The findcrypt plugin will no longer raise alerts on OIDs located in a…

…uthenticode signature. Less false positives!
JusticeRage · Apr 5, 2018 · 037715d · 037715d
1 parent d412e28
commit 037715d
Show file tree

Hide file tree

Showing 4 changed files with 39 additions and 22 deletions.
diff --git a/bin/yara_rules/findcrypt.yara b/bin/yara_rules/findcrypt.yara
@@ -15,6 +15,8 @@
   along with Manalyze. If not, see <http://www.gnu.org/licenses/>.
 */
 
+import "manape"
+
 rule CRC32
 {
   meta:
@@ -103,7 +105,9 @@ rule MD5
     $md5_c63 = { 91 D3 86 EB }
 
   condition:
-    $pkcs or any of ($mac_*) or 20 of ($md5_c*)
+	// Exclude the authenticode signature of the PE which contains OIDs.
+    $pkcs in (0..manape.authenticode.start) or $pkcs in (manape.authenticode.start + manape.authenticode.size..filesize) or 
+	any of ($mac_*) or 20 of ($md5_c*)
 }
 
 rule SHA1
@@ -121,7 +125,8 @@ rule SHA1
     $sha1_f4 = { d6 c1 62 ca }
 
   condition:
-    $sha1_pkcs or all of ($sha1_f*)
+    $sha1_pkcs in (0..manape.authenticode.start) or $sha1_pkcs in (manape.authenticode.start + manape.authenticode.size..filesize) or 
+	all of ($sha1_f*)
 }
 
 rule SHA256
@@ -206,7 +211,8 @@ rule SHA256
     $sha256_k62 = { F2 78 71 C6 }
 
   condition:
-    $sha256_pkcs or all of ($sha256_init*) or 20 of ($sha256_k*)
+    $sha256_pkcs in (0..manape.authenticode.start) or $sha256_pkcs in (manape.authenticode.start + manape.authenticode.size..filesize) or 
+	all of ($sha256_init*) or 20 of ($sha256_k*)
 }
 
 rule SHA512
@@ -298,7 +304,8 @@ rule SHA512
     $sha512_k79 = { 17 58 47 4A 8C 19 44 6C }
 
   condition:
-    $sha512_pkcs or 30 of ($sha512_k*)
+    $sha512_pkcs in (0..manape.authenticode.start) or $sha512_pkcs in (manape.authenticode.start + manape.authenticode.size..filesize) or 
+	30 of ($sha512_k*)
 }
 
 rule Whirlpool

diff --git a/docs/writing-yara-rules.rst b/docs/writing-yara-rules.rst
@@ -20,8 +20,9 @@ All scripts relying on Manalyze's PE module must start by importing it with the
 
 * The entry point of the executable is designated by ``manape.ep``.
 * The number of sections is exposed through ``manape.num_sections``.
-* For each section, you can access the size and start address with ``manape.section[i].size`` and ``manape.section[i].start``, ``i`` being the zero-based index of the section.
-* You can scan the ``VERSION_INFO`` resource with ``manape.version_info.size`` and ``manape.version_info.start``.
+* For each section, you can access the start address and the size with ``manape.section[i].start`` and ``manape.section[i].size``, ``i`` being the zero-based index of the section.
+* You can scan the ``VERSION_INFO`` resource with ``manape.version_info.start`` and ``manape.version_info.size``.
+* The authenticode signature of the binary can be located through ``manape.authenticode.start`` and ``manape.authenticode.size``.
 
 Sample rule
 ===========

diff --git a/plugins/plugins_yara.cpp b/plugins/plugins_yara.cpp
@@ -38,9 +38,7 @@ void delete_manape_module_data(manape_data* data)
     if (data != nullptr && data->sections != nullptr) {
         free(data->sections);
     }
-    if (data != nullptr) {
-        delete data;
-    }
+	delete data;
 }
 
 // ----------------------------------------------------------------------------
@@ -145,9 +143,10 @@ class YaraPlugin : public IPlugin
 	 *	The manape_data object contains address information (entry point, sections, ...). Passing them to Yara prevents
 	 *	me from using their built in PE parser (since manalyze has already done all the work).
 	 */
-	boost::shared_ptr<manape_data> _create_manape_module_data(const mana::PE& pe)
+	static boost::shared_ptr<manape_data> _create_manape_module_data(const mana::PE& pe)
 	{
         boost::shared_ptr<manape_data> res(new manape_data, delete_manape_module_data);
+		memset(res.get(), 0, sizeof(manape_data));
         auto ioh = pe.get_image_optional_header();
         auto sections = pe.get_sections();
 
@@ -163,7 +162,7 @@ class YaraPlugin : public IPlugin
         else
         {
             res->number_of_sections = sections->size();
-            res->sections = (manape_file_portion*) malloc(res->number_of_sections * sizeof(manape_file_portion));
+            res->sections = static_cast<manape_file_portion*>(malloc(res->number_of_sections * sizeof(manape_file_portion)));
             if (res->sections != nullptr)
             {
                 for (boost::uint32_t i = 0 ; i < res->number_of_sections ; ++i)
@@ -181,16 +180,27 @@ class YaraPlugin : public IPlugin
         }
 
         // Add VERSION_INFO location for some ClamAV signatures
-        auto resources = pe.get_resources();
-        for (auto it = resources->begin() ; it != resources->end() ; ++it)
-        {
-            if (*(*it)->get_type() == "RT_VERSION")
-            {
-                res->version_info.start = (*it)->get_offset();
-                res->version_info.size = (*it)->get_size();
-                break;
-            }
-        }
+        const auto resources = pe.get_resources();
+		if (resources != nullptr)
+		{
+			for (auto& it : *resources)
+			{
+				if (*it->get_type() == "RT_VERSION")
+				{
+					res->version_info.start = it->get_offset();
+					res->version_info.size = it->get_size();
+					break;
+				}
+			}
+		}
+
+		// Add authenticode signature location for the findcrypt rules.
+		if (ioh)
+		{
+			res->authenticode.start = ioh->directories[IMAGE_DIRECTORY_ENTRY_SECURITY].VirtualAddress;
+			res->authenticode.size = ioh->directories[IMAGE_DIRECTORY_ENTRY_SECURITY].Size;
+		}
+
         return res;
 	}
 

diff --git a/test/pe.cpp b/test/pe.cpp
@@ -413,7 +413,6 @@ BOOST_AUTO_TEST_CASE(parse_rich_header)
 	BOOST_CHECK_EQUAL(std::get<0>(rich->values.at(10)), 0x0102);
 	BOOST_CHECK_EQUAL(std::get<1>(rich->values.at(10)), 0x5bd2);
 	BOOST_CHECK_EQUAL(std::get<2>(rich->values.at(10)), 1);
-
 }
 
 // ----------------------------------------------------------------------------