
findcrypt-yara's People

Contributors

alexandergcx, antelox, arturasi, byemypast, doomedraven, eb-h, edeca, iromise, kevinsbobo, lwwiscute, nyx0, polymorf, recvfrom, serv0id, xanarin


findcrypt-yara's Issues

MacOS: No module named yara

I have installed it with

Warning: yara 3.6.3 is already installed

but it also warns "No module named yara" in IDA.

TypeError: 'yara.StringMatch' object is not subscriptable

Failed while executing plugin_t.run():
Traceback (most recent call last):
  File "D:/tools/IDA_Pro_7.7/plugins/findcrypt3.py", line 224, in run
    self.search()
  File "D:/tools/IDA_Pro_7.7/plugins/findcrypt3.py", line 180, in search
    values = self.yarasearch(memory, offsets, rules)
  File "D:/tools/IDA_Pro_7.7/plugins/findcrypt3.py", line 197, in yarasearch
    self.toVirtualAddress(string[0], offsets),
TypeError: 'yara.StringMatch' object is not subscriptable

IDA Pro 7.3: replace yara with yara-python

Problem:
Could not find any libyara.so in this variable, because it is a system variable and the directory is not writable.

Solved:
As can be seen on PyPI's official website, yara has not been updated since 2014, but yara-python was released in 2020.

Step 1: install yara-python (yara.so)
pip install yara-python -i https://pypi.org/simple

Step 2: copy "python2.7\site-packages\yara.so" to ida\python\yara.so
The size is 410k, compared with 96k in 2014.

Success~

This IDA plugin (findcrypt) is very good!! I'm behind you.

issues on windows

IDA 7.5.201028
Windows 10
Python 3.8.2

I installed yara-python with pip, but every time I try to run it I end up with the following error message:

Traceback (most recent call last):
  File "C:/Program Files/IDA Pro 7.5/plugins/findcrypt3.py", line 60, in activate
    self.plugin.search()
  File "C:/Program Files/IDA Pro 7.5/plugins/findcrypt3.py", line 179, in search
    rules = yara.compile(filepaths=self.get_rules_files())
yara.Error: (2, 'No such file or directory')

The file paths for rules seem correct, what might be causing this issue?

Thanks.

Global atoa issue

Would really love to give the plugin a shot. Any help would be great!

The plugin doesn't run, with the following error:

  File "C:/Program Files/IDA 7.1/plugins/findcrypt3.py", line 108, in OnGetLine
    res = [atoa(res[0]), res[1], res[2]]
NameError: global name 'atoa' is not defined

Yara module cannot be found

IDA 7.7 with Python 3.11.2 issue:

X:\FIXXXER\Program Files\Analysis\HEX\IDA\IDA 77SP1\plugins\findcrypt3.py: No module named 'yara'
Traceback (most recent call last):
  File "X:\FIXXXER\Program Files\Analysis\HEX\IDA\IDA 77SP1\python\3\ida_idaapi.py", line 580, in IDAPython_ExecScript
    exec(code, g)
  File "X:/FIXXXER/Program Files/Analysis/HEX/IDA/IDA 77SP1/plugins/findcrypt3.py", line 9, in
    import yara
ModuleNotFoundError: No module named 'yara'

At the same time, the yara-python module is installed, but the yara module is not.

libyara.dll does not import in python38

Failed to import 'C:\Users\Win10Tools\Desktop\Misc\Re\IDA\IDA_Pro_7.7\python38\DLLs\libyara.dll'
PATH = C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Program Files\Python\Python38\Scripts\;C:\Program Files\Python\Python38\;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Program Files\Git\cmd;C:\Program Files\Microsoft VS Code\bin;C:\Program Files\Python\Python27\Scripts;C:\Users\Win10Tools\AppData\Local\Microsoft\WindowsApps;;C:\Users\Win10Tools\Desktop\Misc\Re\IDA\IDA_Pro_7.7\python38\DLLs
C:\Users\Win10Tools\Desktop\misc\Re\IDA\IDA_Pro_7.7\plugins\findcrypt3.py: Could not find module 'C:\Users\Win10Tools\Desktop\Misc\Re\IDA\IDA_Pro_7.7\python38\DLLs\libyara.dll' (or one of its dependencies). Try using the full path with constructor syntax.
Traceback (most recent call last):
  File "C:\Users\Win10Tools\Desktop\misc\Re\IDA\IDA_Pro_7.7\python\3\ida_idaapi.py", line 580, in IDAPython_ExecScript
    exec(code, g)
  File "C:/Users/Win10Tools/Desktop/misc/Re/IDA/IDA_Pro_7.7/plugins/findcrypt3.py", line 9, in <module>
    import yara
  File "C:\Users\Win10Tools\AppData\Roaming\Python\Python38\site-packages\yara\__init__.py", line 7, in <module>
    from yara.rules import compile
  File "C:\Users\Win10Tools\AppData\Roaming\Python\Python38\site-packages\yara\rules.py", line 17, in <module>
    from yara.libyara_wrapper import *
  File "C:\Users\Win10Tools\AppData\Roaming\Python\Python38\site-packages\yara\libyara_wrapper.py", line 315, in <module>
    libyaradll = cdll.LoadLibrary(library)
  File "ctypes\__init__.py", line 451, in LoadLibrary
  File "ctypes\__init__.py", line 373, in __init__
FileNotFoundError: Could not find module 'C:\Users\Win10Tools\Desktop\Misc\Re\IDA\IDA_Pro_7.7\python38\DLLs\libyara.dll' (or one of its dependencies). Try using the full path with constructor syntax.

However, the file exists under the path
C:\Users\Win10Tools\Desktop\Misc\Re\IDA\IDA_Pro_7.7\python38\DLLs\libyara.dll

Matching on immediates

Hello, first, thank you for publishing this, especially the huge database of signatures

I wanted to ask if you were still actively maintaining this and/or if you had any interest in implementing an additional method for searching, which I'll briefly describe. tl;dr: applying the signature checks to immediate loads directly into registers, to complement searching of memory.

I recently encountered a target (RISC-style fixed-width instruction set, proprietary embedded firmware) that makes a habit of loading crypto constants as immediates, e.g. for SHA1 and the constant 0x67452301 (along with other constants for SHA1, all in a single function):

movhi       r3, 0x6745
addi        r3, r3, 0x2301 # 0x67452301

Do you have any interest in supporting searching for matches in immediates like this? I believe the comment in this example was added via the CPU plugin for this architecture and is not otherwise a part of the IDB file/IDA analysis, so to do this properly one would have to either:

  1. Assume that these comments are present- the responsibility of the user to put into place in one way or another or...
  2. Perform the analysis in the plugin, looking for mov/add/sub instructions

The former is simpler as it requires no knowledge of the CPU architecture. The latter is by no means impossible, but would be somewhat architecture dependent I think, and may be beyond the scope of what you'd like to have as findcrypt functionality. However, a skeleton to allow the user to plug in the architecture-specific instructions used to accomplish these operations would still be immensely helpful

As far as whether this is worth your effort or not- I'm not sure how common this pattern is, though I'm sure it's present in other fixed-width instruction sets depending on how the code was written. Maybe it's not worth the effort for you and I'll have to write it myself for the few projects I've encountered this pattern on (which is fine)

Any interest in / do you have the time to add this as a feature? Or would you accept a PR?

Obviously this would really only be useful for signatures matching the width of a register for the target- 4 bytes for the general purpose registers in most cases, longer if using the various architecture-specific special registers. It would be possible to match across multiple registers if the instructions were consecutive, but this could get a bit more complicated, having to take into consideration the ordering of the constants, among other things

There are also some much more complicated patterns which I think would have to just be accepted as too much work to identify- e.g. where a register has some base value, and then multiple different constants are generated from it. The analysis for that really starts to go further beyond basic analysis of two consecutive immediate operations and would probably be best to accept as too much work for what may be a very limited/specialized case

Thanks again, this plugin has been a huge time-saver for me
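As an added illustration of the request above (my own code, not the issue author's and not part of findcrypt-yara): a Python pass that follows movhi/addi/subi/ori chains per register and reports when a register ends up holding a known SHA-1 initial-state word. The mnemonics, operand order, 16-bit immediate width and the listing itself are assumptions modelled on the snippet in the issue; the second pair shows the sign-extended low half that compilers emit for constants whose low 16 bits have the top bit set.

```python
import re

# Constants to look for: the five SHA-1 initial state words (FIPS 180-4).
CONSTANTS = {0x67452301: "SHA1_H0", 0xEFCDAB89: "SHA1_H1", 0x98BADCFE: "SHA1_H2",
             0x10325476: "SHA1_H3", 0xC3D2E1F0: "SHA1_H4"}

# Constructed listing in the style of the issue; r5 ends up holding a non-crypto value.
SAMPLE = """\
movhi       r3, 0x6745
addi        r3, r3, 0x2301 # 0x67452301
movhi       r4, 0xEFCE
addi        r4, r4, -0x5477 # low half is sign-extended, so the high half was bumped
movhi       r5, 0x1234
addi        r5, r5, 0x5678
stw         r3, 0(r5)
"""

INSN = re.compile(r"^\s*(\w+)\s*([^#;]*)")   # mnemonic, operands (comment stripped)

def scan_immediates(listing, constants=CONSTANTS, width=32):
    """Follow movhi/addi/subi/ori chains per register; report constants assembled."""
    mask = (1 << width) - 1
    regs, hits = {}, []
    for lineno, line in enumerate(listing.splitlines(), 1):
        m = INSN.match(line)
        ops = [o.strip() for o in m.group(2).split(",") if o.strip()] if m else []
        if not ops:
            continue
        mn, dst = m.group(1).lower(), ops[0]
        try:
            if mn == "movhi" and len(ops) == 2:
                regs[dst] = (int(ops[1], 0) << 16) & mask
            elif mn in ("addi", "subi", "ori") and len(ops) == 3 and ops[1] in regs:
                base, imm = regs[ops[1]], int(ops[2], 0)
                val = {"addi": base + imm, "subi": base - imm, "ori": base | imm}[mn]
                regs[dst] = val & mask
            else:
                # Conservative: treat any other instruction as clobbering its first
                # operand (even stores); a missed hit is preferable to a false one.
                regs.pop(dst, None)
                continue
        except ValueError:
            regs.pop(dst, None)       # operand was a register, not a literal
            continue
        if regs[dst] in constants:
            hits.append((lineno, dst, regs[dst], constants[regs[dst]]))
    return hits

if __name__ == "__main__":
    for lineno, reg, val, name in scan_immediates(SAMPLE):
        print(f"line {lineno}: {reg} = {val:#010x} ({name})")
```

The register width parameter is the limit the issue mentions: a single chain can only assemble one register's worth of a signature, so multi-word constants still need the memory search.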

How to install findcrypt on Mac?

  1. Plugins Path: /Applications/IDA Pro 7.0/idabin/plugins
  2. copy findcrypt* to Plugins Path
  3. pip install yara-python
  4. or sudo mv yara* /Library/Python/2.7/site-packages

IDA7.6 TypeError: 'yara.StringMatch' object is not subscriptable

Failed while executing plugin_t.run():
Traceback (most recent call last):
  File "D:/Android/RE_Tools/IDA7.6/plugins/findcrypt3.py", line 224, in run
    self.search()
  File "D:/Android/RE_Tools/IDA7.6/plugins/findcrypt3.py", line 180, in search
    values = self.yarasearch(memory, offsets, rules)
  File "D:/Android/RE_Tools/IDA7.6/plugins/findcrypt3.py", line 197, in yarasearch
    self.toVirtualAddress(string[0], offsets),
TypeError: 'yara.StringMatch' object is not subscriptable

Add rule to detect SHA256 constants

It'd be great to add a rule that detects SHA256 constants. From 41364427dee49bf544dcff61a6899b3b7e59852435e4107931e294079a42de7c:


I should be able to submit a PR next week, unless someone else beats me to it.
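Added example, not findcrypt's own code, covering both the two "'yara.StringMatch' object is not subscriptable" reports above and this SHA-256 rule request: it emits the requested rule for the SHA-256 initial hash values in both byte orders, reads match offsets from either the (offset, identifier, data) tuples that yara-python returned before 4.3 or the yara.StringMatch objects (with .identifier and .instances[].offset) it returns since, which is the change that breaks string[0], and maps a blob offset back to a virtual address. The segment table layout (va_start, blob_start, blob_end) is my own, not necessarily findcrypt's, and the SimpleNamespace objects are constructed stand-ins for yara's result objects so the block runs without yara installed.

```python
from types import SimpleNamespace

# SHA-256 initial hash values H0..H7 (FIPS 180-4).
SHA256_H = [0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
            0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19]

def sha256_yara_rule():
    """Rule text for the H constants in both byte orders; pass to yara.compile(source=...)."""
    out = ["rule SHA256_Constants {", "    strings:"]
    for i, h in enumerate(SHA256_H):
        for order in ("little", "big"):
            hexs = " ".join(f"{b:02X}" for b in h.to_bytes(4, order))
            out.append(f"        ${order[0]}h{i} = {{ {hexs} }}")  # $lh0 = little, $bh0 = big
    out += ["    condition:", "        4 of them", "}"]
    return "\n".join(out)

def match_offsets(match):
    """Yield (blob_offset, identifier) from one yara match, old or new yara-python."""
    for s in match.strings:
        if isinstance(s, tuple):      # yara-python < 4.3: (offset, identifier, data) tuples
            yield s[0], s[1]
        else:                         # yara-python >= 4.3: yara.StringMatch objects
            for inst in s.instances:
                yield inst.offset, s.identifier

def to_virtual_address(offset, segments):
    """segments: (va_start, blob_start, blob_end) per segment, in concatenation order."""
    for va_start, blob_start, blob_end in segments:
        if blob_start <= offset < blob_end:
            return va_start + (offset - blob_start)
    raise ValueError(f"blob offset {offset:#x} lies outside every segment")

def demo():
    """Constructed: the same two hits in both shapes must resolve to the same addresses."""
    segments = [(0x08000000, 0x0, 0x1000), (0x20000000, 0x1000, 0x1800)]  # .text, .data
    old_style = SimpleNamespace(strings=[(0x40, "$lh0", b""), (0x1010, "$bh1", b"")])
    new_style = SimpleNamespace(strings=[
        SimpleNamespace(identifier="$lh0", instances=[SimpleNamespace(offset=0x40)]),
        SimpleNamespace(identifier="$bh1", instances=[SimpleNamespace(offset=0x1010)])])
    return [sorted((to_virtual_address(o, segments), i) for o, i in match_offsets(m))
            for m in (old_style, new_style)]

if __name__ == "__main__":
    print(sha256_yara_rule())
    for hits in demo():
        print([(f"{va:#010x}", ident) for va, ident in hits])
```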
