{"id":97,"date":"2025-07-16T15:17:57","date_gmt":"2025-07-16T06:17:57","guid":{"rendered":"http:\/\/34.64.61.65\/?p=97"},"modified":"2025-07-16T15:17:57","modified_gmt":"2025-07-16T06:17:57","slug":"yara%ec%9d%98-%ea%b8%b0%ec%b4%88","status":"publish","type":"post","link":"https:\/\/hed-g.me\/?p=97","title":{"rendered":"yara\uc758 \uae30\ucd08"},"content":{"rendered":"\n<p>\ud83d\udcabYara\uc758 \uc815\uc758<\/p>\n\n\n\n<p>\uac04\ub2e8\ud558\uac8c \ub9d0\ud574\uc11c \uc545\uc131\ucf54\ub4dc\uc758 \uc2dc\uadf8\ub2c8\ucc98\ub97c \uc774\uc6a9\ud558\uc5ec \uc545\uc131 \ud30c\uc77c\uc744 \ubd84\ub958\ud558\ub294 \ud234.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\uc545\uc131\ucf54\ub4dc\uc758 \uc2dc\uadf8\ub2c8\ucc98(Signature)\ub780?<\/li>\n<\/ul>\n\n\n\n<p>\uc545\uc131\ucf54\ub4dc \uc0d8\ud50c \ud30c\uc77c, \ud504\ub85c\uc138\uc2a4\uc5d0 \ud3ec\ud568\ub41c string \ub610\ub294 binary \ud328\ud134.<\/p>\n\n\n\n<p>\ub530\ub77c\uc11c \ud0d0\uc9c0\ud558\uace0\uc790 \ud560 \ub54c, string \ud0d0\uc9c0\uc640 binary \ud0d0\uc9c0\ub85c \ubd84\ub958.<\/p>\n\n\n\n<p>\uc2dc\uadf8\ub2c8\ucc98 \uc678\uc5d0\ub3c4 \ud2b9\uc815 Entry Point \uac12\uc744 \uc9c0\uc815\ud558\uac70\ub098, \ud30c\uc77c \uc624\ud504\uc14b(File Offset), \uac00\uc0c1\uba54\ubaa8\ub9ac \uc8fc\uc18c(Virtual Memory Address)\ub97c \uc81c\uc2dc\ud558\uace0 \uc815\uaddc\ud45c\ud604\uc2dd(Regular Expression)\uc744 \uc774\uc6a9\ud574 \ud6a8\uc728\uc801\uc778 \ud328\ud134 \ub9e4\uce6d \uac00\ub2a5.<\/p>\n\n\n\n<p>\ud83d\udcab\uc2dc\uadf8\ub2c8\ucc98 \uae30\ubc18 \ud0d0\uc9c0<\/p>\n\n\n\n<p>1) String \ud0d0\uc9c0<\/p>\n\n\n\n<p>Value\uc758 String\ub4e4\uc744 \ud0d0\uc9c0\ud558\ub294 \ubc29\ubc95.<\/p>\n\n\n\n<p>2) Binary \ud0d0\uc9c0<\/p>\n\n\n\n<p>\ud30c\uc77c \ub0b4\ubd80\uc758 Hex\uac12\uc744 \ud0d0\uc9c0\ud558\ub294 \ubc29\ubc95.<\/p>\n\n\n\n<p>\ud83d\udcabYara \uc0ac\uc6a9<\/p>\n\n\n\n<p>yara\ub294 Linux, Mac, Windows OS\uc5d0\uc11c \ubaa8\ub450 \uc0ac\uc6a9 
