YARA Rules for Binary Analysis

Hey all, I want to talk briefly about a novel way to apply YARA rules. YARA rules are essentially a common format and engine for writing and sharing signatures that look for a set of strings or byte patterns in a file and report which of those properties matched. They are shared heavily in the incident response space for detecting malware, much like anti-virus definitions. However, I want to talk about a different use case today: using YARA rules to automatically identify and tag key features and components of binaries we are about to reverse engineer, as soon as we receive them, saving us analysis time and even triggering other analysis scripts.

There are many existing talks out there on using YARA in incident response and detection. Those largely look at using YARA to identify malware or malware families, which is a well explored space with great papers and videos. We will be using YARA slightly differently, in our binary triage, to highlight interesting features of a binary automatically for us. I'd like to make that distinction very clear: we are not using these YARA signatures for detection, but rather for enhancing and automating our binary analysis. In fact, if we were to use these same rules for detection they would likely be far too noisy to be productive, but used for triaging binaries before analysis they save us loads of time.

With my YARA repo we will be using YARA to help identify various components of binary files that we want to call out or highlight, and then run further operations on them. For example, this can be used to identify the language a binary was written in: identifying a Python, .NET, or Mono binary so that we can decompile it for source code analysis, or identifying a Golang binary so we can use tools like `go tool objdump`. We've even pulled in some great YARA rules that already existed for this, such as ones identifying anti-virtual-machine or anti-debug capabilities in malware. We will also be looking at CTF binaries on our binary analysis platform, not just malware, so we can write YARA rules that help us identify specific vulnerable functions sooner. Technically I'm using the YARA engine integrated into the Viper framework, as in the video below, but we will have more on this automation framework in a post on Viper soon:
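To make the triage use case concrete, here is an added example ruleset in the spirit described above. It is not code from the original post or from the author's YARA repo; the strings and imports it looks for are my own assumptions about common artifacts left by the Go toolchain, the .NET runtime loader, PyInstaller packaging, and debugger-detection APIs. Each rule carries YARA tags (the `: lang go` syntax after the rule name) so that whatever drives the scan can branch on the tag rather than on the rule name, and the `pe` module is used for import checks so the anti-debug rule does not rely on string matching at all.

```yara
// Added example, not part of the original post or the author's YARA repo.
// Purpose: tag a binary's language/runtime and one capability during triage.
// These rules are deliberately broad; they are triage hints, not detection signatures.
import "pe"

rule golang_binary : lang go
{
    meta:
        description = "Tags binaries built with the Go toolchain (assumed artifacts)"
    strings:
        $buildid   = "Go build ID:" ascii
        $rt_main   = "runtime.main" ascii
        $pclntab   = ".gopclntab" ascii
    condition:
        // Two of three keeps a single stray string from tagging a non-Go file
        2 of them
}

rule dotnet_binary : lang dotnet
{
    meta:
        description = "Tags PE files that hand execution to the .NET runtime loader"
    strings:
        $mscoree = "mscoree.dll" ascii nocase
        $corexe  = "_CorExeMain" ascii
        $cordll  = "_CorDllMain" ascii
    condition:
        pe.is_pe and $mscoree and ($corexe or $cordll)
}

rule pyinstaller_binary : lang python
{
    meta:
        description = "Tags executables packaged with PyInstaller (assumed bootloader strings)"
    strings:
        $meipass = "_MEIPASS" ascii
        $manifest = "pyi-windows-manifest-filename" ascii
        $pyi     = "PyInstaller" ascii
    condition:
        2 of them
}

rule anti_debug_imports : capability antidebug
{
    meta:
        description = "Tags PE files importing common debugger-detection APIs; noisy for detection, useful as a triage hint"
    condition:
        pe.is_pe and (
            pe.imports("kernel32.dll", "IsDebuggerPresent") or
            pe.imports("kernel32.dll", "CheckRemoteDebuggerPresent") or
            pe.imports("ntdll.dll", "NtQueryInformationProcess")
        )
}
```

Running `yara -g rules.yar sample.bin` prints each matching rule with its tags, so a triage script can key on `go`, `dotnet`, `python` or `antidebug` to decide which follow-up tool to launch, without caring which specific rule fired. The `2 of them` thresholds and the `pe.is_pe` guard are the kind of tuning that keeps these rules usable across a whole corpus of samples; for detection you would want far tighter conditions, which is exactly why these stay on the triage side.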