In the previous post, we outlined methods to identify PE files. This post will show the same concepts, but applied to ELF files.
Method 1: String
rule elf_file_method1
{
meta:
description = "ELF file '\x7fELF' header as string"
author = "Daniel Roberson"
strings:
$elf = "\x7fELF"
condition:
$elf at 0
}Method 2: Integer
rule elf_file_method2
{
meta:
description = "ELF file '\x7fELF' header as uint32"
author = "Daniel Roberson"
condition:
uint32(0) == 0x464c457f
}Method 3: “elf” Module
import "elf"
rule elf_file_method3
{
meta:
description = "ELF file with 'elf' module"
author = "Daniel Roberson"
condition:
elf.type
}Performance
for i in $(seq 10); do (time yara -r elf.yar /usr 2>&1) 2>&1|tail -n 1 | awk {'print $6'}; done
| Method 1 (string) | Method 2 (uint32) | Method 3 (elf Module) | Dummy Rule |
| 45.76 | 41.41 | 110.88 | 43.93 |
| 44.13 | 41.85 | 110.86 | 42.34 |
| 45.31 | 43.40 | 111.08 | 41.53 |
| 44.90 | 46.11 | 111.20 | 44.55 |
| 42.37 | 43.82 | 109.97 | 45.14 |
| 41.68 | 44.76 | 109.60 | 43.37 |
| 42.57 | 45.73 | 110.26 | 41.98 |
| 43.21 | 44.01 | 113.51 | 42.11 |
| 46.15 | 43.73 | 108.81 | 43.01 |
| 44.29 | 43.82 | 110.18 | 42.61 |
| average | |||
| 44.03 | 43.86 | 110.64 | 43.06 |
Predictably, the uint32 method was the fastest, but not much faster than the string method. Using YARA’s ELF module was much slower for the simple identification of ELF files.
DMFR SECURITY 
Pingback: YARA Rules Index – DMFR SECURITY