\uac00\ub2a5.<\/p>\n\n\n\n<p>\uc18c\uc2a4\ucf54\ub4dc\ub97c \uc9c1\uc811 \ucef4\ud30c\uc77c \ud558\uac70\ub098 yara \uc2e4\ud589\ud30c\uc77c\uc744 \uc9c1\uc811 \uc2e4\ud589, \ub610\ub294 python \ud655\uc7a5\uc744 \ud1b5\ud574 yara \uc0ac\uc6a9 \uac00\ub2a5.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Yara Rule \uc791\uc131<\/li>\n<\/ul>\n\n\n\n<p>룰은 C나 Python이 아니라 YARA 고유의 룰 문법으로 작성한다(YARA 엔진 자체가 C로 구현되어 있고, yara-python 바인딩을 통해 Python에서 호출할 수 있을 뿐이다). yara rule\uc744 \uc791\uc131\ud560 \ub54c \uac16\ucdb0\uc57c \ud558\ub294 \ucd5c\uc18c\ud55c\uc758 \ud615\ud0dc\ub294 \ub2e4\uc74c\uacfc \uac19\ub2e4.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\ucd5c\uc18c\ud55c\uc758 Yara rule \uc791\uc131<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>rule \ub8f0_\uc774\ub984\n{\n    condition:\n        Boolean \uac12\n}<\/code><\/pre>\n\n\n\n<p>\uc545\uc131\uc744 \ud310\ubcc4\ud560 \ud30c\uc77c\uc774 rule\uc758 condition \uc870\uac74\uc5d0 true\uac00 \ub420 \uacbd\uc6b0, yara \uba85\ub839 \uc2e4\ud589\uc2dc \uaddc\uce59\uc5d0 \ub9de\uc74c\uc744 \ucd9c\ub825.<\/p>\n\n\n\n<p>false\uac00 \ub418\uba74 \ucd9c\ub825\ud558\uc9c0 \uc54a\ub294\ub2e4. (매칭은 지정한 패턴이 파일에 존재한다는 증거일 뿐 악성 확정 판정이 아니므로, 오탐(false positive)을 줄이려면 문자열 하나가 아니라 여러 조건을 조합해 condition을 작성하는 것이 좋다.)<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\uae30\ubcf8\uc801\uc778 Yara rule \uc791\uc131<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>rule \ub8f0_\uc774\ub984\n{\n    strings:\n        $str = \" \"\n        $hex = { 00 00 00 00 }\n        $re = \/   \/\n    condition:\n        Boolean \uac12\n}<\/code><\/pre>\n\n\n\n<p>1) \ub8f0_\uc774\ub984<\/p>\n\n\n\n<p>\uc601\ubb38\uc790\uc640 \uc22b\uc790, \ubc11\uc904 \ubb38\uc790 \ud3ec\ud568 \uac00\ub2a5, \uccab\ubc88\uc9f8 \ubb38\uc790\ub294 \uc22b\uc790\ub97c \uc0ac\uc6a9\ud560 \uc218 \uc5c6\ub2e4. (위 예시의 룰_이름은 설명용 자리표시자이며, 실제 룰 이름에는 한글 등 비ASCII 문자를 쓸 수 없다.)<\/p>\n\n\n\n<p>(\uc608\uc57d\uc5b4 \ud0a4\uc6cc\ub4dc\ub3c4 \uc0ac\uc6a9\ud560 \uc218 x)<\/p>\n\n\n\n<p>2) strings:<\/p>\n\n\n\n<p>\ud14d\uc2a4\ud2b8 \uc2a4\ud2b8\ub9c1 \ud615\ud0dc, hex \uc2a4\ud2b8\ub9c1 \ud615\ud0dc, \uc815\uaddc \ud45c\ud604\uc2dd \ud615\ud0dc\ub85c \uc791\uc131 \uac00\ub2a5.<\/p>\n\n\n\n<p>\uc2dd\ubcc4\uc790 $\ub97c 
\uc55e\uc5d0 \ubd99\uc5ec \uad6c\ubb38\uc744 \uc791\uc131\ud55c\ub2e4.<\/p>\n\n\n\n<p>(1) \ud14d\uc2a4\ud2b8 \uc2a4\ud2b8\ub9c1 \ud615\ud0dc<\/p>\n\n\n\n<p>&#8221; &#8221; \uc0ac\uc774\uc5d0 ASCII \uc778\ucf54\ub529, \ub300\uc18c\ubb38\uc790\ub97c \uad6c\ubd84\ud558\ub294 \ubb38\uc790\uc5f4\uc744 \ud45c\ud604.