|
|
|
@ -11,11 +11,12 @@ moduleinfo = {'version': '1', 'author': 'Christian STUDER', |
|
|
|
|
'module-type': ['expansion', 'hover'], |
|
|
|
|
'require_standard_format': True} |
|
|
|
|
moduleconfig = [] |
|
|
|
|
mispattributes = {'input': ['md5', 'sha1', 'sha256', 'filename|md5', 'filename|sha1', 'filename|sha256'], 'output': ['yara']} |
|
|
|
|
mispattributes = {'input': ['md5', 'sha1', 'sha256', 'filename|md5', 'filename|sha1', 'filename|sha256', 'imphash'], 'output': ['yara']} |
|
|
|
|
|
|
|
|
|
def get_hash_condition(hashtype, hashvalue): |
|
|
|
|
condition = 'hash.{}(0, filesize) == "{}"'.format(hashtype, hashvalue.lower()) |
|
|
|
|
return condition, 'hash' |
|
|
|
|
hashvalue = hashvalue.lower() |
|
|
|
|
required_module, params = ('pe', '()') if hashtype == 'imphash' else ('hash', '(0, filesize)') |
|
|
|
|
return '{}.{}{} == "{}"'.format(required_module, hashtype, params, hashvalue), required_module |
|
|
|
|
|
|
|
|
|
def handler(q=False): |
|
|
|
|
if q is False: |
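Review bot: In the new `get_hash_condition`, `hashvalue` is lower-cased and then interpolated straight into the generated YARA rule text with no check that it is actually a hex digest, so an attribute value containing a double quote — e.g. `abc" or true //` — would close the string literal and inject an arbitrary condition into a rule that downstream scanners may load; the old code had the same gap, but the `imphash` extension is a good moment to close it. A digest has a fixed hex length per type (32 for md5 and imphash, 40 for sha1, 64 for sha256), so a `re.fullmatch` against that length rejects anything that is not a bare digest; `re` appears to be in scope already since the file calls `re.sub` further down. Validating here keeps the check next to the only place the value is rendered into rule syntax, independent of what the caller does with `filename|...` splitting. The `handler` body that consumes this (and presumably turns failures into an error dict) continues outside the hunk, so the raised `ValueError` would need to be caught there, or the function could return an error marker the caller already understands.

```python
# Expected hex-digest length per attribute type; anything else must not reach the rule text.
_DIGEST_LENGTHS = {'md5': 32, 'sha1': 40, 'sha256': 64, 'imphash': 32}


def get_hash_condition(hashtype, hashvalue):
    hashvalue = hashvalue.lower()
    expected = _DIGEST_LENGTHS.get(hashtype)
    # Reject anything that is not exactly one lowercase hex digest of the right
    # length: the value is pasted verbatim into YARA syntax below.
    if expected is None or not re.fullmatch(r'[0-9a-f]{%d}' % expected, hashvalue):
        raise ValueError('Invalid {} value: {!r}'.format(hashtype, hashvalue))
    required_module, params = ('pe', '()') if hashtype == 'imphash' else ('hash', '(0, filesize)')
    # … unchanged: return of the formatted condition and module name …
```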
|
|
|
@ -31,7 +32,7 @@ def handler(q=False): |
|
|
|
|
_, value = value.split('|') |
|
|
|
|
condition, required_module = get_hash_condition(attribute_type, value) |
|
|
|
|
import_section = 'import "{}"'.format(required_module) |
|
|
|
|
rule_start = 'import "hash" \r\nrule %s_%s {' % (attribute_type.upper(), re.sub(r'\W+', '_', uuid)) if uuid else 'import "hash"\r\nrule %s {' % attribute_type.upper() |
|
|
|
|
rule_start = '%s\r\nrule %s_%s {' % (import_section, attribute_type.upper(), re.sub(r'\W+', '_', uuid)) if uuid else '%s\r\nrule %s {' % (import_section, attribute_type.upper()) |
|
|
|
|
condition = '\tcondition:\r\n\t\t{}'.format(condition) |
|
|
|
|
rule = '\r\n'.join([rule_start, condition, '}']) |
|
|
|
|
try: |
|
|
|
|