Escolar Documentos
Profissional Documentos
Cultura Documentos
/usr/bin/env python
# encoding: utf-8
#
# Tested on Linux (Ubuntu), Windows XP/7, and Mac OS X
#
"""
clamav_to_yara.py
import sys
import os
import re
from optparse import OptionParser
def main():
parser = OptionParser()
parser.add_option("-f", "--file", action="store", dest="filename",
type="string", help="scanned FILENAME")
parser.add_option("-o", "--output-file", action="store", dest="outfile",
type="string", help="output filename")
parser.add_option("-v", "--verbose", action="store_true", default=False,
dest="verbose", help="verbose")
parser.add_option("-s", "--search", action="store", dest="search",
type="string", help="search filter", default="")
if opts.filename == None:
parser.print_help()
parser.error("You must supply a filename!")
if not os.path.isfile(opts.filename):
parser.error("%s does not exist" % opts.filename)
if opts.outfile == None:
parser.print_help()
parser.error("You must specify an output filename!")
yara_rule = """
rule %s
{
strings:
%s
condition:
%s
}
"""
rules = {}
output = ""
data = open(opts.filename, 'rb').readlines()
if matches:
for match in matches:
#print "\t\tfound %s" % (match[1])
start = int(match[1])
jump_regex = re.compile('(\{(%d)-\})' %
(start))
if (start < 256):
#print "\t\t\tfound short jump of
len %d" % (start)
signature =
jump_regex.sub('[0-\g<2>]', signature)
else:
#print "\t\t\tfound long jump,
replacing with '*'"
signature = jump_regex.sub('*',
signature)
# {n-m} is n to m bytes
# need to make sure it's not bigger than 255,
# and the high bound cannot exceed 255
# if it is we'll treat it like a '*'
jump_regex = re.compile('(\{(\d+)-(\d+)\})')
matches = jump_regex.findall(signature)
if matches:
for match in matches:
#print "\t\tfound %s - %s" % (match[1],
match[2])
start = int(match[1])
end = int(match[2])
jump_regex = re.compile('(\{(%d)-(%d)\})' %
(start, end))
if (end - start == 0):
if opts.verbose:
print "\t**Skip nothing,
impossible!**"
signature = jump_regex.sub('',
signature)
elif (end - start < 256) and (end < 256):
#print "\t\t\tfound short jump of
len %d" % (end - start)
signature =
jump_regex.sub('[\g<2>-\g<3>]', signature)
else:
#print "\t\t\tfound long jump,
replacing with '*'"
signature = jump_regex.sub('*',
signature)
# {n} bytes
# here we must also enforce the 255 byte maximum jump
# that YARA can handle
jump_regex = re.compile('(\{(\d+)\})')
matches = jump_regex.findall(signature)
if matches:
for match in matches:
#print "\t\tfound %s" % (match[1])
start = int(match[1])
jump_regex = re.compile('(\{(%d)\})' %
(start))
if start < 256:
#print "\t\t\tfound short jump of
len %d" % (start)
signature =
jump_regex.sub('[\g<2>]', signature)
else:
#print "\t\t\tfound long jump,
replacing with '*'"
signature = jump_regex.sub('*',
signature)
rules[rulename].append(part.strip())
else:
if signature[0] != '(':
rules[rulename].append(signature.strip())
if len(output) > 0:
print "\r\n[+] Wrote %d rules to %s\r\n" % (len(rules),
opts.outfile)
fout = open(opts.outfile, 'wb')
fout.write(output)
fout.close()
else:
print "\r\n**Could not find any signatures to convert!!!**\r\n"
if __name__ == '__main__':
print "\n" + '#' * 75
print "\t" + "Malware Analyst's Cookbook - ClamAV to YARA Converter 0.0.1"
print "\n" + '#' * 75, "\n"
main()