Vovk — Advanced Yara rule generator

Vishal Thakur
Sep 1, 2023


This tool was released at BlackHat USA 2023

Join the Vovk Project
Two cohorts are now active. Fork, pull, contribute to get involved.
1. Blackhat 2023 Cohort
2. Defcon 2023 Cohort
Contributors get credit, merch and opportunities to present their research
at conferences as part of Team Malienist.

Join here: https://github.com/malienist/vovk

What is Vovk?

Vovk is a WinDbg extension (plugin) that can be used to create Yara Rules.

Vovk is a Yara Rule Generator
Vovk can be used on any Windows Binary
Vovk has to be used with WinDBG

What’s special about Vovk?

Vovk is a dynamic analysis framework that plugs into the debugger (WinDBG) as a module. It consists of a DLL (the extension), built on both the WdbgExts and DbgEng frameworks, and an executable (EXE) that creates the actual ruleset. Because the extension runs inside the debugger, the Yara rules it produces are based on 'dynamic' analysis: they are derived from the memory of the running (and therefore unpacked) process rather than from the packed file on disk. The resulting rules are very accurate and specific to the files being analysed. The flip side of that specificity is worth keeping in mind: a rule built from unpacked memory should be tested against process memory or unpacked samples, since it may not match the packed file as it sits on disk.

Live Demo — BlackHat USA 2023

Usage

In order to use Vovk, follow these simple steps:

Download the latest release from Github — Vovk Releases

Look for the folder 'executables' and extract the contents.

There are separate builds for the x86 and x64 architectures; use the one that matches the WinDBG build you will run, since an extension DLL must match the debugger's bitness.

These are the two files that you need:

vovk.dll
VovkRuleCreate.exe

Copy vovk.dll to the debugger's extensions folder (the winext directory of your WinDBG installation).

Now you can launch the debugger (as admin) and start the process.

You can either attach to the running process (after malware execution) or you can launch the malware within the debugger.

Once ready (launched or attached), you can load the extension by using the following command:

.load vovk

To check if it has loaded the dll, you can use the following command:

.chain

If Vovk shows up in the list of loaded extensions, you are good to go!

The main module of Vovk can be run with this command:

!vovk.c 

This command lets the malware run, breaks at every new module load, and writes the memory dump as a text file to the C: drive.

A new file, vovk-mem.dmp, will be created on the C: drive. This is the file that contains the dump.

Run VovkRuleCreate.exe from the same directory as the .dmp file and you'll get a new file that is your YARA ruleset.
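The whole procedure above, scripted end to end as an added example (this is not code from the Vovk project). It stages vovk.dll into the winext folder, launches the sample under WinDBG with the extension loaded and !vovk.c started from the command line (WinDBG's -c switch runs a command string at startup), and then runs the rule creator from the dump's directory once the debugger session is closed. The install path, the extracted-release path, the sample path and the use of an isolated analysis VM are assumptions; the dump location C:\vovk-mem.dmp is the one the steps above document. Since !vovk.c executes the sample, run this only in a disposable VM, from an elevated PowerShell prompt.

```powershell
# Added example, not part of the Vovk project. Assumed paths are marked as such.
$Arch      = 'x64'                                                      # or 'x86'; must match the WinDBG build launched below
$WinDbgDir = "C:\Program Files (x86)\Windows Kits\10\Debuggers\$Arch"   # assumed: SDK debugger install path
$Release   = "C:\tools\vovk\executables\$Arch"                          # assumed: extracted 'executables' folder
$Sample    = 'C:\samples\sample.exe'                                    # assumed: the binary to analyse (isolated VM only)
$Dump      = 'C:\vovk-mem.dmp'                                          # dump path documented in the steps above

# 1. Stage the extension where WinDBG looks for it: the winext folder of the matching bitness.
$WinExt = Join-Path $WinDbgDir 'winext'
Copy-Item -Path (Join-Path $Release 'vovk.dll') -Destination $WinExt -Force
if (-not (Test-Path (Join-Path $WinExt 'vovk.dll'))) { throw "vovk.dll was not copied into $WinExt" }

# 2. Launch the sample under WinDBG. -c runs the commands at startup, so the extension
#    is loaded, .chain prints the loaded extensions for inspection, and !vovk.c starts the
#    module-load breaking and dumping without typing at the prompt. -Wait blocks until the
#    debugger window is closed, i.e. until the dump run is finished.
$InitialCommands = '.load vovk; .chain; !vovk.c'
Start-Process -FilePath (Join-Path $WinDbgDir 'windbg.exe') `
              -ArgumentList @('-c', "`"$InitialCommands`"", "`"$Sample`"") `
              -Wait

# 3. The rule creator expects to run from the dump's directory, so verify the dump exists,
#    change into that directory, and list whatever file the creator produced after the dump.
if (-not (Test-Path $Dump)) { throw "No dump at $Dump; check the .chain output to confirm vovk loaded" }
$DumpTime = (Get-Item $Dump).LastWriteTime
Push-Location (Split-Path $Dump -Parent)
try {
    & (Join-Path $Release 'VovkRuleCreate.exe')
    # The ruleset's file name is not fixed on the page, so pick up anything written after the dump.
    Get-ChildItem -File | Where-Object { $_.LastWriteTime -gt $DumpTime } |
        ForEach-Object { Write-Host "Generated ruleset: $($_.FullName)" }
} finally {
    Pop-Location
}
```

If WinDBG is launched with a different bitness than the DLL you copied, .load vovk fails and .chain will not list it; that is the first thing to check when no dump appears.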

You can change the defaults in the code that is available on Github here: https://github.com/malienist/vovk

Please note that the project uses GNU General Public License v3.0 which can be accessed here: https://github.com/malienist/vovk/blob/main/LICENSE


Vishal Thakur

DFIR enthusiast. Founder of HCKSYD. Founder of Security BSides Sydney Australia. Malware Analyst.