Since FIRST is an IDA Python plugin it only works with a license version of Hex Ray’s IDA Pro. Due to the integrations with IDA Pro there is a minimum version number. The FIRST plugin only works with IDA 6.9 (service pack 1), relased May 2016, and higher.
Important
It is easier to install Python from Python.org with the latest 2.7 build instead of using the outdated version of Python bundled in with IDA Pro.
The Linux installer is a self-unpacking binary. You may need to set file permissions to executable before running it: chmod +x./lmadmin-x64lsb-111600.bin Both the installer and lmadmin itself require LSB support installed. It is also necessary to run those commands, get a usable GUI for IDA on Xubuntu 15.10: sudo apt-get install libgtk2.0-0:i386 gtk2-engines-murrine:i386 gtk2-engines-pixbuf:i386 Red Hat Enterprise Linux 7.2. IDA will require the following packages to work properly on.
Installing Yara into IDA Pro 64-bit Linux tl;dr Install a 32-bit VM, compile Yara, copy files over. See link below for files to just install. Last Friday, pnX posted that he updated his awesome IDA plug-in, IDAScope, to include Yara support. This means that you can now run Yara sigs against files you are reversing to help in the analysis process. Run IDA Pro disassembler in Docker containers for automating, scaling and distributing the use of IDAPython scripts. intezer/docker-ida. Ida pro 6.9 free download. IDA ClassInformer PlugIn An IDA Pro Windows object RTTI vftable finder, fixer, and lister plug-in. Places structure defs, na. First of all, Download the Hex-Rays IDA Pro 7.2 (Tutorial on How to Download) Locate and double-click the.exe file. (It will usually be in your Downloads folder.) A dialog box will appear.
Attention
There are many ways to install FIRST, the quickest way is to use pip and run the setup script. The setup’s location differs depending on the OS being used and other possible configurations. The defaults for Mac and Windows are below.
![Ida Ida](/uploads/1/1/8/6/118686555/332602056.jpg)
Mac
Windows
To use FIRST, you will need to download the plugin and save it to the Hex Rays IDA Pro plugin folder. Directions for this differ depending on the operating system and a basic guide can be found below.
FIRST is available on PyPI, so to use it you can use pip:
Alternatively, if you don’t have setuptools installed, download it from PyPi and run
To use the bleeding-edge version of FIRST’s IDA Pro Integration, you can get the source fromGitHub and install it as above:
Once first-plugin-ida is installed with pip, the post installation script needs to be executed. The script simply copies over the plugin and its files to the IDA Pro installation of your choosing. Depending on your system setup, configuration, and user privileges you may need to be admin or root to successfully use the script.
OS | Default Path |
---|---|
Mac | /usr/local/bin/first-plugin-ida |
Windows | C:Python27Scriptsfirst-plugin-ida |
The script will ask you for the full path to the IDA Pro installation. Providing it will copy the plugin to IDA Pro and its dependencies. The default location forIDA Pro installations are outline below.
OS | Default Path |
---|---|
Mac | Applications/IDA Pro 6.9/idaq.app/Contents/MacOS/plugins |
Windows | C:Program Files (x86)IDA 6.9plugins |
Once the script completes without any errors you will be able to use FIRST in IDA Pro.
Manual Installation¶
If you do not wish to use pip or the post installation script then FIRST can be installed manually. To install the plugin you will need to get the plugin’s source from GitHub. The source for the plugin includes every file in the FIRST-plugin-ida/first_plugin_ida folder except FIRST-plugin-ida/first_plugin_ida/__init__.py file. All other files need to be copied over to IDA Pro’s plugins directory. Depending on the OS IDA is running on you may need to copy over other dependencies to IDA Pro’s folders.
Requirements¶
Additionally, FIRST requires one third party module to work and an optional module if Kerberos Authentication is used
- [Required] Requests (https://pypi.python.org/pypi/requests)
- [Optional] Requests-kerberos (https://pypi.python.org/pypi/requests-kerberos)
Windows¶
Once you have a copy of the plug-in, installing the plug-in is as simple as copying the Python file into the plugins folder. For IDA 6.9, the default installation path can be found at:
Default IDA Pro Path | C:Program Files (x86)IDA 6.9plugins |
---|---|
Dependency Instructions | pip install requests |
Mac OS X¶
Installing on Mac OS X requires a little more work, once you’ve installed IDA Pro, copy the FIRST plugin to the <installed_path>/Contents/MacOS/plugins/ folder and the required dependencies to <installed_path>/Contents/MacOS/python/
Default IDA Pro Path | /Applications/IDA Pro 6.9/idaq.app/Contents/MacOS/plugins/ |
---|---|
Dependency Instructions | pip install requests cp /usr/local/lib/python2.7/site-packages/requests* /Applications/IDAPro6.9/idaq.app/Contents/MacOS/python |
Linux¶
During the setup, IDA asks whether to install with the bundled Python interpreter or use the local Python interpreter from the local system. Bundled Python is nice, everything just works by default. However the downside is that you can’t really add and upgrade Python libraries, and the FIRST plugin requires the requests plugin which is not by default in the bundle.
