├── .gitmodules ├── Old_Internal_PEiD.yara ├── crypto_signatures.yara ├── packer.yara ├── packer_compiler_signatures.yara ├── readme.md └── rich.yara /.gitmodules: -------------------------------------------------------------------------------- 1 | [submodule "citizenlab"] 2 | path = citizenlab 3 | url = https://github.com/citizenlab/malware-signatures.git 4 | branch = master 5 | [submodule "Yara-Rules"] 6 | path = Yara-Rules 7 | url = https://github.com/Yara-Rules/rules.git 8 | branch = master -------------------------------------------------------------------------------- /crypto_signatures.yara: -------------------------------------------------------------------------------- 1 | rule Prime_Constants_char { 2 | meta: 3 | author = "_pusher_" 4 | description = "List of primes [char]" 5 | date = "2016-07" 6 | strings: 7 | $c0 = { 03 05 07 0B 0D 11 13 17 1D 1F 25 29 2B 2F 35 3B 3D 43 47 49 4F 53 59 61 65 67 6B 6D 71 7F 83 89 8B 95 97 9D A3 A7 AD B3 B5 BF C1 C5 C7 D3 DF E3 E5 E9 EF F1 FB } 8 | condition: 9 | $c0 10 | } 11 | 12 | rule Prime_Constants_long { 13 | meta: 14 | author = "_pusher_" 15 | description = "List of primes [long]" 16 | date = "2016-07" 17 | strings: 18 | $c0 = { 03 00 00 00 05 00 00 00 07 00 00 00 0B 00 00 00 0D 00 00 00 11 00 00 00 13 00 00 00 17 00 00 00 1D 00 00 00 1F 00 00 00 25 00 00 00 29 00 00 00 2B 00 00 00 2F 00 00 00 35 00 00 00 3B 00 00 00 3D 00 00 00 43 00 00 00 47 00 00 00 49 00 00 00 4F 00 00 00 53 00 00 00 59 00 00 00 61 00 00 00 65 00 00 00 67 00 00 00 6B 00 00 00 6D 00 00 00 71 00 00 00 7F 00 00 00 83 00 00 00 89 00 00 00 8B 00 00 00 95 00 00 00 97 00 00 00 9D 00 00 00 A3 00 00 00 A7 00 00 00 AD 00 00 00 B3 00 00 00 B5 00 00 00 BF 00 00 00 C1 00 00 00 C5 00 00 00 C7 00 00 00 D3 00 00 00 DF 00 00 00 E3 00 00 00 E5 00 00 00 E9 00 00 00 EF 00 00 00 F1 00 00 00 FB 00 00 00 } 19 | condition: 20 | $c0 21 | } 22 | 23 | 24 | rule Advapi_Hash_API { 25 | meta: 26 | author = "_pusher_" 27 | description = "Looks for advapi API functions" 28 | date = "2016-07" 29 | strings: 30 | $advapi32 = "advapi32.dll" wide ascii nocase 31 | $CryptCreateHash = "CryptCreateHash" wide ascii 32 | $CryptHashData = "CryptHashData" wide ascii 33 | $CryptAcquireContext = "CryptAcquireContext" wide ascii 34 | condition: 35 | $advapi32 and ($CryptCreateHash and $CryptHashData and $CryptAcquireContext) 36 | } 37 | 38 | rule BigLib_BigMod { 39 | meta: 40 | author = "_pusher_" 41 | description = "Look for BigLib BigMod" 42 | date = "2016-10" 43 | strings: 44 | $c0 = { 55 8B EC 83 C4 FC 53 51 57 56 8B 7D 0C 8B 1F 85 DB 0F 84 F7 00 00 00 8B 75 08 8B 0E 85 C9 0F 84 F7 00 00 00 FF 75 0C FF 75 08 E8 ?? ?? ?? ?? 