Tuts 4 You

[Solved] Yara Pattern Search in x64DBG scripting


Benten


Posted (edited)

Real solution from Mr. Exodia himself:

6 hours ago, mrexodia said:

The yara commands will put the result in the references view. You can use “ref.addr(0)” to get the address of the first found reference. Then “ref.addr(1)” for the second, etc...

You don't have to look any further, that's how awesome Mr. Exodia is.

Hello Guys,

I was wondering if you guys could point me to a pattern search similar to the Yara pattern search (e.g. pattern: 00 00 [5-6] ?? ?? FF) within X64DBG scripting, or maybe some way to use that Yara pattern inside X64DBG scripting.

Also, is there by any chance a way I could set $res1 to $res3 to the subsequent search results (I mean $res = first result, $res1 = second result, and so on and so forth over a single pattern search)? A way to get the results in an array; hope you got the idea.

Why I need it, perhaps you might ask; well, I was working on a randomized obfuscation code where the basic code is essentially the same but the random junk is different in each iteration. So conventional pattern searching is obviously not the way to go about this one. But I found the Yara pattern search making some sense with it, which brought up the question.

Thank you all, you guys are amazing.

//============================================================================================================
[Solution]
//============================================================================================================

Adding the code below to yaraScanCallback() would solve the issue.

Location to add the code: Here

Code:

//---------------------------------------------------------------------------------------------------------------
// Goes inside yaraScanCallback(): `index` is the running match counter and `addr` the
// address of the current match, both already computed by the surrounding callback.
// varset() stores the value in a script variable; the third argument (false) leaves
// the variable writable, like the other $result variables.
if (index == 0)
	varset("$result", addr, false);
else if (index == 1)
	varset("$result1", addr, false);
else if (index == 2)
	varset("$result2", addr, false);
else if (index == 3)
	varset("$result3", addr, false);
else if (index == 4)
	varset("$result4", addr, false);
// Matches beyond the fifth are still listed in the references view, just not in a variable.
//---------------------------------------------------------------------------------------------------------------


[Request]

//---------------------------------------------------------------------------------------------------------------
1. I hope Mr. Exodia will consider my request in future updates.

2. Also you guys may feel free to let me know if this has any undesired impact.
//---------------------------------------------------------------------------------------------------------------

Highest Regards,

Ben

Edited by Benten
The Lord himself has spoken at last
Posted (edited)

Hello Guys,

Just a heads-up, I found the commands "Yara" and "YaraMod" in the x64DBG documentation, so the searching part got a lot better now. Still, you guys can share anything better you might have. The getting-results part, though, is still not coming through. Part of the problem is due to the commands not setting the results.

Regards,

Ben

Edited by Benten
Posted (edited)

Dear @atom0s,

11 hours ago, atom0s said:

The docs state it's included and show information here: https://x64dbg.readthedocs.io/en/latest/commands/searching/yara.html

Which mentions and links to:

Yara's Docs: https://yara.readthedocs.io/en/v3.7.0/

x64dbg Sigs repo: https://github.com/x64dbg/yarasigs


Let me thank you for your time and the comment. Let me get to the point real quick. What the document says towards the end is that the command doesn't set the results, and yes, you are right, it just shows the information. And so, from a scripting perspective, this command, alongside other commands (like the very useful FindAll), is of no use.

Also, since someone showed an interest, let me share something I found inside the x64DBG code:

1. The system variables especially the result(s) variables and breakpointcounters are not reset/initialized to zero on reload. So we need to have the $result(s) set to 0 at the outset of all our scripts as the debugger doesn't remove the junk from last run.

2. $result1 to $result5 are almost never used, despite the great opportunity of providing up to 6 results from a find operation/command. Imagine that you get the first six results from the find command in $result to $result5, and you are only interested in the second occurrence, say, as in finding the Armadillo OEP call for instance. With all the first six results set properly we don't have to run the find once again.

3. With the recent addition of Zydis, the source code is getting more polluted and hard to compile. I believe someone could help me with the errors related to Zydis. Really guys, the shit's confusing and bugs me even when asleep, God!

Let me add one more thing: yara has a powerful pattern search which I successfully used against VM Protect's stupid code obfuscation (tested over the entire version 2 samples from tuts4you). If obfuscation is a thing (as so many stupid developers make it to be) just because conventional search fails, then yara is the answer to that. I believe you guys would know this better than me. And if x64dbg could integrate it, let's make use of it rather than getting mere information and stuff.

I hope some day X64dbg would be the real x64dbg with one debugger for all architectures and we could seamlessly debug both 64 and 32 bit code as in Windbg.

Regards,

Ben

Edited by Benten
Posted

The yara commands will put the result in the references view. You can use “ref.addr(0)” to get the address of the first found reference. Then “ref.addr(1)” for the second, etc...

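One way to use this from a script, as an added example that is not from the thread or from x64dbg's own docs: it assumes a debuggee is loaded, uses a placeholder rule-file path (the rule itself, for the pattern from the question, is shown in the comment), and walks the references view that the yara command fills using ref.count() and ref.addr(i) instead of waiting on $result.

```x64dbg
// Added example (not from the thread). Assumed placeholder path C:/rules/junk_padded_call.yar
// containing this constructed rule for the pattern from the question:
//
//   rule junk_padded_call {
//       strings:
//           $p = { 00 00 [5-6] ?? ?? FF }
//       condition:
//           $p
//   }
//
// $result and friends keep values from earlier runs, so clear them at the outset.
mov $result, 0
mov $result1, 0

// Scan the whole main module; results land in the references view, not in variables.
yara "C:/rules/junk_padded_call.yar", mod.main(), mod.size(mod.main())

var $i
mov $i, 0
cmp ref.count(), 0
je nomatch

loop:
    cmp $i, ref.count()
    jae done
    log "match {d:$i} at {p:ref.addr($i)}"
    // mirror the first two hits into $result/$result1, like the patched callback does
    cmp $i, 0
    jne notfirst
    mov $result, ref.addr($i)
notfirst:
    cmp $i, 1
    jne next
    mov $result1, ref.addr($i)
next:
    add $i, 1
    jmp loop

nomatch:
    log "no yara matches in the main module"
done:
    ret
```

Because ref.count() is checked before indexing, a rule with no hits falls through to the nomatch label instead of reading a non-existent reference.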
