YARA scans in WinDbg
Because InfoSec loves RegExes.

Andrey Bazhan, from Comae Technologies, just made a neat addition to SwishDbgExt: the ability to use YARA rules to hunt processes in memory via a new command called !ms_yarascan.

You can refer to the commit for more information.

Search through a specific process

!ms_yarascan /pid 0x228 /yarafile C:\Rules.yar

Search through all processes

!for_each_process "r? @$t0 = (nt!_EPROCESS *) @#Process; .process /r /p @$t0; !ms_yarascan /pid @@C++(@$t0->UniqueProcessId) /yarafile C:\\Rules.yar"
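For readers who want to try the commands above, here is a constructed C:\Rules.yar that is not part of the post or of SwishDbgExt; the rule name and the marker string are made up for this example. Because the scan runs over a process's virtual memory rather than a file on disk, the rule looks for artifacts that only exist once an image is mapped or unpacked.

```yara
// Constructed example rule file for use with:
//   !ms_yarascan /pid <pid> /yarafile C:\Rules.yar
// Rule names and strings are hypothetical; tune them to your own hunt.

rule Example_InMemory_PE_Image
{
    meta:
        description = "PE header text present in process memory (e.g. an unpacked or injected image)"
        author      = "constructed example"
    strings:
        $mz_stub = "This program cannot be run in DOS mode" ascii
        $pe_sig  = "PE\x00\x00"
    condition:
        // both strings normally sit at the start of a mapped image;
        // "all of them" keeps the rule independent of region offsets
        all of them
}

rule Example_Marker_String
{
    meta:
        description = "Hypothetical marker string that a defender expects only in a suspicious process"
    strings:
        $marker_a = "constructed-example-marker" ascii wide nocase
    condition:
        $marker_a
}
```

Run the single-process form first to confirm the rule fires where you expect it to before scanning every process with the !for_each_process loop, since the loop switches the process context for each hit.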
