Greg Lesnewich

@glesnewich@infosec.exchange
158 Followers
146 Following
371 Posts
Rubba Dub GitTub: https://github.com/g-les

#100DaysofYARA

In search for some inspiration, I scrolled through https://www.garykessler.net/library/file_sigs.html and font files piqued my interest. I'll start with a generic rule for the OpenType font format. It is, as one might expect starting with "Open" and all, a registered trademark of Microsoft. This signature matches on the file magic and then puts some sensible boundaries in place that I've observed in font files on my local installation.

```
rule OpenTypeFontFile {
    meta:
        description = "Generic signature for the OpenType font format, excludes some unexpected but valid files to reduce false-positive rate"
        author = "@larsborn"
        date = "2024-03-10"
        reference = "https://en.wikipedia.org/wiki/OpenType"
        example_hash = "09bcc57b0f2b1518758831018922eadb2b3f279b56d13e1ba9aae04c1927a763"
        DaysofYARA = "26/100"
    condition:
        uint32be(0) == 0x4f54544f                    // sfnt tag "OTTO" (CFF-based OpenType)
        and 4 < uint16be(4) and uint16be(4) < 100    // numTables: sensible range for table count
        and uint16be(6) & 0xf == 0                   // searchRange: a power of two times 16, so divisible by 16
}
```

https://github.com/100DaysofYARA/2024/pull/155

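An added example, not part of @larsborn's rule or the 100DaysofYARA repository: the same 12-byte sfnt table directory parsed in Python, with searchRange, entrySelector and rangeShift compared against the values the sfnt layout derives from numTables. The rule only checks that searchRange is divisible by 16; the constructed TAMPERED_OTTO header below passes that check with a value that is not a valid searchRange. Both headers are built inline and are not taken from real fonts.

```python
import struct

# Constructed sample (not from a real font): a 12-byte table directory for a
# CFF-flavoured OpenType file with 9 tables. The sfnt layout derives the other
# three fields from numTables: searchRange = 16 * 2^floor(log2(9)) = 128,
# entrySelector = 3, rangeShift = 9 * 16 - 128 = 16. No table records follow.
SAMPLE_OTTO = struct.pack(">4sHHHH", b"OTTO", 9, 128, 3, 16)

# Same header with searchRange changed to 112 (= 7 * 16): still divisible by 16,
# so the rule's "& 0xf == 0" check accepts it, but 112 is not a valid searchRange.
TAMPERED_OTTO = struct.pack(">4sHHHH", b"OTTO", 9, 112, 3, 16)

SFNT_TAGS = (b"OTTO", b"\x00\x01\x00\x00", b"true")  # CFF, TrueType, Apple TrueType


def expected_directory_fields(num_tables: int) -> tuple:
    """Return (searchRange, entrySelector, rangeShift) as the sfnt layout defines them."""
    if num_tables == 0:
        return (0, 0, 0)
    entry_selector = num_tables.bit_length() - 1      # floor(log2(numTables))
    search_range = (1 << entry_selector) * 16         # largest power of two <= numTables, times the 16-byte record size
    range_shift = num_tables * 16 - search_range
    return (search_range, entry_selector, range_shift)


def parse_otf_directory(data: bytes) -> dict:
    """Parse the sfnt table directory header and report whether its derived fields are consistent."""
    if len(data) < 12:
        raise ValueError("too short for an sfnt table directory")
    tag, num_tables, search_range, entry_selector, range_shift = struct.unpack(">4sHHHH", data[:12])
    if tag not in SFNT_TAGS:
        raise ValueError("not an sfnt header: %r" % tag)
    consistent = (search_range, entry_selector, range_shift) == expected_directory_fields(num_tables)
    return {
        "tag": tag,
        "numTables": num_tables,
        "searchRange": search_range,
        "entrySelector": entry_selector,
        "rangeShift": range_shift,
        "consistent": consistent,
    }


def yara_rule_would_match(data: bytes) -> bool:
    """Python transcription of the OpenTypeFontFile condition above."""
    return (
        len(data) >= 8
        and data[:4] == b"OTTO"
        and 4 < struct.unpack(">H", data[4:6])[0] < 100
        and struct.unpack(">H", data[6:8])[0] & 0xF == 0
    )


if __name__ == "__main__":
    for name, blob in (("sample", SAMPLE_OTTO), ("tampered", TAMPERED_OTTO)):
        info = parse_otf_directory(blob)
        print(name, "rule matches:", yara_rule_would_match(blob), "fields consistent:", info["consistent"])
```

The parser also accepts the 0x00010000 and "true" sfnt tags; the rule leaves those out on purpose, so the transcription keeps the "OTTO" restriction.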

#100DaysofYARA

My take on Dalvik (.dex) files. Tried to cover a bit more than the usual `"dex\n"` file magic by including checks for the following 4 bytes (3 need to be numeric followed by a `"\0"`) and finally a check for the filesize at `0x20`.

```
rule Dalvik {
    meta:
        description = "Dalvik (dex) compiled files"
        author = "@larsborn"
        date = "2024-02-18"
        reference = "https://source.android.com/docs/core/runtime/dex-format"
        example_hash = "f8718170a98298e56a962e1f12e34c1190535fc93a2523fe1be345db4631e788"
        DaysofYARA = "23/100"
    condition:
        uint32be(0) == 0x6465780a                  // "dex\n"
        and for all i in ( 1 .. 3 ) : (            // version: three ASCII digits at offsets 4..6
            uint8(3 + i) >= 0x30 and uint8(3 + i) <= 0x39
        )
        and uint8(7) == 0x00                       // terminating null byte "\0"
        and uint32(0x20) == filesize               // file_size header field (little-endian)
}
```

https://github.com/100DaysofYARA/2024/pull/145

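An added example, not from the post or from the Android project: a Python check of the same dex header fields plus the two integrity fields the rule skips, the Adler-32 checksum at offset 0x08 (over everything from offset 0x0c) and the SHA-1 signature at offset 0x0c (over everything from offset 0x20), as the dex-format reference linked above defines them. The sample dex is constructed inline with every section count set to zero; it is a valid header with no code behind it, not a real app.

```python
import hashlib
import struct
import zlib

DEX_HEADER_SIZE = 0x70
DEX_ENDIAN_CONSTANT = 0x12345678


def build_sample_dex(payload: bytes = b"\x00" * 16, version: bytes = b"035") -> bytes:
    """Constructed minimal dex: a 0x70-byte header (all section sizes/offsets zero)
    followed by `payload`, with correct file_size, SHA-1 signature and Adler-32 checksum."""
    file_size = DEX_HEADER_SIZE + len(payload)
    # Everything from offset 0x20 onwards: file_size, header_size, endian_tag,
    # the 17 zeroed size/offset fields (0x2c..0x70), then the payload.
    tail = struct.pack("<III", file_size, DEX_HEADER_SIZE, DEX_ENDIAN_CONSTANT) + b"\x00" * 68 + payload
    signature = hashlib.sha1(tail).digest()        # signature covers offset 0x20 .. EOF
    body = signature + tail                        # body starts at offset 0x0c
    checksum = zlib.adler32(body) & 0xFFFFFFFF     # checksum covers offset 0x0c .. EOF
    return b"dex\n" + version + b"\x00" + struct.pack("<I", checksum) + body


def check_dex(data: bytes) -> dict:
    """Run the rule's checks plus the header's own integrity fields."""
    result = {
        "magic": False, "version": None, "file_size_ok": False,
        "header_size_ok": False, "endian_ok": False,
        "checksum_ok": False, "signature_ok": False,
    }
    if len(data) < DEX_HEADER_SIZE or data[:4] != b"dex\n":
        return result
    result["magic"] = True
    version = data[4:8]
    if version[:3].isdigit() and version[3] == 0:   # three digits + NUL, as in the rule
        result["version"] = version[:3].decode("ascii")
    (checksum,) = struct.unpack_from("<I", data, 0x08)
    signature = data[0x0C:0x20]
    file_size, header_size, endian_tag = struct.unpack_from("<III", data, 0x20)
    result["file_size_ok"] = file_size == len(data)
    result["header_size_ok"] = header_size == DEX_HEADER_SIZE
    result["endian_ok"] = endian_tag == DEX_ENDIAN_CONSTANT
    result["checksum_ok"] = (zlib.adler32(data[0x0C:]) & 0xFFFFFFFF) == checksum
    result["signature_ok"] = hashlib.sha1(data[0x20:]).digest() == signature
    return result


def tamper(data: bytes, offset: int) -> bytes:
    """Flip one byte, to show which checks notice an edit that keeps the size intact."""
    return data[:offset] + bytes([data[offset] ^ 0xFF]) + data[offset + 1:]


if __name__ == "__main__":
    sample = build_sample_dex()
    print(check_dex(sample))
    print(check_dex(tamper(sample, len(sample) - 1)))
```

A one-byte edit in the payload keeps file_size correct, so the rule still matches; only the checksum and signature fields give it away, which is why a triage script should recompute both rather than trust the size field alone.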

Virus Total have released a (new?) cheat sheet for their Live Hunt YARA service, which requires the use of their custom "vt" YARA module:

https://assets.virustotal.com/reports/livehunt-cheatsheet.pdf

The original Virus Total Intelligence cheat sheet is available at:

https://storage.googleapis.com/vtpublic/reports/VTI%20Cheatsheet.pdf

#100DaysofYara #malwareanalysis

#100DaysofYARA

Let's cover more ground in the Android realm: this rule matches on Java .class files while making sure that the constant pool of those files is within sane boundaries. Feel free to negate those checks to find weird .class files instead.

```
rule JavaClass {
    meta:
        description = "Java class file with a sane constant pool and the first constant being printable"
        author = "@larsborn"
        date = "2024-02-18"
        reference = "https://en.wikipedia.org/wiki/Java_class_file"
        example_hash = "158a19eb94aa2f3e2f459db69ee10276c73b945dd6c5f8fc223cf2d85e2b5e33"
        DaysofYARA = "24/100"
    condition:
        uint32be(0) == 0xcafebabe
        and uint16be(6) & 0xff >= 43                       // major_version
        and 3 < uint16be(8) and uint16be(8) <= 3000        // constant_pool_count: sane bounds
        and 3 < uint16be(11) and uint16be(11) <= 300       // length of the first constant, assumed to be CONSTANT_Utf8 (tag at offset 10)
        and for all i in ( 1 .. uint16be(11) ) : (         // every byte of the first constant is printable ASCII
            0x20 <= uint8(12 + i) and uint8(12 + i) < 127
        )
}
```

https://github.com/100DaysofYARA/2024/pull/149


#100DaysofYARA

Kotlin is a programming language designed to completely interoperate with Java and the JVM. It is often used within Android applications and this rule matches on the file name `DebugProbesKt.bin` within an Android application which seems to be characteristic of Kotlin.

```
rule AndroidKotlinDebugProbesKt {
    meta:
        description = "Kotlin artifact needed to enable the builtin support for coroutines debugger in IDEA (DebugProbesKt.bin)"
        author = "@larsborn"
        date = "2024-02-18"
        reference = "TODO"
        example_hash = "158a19eb94aa2f3e2f459db69ee10276c73b945dd6c5f8fc223cf2d85e2b5e33"
        DaysofYARA = "25/100"
    strings:
        $constant = "kotlin/coroutines/jvm/internal/DebugProbesKt"
    condition:
        uint32be(0) == 0xcafebabe
        and uint16be(6) & 0xff >= 43                       // major_version
        and 3 < uint16be(8) and uint16be(8) <= 3000        // constant_pool_count: sane bounds
        and uint16be(11) == 44                             // length of the first constant == len($constant)
        and for all i in ( 1 .. uint16be(11) ) : (         // every byte of the first constant is printable ASCII
            0x20 <= uint8(12 + i) and uint8(12 + i) < 127
        )
        and $constant at 13                                // Utf8 bytes start right after the 1-byte tag and 2-byte length
}
```

https://github.com/100DaysofYARA/2024/pull/149

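An added example, not the author's code: a Python walk of the class file constant pool, run over a constructed minimal class whose only constants are a Utf8 name and a Class entry pointing at it. It resolves this_class through the pool instead of assuming, as both rules above do, that the entry at offset 10 is a CONSTANT_Utf8 whose length sits at offset 11, and it shows that a tag check is what separates the two cases when the Class entry comes first. The class bytes are built inline; they are not the file from the example hash.

```python
import struct

# Payload size (after the 1-byte tag) of each fixed-size constant pool entry.
# Tag 1 (CONSTANT_Utf8) is variable-length: u2 length followed by that many bytes.
CP_FIXED_SIZES = {
    7: 2, 8: 2, 16: 2, 19: 2, 20: 2,          # Class, String, MethodType, Module, Package
    3: 4, 4: 4,                               # Integer, Float
    9: 4, 10: 4, 11: 4, 12: 4, 17: 4, 18: 4,  # Fieldref, Methodref, InterfaceMethodref, NameAndType, Dynamic, InvokeDynamic
    15: 3,                                    # MethodHandle
    5: 8, 6: 8,                               # Long, Double (each occupies two pool slots)
}


def build_sample_class(class_name: bytes, major: int = 52, utf8_first: bool = True) -> bytes:
    """Constructed minimal class file: magic, version, a two-entry constant pool
    (Utf8 name + Class entry), no interfaces, fields, methods or attributes.
    utf8_first=False puts the Class entry first, which javac never emits but the format allows."""
    utf8 = struct.pack(">BH", 1, len(class_name)) + class_name
    if utf8_first:
        cp, this_class = utf8 + struct.pack(">BH", 7, 1), 2
    else:
        cp, this_class = struct.pack(">BH", 7, 2) + utf8, 1
    header = struct.pack(">IHHH", 0xCAFEBABE, 0, major, 3)                 # constant_pool_count = entries + 1
    rest = struct.pack(">HHHHHHH", 0x0021, this_class, 0, 0, 0, 0, 0)      # flags, this, super, four zero counts
    return header + cp + rest


def parse_class_header(data: bytes) -> dict:
    """Walk the constant pool properly instead of assuming offset 10 holds a Utf8 entry."""
    magic, minor, major, cp_count = struct.unpack_from(">IHHH", data, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file")
    pool = [None]                # index 0 is unused in the class file format
    off, i = 10, 1
    while i < cp_count:
        tag = data[off]
        if tag == 1:
            (length,) = struct.unpack_from(">H", data, off + 1)
            raw = data[off + 3:off + 3 + length]
            if len(raw) != length:
                raise ValueError("truncated Utf8 constant at %#x" % off)
            pool.append((tag, raw))
            off += 3 + length
        elif tag in CP_FIXED_SIZES:
            size = CP_FIXED_SIZES[tag]
            pool.append((tag, data[off + 1:off + 1 + size]))
            off += 1 + size
            if tag in (5, 6):
                pool.append(None)     # Long/Double consume two indices
                i += 1
        else:
            raise ValueError("unknown constant pool tag %d at %#x" % (tag, off))
        i += 1
    return {"major": major, "minor": minor, "cp_count": cp_count, "pool": pool, "cp_end": off}


def this_class_name(data: bytes) -> str:
    """Resolve this_class -> CONSTANT_Class -> CONSTANT_Utf8, wherever the entries sit in the pool."""
    info = parse_class_header(data)
    (this_idx,) = struct.unpack_from(">H", data, info["cp_end"] + 2)   # skip access_flags
    tag, raw = info["pool"][this_idx]
    if tag != 7:
        raise ValueError("this_class does not point at a CONSTANT_Class")
    (name_idx,) = struct.unpack(">H", raw)
    tag, raw = info["pool"][name_idx]
    if tag != 1:
        raise ValueError("class name index does not point at a CONSTANT_Utf8")
    return raw.decode("utf-8")


def rule_first_constant_check(data: bytes) -> bool:
    """The rules above read a length at offset 11 without looking at the tag at
    offset 10; this transcription adds that tag check before the printable test."""
    if len(data) < 13 or data[10] != 1:
        return False
    (length,) = struct.unpack_from(">H", data, 11)
    raw = data[13:13 + length]
    return len(raw) == length and 3 < length <= 300 and all(0x20 <= b < 127 for b in raw)


if __name__ == "__main__":
    name = b"kotlin/coroutines/jvm/internal/DebugProbesKt"
    for first in (True, False):
        blob = build_sample_class(name, utf8_first=first)
        print(this_class_name(blob), rule_first_constant_check(blob))
```

javac always emits the class's own Utf8 name early in the pool, which is what makes `$constant at 13` reliable in practice; the walker is for the files where that assumption is the thing you want to test.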

#100DaysofYARA might have gotten missed but Lab52 had a cool report on a new loader for Turla's (TA420 😎) Kazuar family

Let's look for it by honing in on code in the export functions used for thread suspension, loading into mem, and DLL name style

https://lab52.io/blog/pelmeni-wrapper-new-wrapper-of-kazuar-turla-backdoor/

Pelmeni Wrapper: New Wrapper of Kazuar (Turla Backdoor)

#100DaysofYARA

Continuing with the Android theming: those file formats seem to make a point of having their own size in the second DWORD. So here we go, a rule that matches on Android resource files (often named `resources.arsc`).

```
rule AndroidResourceArsc {
    meta:
        description = "Probably an Android resource file (i.e. resources.arsc)"
        author = "@larsborn"
        date = "2024-02-10"
        reference = "https://androguard.readthedocs.io/en/latest/api/androguard.core.bytecodes.html#androguard.core.bytecodes.axml.AXMLParser"
        example_hash = "e81b50d46350e67d4c60e156556e2698a9acbe73b8c2008ca0f8696a3e0e391a"
        DaysofYARA = "22/100"
    condition:
        uint16be(0) == 0x0200        // ResChunk_header.type == RES_TABLE_TYPE (0x0002, little-endian)
        and uint32(4) == filesize    // ResChunk_header.size covers the whole file
}
```

https://github.com/100DaysofYARA/2024/pull/142


#100DaysofYARA

I'll move over to some generic Android-specific rules: this one matches on the header of compiled manifest files (AndroidManifest.xml). Those start with file magic followed by the file size itself.

```
rule BinaryAndroidManifestXml {
    meta:
        description = "Probably a compiled binary manifest from an Android application (i.e. AndroidManifest.xml)"
        author = "@larsborn"
        date = "2024-02-10"
        reference = "https://androguard.readthedocs.io/en/latest/api/androguard.core.bytecodes.html#androguard.core.bytecodes.axml.AXMLParser"
        example_hash = "503c7b5a752e6112e29b28c74b2989efde2110cbf91c49ac0ea8752204746f06"
        DaysofYARA = "21/100"
    condition:
        uint32be(0) == 0x03000800    // type RES_XML_TYPE (0x0003) and headerSize 8, both little-endian
        and uint32(4) == filesize    // ResChunk_header.size covers the whole file
}
```

https://github.com/100DaysofYARA/2024/pull/138

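An added example covering both the resources.arsc rule and the AndroidManifest.xml rule, written here and not taken from the posts or from androguard: a Python parser for the 8-byte ResChunk_header (type, headerSize, size) that both formats start with, plus an iterator over the chunks nested inside it, run over constructed samples that are not real app files. It also shows the edge the rules live on: appending four bytes after the outer chunk leaves a file that still parses but no longer satisfies `uint32(4) == filesize`.

```python
import struct

RES_STRING_POOL_TYPE = 0x0001
RES_TABLE_TYPE = 0x0002    # resources.arsc
RES_XML_TYPE = 0x0003      # compiled AndroidManifest.xml / layout XML

# Header size of the outermost chunk per file type: ResChunk_header is 8 bytes,
# and the resource table header adds a u32 packageCount.
EXPECTED_HEADER_SIZE = {RES_TABLE_TYPE: 12, RES_XML_TYPE: 8}


def empty_string_pool() -> bytes:
    """A ResStringPool chunk with zero strings: 28-byte header, no string data."""
    # type, headerSize, size, stringCount, styleCount, flags, stringsStart, stylesStart
    return struct.pack("<HHIIIIII", RES_STRING_POOL_TYPE, 28, 28, 0, 0, 0, 28, 0)


def build_sample_arsc() -> bytes:
    """Constructed resources.arsc: table header (packageCount = 1) + empty string pool."""
    body = empty_string_pool()
    return struct.pack("<HHII", RES_TABLE_TYPE, 12, 12 + len(body), 1) + body


def build_sample_manifest() -> bytes:
    """Constructed binary XML: 8-byte header + empty string pool, no elements."""
    body = empty_string_pool()
    return struct.pack("<HHI", RES_XML_TYPE, 8, 8 + len(body)) + body


def classify_android_chunk(data: bytes) -> dict:
    """Parse the outer ResChunk_header and compare it with the file as a whole."""
    if len(data) < 8:
        raise ValueError("too short for a ResChunk_header")
    chunk_type, header_size, size = struct.unpack_from("<HHI", data, 0)
    kind = {RES_TABLE_TYPE: "resources.arsc", RES_XML_TYPE: "binary XML"}.get(chunk_type, "unknown")
    return {
        "kind": kind,
        "type": chunk_type,
        "header_size": header_size,
        "size": size,
        "header_size_ok": EXPECTED_HEADER_SIZE.get(chunk_type) == header_size,
        "size_matches_file": size == len(data),    # the check both rules above make
    }


def iter_child_chunks(data: bytes):
    """Yield (offset, type, size) for every chunk nested directly inside the outer chunk."""
    _, header_size, size = struct.unpack_from("<HHI", data, 0)
    end = min(size, len(data))
    off = header_size
    while off + 8 <= end:
        ctype, _, csize = struct.unpack_from("<HHI", data, off)
        if csize < 8 or off + csize > end:
            raise ValueError("malformed child chunk at %#x" % off)
        yield (off, ctype, csize)
        off += csize


def yara_would_match(data: bytes) -> str:
    """Transcription of the two rules above: 'manifest', 'arsc' or '' for no match."""
    if len(data) >= 8 and struct.unpack_from("<I", data, 4)[0] == len(data):
        if data[:4] == b"\x03\x00\x08\x00":
            return "manifest"
        if data[:2] == b"\x02\x00":
            return "arsc"
    return ""


if __name__ == "__main__":
    for blob in (build_sample_arsc(), build_sample_manifest(), build_sample_arsc() + b"\x00" * 4):
        print(classify_android_chunk(blob), repr(yara_would_match(blob)), list(iter_child_chunks(blob)))
```

Android's own parser only reads as far as the outer chunk's size field says, so trailing bytes are ignored at install time; if that is a case you care about, compare the size field with the file size as a separate signal rather than folding it into the file magic check.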

TinyTurla Next Generation - Turla APT spies on Polish NGOs

This new backdoor we’re calling “TinyTurla-NG” (TTNG) is similar to Turla’s previously disclosed implant, TinyTurla, in coding style and functionality implementation.

Cisco Talos Blog

#100DaysofYARA Day 44 more abuse of Cerebro but keeping it simple - if we see obfuscated Mozilla, we detect it!

https://github.com/100DaysofYARA/2024/blob/main/glesnewich/SUSP_Obfuscated_Mozilla.yar
