
Daniel Plohmann committed 5a5d5bc

added own yara path for IDAscope and EICAR example rule

  • Parent commits f3d58ad


Files changed (5)

+# byte code
+*.pyc
+
+# private yara signatures
+*idascope/data/yara/*
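Review bot: The pattern `*idascope/data/yara/*` on the last line also matches the plugin's own `idascope/data/yara/eicar.yar` that this same commit ships, so any further example rule dropped into that folder is silently skipped by `git add` unless forced, and the leading `*` makes the pattern match any top-level directory whose name ends in `idascope`, not just the plugin's. If the intent is to keep private signatures out of the repository while still shipping bundled examples, anchor the pattern and whitelist the examples: `/idascope/data/yara/*` followed by `!/idascope/data/yara/eicar.yar`. This appears to be a .gitignore, though its file header is not visible in the rendered section.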
         self.idascope_widgets = []
         self.ensureRootPathSanity(config.configuration)
         self.config = IDAscopeConfiguration(config.configuration)
+        print str(self.config)
         self.icon = QIcon(self.config.icon_file_path + "idascope.png")
 
     def ensureRootPathSanity(self, configuration):
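Review bot: `print str(self.config)` at the top of the hunk looks like a debug statement left in plugin construction; it writes every configured path, including the newly prepended yara folder, to IDA's output window on each load. If the dump is meant as a startup diagnostic, route it through whatever logging facility the plugin already uses or guard it behind a verbosity setting; otherwise drop the line before release. The enclosing constructor starts outside the hunk, so I cannot see whether such a setting already exists.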

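--- a/idascope/config.py
+++ b/idascope/config.py
         "default_semantics": "win-ring3"
         },
     "yara": {
+        # relative path "idascope\\data\\yara\\" is added on plugin startup.
         "yara_sigs": ["C:\\yara"]
         }
 }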
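Review bot: The new comment on the `yara` entry spells the auto-added folder with Windows separators, but the startup code in IDAscopeConfiguration builds that path from `os.sep`, so on other platforms the comment is misleading; it also does not say where the folder ends up relative to the entries listed here. Suggest `# The plugin's own idascope/data/yara/ folder (below the plugin root) is put first in this list on startup; the entries given here follow it.` The `C:\\yara` default itself remains Windows-only, which this commit does not change.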

File idascope/core/structures/IDAscopeConfiguration.py

         self.winapi_load_keyword_database = configuration["winapi"]["load_keyword_database"]
         self.winapi_online_enabled = configuration["winapi"]["online_enabled"]
         self.inspection_default_semantics = configuration["inspection"]["default_semantics"]
-        self.yara_sig_folders = configuration["yara"]["yara_sigs"]
+        idascope_yara_folder = self.root_file_path + self.os.sep + os.sep.join(["idascope", "data", "yara"])
+        self.yara_sig_folders = [self._normalizePath(idascope_yara_folder)]
+        self.yara_sig_folders.extend(configuration["yara"]["yara_sigs"])
 
     def _normalizePath(self, path):
         if self.os_path_normpath is None:
             + "  icon_file_path: %s\n" % self.icon_file_path \
             + "  semantics_file: %s\n" % self.semantics_file \
             + "  winapi_keywords_file: %s\n" % self.winapi_keywords_file \
-            + "  winapi_rootdir: %s" % self.winapi_rootdir \
+            + "  winapi_rootdir: %s\n" % self.winapi_rootdir \
             + "  yara_sigs: %s" % self.yara_sig_folders
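Review bot: The new path line in the first hunk mixes `self.os.sep` and bare `os.sep` in one expression; unless the class both holds an `os` attribute and the module imports `os`, one of the two raises at startup, and `self.os_path_normpath` two lines below suggests the modules are injected on the instance, which makes the bare `os.sep.join([...])` the odd one out. Build the path with a single reference, e.g. `idascope_yara_folder = self.os.sep.join([self.root_file_path, "idascope", "data", "yara"])` (or `os.path.join(self.root_file_path, "idascope", "data", "yara")` if `os` is in fact imported at module level). The plugin's own folder is now unconditionally the first entry of `yara_sig_folders`, ahead of everything the user configured; that is worth stating in the constructor's docstring, which starts outside the hunk. The added newline in `__str__` in the second hunk looks correct.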

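--- a/idascope/data/yara/eicar.yar
+++ b/idascope/data/yara/eicar.yar
+rule EICAR {
+	meta:
+		author = "Daniel Plohmann <daniel.plohmann<at>fkie.fraunhofer.de"
+		type = "info"
+		description = "YARA rule for EICAR test file"
+
+	strings: 
+		$eicar = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
+
+	condition:
+		$eicar
+}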
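Review bot: The `author` meta string opens a `<` that is never closed (`<daniel.plohmann<at>fkie.fraunhofer.de`), so it should read `author = "Daniel Plohmann <daniel.plohmann<at>fkie.fraunhofer.de>"`, and the `strings:` line carries trailing whitespace. The `\\` in `$eicar` correctly encodes the single backslash of the EICAR test string, so the rule itself should match the standard test file. Be aware that shipping this file places the literal EICAR signature inside the plugin distribution, and some antivirus engines flag any file containing it, which can quarantine the plugin folder on install; a sentence in the `description` meta saying that this is expected would spare users a confused bug report.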