Usage
Download the latest release from Github - Vovk Releases
Watch the demo here: https://youtu.be/kyJS1rNzJAc
Look for the folder 'executables' and extract the contents.
There are separate builds for the x86 and x64 architectures available; use the one that matches your debugger.
These are the two files that you need:
- vovk.dll
- VovkRuleCreate.exe
Copy vovk.dll to the debugger extensions folder as shown in the image below.
Now you can launch the debugger (as admin) and start the process.
You can either attach to the running process (after malware execution) or you can launch the malware within the debugger.
Once ready (launched or attached), you can load the extension by using the following command:
.load vovk
To check if it has loaded the dll, you can use the following command:
.chain
If Vovk shows up in the list of loaded extensions, you are good to go!
Main pre-loaded module in vovk can be run by this command:
!vovk.c
This command will execute the malware, break at every new module load and grab the memory dump as a text file, written to the C: drive.
A new file vovk-mem.dmp will be created on the C: drive. This is the file that contains the dump.
Run the VovkRuleCreate.exe file from the same directory as the dmp file and you’ll get a new file that is your YARA Ruleset.
You can change the defaults in the code that is available on Github here: https://github.com/malienist/vovk
Please note that the project uses GNU General Public License v3.0 which can be accessed here: https://github.com/malienist/vovk/blob/main/LICENSE
Full post on Medium: https://malienist.medium.com/vovk-advanced-yara-rule-generator-3dff64e31fbb