Run Arbitrary Parsing Scripts on Binary Files

[jbussing]

Background

Malware is often packed or encrypted using custom algorithms on specific sections within a dropper binary. It would be nice to arbitrarily specify extracting/unpacking/decrypting/decoding scripts against binaries scanned by Binary Alert.

~~ Case 1 ~~
It is common for python scripts to be compiled using pyinstaller or py2app to create a single binary executable for both MacOS and Windows platforms. Instead of writing signatures on the compiled code (which can often reduce signal strength), it would be nice to run code to decompile the binary and then run Yara signatures on the resulting files.

For example of scripts to be applied before the Yara scanning occurs, see the 2 unpacker/decompiler scripts here https://github.com/countercept/python-exe-unpacker.

Desired Change

Support for the addition of arbitrary code to be run against binaries before Yara scanning occurs. Ideally, this should be recursive as some malicious payloads can be packed more than one time.

[jbussing]

@austinbyers I wanted to tag you on this issue. Thanks!