Update RIPEMD detection to use round constants. #443

Ek0n · 2024-03-19T15:28:41Z

This prevents detecting SHA1 as RIPEMD. Tested with OpenSSL and Nettle.

Here is an example of running it on my system:

yara -i RIPEMD160_Constants -N -r crypto/crypto_signatures.yar /usr/lib/x86_64-linux-gnu/
RIPEMD160_Constants /usr/lib/x86_64-linux-gnu/libgcrypt.so.20.4.2
RIPEMD160_Constants /usr/lib/x86_64-linux-gnu/libnettle.a
RIPEMD160_Constants /usr/lib/x86_64-linux-gnu/ruby/3.1.0/digest/rmd160.so
RIPEMD160_Constants /usr/lib/x86_64-linux-gnu/libmd.so.0.1.0
RIPEMD160_Constants /usr/lib/x86_64-linux-gnu/libmd.a
RIPEMD160_Constants /usr/lib/x86_64-linux-gnu/libnettle.so.8.8
RIPEMD160_Constants /usr/lib/x86_64-linux-gnu/libcrypto.so.3
RIPEMD160_Constants /usr/lib/x86_64-linux-gnu/libgcrypt.a
RIPEMD160_Constants /usr/lib/x86_64-linux-gnu/libavutil.so.58.2.100
RIPEMD160_Constants /usr/lib/x86_64-linux-gnu/libmhash.so.2.0.1
RIPEMD160_Constants /usr/lib/x86_64-linux-gnu/libmbedcrypto.so.2.28.3
RIPEMD160_Constants /usr/lib/x86_64-linux-gnu/librhash.so.0
RIPEMD160_Constants /usr/lib/x86_64-linux-gnu/libcrypto.a

This prevents detecting SHA1 as RIPEMD. Tested with OpenSSL and Nettle.

sylvainpelissier · 2024-08-31T06:19:11Z

I have added your rule here: sylvainpelissier/cryptography-yara-rules@f3c6a48

Thank you.

Update RIPEMD detection to use round constants.

363c939

This prevents detecting SHA1 as RIPEMD. Tested with OpenSSL and Nettle.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Update RIPEMD detection to use round constants. #443

Update RIPEMD detection to use round constants. #443

Ek0n commented Mar 19, 2024

sylvainpelissier commented Aug 31, 2024

Update RIPEMD detection to use round constants. #443

Are you sure you want to change the base?

Update RIPEMD detection to use round constants. #443

Conversation

Ek0n commented Mar 19, 2024

sylvainpelissier commented Aug 31, 2024