How to use yaraQA to improve the quality and performance of YARA rules
About yaraQA
yaraQA is a YARA rule analyzer that helps researchers improve the quality and performance of their YARA rules.
Many YARA rules are syntactically correct but still have functional problems. yaraQA tries to find these problems and report them to the developers or maintainers of the rule set.
Features of yaraQA
yaraQA tries to detect the following issues:
1. Rules that are syntactically correct but never match because of an error in the condition;
2. Rules that use a possibly wrong combination of string and modifiers (e.g. $ = "\\Debug\\" fullword: 'fullword' requires non-alphanumeric characters on both sides of the match, which a path segment that itself starts and ends with a backslash almost never has);
3. Performance issues caused by short atoms, repeated characters or loops (e.g. $ = "AA"; these can be excluded from the analysis with --ignore-performance);
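To make the three issue classes concrete, the following is an added example (toy code written for this article, not yaraQA's own implementation): a minimal checker that parses a few constructed rules with regular expressions and flags the same three problems, plus a small emulation of YARA's 'fullword' semantics showing why a backslash-delimited path segment never matches inside a real path. The issue-type prefixes SM/PA/CE are loosely modelled on the ids in yaraQA's output; the 4-byte atom threshold, the sample rules and the simplified parser (no regex strings, no escape sequences beyond \\ and \") are assumptions of this example.

```python
import re

# Constructed sample rules (not taken from yaraQA's ./test directory) that
# exhibit the three issue classes described above.
SAMPLE_RULES = r'''
rule Fullword_Path {
    strings:
        $s1 = "\\Debug\\" ascii fullword
    condition:
        $s1
}
rule Short_Atom {
    strings:
        $a = "AA"
        $b = { 4d 5a }
    condition:
        any of them
}
rule Never_Matches {
    strings:
        $s1 = "only one string"
    condition:
        2 of them
}
'''

RULE_RE = re.compile(r'rule\s+(\w+)\s*\{(.*?)\n\}', re.S)
# name, literal (quoted text or { hex }), rest of the line = modifiers
STRING_RE = re.compile(r'(\$\w*)\s*=\s*("(?:[^"\\]|\\.)*"|\{[^}]*\})[ \t]*([^\n]*)')
MIN_ATOM_LEN = 4  # assumed threshold: YARA atoms are at most 4 bytes, shorter strings give weak atoms


def unescape(inner):
    # Resolve rule-file escapes such as \\ -> \ and \" -> " (toy: \n, \t, \xNN are not handled)
    return re.sub(r'\\(.)', r'\1', inner)


def yara_fullword_matches(needle, haystack):
    # Emulate YARA's 'fullword': the match must not be adjacent to alphanumeric characters.
    pat = r'(?<![A-Za-z0-9])' + re.escape(needle) + r'(?![A-Za-z0-9])'
    return re.search(pat, haystack) is not None


def check_rule(name, body):
    issues = []
    head, _, condition = body.partition('condition:')
    _, _, strings_part = head.partition('strings:')
    string_names = []
    for sname, literal, mods in STRING_RE.findall(strings_part):
        modifiers = mods.split()
        string_names.append(sname)
        if literal.startswith('"'):
            text = unescape(literal[1:-1])
            atom_len = len(text)
            if 'fullword' in modifiers and (text.startswith('\\') or text.endswith('\\')):
                issues.append(dict(rule=name, type='SM', element=sname,
                                   issue="'fullword' on a string that starts or ends with a backslash; "
                                         "inside a path the neighbouring characters are alphanumeric, so it never matches",
                                   recommendation="remove 'fullword' or match the inner word instead"))
        else:
            atom_len = len(re.findall(r'[0-9a-fA-F]{2}', literal))  # wildcards (??) are not counted
        if atom_len < MIN_ATOM_LEN:
            issues.append(dict(rule=name, type='PA', element=sname,
                               issue=f"very short atom ({atom_len} bytes) slows down the whole rule set",
                               recommendation="add bytes before/after the string or use uintN(offset) in the condition"))
    m = re.search(r'(\d+)\s+of\s+(?:them|\()', condition)
    if m and int(m.group(1)) > len(string_names):
        issues.append(dict(rule=name, type='CE', element=condition.strip(),
                           issue=f"condition needs {m.group(1)} strings but the rule defines only {len(string_names)}",
                           recommendation="fix the condition"))
    return issues


def lint(rules_text):
    """Run the toy checks over every rule in a rule file's text."""
    issues = []
    for name, body in RULE_RE.findall(rules_text):
        issues.extend(check_rule(name, body))
    return issues


if __name__ == '__main__':
    for i in lint(SAMPLE_RULES):
        print(f"[{i['type']}] {i['rule']} {i['element']}: {i['issue']}")
    path = r'C:\src\Debug\mimidrv.pdb'  # constructed path
    print('"\\Debug\\" fullword matches the path:', yara_fullword_matches('\\Debug\\', path))
    print('"Debug" fullword matches the path:', yara_fullword_matches('Debug', path))
```

The 'fullword' emulation is the part worth keeping in mind when reading yaraQA's SM findings: "\\Debug\\" fullword fails on C:\src\Debug\mimidrv.pdb because the characters before and after the match are 'c' and 'm', while "Debug" fullword matches there because the backslashes on both sides are non-alphanumeric.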
Installation
The tool is written in Python 3, so a Python 3 environment must be installed and configured on the local machine first. Then clone the project source with the following command:
git clone https://github.com/Neo23x0/yaraQA.git
Then change into the project directory and install the remaining dependencies with pip and the requirements.txt file shipped with the project:
cd yaraQA/
pip install -r requirements.txt
Usage
usage: yaraQA.py [-h] [-f yara files [yara files ...]] [-d yara files [yara files ...]] [-o outfile] [-b baseline] [-l level]
[--ignore-performance] [--debug]
YARA RULE ANALYZER
optional arguments:
-h, --help            show this help message and exit
-f yara files [yara files ...]
                      Path to input files (one or more YARA rules, separated by space)
-d yara files [yara files ...]
                      Path to input directory (YARA rule folders, separated by space)
-o outfile            Output file that lists the issues (JSON, default: 'yaraQA-issues.json')
-b baseline           Use an issues baseline (issues found and reviewed before) to filter the reported issues
-l level              Minimum level to show (1=info, 2=warning, 3=critical; level 3 appears as "error" in the JSON output)
--ignore-performance  Suppress performance-related rule issues
--debug               Debug output
Usage examples
Analyze all rules in a directory (here the project's own ./test directory):
python3 yaraQA.py -d ./test/
Suppress all performance-related issues and show only logic issues:
python3 yaraQA.py -d ./test/ --ignore-performance
Suppress all informational issues (minimum level 2 = warning):
python3 yaraQA.py -d ./test/ -l 2
Use a baseline to show only new issues; the baseline is a .json file in the same format as the tool's output (for example a previous yaraQA-issues.json whose findings have already been reviewed):
python3 yaraQA.py -d ./test/ -b yaraQA-reviewed-issues.json
Output
yaraQA writes the detected issues to a file named yaraQA-issues.json (a different name can be set with -o).
The following is an example of the JSON output generated by yaraQA:
[
{
"rule": "Demo_Rule_1_Fullword_PDB",
"id": "SM1",
"issue": "The rule uses a PDB string with the modifier 'wide'. PDB strings are always included as ASCII strings. The 'wide' keyword is unneeded.",
"element": {
"name": "$s1",
"value": "\\\\i386\\\\mimidrv.pdb",
"type": "text",
"modifiers": [
"ascii",
"wide",
"fullword"
]
},
"level": "info",
"type": "logic",
"recommendation": "Remove the 'wide' modifier"
},
{
"rule": "Demo_Rule_1_Fullword_PDB",
"id": "SM2",
"issue": "The rule uses a PDB string with the modifier 'fullword' but it starts with two backslashes and thus the modifier could lead to a dysfunctional rule.",
"element": {
"name": "$s1",
"value": "\\\\i386\\\\mimidrv.pdb",
"type": "text",
"modifiers": [
"ascii",
"wide",
"fullword"
]
},
"level": "warning",
"type": "logic",
"recommendation": "Remove the 'fullword' modifier"
},
{
"rule": "Demo_Rule_2_Short_Atom",
"id": "PA2",
"issue": "The rule contains a string that turns out to be a very short atom, which could cause a reduced performance of the complete rule set or increased memory usage.",
"element": {
"name": "$s1",
"value": "{ 01 02 03 }",
"type": "byte"
},
"level": "warning",
"type": "performance",
"recommendation": "Try to avoid using such short atoms, by e.g. adding a few more bytes to the beginning or the end (e.g. add a binary 0 in front or a space after the string). Every additional byte helps."
},
{
"rule": "Demo_Rule_3_Fullword_FilePath_Section",
"id": "SM3",
"issue": "The rule uses a string with the modifier 'fullword' but it starts and ends with two backslashes and thus the modifier could lead to a dysfunctional rule.",
"element": {
"name": "$s1",
"value": "\\\\ZombieBoy\\\\",
"type": "text",
"modifiers": [
"ascii",
"fullword"
]
},
"level": "warning",
"type": "logic",
"recommendation": "Remove the 'fullword' modifier"
},
{
"rule": "Demo_Rule_4_Condition_Never_Matches",
"id": "CE1",
"issue": "The rule uses a condition that will never match",
"element": {
"condition_segment": "2 of",
"num_of_strings": 1
},
"level": "error",
"type": "logic",
"recommendation": "Fix the condition"
},
{
"rule": "Demo_Rule_5_Condition_Short_String_At_Pos",
"id": "PA1",
"issue": "This rule looks for a short string at a particular position. A short string represents a short atom and could be rewritten to an expression using uint(x) at position.",
"element": {
"condition_segment": "$mz at 0",
"string": "$mz",
"value": "MZ"
},
"level": "warning",
"type": "performance",
"recommendation": ""
},
{
"rule": "Demo_Rule_5_Condition_Short_String_At_Pos",
"id": "PA2",
"issue": "The rule contains a string that turns out to be a very short atom, which could cause a reduced performance of the complete rule set or increased memory usage.",
"element": {
"name": "$mz",
"value": "MZ",
"type": "text",
"modifiers": [
"ascii"
]
},
"level": "warning",
"type": "performance",
"recommendation": "Try to avoid using such short atoms, by e.g. adding a few more bytes to the beginning or the end (e.g. add a binary 0 in front or a space after the string). Every additional byte helps."
},
{
"rule": "Demo_Rule_6_Condition_Short_Byte_At_Pos",
"id": "PA1",
"issue": "This rule looks for a short string at a particular position. A short string represents a short atom and could be rewritten to an expression using uint(x) at position.",
"element": {
"condition_segment": "$mz at 0",
"string": "$mz",
"value": "{ 4d 5a }"
},
"level": "warning",
"type": "performance",
"recommendation": ""
},
{
"rule": "Demo_Rule_6_Condition_Short_Byte_At_Pos",
"id": "PA2",
"issue": "The rule contains a string that turns out to be a very short atom, which could cause a reduced performance of the complete rule set or increased memory usage.",
"element": {
"name": "$mz",
"value": "{ 4d 5a }",
"type": "byte"
},
"level": "warning",
"type": "performance",
"recommendation": "Try to avoid using such short atoms, by e.g. adding a few more bytes to the beginning or the end (e.g. add a binary 0 in front or a space after the string). Every additional byte helps."
},
{
"rule": "Demo_Rule_6_Condition_Short_Byte_At_Pos",
"id": "SM3",
"issue": "The rule uses a string with the modifier 'fullword' but it starts and ends with two backslashes and thus the modifier could lead to a dysfunctional rule.",
"element": {
"name": "$s1",
"value": "\\\\Section\\\\in\\\\Path\\\\",
"type": "text",
"modifiers": [
"ascii",
"fullword"
]
},
"level": "warning",
"type": "logic",
"recommendation": "Remove the 'fullword' modifier"
}
]
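The usage examples above (-l, --ignore-performance, -b) and the JSON output format are easiest to understand together, so here is an added example (written for this article, not part of yaraQA) that consumes a constructed subset of the output shown above and reproduces the three filters in memory, the way a CI job might gate a rule-set change on new findings. The baseline identity used here (rule name, check id and the affected element) is an assumption of this example; yaraQA's own -b matching may use a different key, and the sample issues are shortened copies of the ones listed above.

```python
import json

# Constructed sample of yaraQA's JSON output (a shortened subset of the issues listed
# above), embedded inline so the example runs offline instead of reading yaraQA-issues.json.
SAMPLE_ISSUES_JSON = r'''
[
  {"rule": "Demo_Rule_1_Fullword_PDB", "id": "SM1", "level": "info", "type": "logic",
   "element": {"name": "$s1", "value": "\\\\i386\\\\mimidrv.pdb"},
   "issue": "The 'wide' keyword is unneeded.", "recommendation": "Remove the 'wide' modifier"},
  {"rule": "Demo_Rule_1_Fullword_PDB", "id": "SM2", "level": "warning", "type": "logic",
   "element": {"name": "$s1", "value": "\\\\i386\\\\mimidrv.pdb"},
   "issue": "'fullword' on a string starting with two backslashes", "recommendation": "Remove the 'fullword' modifier"},
  {"rule": "Demo_Rule_2_Short_Atom", "id": "PA2", "level": "warning", "type": "performance",
   "element": {"name": "$s1", "value": "{ 01 02 03 }"},
   "issue": "very short atom", "recommendation": "add a few more bytes"},
  {"rule": "Demo_Rule_4_Condition_Never_Matches", "id": "CE1", "level": "error", "type": "logic",
   "element": {"condition_segment": "2 of", "num_of_strings": 1},
   "issue": "The rule uses a condition that will never match", "recommendation": "Fix the condition"}
]
'''

# -l 1/2/3 on the command line; level 3 is written as "error" in the JSON file
LEVELS = {"info": 1, "warning": 2, "error": 3}


def load_sample():
    return json.loads(SAMPLE_ISSUES_JSON)


def issue_key(issue):
    # Assumed identity for baseline matching: rule name, check id and the affected element.
    # The element dict is serialised with sorted keys so it can live in a set.
    return (issue["rule"], issue["id"], json.dumps(issue["element"], sort_keys=True))


def filter_issues(issues, min_level=1, ignore_performance=False, baseline=()):
    """In-memory equivalent of the -l, --ignore-performance and -b options."""
    known = {issue_key(b) for b in baseline}
    kept = []
    for issue in issues:
        if LEVELS[issue["level"]] < min_level:
            continue
        if ignore_performance and issue["type"] == "performance":
            continue
        if issue_key(issue) in known:
            continue
        kept.append(issue)
    return kept


def summarize(issues):
    """Count the issues per level, e.g. {'info': 1, 'warning': 2, 'error': 1}."""
    counts = {name: 0 for name in LEVELS}
    for issue in issues:
        counts[issue["level"]] += 1
    return counts


def ci_exit_code(issues, fail_level=2):
    """1 if any issue at or above fail_level is left after filtering (block the change), else 0."""
    return int(any(LEVELS[i["level"]] >= fail_level for i in issues))


if __name__ == "__main__":
    issues = load_sample()
    reviewed = issues[:2]  # pretend the first two findings were reviewed and accepted earlier
    new = filter_issues(issues, min_level=2, baseline=reviewed)
    print(summarize(issues), "->", [i["id"] for i in new], "exit code", ci_exit_code(new))
```

With a real run, replace load_sample() by json.load() on the yaraQA-issues.json file and point the baseline at the reviewed copy you would otherwise pass to -b; the exit code is then what a pipeline step checks.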
Sample rules with issues
The project ships sample rules that contain issues; they can be found in the ./test directory.
Screenshots
License
This project is developed and released under the GPL-3.0 open source license.