defender2db

A modification of defender2yara.

Live at defendersearch.r00ted.ch

  • Add LUA parsing
  • Push Defender data into a Sqlite DB
  • Web interface for searching

It's a work in progress.

Microsoft ASR rules are in result/asr_rules. All 50'000 LUA scripts are in result/lua.

Data available at defender2db_data

Installation using Poetry

  1. Clone the GitHub repository:
git clone https://github.com/t-tani/defender2yara.git
  2. Move to the cloned directory:
cd defender2yara
  3. Install the dependencies using Poetry:
poetry install

You may also have to install libarchive-dev:

# apt install libarchive-dev

Usage

Download / Update virus definition

Download current Defender Signatures (VDM) into cache/engine and cache/vdm:

poetry run python -m defender2yara --download

Result:

$ ls -l cache/engine/ cache/vdm/
cache/engine/:
drwxr-xr-x 2 dobin dobin 4096 Nov 21 09:05 1.1.25100.9002

cache/vdm/:
drwxr-xr-x 4 dobin dobin 4096 Nov 21 09:05 1.441

Virus definitions to SQL DB

Convert the definitions into the SQLite DB ./cache/threats.db. The file will be overwritten!

poetry run python -m defender2yara --convert

Display the first few entries of the SQLite DB:

poetry run python tools/dbtest.py

Web Application

Start the web server to search and browse the definitions. Note that it listens on all interfaces (0.0.0.0, port 5002), so restrict access with a firewall or reverse proxy if the host is reachable from untrusted networks:

$ poetry run python3 web.py
defender2db web interface
Listen on: 0.0.0.0 5002
 * Serving Flask app 'web'
 * Debug mode: off

ASR rules

Get the ASR rules into rules/:

poetry run python -m defender2yara --asr

Pickle Cache (only for testing)

Convert VDM to a mega pickle cache/mpas.vdm.pickle and cache/mpav.vdm.pickle:

poetry run python -m defender2yara --topickle

Convert from the pickle instead of parsing the VDM again (saves a little time):

poetry run python -m defender2yara --convert --frompickle

Original Acknowledgments / Reference by defender2yara

This project would not have been possible without the valuable resources and insights provided by the following:

  • GitHub - commial/experiments and Windows Defender: Demystifying and Bypassing ASR by Understanding the AVS Signatures: A special thanks to the author of the commial/experiments repository on GitHub and the insightful paper Windows Defender: Demystifying and Bypassing ASR by Understanding the AVS Signatures, presented at Black Hat Europe 2021. His work and research have significantly aided our understanding of various aspects of antivirus signatures and provided deep insights into the workings of Windows Defender signatures.

  • GitHub - taviso/loadlibrary: A special thanks to Tavis Ormandy's repository loadlibrary (https://github.com/taviso/loadlibrary) on GitHub. This repository provided great insights into Microsoft Defender and was an entry point for reversing msmpeng.dll.

  • Retooling Blog: We also appreciate the author of the Retooling blog for their detailed article An Unexpected Journey into Microsoft Defender's Signature World. Their exploration and documentation of Microsoft Defender's signature mechanisms have been invaluable to this project.

  • Threat Name Definitions: We acknowledge Microsoft for their detailed Threat Name Definitions. This documentation has been essential in understanding the malware naming conventions used by Microsoft Defender.

Thank you to all these sources for contributing to the field and sharing their knowledge with the community.

About

Convert Microsoft Defender Antivirus Signatures (VDM) into SQL DB
