odin1314 / yara-project

Automatically exported from code.google.com/p/yara-project
Apache License 2.0

Trying to run MalwareRules.yara against zeus.vmem #30

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Using the command
$ python vol.py malfind -f /home/evild3ad/memory-samples/cookbook/zeus.vmem -p 856 -Y /home/evild3ad/yara-rules/MalwareRules.yara -D /home/evild3ad/Volatility/dump-files

Volatile Systems Volatility Framework 2.1_alpha
Name                 Pid    Start      End        Tag      Hits   Protect
Traceback (most recent call last):
  File "vol.py", line 135, in <module>
    main()
  File "vol.py", line 126, in main
    command.execute()
  File "/home/evild3ad/pycrypto-2.0.x-9e9641d/yara-1.4/yara-python-1.4a/Volatility/volatility/commands.py", line 101, in execute
    func(outfd, data)
  File "/home/evild3ad/pycrypto-2.0.x-9e9641d/yara-1.4/yara-python-1.4a/Volatility/volatility/plugins/malware.py", line 1042, in render_text
    for (name,pid,start,end,tag,prx,fname,hits,chunk) in data:
  File "/home/evild3ad/pycrypto-2.0.x-9e9641d/yara-1.4/yara-python-1.4a/Volatility/volatility/plugins/malware.py", line 938, in calculate
    rules = yara.compile(stuff)
yara.SyntaxError: line 63: syntax error, unexpected _IDENTIFIER_, expecting _OR_ or _AND_ or _IS_ or ')'

Original issue reported on code.google.com by rish.tha...@gmail.com on 15 Dec 2011 at 8:51

GoogleCodeExporter commented 9 years ago
Could you attach the MalwareRules.yara file that you're using?

Original comment by plus...@gmail.com on 17 Dec 2011 at 11:53

GoogleCodeExporter commented 9 years ago

Original comment by plus...@gmail.com on 1 Feb 2012 at 10:00

GoogleCodeExporter commented 9 years ago
Hello. I've run into this problem again.

The malwarerules.yara file I was using is the one attached. 

Original comment by rish.tha...@gmail.com on 18 Apr 2012 at 12:15


GoogleCodeExporter commented 9 years ago
NB 

I am using Volatility from SVN 2.1_alpha, Distorm 3.1, Yara 1.4 and Yara 1.4a Python, as per the installation instructions.

Original comment by rish.tha...@gmail.com on 18 Apr 2012 at 12:20

GoogleCodeExporter commented 9 years ago
line 63:  ($a nd $b)

Replace "nd" with "and".

Original comment by plus...@gmail.com on 18 Apr 2012 at 9:11
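As an added example (not part of this thread or of the yara-project code), a pre-flight check that surfaces the typo shown in the last comment before Volatility's malfind -Y ever calls yara.compile: it assumes yara-python exposes compile(source=...), and when yara is not installed it falls back to a small lint that flags bare identifiers inside a condition block, the tokens the parser reports as an unexpected _IDENTIFIER_.

```python
import re

# Bare words YARA 1.x accepts inside a condition (assumed subset of the grammar);
# anything else that is not a declared rule name or a loop variable is flagged.
YARA_WORDS = {"and", "or", "not", "at", "in", "of", "them", "all", "any", "for",
              "true", "false", "filesize", "entrypoint", "contains", "matches",
              "int8", "int16", "int32", "uint8", "uint16", "uint32"}

# Constructed sample reproducing the thread's defect: "nd" where "and" belongs.
SAMPLE_RULES = """rule zeus_dropper
{
    strings:
        $a = "ZEUS"
        $b = { 6A 00 68 }
    condition:
        ($a nd $b)
}
"""

def lint_conditions(source):
    """[(line_no, word)] for condition-block identifiers YARA's parser would reject."""
    known = YARA_WORDS | set(re.findall(r"^\s*(?:private\s+|global\s+)*rule\s+(\w+)",
                                        source, re.M))
    known |= set(re.findall(r"\bfor\s+\w+\s+(\w+)\s+in\b", source))  # loop variables
    findings, in_condition = [], False
    for line_no, line in enumerate(source.splitlines(), 1):
        text = line.strip()
        if text.startswith("condition:"):
            in_condition = True
        elif text == "}" or text.endswith(":") or text.startswith("rule "):
            in_condition = False          # another section or the end of the rule
        elif in_condition:
            # Blank out quoted literals and $a / #a / @a / !a string references.
            cleaned = re.sub(r'"[^"]*"|[$#@!]\w*\*?', " ", text)
            findings += [(line_no, w) for w in re.findall(r"\b[A-Za-z_]\w*", cleaned)
                         if w not in known]
    return findings

def check_rules(source):
    """Problems as strings, [] meaning the file should load under malfind -Y."""
    try:
        import yara                       # yara-python, same module the plugin uses
    except ImportError:                   # not installed: fall back to the lint
        return ["line %d: unexpected identifier '%s' (misspelled operator?)" % f
                for f in lint_conditions(source)]
    try:
        yara.compile(source=source)       # keyword form assumed (yara-python >= 2)
    except yara.SyntaxError as exc:       # the exception in the traceback above
        return [str(exc)]
    return []
```

Running check_rules over a rules file before pointing Volatility at it turns the opaque traceback into a line number and token you can fix directly.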