0F 8C FA 00 00 00 0F 84 E0 00 00 00 6A 00 E8 ?? ?? ?? ?? 89 45 FC C1 E1 05 49 8B 7D FC C7 07 01 00 00 00 0F A3 4E 04 72 03 49 EB F7 8B 17 8D 5F 04 F8 90 D1 13 8D 5B 04 4A 75 F8 73 04 FF 03 FF 07 0F A3 4E 04 0F 92 C0 08 47 04 8B 55 0C 8B 1A 39 1F 72 67 77 1D 51 8B 0F 8D 1C 8D 00 00 00 00 03 FB 8B F2 03 F3 FD F3 A7 FC 59 8B 75 08 8B 7D FC 77 48 51 8B 75 0C 8B 1F 8B 0E 2B D9 83 C6 04 83 C7 04 F8 8D 49 00 8B 16 19 17 8D 76 04 8D 7F 04 49 75 F3 73 0A 90 83 1F 00 8D 7F 04 4B 72 F7 8B 75 FC 83 7F FC 00 75 0B FF 0E 74 05 83 EF 04 EB F1 FF 06 59 8B 75 08 8B 7D FC 49 0F 89 6A FF FF FF FF 75 10 FF 75 FC E8 ?? ?? ?? ?? FF 75 FC E8 ?? ?? ?? ?? 33 C0 5E 5F 59 5B C9 C2 0C 00 B8 FF FF FF FF 5E 5F 59 5B C9 C2 0C 00 8B 7D 10 33 C0 8B 0F 41 F3 AB 33 C0 5E 5F 59 5B C9 C2 0C 00 } 45 | condition: 46 | $c0 47 | } 48 | 49 | rule BigLib_BigPowMod { 50 | meta: 51 | author = "_pusher_" 52 | description = "Look for BigLib BigPowMod" 53 | date = "2016-10" 54 | strings: 55 | $c0 = { 55 8B EC 53 51 57 56 8B 5D 10 83 3B 00 74 5D 6A 01 E8 ?? ?? ?? ?? 8B F8 8B 75 0C 8B 0E 85 C9 74 32 C1 E1 05 49 8D 49 00 57 57 57 E8 ?? ?? ?? ?? 57 53 57 E8 ?? ?? ?? ?? 0F A3 4E 04 73 12 57 FF 75 08 57 E8 ?? ?? ?? ?? 57 53 57 E8 ?? ?? ?? ?? 49 79 D5 FF 75 14 57 E8 ?? ?? ?? ?? 57 E8 ?? ?? ?? ?? 33 C0 5E 5F 59 5B C9 C2 10 00 B8 FF FF FF FF 5E 5F 59 5B C9 C2 10 00 } 56 | condition: 57 | $c0 58 | } 59 | 60 | rule Crypt32_CryptBinaryToString_API { 61 | meta: 62 | author = "_pusher_" 63 | description = "Looks for crypt32 CryptBinaryToStringA/W function" 64 | date = "2016-08" 65 | strings: 66 | $crypt32 = "crypt32.dll" wide ascii nocase 67 | $CryptBinaryToString = "CryptBinaryToString" wide ascii 68 | condition: 69 | $crypt32 and ($CryptBinaryToString) 70 | } 71 | 72 | 73 | rule MurmurHash3_Constants { 74 | meta: 75 | author = "_pusher_" 76 | description = "Look for MurmurHash3 constants" 77 | date = "2017-05" 78 | version = "0.1" 79 | strings: 80 | $c0 = { 512D9ECC } 81 | $c1 = { 9335871B } 82 | //N 83 | $c2 = { 6BCAEB85 } 84 | $c3 = { 35AEB2C2 } 85 | condition: 86 | all of them 87 | } 88 | 89 | 90 | 91 | rule CRC32c_poly_Constant { 92 | meta: 93 | author = "_pusher_" 94 | description = "Look for CRC32c (Castagnoli) [poly]" 95 | date = "2016-08" 96 | strings: 97 | $c0 = { 783BF682 } 98 | condition: 99 | $c0 100 | } 101 | 102 | rule CRC32_poly_Constant { 103 | meta: 104 | author = "_pusher_" 105 | description = "Look for CRC32 [poly]" 106 | date = "2015-05" 107 | version = "0.1" 108 | strings: 109 | $c0 = { 2083B8ED } 110 | condition: 111 | $c0 112 | } 113 | 114 | rule CRC32_table { 115 | meta: 116 | author = "_pusher_" 117 | description = "Look for CRC32 table" 118 | date = "2015-05" 119 | version = "0.1" 120 | strings: 121 | $c0 = { 00 00 00 00 96 30 07 77 2C 61 0E EE BA 51 09 99 19 C4 6D 07 } 122 | condition: 123 | $c0 124 | } 125 | 126 | rule CRC32_table_lookup { 127 | meta: 128 | author = "_pusher_" 129 | description = "CRC32 table lookup" 130 | date = "2015-06" 131 | version = "0.1" 132 | strings: 133 | $c0 = { 8B 54 24 08 85 D2 7F 03 33 C0 C3 83 C8 FF 33 C9 85 D2 7E 29 56 8B 74 24 08 57 8D 9B 00 00 00 00 0F B6 3C 31 33 F8 81 E7 FF 00 00 00 C1 E8 08 33 04 BD ?? ?? ?? ?? 41 3B CA 7C E5 5F 5E F7 D0 C3 } 134 | condition: 135 | $c0 136 | } 137 | 138 | rule CRC32b_poly_Constant { 139 | meta: 140 | author = "_pusher_" 141 | description = "Look for CRC32b [poly]" 142 | date = "2016-04" 143 | version = "0.1" 144 | strings: 145 | $c0 = { B71DC104 } 146 | condition: 147 | $c0 148 | } 149 | 150 | 151 | rule CRC16_table { 152 | meta: 153 | author = "_pusher_" 154 | description = "Look for CRC16 table" 155 | date = "2016-04" 156 | version = "0.1" 157 | strings: 158 | $c0 = { 00 00 21 10 42 20 63 30 84 40 A5 50 C6 60 E7 70 08 81 29 91 4A A1 6B B1 8C C1 AD D1 CE E1 EF F1 31 12 10 02 73 32 52 22 B5 52 94 42 F7 72 D6 62 39 93 18 83 7B B3 5A A3 BD D3 9C C3 FF F3 DE E3 } 159 | condition: 160 | $c0 161 | } 162 | 163 | 164 | rule FlyUtilsCnDES_ECB_Encrypt { 165 | meta: 166 | author = "_pusher_" 167 | description = "Look for FlyUtils.CnDES Encrypt ECB function" 168 | date = "2016-07" 169 | strings: 170 | $c0 = { 55 8B EC 83 C4 E8 53 56 57 33 DB 89 5D E8 89 5D EC 8B D9 89 55 F8 89 45 FC 8B 7D 08 8B 75 20 8B 45 FC E8 ?? ?? ?? ?? 8B 45 F8 E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 80 7D 18 00 74 1A 0F B6 55 18 8D 4D EC 8B 45 F8 E8 ?? ?? ?? ?? 8B 55 EC 8D 45 F8 E8 ?? ?? ?? ?? 80 7D 1C 00 74 1A 0F B6 55 1C 8D 4D E8 8B 45 FC E8 ?? ?? ?? ?? 8B 55 E8 8D 45 FC E8 ?? ?? ?? ?? 85 DB 75 07 E8 ?? ?? ?? ?? 8B D8 85 F6 75 07 E8 ?? ?? ?? ?? 8B F0 53 6A 00 8B 4D FC B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 45 F4 33 D2 55 68 ?? ?? ?? ?? 64 FF 32 64 89 22 6A 00 6A 00 8B 45 F4 E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 6A 00 33 C9 B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 45 F0 33 D2 55 68 ?? ?? ?? ?? 64 FF 32 64 89 22 6A 00 6A 00 56 } 171 | condition: 172 | $c0 173 | } 174 | 175 | rule FlyUtilsCnDES_ECB_Decrypt { 176 | meta: 177 | author = "_pusher_" 178 | description = "Look for FlyUtils.CnDES Decrypt ECB function" 179 | date = "2016-07" 180 | strings: 181 | $c0 = { 55 8B EC 83 C4 E8 53 56 57 33 DB 89 5D E8 89 5D EC 8B F9 89 55 F8 89 45 FC 8B 5D 18 8B 75 20 8B 45 FC E8 ?? ?? ?? ?? 8B 45 F8 E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 84 DB 74 18 8B D3 8D 4D EC 8B 45 F8 E8 ?? ?? ?? ?? 8B 55 EC 8D 45 F8 E8 ?? ?? ?? ?? 