GitHub - alexander-hanel/ida_yara: A python script that can be used to scan data within in an IDB using Yara.
Skip to content

A python script that can be used to scan data within in an IDB using Yara.

Notifications You must be signed in to change notification settings

alexander-hanel/ida_yara

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

8 Commits
 
 
 
 
 
 

Repository files navigation

ida_yara

A python script that can be used to scan data within in an IDB using Yara. The code mimics IDA's find_text and find_binary. The script creates the Yara signature based off of the search and its search flags.

Requirements

  • Yara 3+

Install

  • git clone https://github.com/alexander-hanel/ida_yara.git
  • cd ida_yara
  • python-x64/python setup.py install

Usage

Same as IDA's find_text and find_binary.

import ida_yara

ida_yara.yara_find_text(start_ea, y, x, ustr, sflag=0)

  • start_ea = offset to start from
  • x = set to 0 (ignored)
  • y = set to 0 (ignored)
  • ustr = string pattern to search for. If regex, the SEARCH_REGEX must be passed as a sflag
  • sflag = if blank, search, ascii, down and return all matches

ida_yara.yara_find_binary(start_ea, ubinstr, radix=16, sflag=0)

  • start_ea = offset to start from
  • ubinstr = binary search pattern
  • radix = set to 0 (ignored)
  • sflag = if blank, search, down and return all matches

Search Flags

  • SEARCH_UP = search up return single match
  • SEARCH_DOWN = search down return single match
  • SEARCH_UP|SEARCH_NEXT = return all up from ea with the order being closest to furthest
  • SEARCH_DOWN|SEARCH_DOWN = return all down from ea
  • SEARCH_DOWN = same as SEARCH_DOWN
  • SEARCH_UNICODE = search Unicode aka wide in Yara.
  • SEARCH_CASE = match case (not on by default)
  • SEARCH_BRK = ignored
  • SEARCH_IDENT = ignored
  • SEARCH_NOSHOW = ignored
  • SEARCH_NOBRK = ignored

Example

Binary Examples

Find all binary matches.

Python>ida_yara.yara_find_binary(here(), "56 8B",0)
[4199292L, 4199342L, 4200022L, 4203118L, 4203222L, 4204330L, 4204440L, 4204738L, 4205547L, 4205635L, 4205875L, 4206910L, 4207410L, 4207546L, 4208954L, 4209628L, 4209727L, 4212087L, 4212106L, 4212213L, 4212894L, 4212941L, 4213550L, 4213625L, 4213666L, 4213764L, 4213863L, 4215527L, 4215775L, 4215889L, 4215964L, 4216043L, 4216878L, 4216942L, 4217056L, 4217606L, 4218252L, 4218508L, 4222795L, 4222931L]

Find single match above single offset.

Python>ida_yara.yara_find_binary(here(), "56 8B",0, SEARCH_UP)
4212894

Find all matches above offset. Order is closest to furthest.

Python>ida_yara.yara_find_binary(here(), "56 8B",0, SEARCH_UP|SEARCH_NEXT)
[4212213L, 4212106L, 4212087L, 4209727L, 4209628L, 4208954L, 4207546L, 4207410L, 4206910L, 4205875L, 4205635L, 4205547L, 4204738L, 4204440L, 4204330L, 4203222L, 4203118L, 4200022L, 4199342L, 4199292L]

Find single match below offset.

Python>ida_yara.yara_find_binary(here(), "56 8B",0, SEARCH_DOWN)
4212894

Find all matches below offset.

Python>ida_yara.yara_find_binary(here(), "56 8B",0, SEARCH_DOWN|SEARCH_NEXT)
[4212894L, 4212941L, 4213550L, 4213625L, 4213666L, 4213764L, 4213863L, 4215527L, 4215775L, 4215889L, 4215964L, 4216043L, 4216878L, 4216942L, 4217056L, 4217606L, 4218252L, 4218508L, 4222795L, 4222931L]

Text Examples

Find all ASCII text matches.

Python>ida_yara.yara_find_text(here(), 0,0, "Error")
[4228680L, 4228693L, 4228704L, 4231797L]

The same SEARCH_* flags can be used for text and regex also.

Python>ida_yara.yara_find_text(here(), 0,0, "Error", SEARCH_UP)
4228680

Find all UNICODE text matches.

Python>ida_yara.yara_find_text(here(), 0,0, "Error", SEARCH_UNICODE)
[4229044L]

Regex Example

Find all text that match a regex.

Python>ida_yara.yara_find_text(here(), 0,0, "Err..", SEARCH_NEXT|SEARCH_DOWN|SEARCH_REGEX )
[4228680L, 4228693L, 4228704L, 4231611L, 4231797L]

Notes

  • Very little error handling
  • IDA's search is not case-sensitive by default. This code is also not case-sensitive by default.
  • I tried to match IDA arguments so some args do nothing but still need to be populated.
  • Much faster than IDA's search because the data is not constantly loaded.
  • If you edit the IDB, execute reload_yara_mem to resync the memory.

Acknowledgments

  • Thanks to Daniel Plohmann for writing code that allowed me not to think about converting Yara match offsets to IDA virtual addresses.
  • Thanks to HexRays for the support!

About

A python script that can be used to scan data within in an IDB using Yara.

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages