{"id":7930,"date":"2022-01-18T23:15:26","date_gmt":"2022-01-18T23:15:26","guid":{"rendered":"https:\/\/www.hexacorn.com\/blog\/?p=7930"},"modified":"2022-01-18T23:15:40","modified_gmt":"2022-01-18T23:15:40","slug":"yara-carpet-bomber-part-2","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2022\/01\/18\/yara-carpet-bomber-part-2\/","title":{"rendered":"Yara Carpet Bomber, Part 2"},"content":{"rendered":"\n<p><a href=\"https:\/\/twitter.com\/stvemillertime\">Steve<\/a> <a href=\"https:\/\/twitter.com\/stvemillertime\/status\/1483099109615624192\">asked<\/a> about the use cases for the <a href=\"https:\/\/www.hexacorn.com\/blog\/2022\/01\/16\/yara-carpet-bomber\/\" data-type=\"post\" data-id=\"7914\">Yara Carpet Bomber<\/a> approach, and in this Twitter conversation I provided 2 examples of quick &amp; dirty Yara rules:<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large is-resized\"><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2022\/01\/yara2.png\"><img decoding=\"async\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2022\/01\/yara2-1024x261.png\" alt=\"\" class=\"wp-image-7932\" width=\"550\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2022\/01\/yara2-1024x261.png 1024w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2022\/01\/yara2-300x76.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2022\/01\/yara2-768x196.png 768w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2022\/01\/yara2.png 1228w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/a><\/figure><\/div>\n\n\n\n<p>that help to find all references to API names (including API names spelled backward) within a given binary, e.g. in this case the Notepad executable. 
It may come in handy if you want to quickly check for API references anywhere in a file, including import tables and strings used to resolve APIs dynamically:<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2022\/01\/yara1.png\"><img decoding=\"async\" loading=\"lazy\" width=\"458\" height=\"554\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2022\/01\/yara1.png\" alt=\"\" class=\"wp-image-7931\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2022\/01\/yara1.png 458w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2022\/01\/yara1-248x300.png 248w\" sizes=\"(max-width: 458px) 100vw, 458px\" \/><\/a><\/figure><\/div>\n\n\n\n<p>The list includes APIs from the following libraries:<\/p>\n\n\n\n<ul><li>advapi32.dll<\/li><li>avicap32.dll<\/li><li>cabinet.dll<\/li><li>combase.dll<\/li><li>crypt32.dll<\/li><li>dbghelp.dll<\/li><li>dbnetlib.dll<\/li><li>gdi32.dll<\/li><li>icmp.dll<\/li><li>IPHLPAPI.DLL<\/li><li>kernel32.dll<\/li><li>mfc140.dll<\/li><li>MFCaptureEngine.dll<\/li><li>mpr.dll<\/li><li>mscoree.dll<\/li><li>mstask.dll<\/li><li>ntdll.dll<\/li><\/ul>\n\n\n\n<p>You can download the set <a href=\"https:\/\/hexacorn.com\/yara\/apis.yar\">here<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Steve asked about the use cases for the Yara Carpet Bomber approach, and in this Twitter conversation I provided 2 examples of quick &amp; dirty Yara rules: that help to find all references to API names (including API names spelled backward) &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2022\/01\/18\/yara-carpet-bomber-part-2\/\">Continue reading <span 
class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[83],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/7930"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=7930"}],"version-history":[{"count":2,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/7930\/revisions"}],"predecessor-version":[{"id":7935,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/7930\/revisions\/7935"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=7930"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=7930"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=7930"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}