xorsearch.py: Searching With Regexes – SANS Internet Storm Center

As promised in diary entry “XORsearch: Searching With Regexes”, I will outline another method to search with xorsearch and regexes.

In stead of XORsearch.exe, the original tool that is written in C and compiled, we will use xorsearch.py, a new tool written in Python.

Unlike XORsearch.exe, xorsearch.py supports YARA rules, and thus regex searches.

Let’s say we want to use this trivial regular expression to match IPv4 addresses (it’s matching 4 numbers separated by dots): \d+\.\d+\.\d+\.\d+

We can create a YARA rule for this regex:

And then we can use this rule on a test file (test-xor-1.bin):

This tells us that YARA rule ipv4 (namespace ipv4.yara) triggered on file test-xor-1.bin when it is XOR encoded with key 0x19.

To see the YARA rule strings that were matched, use option –yarastrings:

To see the encoded file, use one of the many dump options, like -a for a HEX/ASCII dump:

Or a binary dump with option -d:

If you find it cumbersome to create a YARA rule just for a simple regex (I find it cumbersome 🙂 ), you can pass the regex via the command line prefixed with #r#, and xorsearch.py will generate the YARA rule for you:

I will give more examples of this in an upcoming diary entry.

Didier Stevens

Senior handler

blog.DidierStevens.com