From ce454a3f8c3166df1be5c049b6fb64786a6e4bf8 Mon Sep 17 00:00:00 2001
From: rabbitstack
Date: Tue, 19 Nov 2024 21:41:53 +0100
Subject: [PATCH] chore(yara): Log rule loading and check view section size

Log the loading of the YARA rule and check the size of the view of section. Small sections should not be candidates for scanning.

---
 pkg/yara/scanner.go | 4 +++-
 pkg/yara/scanner_test.go | 4 ++++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/pkg/yara/scanner.go b/pkg/yara/scanner.go
index 2833233a3..d9a4a0164 100644
--- a/pkg/yara/scanner.go
+++ b/pkg/yara/scanner.go
@@ -103,6 +103,7 @@ func NewScanner(psnap ps.Snapshotter, config config.Config) (Scanner, error) {
 return nil
 }
 rulesInCompiler.Add(1)
+ log.Infof("loading yara rule(s) from %s", filepath.Join(path, fi.Name()))
 return nil
 })
 
@@ -277,7 +278,8 @@ func (s scanner) Scan(e *kevent.Kevent) (bool, error) {
 // scan process mapping a suspicious RX/RWX section view
 pid := e.Kparams.MustGetPid()
 prot := e.Kparams.MustGetUint32(kparams.MemProtect)
- if e.PID != 4 && ((prot&kevent.SectionRX) != 0 && (prot&kevent.SectionRWX) != 0) {
+ size := e.Kparams.MustGetUint64(kparams.FileViewSize)
+ if e.PID != 4 && size >= 4096 && ((prot&kevent.SectionRX) != 0 && (prot&kevent.SectionRWX) != 0) {
 filename := e.GetParamAsString(kparams.FileName)
 // skip mappings of signed images
 addr := e.Kparams.MustGetUint64(kparams.FileViewBase)
diff --git a/pkg/yara/scanner_test.go b/pkg/yara/scanner_test.go
index bd2fcb181..f548a09c9 100644
--- a/pkg/yara/scanner_test.go
+++ b/pkg/yara/scanner_test.go
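Review bot: The added log line in NewScanner formats the rule path with `%s`; `%q` would quote it so that spaces or unusual characters in a rule file name remain visible in the log, i.e. `log.Infof("loading yara rule(s) from %q", filepath.Join(path, fi.Name()))`. Whether `path` is the directory being walked and `fi.Name()` the entry name is not visible here and is assumed from the surrounding walk callback. The enclosing NewScanner and its callback start and end outside the hunk.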
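Review bot: The new threshold `size >= 4096` on the rewritten `if` line in Scan is a bare magic number; the rationale given only in the commit message (small section views are not scan candidates) should live in the code as a named constant, e.g. `const minSectionViewSize = 4096 // section views smaller than this are not submitted for scanning` at package level, with the condition reading `size >= minSectionViewSize`. MustGetUint64 presumably panics or returns a zero value when FileViewSize is absent from the event; if not every section-mapping event carries that parameter, a guarded getter with an explicit skip would be safer, which is worth confirming against the event producer. The Scan method starts and ends outside the hunk.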
@@ -725,6 +725,7 @@ func TestScan(t *testing.T) {
 Kparams: kevent.Kparams{
 kparams.ProcessID: {Name: kparams.ProcessID, Type: kparams.PID, Value: pid},
 kparams.FileViewBase: {Name: kparams.FileViewBase, Type: kparams.Address, Value: uint64(0x7ffe0000)},
+ kparams.FileViewSize: {Name: kparams.FileViewSize, Type: kparams.Uint64, Value: uint64(12333)},
 kparams.MemProtect: {Name: kparams.MemProtect, Type: kparams.Flags, Value: uint32(kevent.SectionRX), Flags: kevent.ViewProtectionFlags},
 },
 Metadata: make(map[kevent.MetadataKey]any),
@@ -780,6 +781,7 @@ func TestScan(t *testing.T) {
 Kparams: kevent.Kparams{
 kparams.ProcessID: {Name: kparams.ProcessID, Type: kparams.PID, Value: uint32(1123)},
 kparams.FileViewBase: {Name: kparams.FileViewBase, Type: kparams.Address, Value: uint64(0x7f3e1000)},
+ kparams.FileViewSize: {Name: kparams.FileViewSize, Type: kparams.Uint64, Value: uint64(12333)},
 kparams.MemProtect: {Name: kparams.MemProtect, Type: kparams.Flags, Value: uint32(kevent.SectionRX), Flags: kevent.ViewProtectionFlags},
 },
 Metadata: make(map[kevent.MetadataKey]any),
@@ -828,6 +830,7 @@ func TestScan(t *testing.T) {
 Kparams: kevent.Kparams{
 kparams.ProcessID: {Name: kparams.ProcessID, Type: kparams.PID, Value: uint32(321321)},
 kparams.FileViewBase: {Name: kparams.FileViewBase, Type: kparams.Address, Value: uint64(0x7ffe0000)},
+ kparams.FileViewSize: {Name: kparams.FileViewSize, Type: kparams.Uint64, Value: uint64(12333)},
 kparams.MemProtect: {Name: kparams.MemProtect, Type: kparams.Flags, Value: uint32(0x10000), Flags: kevent.ViewProtectionFlags},
 },
 Metadata: make(map[kevent.MetadataKey]any),
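Review bot: Every fixture touched by this commit (this hunk, the two that follow it, and the one at `@@ -877,6 +880,7 @@`) sets FileViewSize to 12333, so the new `size >= 4096` guard in Scan is only ever exercised on its accepting side. A fixture with a view below the threshold, e.g. `kparams.FileViewSize: {Name: kparams.FileViewSize, Type: kparams.Uint64, Value: uint64(2048)},` together with an assertion that Scan reports no match for it, would pin the behaviour the commit introduces. TestScan starts and ends outside the hunk, so where the matching assertions sit is not visible here.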
@@ -877,6 +880,7 @@ func TestScan(t *testing.T) {
 kparams.ProcessID: {Name: kparams.ProcessID, Type: kparams.PID, Value: uint32(1123)},
 kparams.FileName: {Name: kparams.FileName, Type: kparams.UnicodeString, Value: filepath.Join(os.Getenv("windir"), "regedit.exe")},
 kparams.FileViewBase: {Name: kparams.FileViewBase, Type: kparams.Address, Value: uint64(0x7ffe0000)},
+ kparams.FileViewSize: {Name: kparams.FileViewSize, Type: kparams.Uint64, Value: uint64(12333)},
 kparams.MemProtect: {Name: kparams.MemProtect, Type: kparams.Flags, Value: uint32(kevent.SectionRWX), Flags: kevent.ViewProtectionFlags},
 },
 Metadata: make(map[kevent.MetadataKey]any),