<\/p>\n\n\n\n<p>\ub300\uc18c\ubb38\uc790 \uad6c\ubcc4\ud558\uc9c0 \uc54a\uc744 \uc2dc &#8221; &#8221; \ub4a4\uc5d0 nocase \ud0a4\uc6cc\ub4dc \uc791\uc131.<\/p>\n\n\n\n<p>(2) hex \uc2a4\ud2b8\ub9c1 \ud615\ud0dc<\/p>\n\n\n\n<p>{ } \uc0ac\uc774\uc5d0 16\uc9c4\uc218 \ubb38\uc790\uc5f4 hex \uac12 \uc785\ub825.<\/p>\n\n\n\n<p>Wild-cards, Jumps, Alternatives \ub4f1 3\uac00\uc9c0\ub97c \uc774\uc6a9\ud558\uc5ec \ub300\uccb4 \uac00\ub2a5.<\/p>\n\n\n\n<p>\u2460 Wild-Cards<\/p>\n\n\n\n<p>hex\uac12\uc744 \uc54c\uc9c0 \ubabb\ud558\uac70\ub098 \uc5b4\ub5a0\ud55c \ubc14\uc774\ud2b8\uac00 \uc788\ub354\ub77c\ub3c4 \uc0c1\uad00\uc774 \uc5c6\uc744 \ub54c\ub294 Wild-Cards\ub97c \uc0ac\uc6a9.<\/p>\n\n\n\n<p>\ubb3c\uc74c\ud45c(?)\ub97c \uc774\uc6a9\ud558\uc5ec \ubc14\uc774\ud2b8\ub97c \ub300\uccb4 \uac00\ub2a5.<\/p>\n\n\n\n<p>ex) ?? 
or ?4 \ub4f1.<\/p>\n\n\n\n<p>\u2461 Jumps<\/p>\n\n\n\n<p>\ubb3c\uc74c\ud45c(?)\ub85c \ub098\ud0c0\ub0bc \uc218 \uc788\ub294 \uc815\ud655\ud55c \uae38\uc774\ub97c \ubaa8\ub974\ub294 \uacbd\uc6b0\ub294 Jumps\ub97c \uc0ac\uc6a9.<\/p>\n\n\n\n<p>\ucd5c\ub300 [0-255]\uae4c\uc9c0 \ud5c8\uc6a9\ud558\uc9c0\ub9cc \ub108\ubb34 \ubc94\uc704\uac00 \ud06c\uac8c \uc124\uc815\ub418\uc5b4 \uc788\uc73c\uba74 \ud328\ud134 \ub9e4\uce6d \uc131\ub2a5 \uc800\ud558\uac00 \uc6b0\ub824\ub418\ubbc0\ub85c \uc801\uc808\ud55c \ubc94\uc704 \uc124\uc815 \ud544\uc694<\/p>\n\n\n\n<p>ex) { &#8230; E4 [ 2-5 ]&nbsp; AE &#8230; } -&gt; E4\uc640 AE \uc0ac\uc774\uc5d0 2~5\ubc14\uc774\ud2b8\uc758 \uae38\uc774\uac00 \ub79c\ub364\uc73c\ub85c \ub4e4\uc5b4\uac08 \uc218 \uc788\ub2e4\ub294 \uc758\ubbf8.<\/p>\n\n\n\n<p>\u2462 Alternatives<\/p>\n\n\n\n<p>OR( | )\ub97c \uc0ac\uc6a9\ud558\uc5ec \ud558\ub098\uc758 \uae00\uc790 \ub610\ub294 \uc5ec\ub7ec \uae00\uc790\ub97c \uc870\uac74\uc5d0 \ubd80\ud569\uc2dc\ud0ac \uc218 \uc788\uc74c.<\/p>\n\n\n\n<p>ex) { AE (00|22) FF } : { AE 00 FF } \uc640 { AE 22 FF }<\/p>\n\n\n\n<p>(3) Regex(\uc815\uaddc\ud45c\ud604\uc2dd, Regular expression)<\/p>\n\n\n\n<p>\ud2b9\uc815\ud55c \uaddc\uce59\uc744 \uac00\uc9c4 \ubb38\uc790\uc5f4\uc758 \uc9d1\ud569\uc744 \ud45c\ud604\ud560 \ub54c \uc0ac\uc6a9\ud558\ub294 \ud615\uc2dd \uc5b8\uc5b4, \uc989 \uc815\uaddc\ud45c\ud604\uc2dd\uc744 \uc0ac\uc6a9.<\/p>\n\n\n\n<p>\/&nbsp; &nbsp;\/(\ub450 \uac1c\uc758 \uc2ac\ub798\uc2dc) \uc0ac\uc774\uc5d0 \ub098\ud0c0\ub0c4. 
