
YARA Scan of Images and Process Memory in the Process Tree #58

Open
Neo23x0 opened this issue Oct 23, 2020 · 0 comments
Labels
enhancement New feature or request

Comments


Neo23x0 commented Oct 23, 2020

Since the yara64.exe that we use also supports scanning of files and process memory, I'd like to add scans of the image files and process memory of every parent that we can find in the process tree* (* I know that process trees can be broken and unreliable - still, I'd like to add it)

The invocation for the image files in the process tree would be:

yara.exe -r [ruleset] [ImageFilePath]

The invocation to scan a certain process memory is:

yara.exe -r [ruleset] [PID]


https://yara.readthedocs.io/en/latest/commandline.html

We could use the rules from our signature-base repository. They are mostly battle-tested and should produce false positives on process memory.

Notes:

  • when using more than a handful of rules it would be necessary to concatenate all rules before applying them to avoid a loop over hundreds of rules AND to make use of the advantages of the Aho–Corasick algorithm used internally by YARA
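The following is an added example, not code from the issue author or from the project: it sketches the three pieces the proposal needs, a rule concatenator that merges many .yar files into one ruleset (so yara64.exe is launched once per target rather than once per rule), a parent-chain walk over a process table that cannot loop even when PID reuse has produced a "broken" tree, and the yara command lines for each ancestor's image file and PID. The process table is a constructed sample (on Windows it would come from something like Win32_Process via ProcessId, ParentProcessId and ExecutablePath), YARA_EXE is assumed to be on PATH, and the scan runner defaults to a dry run so the script executes offline. The yara CLI prints one "rule_identifier target" line per match, which is what the runner parses.

```python
import re
import subprocess
from typing import Dict, List, Tuple

# Assumption: the yara binary shipped with the tool is on PATH under this name.
YARA_EXE = "yara64.exe"

# Heuristic matchers for rule identifiers and module imports in YARA source.
# They work on real-world rule files but will also match a "rule" keyword
# inside a comment; good enough for duplicate detection before compilation.
RULE_RE = re.compile(r'^\s*(?:(?:private|global)\s+)*rule\s+([A-Za-z_][A-Za-z0-9_]*)', re.M)
IMPORT_RE = re.compile(r'^\s*import\s+"([^"]+)"\s*$', re.M)

# Constructed sample process table: pid -> (ppid, image path).
# 9000/9001 model a cycle caused by PID reuse, which a naive walk would loop on.
SAMPLE_TREE: Dict[int, Tuple[int, str]] = {
    4:    (0,    r"C:\Windows\System32\ntoskrnl.exe"),
    700:  (4,    r"C:\Windows\System32\services.exe"),
    1234: (700,  r"C:\Windows\System32\svchost.exe"),
    4321: (1234, r"C:\Windows\System32\cmd.exe"),
    5555: (4321, r"C:\Windows\System32\vssadmin.exe"),
    9000: (9001, r"C:\Windows\System32\conhost.exe"),
    9001: (9000, r"C:\Windows\System32\powershell.exe"),
}


def rule_names(text: str) -> List[str]:
    """Return rule identifiers in the order they appear in a YARA source text."""
    return RULE_RE.findall(text)


def duplicate_rule_names(rule_texts: Dict[str, str]) -> List[str]:
    """Identifiers defined more than once across the given files.

    YARA rejects a ruleset with duplicate rule identifiers, so this must be
    checked before concatenation, not discovered at scan time.
    """
    seen: Dict[str, str] = {}
    dupes = set()
    for fname, text in rule_texts.items():
        for ident in rule_names(text):
            if ident in seen:
                dupes.add(ident)
            seen[ident] = fname
    return sorted(dupes)


def concatenate_rules(rule_texts: Dict[str, str]) -> str:
    """Merge many .yar sources into one ruleset text.

    Module imports are hoisted to the top and emitted once each; the rule
    bodies follow, separated by a comment naming their origin file.
    """
    dupes = duplicate_rule_names(rule_texts)
    if dupes:
        raise ValueError(f"duplicate rule identifiers: {dupes}")
    imports: List[str] = []
    bodies: List[str] = []
    for fname, text in rule_texts.items():
        for mod in IMPORT_RE.findall(text):
            if mod not in imports:
                imports.append(mod)
        bodies.append(f"// ---- {fname} ----\n" + IMPORT_RE.sub("", text).strip() + "\n")
    header = "".join(f'import "{m}"\n' for m in imports)
    return header + "\n" + "\n".join(bodies)


def ancestors(pid: int, table: Dict[int, Tuple[int, str]]) -> List[Tuple[int, str]]:
    """The process itself followed by each parent we can find, nearest first.

    Stops at a parent that is not in the table (e.g. ppid 0) or at a PID we
    have already visited, so a cycle from PID reuse terminates instead of looping.
    """
    chain: List[Tuple[int, str]] = []
    seen = set()
    cur = pid
    while cur in table and cur not in seen:
        seen.add(cur)
        ppid, image = table[cur]
        chain.append((cur, image))
        cur = ppid
    return chain


def build_scan_commands(pid: int, table: Dict[int, Tuple[int, str]], ruleset: str) -> List[List[str]]:
    """One yara invocation per image file and one per PID, for every ancestor.

    yara takes a file path or a PID as its last argument; -r only matters for
    directory targets, so it is not needed here.
    """
    cmds: List[List[str]] = []
    for ancestor_pid, image in ancestors(pid, table):
        if image:
            cmds.append([YARA_EXE, ruleset, image])
        cmds.append([YARA_EXE, ruleset, str(ancestor_pid)])
    return cmds


def run_scans(commands: List[List[str]], dry_run: bool = True) -> Dict[str, List[str]]:
    """Run each command and map target -> matching rule identifiers.

    yara prints "rule_identifier target" per match; the target may contain
    spaces, so split on the first whitespace only. A dry run records targets
    without executing anything, so the script works without yara installed.
    """
    results: Dict[str, List[str]] = {}
    for cmd in commands:
        target = cmd[-1]
        if dry_run:
            results[target] = []
            continue
        proc = subprocess.run(cmd, capture_output=True, text=True, check=False)
        hits = []
        for line in proc.stdout.splitlines():
            parts = line.split(None, 1)
            if len(parts) == 2:
                hits.append(parts[0])
        results[target] = hits
    return results


if __name__ == "__main__":
    ruleset_text = concatenate_rules({
        "a.yar": 'import "pe"\nrule A { condition: true }\n',
        "b.yar": 'import "pe"\nrule B { condition: false }\n',
    })
    print(ruleset_text)
    for cmd in build_scan_commands(5555, SAMPLE_TREE, "all.yar"):
        print(" ".join(cmd))
```

An alternative to concatenating source files is to compile them once with yarac and pass the compiled file to yara with -C (--compiled-rules); this gives the same single-automaton scan, at the cost of having to recompile when the rule source changes. Either way the set of rule identifiers must be unique across the merged files, which is what duplicate_rule_names enforces up front.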