YARA searches for strings inside files. Strings to search for are defined with YARA rules.

With the release of YARA 3.8.0, support for searching for XOR encoded strings was introduced. By adding the modifier xor to the definition of a string, YARA 3.8.0 would search for strings that were XOR encoded, with a single-byte key, ranging from 1 to 255.

Here is an example of a string with xor modifier.

    rule xor_test {
        strings:
            $a = “https://isc.sans.edu” xor
        condition:
            $a
    }

This YARA version’s xor modifier would not match unencoded strings.

Apparently, that was not the purpose, and this was fixed with version 3.10.0.

The same rule would now also match unencoded strings.

With the latest version of YARA, 3.11.0, a YARA rule developer has now control over which XOR key range is used by modifier xor.

This is done by specifing an optional minimum-key – maximum-key range after the xor modifier, like this: xor(min-max).

The following rule has an xor modifier with key range 0x01-0xFF (minimum/maximum keys can be specified with decimal or hexadecimal values).

    rule xor_test {
        strings:
            $a = “https://isc.sans.edu” xor(0x01-0xFF)
        condition:
            $a
    }

This rule will not match unencoded strings.

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Join VMUG at VMworld Europe 2019! BARCELONA, SPAIN 4-7 November 2019 Heading to VMworld Europe 2019? The VMUG community will have many fun ways to meet up and engage on-site with fellow members! Find Your #VMUGAdventure   Whether you are a dedicated VMUG member who has explored VMUG’s programming or you are brand new and […]

The post Join VMUG at VMworld Europe 2019! appeared first on VMarena.