schrodyn / steezy

Steezy - Ghetto Yara Generation


steezy

Steezy is a Python tool that drives other tools and libraries to generate Yara hex strings, in several wildcarding styles, for instruction sequences taken from compiled executables.

Steezy has two modes of operation.

  1. Generating rules for a function virtual address.
  2. Generating rules for a range of instructions.

Supported file formats:

  • PE
  • ELF
  • Mach-O

Shellcode is not yet supported. .NET is not yet supported but will be Real Soon Now™.

Original blog post.

The primary tool is either rizin or radare2. You need one of them installed together with its Python pipe library (rzpipe for rizin, r2pipe for radare2). You do not need both rizin and radare2, but having both installed is not an issue.

In addition, Steezy includes a string generated by the mkYara tool.

Installation

  • Install dependencies.
  • Clone git repo.
  • python setup.py install

Dependencies

  • Python 3.x (tested with 3.7+).
  • rizin with rzpipe, or radare2 with r2pipe.
  • mkYara.

Usage

General workflow:

  1. Have a sample or set of samples that interests you.
  2. Do some ghetto reversing.
  3. Find a function or a range of instructions that interest you.
  4. Steezy.
  5. Yara.

Function VA Mode

The provided offset is taken to be the virtual address of a function, and every instruction rizin/radare2 attributes to that function is included. This is a blunt instrument: clean the rule up by hand afterwards, removing the function prologue, epilogue or whatever else you do not want matched.

➜ steezy -f 18c1874514f6dec1e3eacea915a6592500f6824ee4d310650ca890e3d56896be -o 0x10001e20
[2022-01-14 12:38:00,930] steezy:open_file INFO: Target file: 18c1874514f6dec1e3eacea915a6592500f6824ee4d310650ca890e3d56896be
[2022-01-14 12:38:01,541] steezy:open_file INFO: Analysing file.

rule steezy_18c1874514f6dec1e3eacea915a6592500f6824ee4d310650ca890e3d56896be
{
    meta:
        author = "Steezy (https://github.com/schrodyn/steezy)"
        hash1 = "18c1874514f6dec1e3eacea915a6592500f6824ee4d310650ca890e3d56896be"

    strings:
        $a0 = {558bec83ec10e8????????c745fc????????8d45fc50e8????????50e8????????8945f0837dfc01[2-6]e8????????6a??e8????????[2-6]837dfc02[2-6]e8????????8945f88b4df8516a??6a??e8????????8945f4e8????????3d????????[2-6]6a??e8????????e8????????6a??e8????????8b55f452e8????????e8????????33c08be55dc3}
        $a1 = {558bec83ec10e805faffffc745fc000000008d45fc50e8f5f8ffff50e87ff7ffff8945f0837dfc01750ee8b17300006a00e86af8ffffeb46837dfc027540e8ada700008945f88b4df8516a006a00e8ddf7ffff8945f4e825f9ffff3db700000075076a00e837f8ffffe822faffff6a00e8dbfdffff8b55f452e862f1ffffe86df9ffff33c08be55dc3}
        $a2 = {558bec83ec10e8????????c745fc????????8d45fc50e8????????50e8????????8945f0837dfc0175??e8????????6a??e8????????eb??837dfc0275??e8????????8945f88b4df8516a??6a??e8????????8945f4e8????????3d????????75??6a??e8????????e8????????6a??e8????????8b55f452e8????????e8????????33c08be55dc3}
        $a3 = {558bec83ec10e8????????c745??000000008d45??50e8????????50e8????????8945??837d??0175??e8????????6a00e8????????eb??837d??0275??e8????????8945??8b4d??516a006a00e8????????8945??e8????????3db700000075??6a00e8????????e8????????6a00e8????????8b55??52e8????????e8????????33c08be55dc3}

    condition:
        any of them
}

Caveats

There are some cases where the output string is not what you expected. This is usually because the disassembler you are using has recognised the function boundaries differently (better?) from rizin/radare2. If you run into this, use range mode with the start and end addresses of your intended target.

Work is being considered to accept rz/r2 commands as arguments so that Steezy can define the function blocks for you. This would be an advanced mode.

Range Of Instructions Mode

The range must be provided as <start_offset:end_offset>. The end_offset is inclusive when Steezy parses instructions.

➜ steezy -f 18c1874514f6dec1e3eacea915a6592500f6824ee4d310650ca890e3d56896be -r0x10001e20:10001e56
[2022-01-14 12:39:22,749] steezy:open_file INFO: Target file: 18c1874514f6dec1e3eacea915a6592500f6824ee4d310650ca890e3d56896be
[2022-01-14 12:39:23,069] steezy:open_file INFO: Analysing file.

rule steezy_18c1874514f6dec1e3eacea915a6592500f6824ee4d310650ca890e3d56896be
{
    meta:
        author = "Steezy (https://github.com/schrodyn/steezy)"
        hash1 = "18c1874514f6dec1e3eacea915a6592500f6824ee4d310650ca890e3d56896be"

    strings:
        $a0 = {558bec83ec10e805faffffc745fc000000008d45fc50e8f5f8ffff50e87ff7ffff8945f0837dfc01750ee8b17300006a00e86af8ffff}
        $a1 = {558bec83ec10e8????????c745fc????????8d45fc50e8????????50e8????????8945f0837dfc0175??e8????????6a??e8????????eb??}
        $a2 = {558bec83ec10e8????????c745??000000008d45??50e8????????50e8????????8945??837d??0175??e8????????6a00e8????????}

    condition:
        any of them
}

Steezy emits a single rule with at most four strings, one per generation strategy:

  • Static bytes: matches only this exact build, so not very useful on its own.
  • Yara `??` wildcards placed using the rizin/r2 instruction mask (in the output above, call targets and immediates are wildcarded while stack displacements are kept).
  • Instruction-mask wildcards plus Yara byte ranges at the function's block boundaries (the [2-6] in the function-mode output above spans the 2-byte short and 6-byte near encodings of a conditional branch).
  • The string generated by Fox-IT's mkYARA.
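The following is an added example, not Steezy's own code, showing how the static, masked and ranged strings above relate to each other and how to sanity-check them offline. The instruction list is hand-built from the bytes in the range-mode output; its masks and type labels imitate the "bytes", "mask" and "type" fields of a rizin/radare2 `aoj` query (field names assumed), and the two variant byte strings are constructed. Nothing in it calls rizin, radare2 or yara.

```python
# Added example, not Steezy's own code: rebuilds the three wildcard styles
# from per-instruction (bytes, mask, type) triples and checks them against
# constructed byte strings. Masks and type labels imitate the "bytes",
# "mask" and "type" fields of a rizin/radare2 `aoj` query (names assumed).
import re
from dataclasses import dataclass
from typing import List


@dataclass
class Insn:
    bytes_hex: str  # raw instruction bytes, hex encoded
    mask_hex: str   # same length; ff = keep this byte, 00 = wildcard it
    type: str       # rizin/r2 style instruction type: "call", "cjmp", "jmp", ...


# Constructed sample: 0x10001e20..0x10001e56 of the README's sample (32-bit x86).
SAMPLE: List[Insn] = [
    Insn("55", "ff", "push"),                         # push ebp
    Insn("8bec", "ffff", "mov"),                      # mov ebp, esp
    Insn("83ec10", "ffffff", "sub"),                  # sub esp, 0x10
    Insn("e805faffff", "ff00000000", "call"),         # call rel32 (target varies)
    Insn("c745fc00000000", "ffffff00000000", "mov"),  # mov dword [ebp-4], imm32
    Insn("8d45fc", "ffffff", "lea"),                  # lea eax, [ebp-4]
    Insn("50", "ff", "push"),                         # push eax
    Insn("e8f5f8ffff", "ff00000000", "call"),
    Insn("50", "ff", "push"),
    Insn("e87ff7ffff", "ff00000000", "call"),
    Insn("8945f0", "ffffff", "mov"),                  # mov [ebp-0x10], eax
    Insn("837dfc01", "ffffffff", "cmp"),              # cmp dword [ebp-4], 1
    Insn("750e", "ff00", "cjmp"),                     # jne rel8
    Insn("e8b1730000", "ff00000000", "call"),
    Insn("6a00", "ff00", "push"),                     # push imm8
    Insn("e86af8ffff", "ff00000000", "call"),
    Insn("eb46", "ff00", "jmp"),                      # jmp rel8
]

# Constructed variants of the same code: one relinked so every call target
# differs, one where the compiler also chose near (rel32) branch encodings.
RELINKED = bytes.fromhex(
    "55 8bec 83ec10 e8 11223344 c745fc 00000000 8d45fc 50 e8 aabbccdd 50"
    " e8 01020304 8945f0 837dfc01 750e e8 99887766 6a00 e8 55667788 eb46")
NEAR_BRANCHES = bytes.fromhex(
    "55 8bec 83ec10 e8 11223344 c745fc 00000000 8d45fc 50 e8 aabbccdd 50"
    " e8 01020304 8945f0 837dfc01 0f85 0e000000 e8 99887766 6a00 e8 55667788"
    " e9 46000000")


def static_string(insns: List[Insn]) -> str:
    """Style 1: the raw bytes; matches only this exact build."""
    return "".join(i.bytes_hex for i in insns)


def masked_string(insns: List[Insn]) -> str:
    """Style 2: bytes the instruction mask marks as variable become '??'."""
    out = []
    for i in insns:
        raw, mask = bytes.fromhex(i.bytes_hex), bytes.fromhex(i.mask_hex)
        if len(raw) != len(mask):
            raise ValueError(f"mask length mismatch for {i.bytes_hex}")
        out.append("".join(f"{b:02x}" if m else "??" for b, m in zip(raw, mask)))
    return "".join(out)


def ranged_string(insns: List[Insn]) -> str:
    """Style 3: masked, and every branch becomes a [2-6] byte range.

    A branch may be encoded short (2 bytes), as a near jmp (e9 rel32,
    5 bytes) or a near jcc (0f 8x rel32, 6 bytes); [2-6] absorbs all three.
    """
    return "".join("[2-6]" if i.type in ("jmp", "cjmp") else masked_string([i])
                   for i in insns)


def hex_to_regex(pattern: str) -> "re.Pattern[bytes]":
    """Translate a Yara hex string into a bytes regex for offline checks."""
    parts, i = [], 0
    while i < len(pattern):
        if pattern[i] == "[":                      # [lo-hi] jump
            j = pattern.index("]", i)
            lo, hi = pattern[i + 1:j].split("-")
            parts.append(f".{{{lo},{hi}}}")
            i = j + 1
        else:                                      # "??" or one hex byte
            parts.append("." if pattern[i:i + 2] == "??" else f"\\x{pattern[i:i + 2]}")
            i += 2
    return re.compile("".join(parts).encode("ascii"), re.DOTALL)


def matches(pattern: str, blob: bytes) -> bool:
    return hex_to_regex(pattern).search(blob) is not None


if __name__ == "__main__":
    styles = [static_string(SAMPLE), masked_string(SAMPLE), ranged_string(SAMPLE)]
    for name, blob in (("relinked", RELINKED), ("near branches", NEAR_BRANCHES)):
        print(name, [matches(s, blob) for s in styles])
```

Run against the two constructed variants, only the masked string survives a relink, and only the ranged string also survives the compiler switching to near branch encodings, which is the progression the three strings above are meant to give you.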

Additional Resources

Some other tools I have used for generating Yara rules, which led me to write my own.

Future Work

Considering rewriting this entirely with Vivisect which would lessen the dependencies and simplify the install.

License: Other