If you installed with bundled Python, you can switch to use the local Python simply by renaming
libpython2.7.so.1.0
and python/lib/python27.zip
. For instance:You can revert back to bundle Python by reverting the renames.
Unfortunately the downside of using local Python is that if you are running under x86_64, IDA being a 32-bit binary, it won’t work out of the box. Fortunately, under recent Debian (e.g. stretch) and Ubuntu, you can install libs from other architectures. For instance, what worked for us:
Tip: if your distro is different or too old, try a chroot (e.g. debootstrap & schroot), works pretty well.
Copy the FIRST plugin (
first.py
) to your plugins directory (~/.idapro/plugins
) and start IDA (32 or 64), it should all work!YARA is described as “The pattern matching Swiss knife for malware researchers (and everyone else)”. Think of it as like
grep
, but instead of matching based on one pattern, YARA matches based on a set of rules, with each rule capable of containing multiple patterns, and complex condition logic for further refining matches. It’s a very useful tool. Let’s go over some practical examples of how to use it.Installing YARA
Official Windows binaries can be found here. Unfortunately, as of the time of this writing, practically every Linux distribution’s repository contains an out-of-date version of YARA that has one or more security vulnerabilities. Follow the instructions below to compile and install the latest release with all features enabled on a Debain or Ubuntu system. The steps should be similar in other Linux distributions.
Download the source code .tar.gz for the latest stable release.
Install the dependencies
Build the project
Install as a Debian package
Ida Pro Linux Download
Install the Python package
Introduction to YARA rules
Let’s start by looking at the different components that can be part of a rule.
At a minimum, a rule must have a name, and a condition. The simplest possible rule is:
That rule does nothing. Inversely, this rule matches on anything:
Here’s a slightly more useful example that will match on any file over 500 KB:
Most often though, you’ll write rules with a meta section, a strings section, and a condition section:
The
:
after the rule name indicates the start of a list of rule tags, which are separated by spaces. These tags are not used frequently, but you should be aware that they exist. C-style comments can be used anywhere.The
meta
section consists of a set of arbitrary key-value pairs that can be used to describe the rule, and/or the type of content that it matches. Meta values can be strings, integers, decimals, or booleans. The meta values can be viewed by the application that is using YARA when a match occurs.The strings section defines variables as content to be matched. These can be:
- Hexadecimal byte patterns (in
{}
, with support for wildcards and jumps). Often used to identify unique code, such as an unpacking mechanism - Text strings
- Regular expressions (between
//
)
The condition section is where the true power an flexibility of YARA can be found. Here are a few common example condition statements
Condition | Meaning |
any of them | The rule will match on anything containing any of the strings defined in the rule |
all of them | The rule will only match if all of the defined strings are in the content |
3 of them | The rule will match anything containing at least three of the defined strings |
$a and 3 of ($s*) | Match content that contains string $a and at least three strings whose variable begins with $s |
Practical examples
It would be very useful to check the attachments of suspected phishing emails reported to you by your users. PDF attachments with a link to a phishing site have become a common tactic, because many email gateways still do not check URLs in attached files. This rule checks for links in PDFs:
The first part of the condition checks if the first few bytes of the file match the magic numbers (list here) for a PDF, allowing the rule to quickly disregard anything that isn’t a PDF. Filters like these can greatly increase speed when scanning a large amount of data. The second part of the condition strings whose variable begins with
$s
.$s_uri
is a regular expression that matches any URI/URL in parenthesis, which will match the PDF standard for URI actions and URLs in forms.Mac Ida Pro
$s_anchor_tag
matches any HTML anchor tag, which some PDF converters may leave an a document converted from HTML.The
ascii
, wide
, and nocase
keywords tell YARA to search for ASCII and wide strings, and to be case-insensitive. By default, it will only search for ASCII strings, including substrings, and it will be case-sensitive. There are many more keywords for matching other kinds of strings.But lots of legitimate PDFs (brochures, invoices, etc) contain links, so a better indicator of badness may be a PDF that contains a single link. Unfortunately, most PDF generators like Microsoft Office will save the PDF as multiple “versions” in the same file, so we should give the rule a little flexibility, and allow for up to two URIs in a PDF.
