
Failed while executing plugin_t.run():
Traceback (most recent call last):
File "D:/tools/IDA_Pro_7.7/plugins/findcrypt3.py", line 224, in run
self.search()
File "D:/tools/IDA_Pro_7.7/plugins/findcrypt3.py", line 180, in search
values = self.yarasearch(memory, offsets, rules)
File "D:/tools/IDA_Pro_7.7/plugins/findcrypt3.py", line 197, in yarasearch
self.toVirtualAddress(string[0], offsets),
TypeError: 'yara.StringMatch' object is not subscriptable
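Added example, not code from findcrypt-yara or from the reporter: the TypeError above arises when entries of match.strings are indexed as (offset, identifier, data) tuples, the shape yara-python used before 4.3; from 4.3 on each entry is a yara.StringMatch with .identifier and .instances. The helper below yields the old tuple shape from either API; the Fake* classes are constructed stand-ins for the yara objects so it runs without yara installed.

```python
# Added example, not part of findcrypt-yara: the TypeError above comes from indexing
# entries of match.strings as (offset, identifier, data) tuples, the shape yara-python
# used before 4.3. From 4.3 on each entry is a yara.StringMatch with .identifier and
# .instances (each yara.StringMatchInstance carrying .offset and .matched_data).
# This helper yields the old tuple shape from either API; the Fake* classes are
# constructed stand-ins for the yara objects so the block runs without yara installed.
from typing import Iterable, List, Tuple


def iter_string_hits(strings: Iterable) -> List[Tuple[int, str, bytes]]:
    """Return (offset, identifier, data) for every string hit, whichever API produced it."""
    hits: List[Tuple[int, str, bytes]] = []
    for s in strings:
        if isinstance(s, tuple):            # yara-python < 4.3: (offset, identifier, data)
            hits.append((int(s[0]), str(s[1]), bytes(s[2])))
        else:                               # yara-python >= 4.3: StringMatch object
            for inst in s.instances:
                hits.append((inst.offset, s.identifier, inst.matched_data))
    return hits


class FakeInstance:
    """Stand-in for yara.StringMatchInstance (constructed for this example)."""
    def __init__(self, offset: int, data: bytes) -> None:
        self.offset, self.matched_data = offset, data


class FakeStringMatch:
    """Stand-in for yara.StringMatch (constructed for this example)."""
    def __init__(self, identifier: str, instances: list) -> None:
        self.identifier, self.instances = identifier, instances


SHA1_H0 = b"\x01\x23\x45\x67"               # little-endian 0x67452301, as a rule would match it
OLD_API = [(0x1000, "$sha1_h0", SHA1_H0)]
NEW_API = [FakeStringMatch("$sha1_h0", [FakeInstance(0x1000, SHA1_H0),
                                        FakeInstance(0x2000, SHA1_H0)])]

if __name__ == "__main__":
    # In the plugin's yarasearch this would replace "for string in match.strings: ... string[0]":
    for offset, ident, data in iter_string_hits(NEW_API):
        print(f"{offset:#x} {ident} {data.hex()}")
```

In the plugin's yarasearch loop, passing `offset` from this helper to toVirtualAddress instead of `string[0]` keeps the same behaviour on both yara-python generations.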
Problem:
Could not find libyara.so in this variable, because it is a system variable and the directory is not writable.
Solved:
As can be seen from PyPI's official website, yara has not been updated since 2014, but yara-python has been released in 2020.
Step 1: install yara-python (yara.so)
pip install yara-python -i https://pypi.org/simple
Step 2: copy "python2.7\site-packages\yara.so" to ida\python\yara.so
The size is 410k, compared with 96k in 2014.
This IDA plugin (findcrypt) is very good!! I'm behind you.
IDA 7.5.201028
Windows 10
Python 3.8.2
Installed yara-python with pip,
but every time I try to run it I end up with the following error message:
Traceback (most recent call last):
File "C:/Program Files/IDA Pro 7.5/plugins/findcrypt3.py", line 60, in activate
self.plugin.search()
File "C:/Program Files/IDA Pro 7.5/plugins/findcrypt3.py", line 179, in search
rules = yara.compile(filepaths=self.get_rules_files())
yara.Error: (2, 'No such file or directory')
The file paths for rules seem correct, what might be causing this issue?
Thanks.
ImportError: dlopen(/Library/Python/2.7/site-packages/yara.so, 2): Symbol not found: _OPENSSL_sk_free
I have updated OpenSSL, but it doesn't work.
What is the difference? Some different scene?
Would really love to give the plugin a shot. Any help would be great!
Plugin doesn't run with the following error:
File "C:/Program Files/IDA 7.1/plugins/findcrypt3.py", line 108, in OnGetLine
res = [atoa(res[0]), res[1], res[2]]
NameError: global name 'atoa' is not defined
YaraSyntaxError: C:\Program Files\IDA 7.0\plugins\findcrypt3.rules:1542: syntax error, unexpected STRINGS, expecting $end or RULE or PRIVATE or GLOBAL
How to use it, how to install?
Edit/Plugins/Findcrypt
ifl:open
Shortcut for "ifl:open" will be disabled.
IDA 7.7 with Python 3.11.2 issue:
X:\FIXXXER\Program Files\Analysis\HEX\IDA\IDA 77SP1\plugins\findcrypt3.py: No module named 'yara'
Traceback (most recent call last):
File "X:\FIXXXER\Program Files\Analysis\HEX\IDA\IDA 77SP1\python\3\ida_idaapi.py", line 580, in IDAPython_ExecScript
exec(code, g)
File "X:/FIXXXER/Program Files/Analysis/HEX/IDA/IDA 77SP1/plugins/findcrypt3.py", line 9, in
import yara
ModuleNotFoundError: No module named 'yara'
At the same time, the yara-python module is installed, but the yara module is not.
Failed to import 'C:\Users\Win10Tools\Desktop\Misc\Re\IDA\IDA_Pro_7.7\python38\DLLs\libyara.dll'
PATH = C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Program Files\Python\Python38\Scripts\;C:\Program Files\Python\Python38\;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Program Files\Git\cmd;C:\Program Files\Microsoft VS Code\bin;C:\Program Files\Python\Python27\Scripts;C:\Users\Win10Tools\AppData\Local\Microsoft\WindowsApps;;C:\Users\Win10Tools\Desktop\Misc\Re\IDA\IDA_Pro_7.7\python38\DLLs
C:\Users\Win10Tools\Desktop\misc\Re\IDA\IDA_Pro_7.7\plugins\findcrypt3.py: Could not find module 'C:\Users\Win10Tools\Desktop\Misc\Re\IDA\IDA_Pro_7.7\python38\DLLs\libyara.dll' (or one of its dependencies). Try using the full path with constructor syntax.
Traceback (most recent call last):
File "C:\Users\Win10Tools\Desktop\misc\Re\IDA\IDA_Pro_7.7\python\3\ida_idaapi.py", line 580, in IDAPython_ExecScript
exec(code, g)
File "C:/Users/Win10Tools/Desktop/misc/Re/IDA/IDA_Pro_7.7/plugins/findcrypt3.py", line 9, in <module>
import yara
File "C:\Users\Win10Tools\AppData\Roaming\Python\Python38\site-packages\yara\__init__.py", line 7, in <module>
from yara.rules import compile
File "C:\Users\Win10Tools\AppData\Roaming\Python\Python38\site-packages\yara\rules.py", line 17, in <module>
from yara.libyara_wrapper import *
File "C:\Users\Win10Tools\AppData\Roaming\Python\Python38\site-packages\yara\libyara_wrapper.py", line 315, in <module>
libyaradll = cdll.LoadLibrary(library)
File "ctypes\__init__.py", line 451, in LoadLibrary
File "ctypes\__init__.py", line 373, in __init__
FileNotFoundError: Could not find module 'C:\Users\Win10Tools\Desktop\Misc\Re\IDA\IDA_Pro_7.7\python38\DLLs\libyara.dll' (or one of its dependencies). Try using the full path with constructor syntax.
However, the file exists under the path
C:\Users\Win10Tools\Desktop\Misc\Re\IDA\IDA_Pro_7.7\python38\DLLs\libyara.dll
Hello, first, thank you for publishing this, especially the huge database of signatures.
I wanted to ask if you were still actively maintaining this and/or if you had any interest in implementing an additional method for searching, which I'll briefly describe. tl;dr: applying the signature checks to immediate loads directly into registers, to complement searching of memory.
I recently encountered a target (RISC-style fixed-width instruction set, proprietary embedded firmware) that makes a habit of loading crypto constants as immediates, e.g. for SHA1 and the constant 0x67452301 (along with other constants for SHA1, all in a single function):
movhi r3, 0x6745
addi r3, r3, 0x2301 # 0x67452301
Do you have any interest in supporting searching for matches in immediates like this? I believe the comment in this example was added via the CPU plugin for this architecture and is not otherwise a part of the IDB file/IDA analysis, so to do this properly one would have to either:
The former is simpler, as it requires no knowledge of the CPU architecture. The latter is by no means impossible, but would be somewhat architecture dependent, I think, and may be beyond the scope of what you'd like to have as findcrypt functionality. However, a skeleton to allow the user to plug in the architecture-specific instructions used to accomplish these operations would still be immensely helpful.
As far as whether this is worth your effort or not: I'm not sure how common this pattern is, though I'm sure it's present in other fixed-width instruction sets, depending on how the code was written. Maybe it's not worth the effort for you and I'll have to write it myself for the few projects I've encountered this pattern on (which is fine).
Any interest in / do you have the time to add this as a feature? Or would you accept a PR?
Obviously this would really only be useful for signatures matching the width of a register for the target: 4 bytes for the general purpose registers in most cases, longer if using the various architecture-specific special registers. It would be possible to match across multiple registers if the instructions were consecutive, but this could get a bit more complicated, having to take into consideration the ordering of the constants, among other things.
There are also some much more complicated patterns which I think would have to just be accepted as too much work to identify, e.g. where a register has some base value and then multiple different constants are generated from it. The analysis for that really starts to go further beyond basic analysis of two consecutive immediate operations and would probably be best to accept as too much work for what may be a very limited/specialized case.
Thanks again, this plugin has been a huge time-saver for me.
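Added example, not code from findcrypt-yara or from the requester: one way to match a constant that a compiler splits into a high-half load plus a low-half add, as described in the request above. The (address, mnemonic, register, immediate) tuples are a constructed stand-in for whatever a CPU module would decode, and only movhi and addi are modelled; it also covers the case the post does not show, a low half at or above 0x8000 that a sign-extending addi forces the high half to be bumped for.

```python
# Added example, not part of findcrypt-yara: matching a crypto constant that a compiler
# splits into a high-half load plus a low-half add. The instruction tuples below are a
# constructed stand-in for decoded code; 'movhi' and 'addi' are the only ops modelled.
MASK32 = 0xFFFFFFFF

KNOWN_CONSTANTS = {  # well-known SHA-1 initial state words; the post quotes the first
    0x67452301: "SHA1_H0",
    0xEFCDAB89: "SHA1_H1",
    0x98BADCFE: "SHA1_H2",
    0x10325476: "SHA1_H3",
    0xC3D2E1F0: "SHA1_H4",
}

def sign_extend16(imm: int) -> int:
    """Interpret a 16-bit immediate as signed, the way an 'addi' typically does."""
    imm &= 0xFFFF
    return imm - 0x10000 if imm & 0x8000 else imm

def find_immediate_constants(insns):
    """Track registers through movhi (reg = imm << 16) and addi (reg += sign_extend(imm));
    any other write forgets the register. Returns (address, register, name) per hit."""
    regs = {}
    hits = []
    for addr, mnem, reg, imm in insns:
        if mnem == "movhi":
            regs[reg] = (imm << 16) & MASK32
        elif mnem == "addi" and reg in regs:
            regs[reg] = (regs[reg] + sign_extend16(imm)) & MASK32
        else:
            regs.pop(reg, None)
            continue
        name = KNOWN_CONSTANTS.get(regs[reg])
        if name:
            hits.append((addr, reg, name))
    return hits

# Constructed stream: H0 exactly as in the post; H1 has a low half >= 0x8000, so a
# sign-extending addi needs the high half bumped to 0xEFCE; r5 must not match.
SAMPLE = [
    (0x1000, "movhi", "r3", 0x6745),
    (0x1004, "addi",  "r3", 0x2301),   # r3 = 0x67452301
    (0x1008, "movhi", "r4", 0xEFCE),
    (0x100C, "addi",  "r4", 0xAB89),   # 0xEFCE0000 - 0x5477 = 0xEFCDAB89
    (0x1010, "movhi", "r5", 0x1234),
    (0x1014, "addi",  "r5", 0x0004),
]

if __name__ == "__main__":
    for addr, reg, name in find_immediate_constants(SAMPLE):
        print(f"{addr:#x}: {reg} = {name}")
```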
/Applications/IDA Pro 7.0/idabin/plugins
sudo mv yara* /Library/Python/2.7/site-packages
Failed while executing plugin_t.run():
Traceback (most recent call last):
File "D:/Android/RE_Tools/IDA7.6/plugins/findcrypt3.py", line 224, in run
self.search()
File "D:/Android/RE_Tools/IDA7.6/plugins/findcrypt3.py", line 180, in search
values = self.yarasearch(memory, offsets, rules)
File "D:/Android/RE_Tools/IDA7.6/plugins/findcrypt3.py", line 197, in yarasearch
self.toVirtualAddress(string[0], offsets),
TypeError: 'yara.StringMatch' object is not subscriptable
It would be a nice addition to add support for XORSHIFT and XORSHIFT 64.
https://en.wikipedia.org/wiki/Xorshift
The magic is rather easy to detect: 0x2545F4914F6CDD1D
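Added example, not code from findcrypt-yara or from the requester: how a single magic constant such as the xorshift64* multiplier quoted above becomes a findcrypt-style YARA rule covering both byte orders, with a plain-Python scan over a constructed buffer so it runs without the yara module. The rule name and the sample buffer are constructed for this example.

```python
# Added example, not part of findcrypt-yara: turning a single magic constant (here the
# xorshift64* multiplier quoted above) into a findcrypt-style YARA rule that covers both
# byte orders, plus a plain-Python scan so the block runs without the yara module.
# The rule name and the sample buffer are constructed for this example.
from typing import List, Tuple

XORSHIFT64_STAR_MULT = 0x2545F4914F6CDD1D


def hex_pattern(value: int, width: int, byteorder: str) -> str:
    """Render value as a YARA hex string, e.g. '1D DD 6C 4F 91 F4 45 25' for little-endian."""
    return " ".join(f"{b:02X}" for b in value.to_bytes(width, byteorder))


def yara_rule(name: str, value: int, width: int) -> str:
    """Emit a rule with one hex string per byte order; 'any of them' matches either."""
    return (
        f"rule {name}\n"
        "{\n"
        "    strings:\n"
        f"        $c_le = {{ {hex_pattern(value, width, 'little')} }}\n"
        f"        $c_be = {{ {hex_pattern(value, width, 'big')} }}\n"
        "    condition:\n"
        "        any of them\n"
        "}\n"
    )


def scan(buf: bytes, value: int, width: int) -> List[Tuple[int, str]]:
    """Return (offset, byteorder) for every occurrence of the constant in buf."""
    hits: List[Tuple[int, str]] = []
    for order in ("little", "big"):
        pat = value.to_bytes(width, order)
        pos = buf.find(pat)
        while pos != -1:
            hits.append((pos, order))
            pos = buf.find(pat, pos + 1)
    return sorted(hits)


# Constructed buffer: 8 filler bytes, the constant as a little-endian immediate
# (how x86-64 code would carry it), 4 filler bytes, then the same constant big-endian.
SAMPLE_BUF = (b"\x90" * 8 + XORSHIFT64_STAR_MULT.to_bytes(8, "little")
              + b"\xCC" * 4 + XORSHIFT64_STAR_MULT.to_bytes(8, "big"))

if __name__ == "__main__":
    print(yara_rule("Xorshift64_star_multiplier", XORSHIFT64_STAR_MULT, 8))
    print(scan(SAMPLE_BUF, XORSHIFT64_STAR_MULT, 8))
```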