Monitoring Meter with yara

0x00 Preface

yara can match a rule set directly against process memory, so signatures that a packer hides on disk are exposed once the code has unpacked itself in memory. (Reading another process's memory requires the right to do so, so the monitor has to run with sufficient privilege, for example an elevated prompt on Windows.)
You can also write your own yara rules. Even signatures with a fairly high false-positive rate (and, with it, a high detection rate against malicious code) are usable here, because you can look at each hit yourself and decide whether it is a false positive.

0x01 Installation

python -m pip install yara-python

First error

error: Microsoft Visual C++ 14.0 is required

Solution:

Install Microsoft Visual C++ 14.0 (the Visual Studio 2015 C++ build tools).
Download: https://964279924.ctfile.com/fs/1445568-239446865
Reference: https://blog.csdn.net/HHTNAN/article/details/77931782

Second error

LINK : fatal error LNK1158: cannot run 'rc.exe'
error: command 'C:\\Program Files (x86)\\Microsoft Visual Studio 14.0\\VC\\BIN\\x86_amd64\\link.exe' failed with exit status 1158
----------------------------------------
Failed building wheel for yara-python

Solution

Copy rc.exe and rcdll.dll (both ship with the Windows SDK, in its bin directory) into C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\bin.
Reference: https://blog.csdn.net/x875227668/article/details/48137247

0x02 yara script

import os
import threading
import time
from threading import Timer

import psutil
import yara

# Compiled rule set, filled in at startup
yararule = None


# Compile every rule file found under the directory into one rule set
def getRules(path):
    filepath = {}
    for index, file in enumerate(os.listdir(path)):
        rupath = os.path.join(path, file)
        key = "rule" + str(index)  # each file gets its own namespace
        filepath[key] = rupath
    return yara.compile(filepaths=filepath)


# Scan a process's memory against the rule set
def checkProcess(pid):
    try:
        matches = yararule.match(pid=pid)
    except yara.Error as e:
        # The process may already have exited, or we may lack the
        # privilege to read its memory; keep the monitor running either way
        print("cannot scan pid=" + str(pid) + ": " + str(e))
        return
    if len(matches) > 0:
        print(matches)


# Compare the current pid list with the one taken three seconds earlier
# and scan every process that appeared in between
def getNewProcess():
    global oldProcessList
    print("new thread check")
    newProcessList = psutil.pids()
    tmp = [b for b in newProcessList if b not in oldProcessList]
    print(tmp)
    time.sleep(1)  # pause briefly before scanning the newly seen processes
    for i in tmp:
        print("check pid=" + str(i))
        checkProcess(i)
    oldProcessList = newProcessList


# Take a pid snapshot, then run getNewProcess three seconds later, forever
def runTimer():
    global oldProcessList
    while True:
        oldProcessList = psutil.pids()
        t = Timer(3, getNewProcess)
        t.start()
        t.join()


if __name__ == '__main__':
    oldProcessList = []
    rulepath = "./rules"
    yararule = getRules(rulepath)
    t = threading.Thread(target=runTimer)
    t.start()
    t.join()
    print('main_end')