It’s good to keep both of these rules, that way you have an informational one that should always match on any PDF with any number of links, and another that provides a higher confidence of badness.
Also, these rules only match PDFs with links that were generated according to the latest PDF standard (1.7). Any suggestions for older versions are appreciated.
Viewing strings in a file
To view a list of strings in a file, simply run the
strings
command on a Linux/MacOS/BSD or other UNIX-like system. You can pipe the output to less
to view it one page at a time. For example:Strings vs Bytes
the
strings
section in YARA rules can be made up of any combination of strings, bytes, and regular expressions. Most YARA rules are made up entirely of strings. These kinds of rules are relatively simple to write, but it is also very easy for malware authors to change or obscure strings in order to avoid detection in future builds. If a sample has few or no usable strings, that sample has likely been packed, meaning that any strings are built or decoded at runtime. YARA can scan processes, and you probably would have better luck scanning active memory for strings, but that won’t help if your goal is to identify samples at rest.Bytes in YARA are represented as hexadecimal strings, and can include wildcards and/or jumps. Bytes can be used to identify specific variations of code, such as a unique method of unpacking. Writing signatures based on bytes requires some knowledge of assembly, APIs provided by the OS, and specialized software.
IDA Pro is the industry standard platform for software reverse engineering. It is also very expensive. Currently, a the Starter Edition of IDA (which can only process 32 bit files) for one named user, along with the X86 Hex-Rays decompiler costs about $2,700. If you want to be able to decompile x86 AMD64 files, the cost is about $4,400 for IDA Pro, x86, and x64 compilers for one named user. Fortunately, a couple open source alternatives exist.
In early 2019, the NSA released an open source Software Reverse Engineering (SRE) suite called Ghidra. It includes a decomplier, and a very simillar feel to IDA.
The open source Radare Framework provides many of the same features of IDA (and a few more) for free, under a GNU GPL license. Radare does not currently have a decomplier though.
If you’re new to assembly, check out this Crash Course in x86 Assembly for Reverse Engineers.
Testing YARA rules
To test your rules against some sample files, run a command like this:
Where
dev/yararules/files.yar
is the path to the file containing your rules and samples/pdf
is the path to a directory containing sample files to test against. This will output a list of files matches, and the strings that make up each match.To find samples that do not match your rules, run a command like this:
Note that this will give a a result for each rule that each file does not match. Use grep to narrow this down. For example, if you only wanted to see the results for rules with a name that contains
pdf_
, you could run:It’s good practice to keep your rule names consistent. That makes testing much easier.
Generating rules
yarGen is an open source utility by Florian Roth that generates YARA rules for a given set of samples. It’s not magic, and generally won’t do a better than writing a rule manually. But, if you are mostly making rules out of strings rather than bytes, it can give you a great starting point to tweak and tune into a better rule. I use yarGen when I’ve some across a set of samples that I know are related, but have seemingly very different strings.
yarGen will generate many different rules for a given set of files, and the condition for each rule will likely be very narrow (i.e. all of them). I usually combine these rules based on what I suspect are the most reliable strings, and group the strings as needed in the condition statement.
You can download yarGen from its GitHub repository.
Learning more
Take some time to review the comprehensive official documentation for YARA. There, you will find complete details on writing rules, and using the command-line program, the Python API, and the C API.
Once you feel comfortable working with YARA, consider joining the YARA Exchange. The Exchange is a very active and helpful group of information security professionals that share rules and tips for writing them. You can even get access to VirusTotal Intelligence for free through the exchange, if your company doesn’t already pay for it. In return, they only ask that you participate, share with others, and don’t hog the VirusTotal Intelligence monthly quotas that are shared across the whole group.
With VirusTotal Intelligence access, you can set up alerts to notify you when samples are uploaded to VirusTotal that match your YARA rules, without using any quotas. It’s a fantastic way to stress test your rules (your inbox/alert queue will fill up very quickly if you match false-positives), and for identifying new samples, and new waves of attacks. Quotas are used for searching, downloading, and using Retro Hunt on VirusTotal Intelligence. Retro Hunt takes a set of YARA rules, runs a scan on about the last three months of all files that were uploaded to VirusTotal (literally terabytes of data), and returns a list of file hashes that matched your rules, and which rules they matched.
Check out this great talk on getting the most out of VirusTotal Intelligence and YARA by Wyatt Roersma at GrrCon 2016:
Books
Other resources
- Atom editor package for YARA syntax highlighting