yarascan fails to execute grep expression (attached)
Closed this issue · 4 comments
GoogleCodeExporter commented
If the following command line is executed on a Win7 Enterprise box using ver
2.4 of Volatility:
W:\VOL_Analysis_Scripts>volatility.exe yarascan -f MemoryDump.bin --yara-rules="(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\x2e(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\x2e(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\x2e(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)" --kernel --profile=WinXPSP2x86
Nothing is found. Note that if the MemoryDump.bin image used is mounted as a
memory dump under X-Ways Forensics and the exact same grep string (as above) is
used to perform a simultaneous search, thousands of matches are found.
So it appears that YaraScan has a problem parsing this grep expression to the
point where it can be executed successfully as a "yara-rules" command.
FEEDBACK: It would be very helpful if yarascan had a default option to search
for URLs and IPs such as --find_URLS and --find_IPs and output hits found as
single line ASCII strings (no HEX).
Bill Spernow
bill.spernow@securitymentors.com
Original issue reported on code.google.com by Bill.Spe...@gmail.com
on 3 Feb 2015 at 9:16
GoogleCodeExporter commented
Hi Bill, please note that yarascan is not a regular expression engine, it is a
yara engine. Yara accepts yara rules, which are not plain regular expressions.
Yara is capable of handling regular expressions, and you can find more
information on how to do so at [1]. To allow quick use of these features, we
allow regular expressions to be wrapped in /'s (so /<regexp>/), just like yara
regular expressions. The value itself is then inserted in a simple yara
"strings" rule. The same is true if a string literal is detected. The only
time we don't wrap everything in a strings rule is if a complete rule (starting
with {) is provided.
You might also find the strings plugin a simpler mechanism for locating strings
of a particular pattern in memory such as URLs or IPs, rather than having to
write complete yara rules.
I'm going to mark this issue as won't fix, since it's not a volatility issue,
and we try to mimic yara's syntax as closely as possible.
[1] http://yara.readthedocs.org/en/v3.2.0/writingrules.html#regular-expressions
Original comment by mike.auty@gmail.com
on 3 Feb 2015 at 11:27
- Changed state: WontFix
GoogleCodeExporter commented
Also, please file all new bugs on github as mentioned in issue 521.
Original comment by mike.auty@gmail.com
on 3 Feb 2015 at 11:28
GoogleCodeExporter commented
Hi Bill, also note that the yarascan plugin can accept a yara rules file (which
can, via include directives, include other yara rules files). So, instead of
searching for individual criteria one at a time, you can dump the regex (after
potentially fixing it to yara syntax) along with regexes for IPs, hostnames, AV
signatures, etc, into a rule file and then scan for them all at once.
By the way, yes, please file future issues at github...I'm surprised anyone saw
this issue.
Original comment by michael.hale@gmail.com
on 3 Feb 2015 at 11:43
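Added example, not Volatility's own code: a small Python emulation of the wrapping that mike.auty's comment describes (a complete rule is passed through, /regex/ is kept as a regex, anything else becomes a string literal inside a one-string rule) and of the multi-rule file michael.hale suggests. The functions build_rule, build_rules_file and emulate_scan, and the memory fragment SAMPLE, are constructed for this illustration; yara's matching is approximated with Python's re and bytes.find so the script runs without libyara, which also means the regex is not validated against yara's own syntax here.

```python
import re

# Bill's --yara-rules value from the original report, unchanged.
IP_REGEX = (r"(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\x2e"
            r"(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\x2e"
            r"(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\x2e"
            r"(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)")

# Constructed memory fragment standing in for MemoryDump.bin (not real data).
SAMPLE = (b"\x00\x00GET http://10.0.0.5/update HTTP/1.1\r\nHost: 192.168.1.20\x00"
          b"\x00\x00connect 8.8.8.8:53\x00\x00")


def build_rule(value, rule_name="r1"):
    """Turn a --yara-rules value into yara rule text the way the comment above
    describes it (an approximation, not Volatility's code): a value starting
    with '{' is passed through as a complete rule, /regex/ stays a regex, and
    anything else is quoted as a string literal."""
    if value.startswith("{"):
        return value
    if len(value) > 1 and value.startswith("/") and value.endswith("/"):
        decl = value
    else:
        decl = '"%s"' % value.replace("\\", "\\\\").replace('"', '\\"')
    return "rule %s { strings: $a = %s condition: $a }" % (rule_name, decl)


def build_rules_file(named_values):
    """Combine several --yara-rules style values (IPs, URLs, ...) into one
    rules file body so a single yarascan run covers them all."""
    return "\n".join(build_rule(v, name) for name, v in named_values.items())


def emulate_scan(value, data):
    """Approximate what the generated rule would match, using re for /regex/
    values and bytes.find for literals instead of libyara, so the example runs
    offline. Returns (offset, matched_text) pairs."""
    if len(value) > 1 and value.startswith("/") and value.endswith("/"):
        pat = re.compile(value[1:-1].encode())
        return [(m.start(), m.group(0).decode()) for m in pat.finditer(data)]
    literal, hits, pos = value.encode(), [], 0
    while True:
        pos = data.find(literal, pos)
        if pos < 0:
            return hits
        hits.append((pos, value))
        pos += 1


if __name__ == "__main__":
    # As typed in the issue (no slashes): the regex text becomes a string
    # literal, so nothing in memory matches it.
    print(build_rule(IP_REGEX))
    print("literal form hits:", emulate_scan(IP_REGEX, SAMPLE))
    # Wrapped in slashes it is inserted as a regex and finds the dotted quads.
    print(build_rule("/" + IP_REGEX + "/"))
    print("regex form hits:", emulate_scan("/" + IP_REGEX + "/", SAMPLE))
    # One rules file covering IPs and URLs at once, as suggested above.
    print(build_rules_file({"ipv4": "/" + IP_REGEX + "/",
                            "http_url": r"/https?:\/\/[^\s\x00]+/"}))
```

Running it shows the two generated rules side by side: the unslashed value is searched for as the literal text "(25[0-5]|..." and yields no hits, while the slashed value yields the three constructed addresses. To use a combined file with the real plugin, write the output of build_rules_file to disk and point yarascan at it instead of --yara-rules.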
GoogleCodeExporter commented
Thanks for the insight and guidance. Appreciate the help. FYI: I was confused
by the 4.2 Cheat Sheet for Volatility that seems to infer that, given the
examples provided, for search options for URLs and IPs that yarascan does have
full-blown grep capability. Also, nowhere in the book "Memory Forensics" is
there any advisement that yarascan's compatibilities are limited with respect
to running grep-like expressions as detailed in the bullets on page 211.
Original comment by Bill.Spe...@gmail.com
on 4 Feb 2015 at 2:58