An experimental script to perform bulk parsing of arbitrary file features with YARA and console logging.

Related tags

Security related resourcesRonnieColemanYARAParser
Overview

RonnieColemanYARAParser

This script is named after Ronnie Coleman, and peforms bulk lifts on arbitary file features using YARA console logging.

asciicast

Requirements

Notes

This was really designed for me to bulk build an on-demand table for file features I wanted, and to see the values I specified using YARA's own technology. This allows me to quickly view, stack, organize the "surface area" of a file so I can turn around with the ones I want and create YARA rules. This is a terrible script and bad python, does basically no input checking and no error handling, so beware that it will get jacked up if you try to do crazy things.

  • Start with PE features, things from modules, and top-level (non array) things that are easily parsed out by YARA.
  • hash.md5 - this is the only hashing thing I included, it would probably be better not to do this at all, but c'est la vie
  • If something doesnt work because of your terminal or whatever, maybe try putting it in quotes so argparse can do its thing
  • Things I like: hash.md5, filesize, pe.timestamp pe.dll_name, pe.export_timestamp, pe.pdb_path, etc
  • Go shop around in the manual for more good ones (https://yara.readthedocs.io/en/stable/modules/pe.html)

Usage Examples

ronnie.py -t hash.md5 filesize pe.timestamp pe.dll_name  -p ~/yarafiddling/samps -s pe.dll_name

ronnie.py -t hash.md5 filesize pe.timestamp pe.entry_point --path ~/yarafiddling/samps

ronnie.py -t hash.md5 filesize pe.timestamp "uint16be(0)" --path ~/yarafiddling/samps --sort pe.timestamp

Full Output Example

CTO-MBP\steve >> % python3 ronnie.py -t hash.md5 "uint16be(60)" filesize pe.timestamp pe.dll_name  --path ~/yarafiddling/samps --sort pe.timestamp                   

[Bleep Blop Directory] Folder scanned: /Users/steve/yarafiddling/samps

[:great-job:] LIGHT WEIGHT! Heres the sorted table:

+----------------------------------+----------------+----------+----------------------------------+--------------------------+
| hash.md5                         | uint16be(60)   | filesize | pe.timestamp                     | pe.dll_name              |
+----------------------------------+----------------+----------+----------------------------------+--------------------------+
| 0d7cefb89b6d31ab784bd4e0b0f0eaad | 0x1700 (5888)  | 6427399  |                                  |                          |
| 3a5a7ced739923f929234beefcef82b5 | 0xe00 (3584)   | 10608640 |                                  |                          |
| 77c73b8b1846652307862dd66ec09ebf | 0xf800 (63488) | 509952   |                                  |                          |
| 5bd5605725ec34984efbe81f8d39507a | 0x1 (1)        | 102912   | 1999-10-21 00:49:30 (940481370)  |                          |
| 802a7c343f0d58052800dd64e0c911cf | 0xe800 (59392) | 36528    | 2011-01-13 12:33:11 (1294939991) |                          |
| 91456bf6edbf9a24a1423bcbd6c7a5fe | 0xe800 (59392) | 35014    | 2011-01-16 08:28:36 (1295184516) |                          |
| c2d07d954f6e6126a784e7770ad32643 | 0xf000 (61440) | 914600   | 2018-11-07 04:59:27 (1541584767) | QuickSearchFile.dll      |
| 3ecfc67294923acdf6bd018a73f6c590 | 0xe000 (57344) | 71168    | 2020-04-12 16:57:49 (1586725069) |                          |
| 837ed1ac9dbae2d8ec134c28481e4a10 | 0x8000 (32768) | 56320    | 2021-03-19 08:17:39 (1616156259) |                          |
| e9d7ea2dd867d6f6de4a69aead9312e9 | 0x801 (2049)   | 241664   | 2021-04-30 13:10:02 (1619802602) | codecpacks.webp.exe      |
| c6e1e2b2ed1c962e82239dfcd81999f7 | 0xf000 (61440) | 601088   | 2070-05-29 07:31:01 (3168588661) | EnterpriseAppMgmtSvc.dll |
| 2689c5357ddcc8434dd03d99a3341873 | 0xf000 (61440) | 474112   | 2086-08-04 04:03:21 (3679286601) | FfuProvider.DLL          |
+----------------------------------+----------------+----------+----------------------------------+--------------------------+

TO DO

  • Make it so you can see the file name of the matched file
  • Better error handling etc.
Owner
Steve
braggadocio here
Steve
GitHub Repository
Notebooks, slides and dataset of the CorrelAid Machine Learning Winter School

CorrelAid Machine Learning Spring School Welcome to the CorrelAid ML Spring School! In this repository you can find the slides and other files for the

CorrelAid 12 Nov 23, 2022
Hack any account sending fake nitro QR code (only for educational purpose)

DISCORD_ACCOUNT_HACKING_TOOL ( EDUCATIONAL PURPOSE ) Hack any account sending fake nitro QR code (only for educational purpose) Start my program token

