Yara String Search with options

kisec · Apr 4, 2016 · d886309 · d886309
1 parent 487d2de
commit d886309
Show file tree

Hide file tree

Showing 4 changed files with 81 additions and 5 deletions.
diff --git a/web/static/js/volutility.js b/web/static/js/volutility.js
@@ -178,6 +178,15 @@ function ajaxHandler(command, postFields, spinner) {
         postOptions['rule_file'] = $('#rule_file').val();
     }
 
+    if (command == 'yara-string'){
+        postOptions['yara-string'] = $('#yara-string').val();
+        postOptions['yara-hex'] = $('#yara-hex').val();
+        postOptions['yara-reverse'] = $('#yara-reverse').val();
+        postOptions['yara-case'] = $('#yara-case').prop('checked');
+        postOptions['yara-kernel'] = $('#yara-kernel').prop('checked');
+        postOptions['yara-wide'] = $('#yara-wide').prop('checked');
+    }
+
     if (command == 'memhex' || command == 'memhexdump'){
         postOptions['start_offset'] = $('#start_offset').val();
         postOptions['end_offset'] = $('#end_offset').val();
@@ -249,7 +258,7 @@ function ajaxHandler(command, postFields, spinner) {
                 jQuery.noConflict();
                 $('#hiveTable').DataTable();
 
-            }else if (command == "virustotal" || command == "yara" || command == "strings") {
+            }else if (command == "virustotal" || command == "yara" || command == "strings" || command == "yara-string") {
                 $('#'+postOptions["target_div"]).html(data);
 
             }else if (command == "dropsession") {

diff --git a/web/templates/modals/yara_modal.html b/web/templates/modals/yara_modal.html
@@ -1,6 +1,6 @@
 {% load template_dict %}
 <div class="modal fade" id="yaraModal" tabindex="-1" role="dialog" aria-labelledby="yaraModal" aria-hidden="true">
-    <div class="modal-dialog">
+    <div class="modal-dialog modal-lg">
         <div class="modal-content">
 
 
@@ -39,7 +39,7 @@ <h4>Yara Strings</h4>
 
                           <div class="checkbox">
                             <label>
-                              <input type="checkbox" id="yara-kernal"> Scan Kernel Modules
+                              <input type="checkbox" id="yara-kernel"> Scan Kernel Modules
                             </label>
                           </div>
 
@@ -51,7 +51,7 @@ <h4>Yara Strings</h4>
 
 
 
-                            <a href="#" onclick="ajaxHandler('memhex', {'session_id':'{{session_details|get:"_id"}}', 'target_div':'hex-out'}, false )" class="btn" role="button btn-info">Scan for Strings</a>
+                            <a href="#" onclick="ajaxHandler('yara-string', {'session_id':'{{session_details|get:"_id"}}', 'target_div':'yara-out'}, false )" class="btn btn-info" role="button">Scan for Strings</a>
                         </form>
                     </div>
 

diff --git a/web/templates/session.html b/web/templates/session.html
@@ -126,7 +126,7 @@ <h3 class="panel-title">Image Information</h3>
         <div class="form-group">
           <input class="form-control" placeholder="Search" type="text" id="search_text" size="40">
         </div>
-        <a href="#" onclick="ajaxHandler('searchbar', {'session_id':'{{session_details|get:"_id"}}'}, true )" class="btn" role="button">Submit</a>
+        <a href="#" onclick="ajaxHandler('searchbar', {'session_id':'{{session_details|get:"_id"}}'}, true )" class="btn btn-default" role="button">Submit</a>
       </form>
 
         <li class="dropdown">

diff --git a/web/views.py b/web/views.py
@@ -688,6 +688,73 @@ def ajax_handler(request, command):
 
             return render(request, 'file_details_vt.html', {'vt_results': vt_fields})
 
+    if command == 'yara-string':
+
+        print request.POST
+
+
+        session_id = request.POST['session_id']
+        yara_string = request.POST['yara-string']
+
+        yara_hex = request.POST['yara-hex']
+        if yara_hex != '':
+            yara_hex = int(yara_hex)
+        else:
+            yara_hex = 256
+
+        yara_reverse = request.POST['yara-reverse']
+        if yara_reverse != '':
+            yara_reverse = int(yara_reverse)
+        else:
+            yara_reverse = 0
+
+        yara_case = request.POST['yara-case']
+        if yara_case == 'true':
+            yara_case = True
+        else:
+            yara_case = None
+
+        yara_kernel = request.POST['yara-kernel']
+        if yara_kernel == 'true':
+            yara_kernel = True
+        else:
+            yara_kernel = None
+
+        yara_wide = request.POST['yara-wide']
+        if yara_wide == 'true':
+            yara_wide = True
+        else:
+            yara_wide = None
+
+        logger.debug('Yara String Scanner')
+
+        try:
+            session = db.get_session(ObjectId(session_id))
+            vol_int = RunVol(session['session_profile'], session['session_path'])
+            results = vol_int.run_plugin('yarascan', output_style='json', plugin_options={'YARA_RULES': yara_string,
+                                                                                          'CASE': yara_case,
+                                                                                          'ALL': yara_kernel,
+                                                                                          'WIDE': yara_wide,
+                                                                                          'SIZE': yara_hex,
+                                                                                          'REVERSE': yara_reverse})
+
+
+
+            if 'Data' in results['columns']:
+                row_loc = results['columns'].index('Data')
+
+                for row in results['rows']:
+                    try:
+                        row[row_loc] = string_clean_hex(row[row_loc].decode('hex'))
+                    except Exception as e:
+                        logger.warning('Error converting hex to str: {0}'.format(e))
+
+
+            return render(request, 'plugin_output.html', {'plugin_results': results})
+            #return HttpResponse(results)
+        except Exception as error:
+            logger.error(error)
+
     if command == 'yara':
         if 'file_id' in request.POST:
             file_id = request.POST['file_id']