\uc815\uaddc\ud45c\ud604\uc2dd\uc5d0 &#8216;nocase&#8217;, &#8216;wide&#8217;, &#8216;ascii&#8217;, &#8216;fullword&#8217;\uc758 \uae30\ub2a5 \uc0ac\uc6a9\uac00\ub2a5.<\/p>\n\n\n\n<p>3) Conditions:<\/p>\n\n\n\n<p>\uacb0\uacfc\uac12\uc774 \ucc38\uc778\uc9c0 \uac70\uc9d3\uc778\uc9c0 (True or False) \ud310\ubcc4, \uc989 Boolean \uac12\uc73c\ub85c \uacb0\uacfc\uac00 \ub098\ud0c0\ub09c\ub2e4.<\/p>\n\n\n\n<p>비교·산술 연산자는 C와 유사하게 사용 가능(==, !=, &lt;, &gt;, +, &#8230;). 단, 논리 연산자는 C 스타일의 &amp;&amp;, ||, ! 가 아니라 소문자 키워드 and, or, not 을 사용한다.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\uc5f0\uc0b0\uc790 # : \ud574\ub2f9 \uc2dd\ubcc4\uc790\uac00 \ub4f1\uc7a5\ud558\ub294 \ud69f\uc218<\/li>\n<\/ul>\n\n\n\n<p>ex) #a == 10 (strings 절에서 $a 로 정의한 문자열이 파일에서 정확히 10번 등장함을 의미)<\/p>\n","protected":false},"excerpt":{"rendered":"<p>\ud83d\udcabYara\uc758 \uc815\uc758 \uac04\ub2e8\ud558\uac8c \ub9d0\ud574\uc11c \uc545\uc131\ucf54\ub4dc\uc758 \uc2dc\uadf8\ub2c8\ucc98\ub97c \uc774\uc6a9\ud558\uc5ec \uc545\uc131 \ud30c\uc77c\uc744 \ubd84\ub958\ud558\ub294 \ud234. \uc545\uc131\ucf54\ub4dc \uc0d8\ud50c \ud30c\uc77c, \ud504\ub85c\uc138\uc2a4\uc5d0 \ud3ec\ud568\ub41c string \ub610\ub294 binary \ud328\ud134. \ub530\ub77c\uc11c \ud0d0\uc9c0\ud558\uace0\uc790 \ud560 \ub54c, string \ud0d0\uc9c0\uc640 binary \ud0d0\uc9c0\ub85c \ubd84\ub958. \uc2dc\uadf8\ub2c8\ucc98 \uc678\uc5d0\ub3c4 \ud2b9\uc815 Entry Point \uac12\uc744 \uc9c0\uc815\ud558\uac70\ub098, \ud30c\uc77c \uc624\ud504\uc14b(File Offset), \uac00\uc0c1\uba54\ubaa8\ub9ac \uc8fc\uc18c(Virtual Memory Address)\ub97c \uc81c\uc2dc\ud558\uace0 \uc815\uaddc\ud45c\ud604\uc2dd(Regular Expression)\uc744 \uc774\uc6a9\ud574 \ud6a8\uc728\uc801\uc778 \ud328\ud134 \ub9e4\uce6d \uac00\ub2a5. 
\ud83d\udcab\uc2dc\uadf8\ub2c8\ucc98 \uae30\ubc18 \ud0d0\uc9c0 1) [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[51],"tags":[141,142,140],"class_list":["post-97","post","type-post","status-publish","format-standard","hentry","category-security","tag-security","tag-yara","tag-140"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/hed-g.me\/index.php?rest_route=\/wp\/v2\/posts\/97","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hed-g.me\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hed-g.me\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hed-g.me\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/hed-g.me\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=97"}],"version-history":[{"count":1,"href":"https:\/\/hed-g.me\/index.php?rest_route=\/wp\/v2\/posts\/97\/revisions"}],"predecessor-version":[{"id":155,"href":"https:\/\/hed-g.me\/index.php?rest_route=\/wp\/v2\/posts\/97\/revisions\/155"}],"wp:attachment":[{"href":"https:\/\/hed-g.me\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=97"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hed-g.me\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=97"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hed-g.me\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=97"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}