Novy 7 Jan 07, 2022
PassLock is a medium-security password manager that encrypts passwords using Advanced Encryption Standards (AES)

A medium security python password manager that encrypt passwords using Advanced Encryption Standard (AES) PassLock is a password manager and password

Akshay Vs 44 Nov 18, 2022
Virus-Builder - This tool will generate a virus that can only destroy Windows computer

Virus-Builder - This tool will generate a virus that can only destroy Windows computer. You can also configure to auto run in usb drive

Saad 16 Dec 30, 2022
Fetch Chrome, Firefox, WiFi password and system info

DISCLAIMER : OUR TOOLS ARE FOR EDUCATIONAL PURPOSES ONLY. DON'T USE THEM FOR ILLEGAL ACTIVITIES. YOU ARE THE ONLY RESPONSABLE FOR YOUR ACTIONS! OUR TO

Genos 59 Nov 17, 2022
Open Source Intelligence gathering tool aimed at reducing the time spent harvesting information from open sources.

The Recon-ng Framework Recon-ng content now available on Pluralsight! Recon-ng is a full-featured reconnaissance framework designed with the goal of p

2.4k Jan 07, 2023
Cowrie SSH/Telnet Honeypot https://cowrie.readthedocs.io

Cowrie Welcome to the Cowrie GitHub repository This is the official repository for the Cowrie SSH and Telnet Honeypot effort. What is Cowrie Cowrie is

Cowrie 4.1k Jan 09, 2023
Data Recovery from your broken Android phone

Broken Phone Recovery a guide how to backup data from your locked android phone if you broke your screen (and more) you can skip some steps depending

v1nc 25 Sep 23, 2022
Privilege escalation with polkit - CVE-2021-3560

Polkit-exploit - CVE-2021-3560 Privilege escalation with polkit - CVE-2021-3560 Summary CVE-2021-3560 is an authentication bypass on polkit, which all

Ahmad Almorabea 95 Dec 27, 2022
proof-of-concept running docker container from omero web

docker-from-omero-poc proof-of-concept running docker container from omero web How-to Edit test_script.py so that the BaseClient is created pointing t

Erick Martins Ratamero 2 Jan 22, 2022
OpenTOTP is yet another time-based, one-time passwords (OTPs) generator/verifier inspired by RFC 6238.

OpenTOTP is yet another time-based, one-time passwords (OTPs) generator/verifier inspired by RFC 6238. It generates and validates OTPs based

1 Nov 15, 2021
evtx-hunter helps to quickly spot interesting security-related activity in Windows Event Viewer (EVTX) files.

Introduction evtx-hunter helps to quickly spot interesting security-related activity in Windows Event Viewer (EVTX) files. It can process a high numbe

NVISO 116 Dec 29, 2022
This is a Cryptographied Password Manager, a tool for storing Passwords in a Secure way

Cryptographied Password Manager This is a Cryptographied Password Manager, a tool for storing Passwords in a Secure way without using external Service

Francesco 3 Nov 23, 2022
TightVNC Vulnerability.

CVE-2022-23967 In TightVNC 1.3.10, there is an integer signedness error and resultant heap-based buffer overflow in InitialiseRFBConnection in rfbprot

MaherAzzouzi 15 Jul 11, 2022
MongoDB-Injection - This challenge-script is custom-made for web-server running MongoDB which is vulnerable to No-SQL injection

MongoDB-Injection Cheesy Multi-threaded script for NoSQL Injection This challeng

Caretaker 2 Jun 06, 2022
A BurpSuite extension to parse 5GC NF OpenAPI 3.0 files to assess 5G core networks

5GC_API_parse Description 5GC API parse is a BurpSuite extension allowing to assess 5G core network functions, by parsing the OpenAPI 3.0 not supporte

PentHertz 57 Dec 16, 2022
This script allows you to make a onion host instantly.

Installation It only works in Debian based Linux distros. Clone the repo: git clone https://github.com/0xStevenson/Auto-Tor-Host.git Go to the direct

Steven 4 Feb 22, 2022
BF-Hash - A Python Tool to decrypt hashes by brute force

BF-Hash Herramienta para descifrar hashes por fuerza bruta InstalaciĆ³n git clone

5 Apr 09, 2022
The First Python Compatible Camera Hacking Tool

ZCam Hack webcam using python by sending malicious link. FEATURES : [+] Real-time Camera hacking [+] Python compatible [+] URL Shortener using bitly [

Sanketh J 109 Dec 28, 2022
A wordlist generator tool, that allows you to supply a set of words, giving you the possibility to craft multiple variations from the given words, creating a unique and ideal wordlist to use regarding a specific target.

A wordlist generator tool, that allows you to supply a set of words, giving you the possibility to craft multiple variations from the given words, creating a unique and ideal wordlist to use regardin

Cycurity 39 Dec 10, 2022