Closed: idrii closed this issue 4 years ago.
So after some more playing around it looks like the issue is somehow related to the length of the rules being used. If I reduce the previous rule down to:

```yara
rule MimikatzMem {
    strings:
        $s1 = "sekurlsa::msv" fullword ascii
        $s2 = "sekurlsa::wdigest" fullword ascii
    condition:
        1 of them
}
```

I get the expected match: `Match: [{Rule:MimikatzMem Namespace:Namespace1 Tags:[] Meta:map[] Strings:[{Name:$s1 Offset:48 Data:[115 101 107 117 114 108 115 97 58 58 109 115 118]}]}]`
However, if I add another string line such as `$s4 = "sekurlsa::kerberos" fullword ascii`, I get the same error as mentioned above.

Interestingly, it appears to be related to the number of entries in the strings section of the rule, not the length of the rule (i.e. if I make one of the strings in the above rule really long it still works, but if I add a new string it fails).
Can you share the sample? Please also tell me what operating system and what versions of Go and libyara you are using.
Sure, the sample I was scanning was just the rules that I was loading in, so:

```yara
rule MimikatzMem {
    strings:
        $s1 = "sekurlsa::msv" fullword ascii
        $s2 = "sekurlsa::wdigest" fullword ascii
        $s4 = "sekurlsa::kerberos" fullword ascii
        $s5 = "sekurlsa::tspkg" fullword ascii
        $s6 = "sekurlsa::livessp" fullword ascii
        $s7 = "sekurlsa::ssp" fullword ascii
        $s8 = "sekurlsa::logonPasswords" fullword ascii
        $s9 = "sekurlsa::process" fullword ascii
        $s10 = "sekurlsa::minidump" fullword ascii
        $s11 = "sekurlsa::pth" fullword ascii
        $s12 = "sekurlsa::tickets" fullword ascii
        $s13 = "sekurlsa::ekeys" fullword ascii
        $s14 = "sekurlsa::dpapi" fullword ascii
        $s15 = "sekurlsa::credman" fullword ascii
    condition:
        1 of them
}
```

My OS is Ubuntu 18.0.4, my Go version is `go version go1.13.4 linux/amd64`, and I was using a copy of libyara 3.11.0.
@idrii Do you also have libyara3 and libyara-dev from Ubuntu installed on your Ubuntu-18.04-based dev environment? If so, does the problem disappear if you uninstall those and rebuild the Go program?
I suspect that this might be essentially a duplicate of #55, and that the root cause is in ABI incompatibilities somewhere between YARA 3.7 and YARA 3.11.
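The situation hillu suspects, a distribution-packaged libyara sitting beside a source-built one so that cgo compiles against one set of headers while the dynamic loader resolves a different shared object at run time, can be checked before rebuilding. The script below is an added example and is not part of go-yara or of this thread; it assumes a Debian/Ubuntu host where `pkg-config`, `ldconfig`, `dpkg` and `ldd` are available, a go-yara binary such as `./simple-yara`, and that the hypothetical helper names (`count_libyara_paths`, `resolved_libyara`, `versions_compatible`) are its own. The constructed `ldconfig -p` and `ldd` lines used in the comments stand in for real output.

```shell
#!/bin/sh
# Added diagnostic for go-yara builds (not project code): find out whether more
# than one libyara is installed and which one a binary actually loads.

# Reduce a version string such as 3.11.0 to MAJOR.MINOR.
major_minor() {
    printf '%s\n' "$1" | cut -d. -f1,2
}

# Return 0 when the header version cgo compiled against and the library
# version found at run time share MAJOR.MINOR, 1 otherwise. Assumption of
# this example: 3.7 vs 3.11 is treated as incompatible, per the thread.
versions_compatible() {
    [ "$(major_minor "$1")" = "$(major_minor "$2")" ]
}

# Count distinct libyara shared-object paths in 'ldconfig -p' style output
# fed on stdin, e.g. (constructed line):
#   libyara.so.3 (libc6,x86-64) => /usr/lib/x86_64-linux-gnu/libyara.so.3
# More than one path means two installs compete for the same soname.
count_libyara_paths() {
    grep -o '=> */[^ ]*libyara\.so[0-9.]*' | sed 's/^=> *//' | sort -u | wc -l | tr -d ' '
}

# Print the libyara path the loader resolves, from 'ldd <binary>' output on
# stdin, e.g. (constructed line):
#   libyara.so.3 => /usr/local/lib/libyara.so.3 (0x00007f...)
resolved_libyara() {
    grep -o '=> */[^ ]*libyara\.so[0-9.]*' | sed 's/^=> *//' | head -n 1
}

# Live diagnostics against the running host; each step is skipped when its
# tool is absent so the script never fails on a minimal machine.
diagnose() {
    bin="${1:-./simple-yara}"
    if command -v pkg-config >/dev/null 2>&1; then
        hdr=$(pkg-config --modversion yara 2>/dev/null) && \
            echo "headers cgo builds against (pkg-config): $hdr"
    fi
    if command -v dpkg >/dev/null 2>&1; then
        echo "Ubuntu libyara packages:"
        dpkg -l 'libyara*' 2>/dev/null | grep '^ii' || echo "  none installed"
    fi
    if command -v ldconfig >/dev/null 2>&1; then
        n=$(ldconfig -p 2>/dev/null | count_libyara_paths)
        echo "distinct libyara objects known to the loader: $n"
        [ "$n" -gt 1 ] && echo "  WARNING: more than one libyara; remove the unwanted one and rebuild"
    fi
    if [ -x "$bin" ] && command -v ldd >/dev/null 2>&1; then
        lib=$(ldd "$bin" 2>/dev/null | resolved_libyara)
        echo "libyara loaded by $bin: ${lib:-none}"
    fi
    return 0
}

# Run the live checks only when asked, so sourcing this file has no effect.
if [ "${1:-}" = "--run" ]; then
    diagnose "${2:-./simple-yara}"
fi
```

Usage: `sh check-libyara.sh --run ./simple-yara`. When the pkg-config version and the loaded library differ in MAJOR.MINOR, or the loader knows more than one `libyara.so.3`, uninstalling the Ubuntu `libyara3`/`libyara-dev` packages (or the source-built copy) and rebuilding the Go program is the fix hillu proposes.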
@hillu Wow, that was it! I wasted so much time on this, and for it to be such a simple issue is actually kind of annoying.

Thank you very much for your help and your awesome library.
I've run into a weird issue while playing with go-yara in a test project. After further testing I've found that the same issue occurs in the `simple-yara` test that's provided with this repo. The yara rule I'm using in my testing is a very basic detection for Mimikatz:
As this rule will match on itself, the error I'm seeing can be triggered by scanning the rule itself (i.e. `./simple-yara -rule rules.yar rules.yar`). Doing so produces the following crash:
As best I can tell this is crashing when trying to get the matches from some C binding related to getting string matches.

Any ideas on how to fix this?

Thanks