Complex Yara Support

kisec · Apr 4, 2016 · 487d2de · 487d2de
1 parent fe905ab
commit 487d2de
Show file tree

Hide file tree

Showing 4 changed files with 98 additions and 9 deletions.
diff --git a/web/templates/modals/raw_memory_modal.html b/web/templates/modals/raw_memory_modal.html
@@ -4,7 +4,7 @@
         <div class="modal-content">
             <div class="modal-header">
                 <button type="button" class="close" data-dismiss="modal"><span aria-hidden="true">&times;</span><span class="sr-only">Close</span></button>
-                <h4 class="modal-title" id="memoryModal">View Raw Memory</h4>
+                <h4 class="modal-title">View Raw Memory</h4>
             </div>
             <div class="modal-body">
 

diff --git a/web/templates/modals/yara_modal.html b/web/templates/modals/yara_modal.html
@@ -0,0 +1,75 @@
+{% load template_dict %}
+<div class="modal fade" id="yaraModal" tabindex="-1" role="dialog" aria-labelledby="yaraModal" aria-hidden="true">
+    <div class="modal-dialog">
+        <div class="modal-content">
+
+
+            <div class="modal-header">
+                <button type="button" class="close" data-dismiss="modal"><span aria-hidden="true">&times;</span><span class="sr-only">Close</span></button>
+                <h4 class="modal-title">Add Session</h4>
+            </div>
+
+            <div class="modal-body">
+
+
+                <ul class="nav nav-pills">
+                    <li class="active"><a data-toggle="pill" href="#yarastrings">Manual Rule</a></li>
+                    <li><a data-toggle="pill" href="#rulefile">Rule File</a></li>
+                </ul>
+
+                <div class="tab-content">
+                    <div id="yarastrings" class="tab-pane fade in active">
+                        <h4>Yara Strings</h4>
+                        <form class="form">
+                          <div class="form-group">
+                            <input type="text" class="form-control" id="yara-string" placeholder="Search String">
+                          </div>
+                          <div class="form-group">
+                            <input type="text" class="form-control" id="yara-hex" placeholder="Size of hexdump preview (256b)">
+                          </div>
+                          <div class="form-group">
+                            <input type="text" class="form-control" id="yara-reverse" placeholder="Reverse this many bytes">
+                          </div>
+
+                          <div class="checkbox">
+                            <label>
+                              <input type="checkbox" id="yara-case"> Case Insensative
+                            </label>
+                          </div>
+
+                          <div class="checkbox">
+                            <label>
+                              <input type="checkbox" id="yara-kernal"> Scan Kernel Modules
+                            </label>
+                          </div>
+
+                          <div class="checkbox">
+                            <label>
+                              <input type="checkbox" id="yara-wide"> Match Unicode Strings (Wide)
+                            </label>
+                          </div>
+
+
+
+                            <a href="#" onclick="ajaxHandler('memhex', {'session_id':'{{session_details|get:"_id"}}', 'target_div':'hex-out'}, false )" class="btn" role="button btn-info">Scan for Strings</a>
+                        </form>
+                    </div>
+
+
+                    <div id="rulefile" class="tab-pane fade">
+                        <h4>VirusTotal</h4>
+                    </div>
+                </div>
+
+
+                <div id="yara-out"></div>
+
+
+            </div>
+
+            <div class="modal-footer">
+                <button type="button" class="btn btn-default" data-dismiss="modal">Close</button>
+            </div>
+        </div>
+    </div>
+</div>
diff --git a/web/templates/session.html b/web/templates/session.html
@@ -100,7 +100,7 @@ <h3 class="panel-title">Image Information</h3>
     <div class="collapse navbar-collapse" id="bs-example-navbar-collapse-2">
       <ul class="nav navbar-nav">
         <li><a href="#" data-toggle="modal" data-target="#memoryModal">View Raw Memory</a></li>
-        <li><a href="#" data-toggle="modal" data-target="#">Yara Scan Memory</a></li>
+        <li><a href="#" data-toggle="modal" data-target="#yaraModal">Yara Scan Memory</a></li>
         <li><a href="#" data-toggle="modal" data-target="#commentsModal">Comments <span class="badge">{{ comments|length }}</span></a></li>
 
       </ul>
@@ -196,6 +196,7 @@ <h3 class="panel-title">Plugin Results</h3>
 <div id="hiveModalDiv"></div>
 
 {% include "raw_memory_modal.html" %}
+{% include "yara_modal.html" %}
 
 <div class="comment-modal">
 {% include "comments_modal.html" %}

diff --git a/web/views.py b/web/views.py
@@ -819,13 +819,26 @@ def ajax_handler(request, command):
                 pass
             if search_type == 'string':
                 logger.debug('yarascan for string')
-                try:
-                    session = db.get_session(ObjectId(session_id))
-                    vol_int = RunVol(session['session_profile'], session['session_path'])
-                    results = vol_int.run_plugin('yarascan', output_style='json', plugin_options={'YARA_RULES': search_text})
-                    return render(request, 'plugin_output.html', {'plugin_results': results})
-                except Exception as error:
-                    logger.error(error)
+                # If search string ends with .yar assume a yara rule
+                if any(ext in search_text for ext in ['.yar', '.yara']):
+                    if os.path.exists(search_text):
+                        try:
+                            session = db.get_session(ObjectId(session_id))
+                            vol_int = RunVol(session['session_profile'], session['session_path'])
+                            results = vol_int.run_plugin('yarascan', output_style='json', plugin_options={'YARA_FILE': search_text})
+                            return render(request, 'plugin_output.html', {'plugin_results': results})
+                        except Exception as error:
+                            logger.error(error)
+                    else:
+                        logger.error('No Yara Rule Found')
+                else:
+                    try:
+                        session = db.get_session(ObjectId(session_id))
+                        vol_int = RunVol(session['session_profile'], session['session_path'])
+                        results = vol_int.run_plugin('yarascan', output_style='json', plugin_options={'YARA_RULES': search_text})
+                        return render(request, 'plugin_output.html', {'plugin_results': results})
+                    except Exception as error:
+                        logger.error(error)
 
             if search_type == 'registry':