SANS ISC: Internet Storm Center - SANS Internet Storm Center Internet Storm Center



YARA's XOR Modifier

Published: 2019-10-14
Last Updated: 2019-10-14 18:21:53 UTC
by Didier Stevens (Version: 1)
0 comment(s)

YARA searches for strings inside files. Strings to search for are defined with YARA rules.

With the release of YARA 3.8.0, support for searching for XOR encoded strings was introduced. By adding the modifier xor to the definition of a string, YARA 3.8.0 would search for strings that were XOR encoded, with a single-byte key, ranging from 1 to 255.

Here is an example of a string with xor modifier.

    rule xor_test {
        strings:
            $a = "https://isc.sans.edu" xor
        condition:
            $a
    }

This YARA version's xor modifier would not match unencoded strings.

Apparently, that was not the intended behavior, and it was fixed in version 3.10.0.

The same rule would now also match unencoded strings.

With the latest version of YARA, 3.11.0, a YARA rule developer now has control over which XOR key range is used by the xor modifier.

This is done by specifying an optional minimum-key - maximum-key range after the xor modifier, like this: xor(min-max).

The following rule has an xor modifier with key range 0x01-0xFF (minimum/maximum keys can be specified with decimal or hexadecimal values).

    rule xor_test {
        strings:
            $a = "https://isc.sans.edu" xor(0x01-0xFF)
        condition:
            $a
    }

This rule will not match unencoded strings, because key 0x00 (which leaves the string unchanged) is excluded from the range.
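To make the behavior of the three YARA versions concrete, here is a small Python model of what the xor modifier does for a single-byte key. It is an added example, not YARA's own code: it XOR-encodes the search string with every key in a range and looks for each encoded variant in a buffer. Key 0 is the identity, which is exactly why a bare xor (3.10.0 and later) matches the unencoded string while xor(0x01-0xFF) does not. The function and variable names, and the sample buffer, are constructed for this illustration.

```python
"""Model of YARA's xor string modifier (added example, not YARA's code)."""


def xor_encode(data: bytes, key: int) -> bytes:
    """XOR every byte of data with one single-byte key (0-255)."""
    if not 0 <= key <= 255:
        raise ValueError("single-byte key expected")
    return bytes(b ^ key for b in data)


def find_xor_string(buf: bytes, needle: str, key_min: int = 0, key_max: int = 255) -> list:
    """Return sorted (offset, key) pairs where `needle`, XOR-encoded with any
    key in [key_min, key_max], occurs in `buf`.

    Key 0 leaves the needle unchanged, so a range that starts at 0 also
    matches the plaintext (like a bare `xor` in YARA >= 3.10.0). A range of
    1-255 behaves like YARA 3.8.0 and like `xor(0x01-0xFF)` in 3.11.0.
    """
    pattern = needle.encode()
    hits = []
    for key in range(key_min, key_max + 1):
        enc = xor_encode(pattern, key)
        start = 0
        while True:
            idx = buf.find(enc, start)
            if idx == -1:
                break
            hits.append((idx, key))
            start = idx + 1  # keep scanning for further occurrences
    return sorted(hits)


# Constructed sample buffer: the URL once in clear at offset 8, then the
# same URL XOR-encoded with key 0x5A at offset 32, surrounded by filler.
URL = "https://isc.sans.edu"
SAMPLE = (
    b"\x00" * 8
    + URL.encode()
    + b"\x00" * 4
    + xor_encode(URL.encode(), 0x5A)
    + b"\xff" * 8
)


def demo():
    """Run both modifier variants over the sample and return their hits."""
    bare = find_xor_string(SAMPLE, URL)             # models `xor` (3.10.0+)
    ranged = find_xor_string(SAMPLE, URL, 1, 255)   # models `xor(0x01-0xFF)`
    return bare, ranged


if __name__ == "__main__":
    bare_hits, ranged_hits = demo()
    print("xor            :", bare_hits)    # includes the plaintext hit with key 0
    print("xor(0x01-0xFF) :", ranged_hits)  # only the encoded occurrence
```

Running it shows the plaintext occurrence reported with key 0 under the bare modifier and absent once the range starts at 1, which is the difference between the two rules above.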


Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

Keywords: xor yara