85 FF 75 07 E8 ?? ?? ?? ?? 8B F8 85 F6 75 07 E8 ?? ?? ?? ?? 8B F0 8B 4D FC B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 45 F4 33 D2 55 68 ?? ?? ?? ?? 64 FF 32 64 89 22 57 6A 00 33 C9 B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 45 F0 33 D2 55 68 ?? ?? ?? ?? 64 FF 32 64 89 22 6A 00 6A 00 56 E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 FF 75 14 FF 75 10 8B 45 0C 50 8B 4D F8 8B 55 F0 8B 45 F4 E8 ?? ?? ?? ?? 6A 00 6A 00 8B 45 F0 E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8B 55 08 8B 45 F0 E8 ?? ?? ?? ?? 33 C0 5A 59 59 64 89 10 EB 12 E9 ?? ?? ?? ?? 8B 45 08 E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8B 45 F0 33 D2 89 55 F0 E8 ?? ?? ?? ?? C3 } 182 | condition: 183 | $c0 184 | } 185 | 186 | rule Elf_Hash { 187 | meta: 188 | author = "_pusher_" 189 | description = "Look for ElfHash" 190 | date = "2015-06" 191 | version = "0.3" 192 | strings: 193 | $c0 = { 53 56 33 C9 8B DA 4B 85 DB 7C 25 43 C1 E1 04 33 D2 8A 10 03 CA 8B D1 81 E2 00 00 00 F0 85 D2 74 07 8B F2 C1 EE 18 33 CE F7 D2 23 CA 40 4B 75 DC 8B C1 5E 5B C3 } 194 | $c1 = { 53 33 D2 85 C0 74 2B EB 23 C1 E2 04 81 E1 FF 00 00 00 03 D1 8B CA 81 E1 00 00 00 F0 85 C9 74 07 8B D9 C1 EB 18 33 D3 F7 D1 23 D1 40 8A 08 84 C9 75 D7 8B C2 5B C3 } 195 | $c2 = { 53 56 33 C9 8B D8 85 D2 76 23 C1 E1 04 33 C0 8A 03 03 C8 8B C1 25 00 00 00 F0 85 C0 74 07 8B F0 C1 EE 18 33 CE F7 D0 23 C8 43 4A 75 DD 8B C1 5E 5B C3 } 196 | $c3 = { 53 56 57 8B F2 8B D8 8B FB 53 E8 ?? ?? ?? ?? 6B C0 02 71 05 E8 ?? ?? ?? ?? 8B D7 33 C9 8B D8 83 EB 01 71 05 E8 ?? ?? ?? ?? 85 DB 7C 2C 43 C1 E1 04 0F B6 02 03 C8 71 05 E8 ?? ?? ?? ?? 83 C2 01 B8 00 00 00 F0 23 C1 85 C0 74 07 8B F8 C1 EF 18 33 CF F7 D0 23 C8 4B 75 D5 8B C1 99 F7 FE 8B C2 85 C0 7D 09 03 C6 71 05 E8 ?? ?? ?? ?? 5F 5E 5B C3 } 197 | $c4 = { 53 33 D2 EB 2C 8B D9 80 C3 BF 80 EB 1A 73 03 80 C1 20 C1 E2 04 81 E1 FF 00 00 00 03 D1 8B CA 81 E1 00 00 00 F0 8B D9 C1 EB 18 33 D3 F7 D1 23 D1 40 8A 08 84 C9 75 CE 8B C2 5B C3 } 198 | $c5 = { 89 C2 31 C0 85 D2 74 30 2B 42 FC 74 2B 89 C1 29 C2 31 C0 53 0F B6 1C 11 01 C3 8D 04 1B C1 EB 14 8D 04 C5 00 00 00 00 81 E3 00 0F 00 00 31 D8 83 C1 01 75 E0 C1 E8 04 5B C3 } 199 | $c6 = { 53 33 D2 85 C0 74 38 EB 30 8B D9 80 C3 BF 80 EB 1A 73 03 80 C1 20 C1 E2 04 81 E1 FF 00 00 00 03 D1 8B CA 81 E1 00 00 00 F0 85 C9 74 07 8B D9 C1 EB 18 33 D3 F7 D1 23 D1 40 8A 08 84 C9 75 CA 8B C2 5B C3 } 200 | condition: 201 | any of them 202 | } 203 | 204 | rule BLOWFISH_Constants { 205 | meta: 206 | author = "phoul (@phoul)" 207 | description = "Look for Blowfish constants" 208 | date = "2014-01" 209 | version = "0.1" 210 | strings: 211 | $c0 = { D1310BA6 } 212 | $c1 = { A60B31D1 } 213 | $c2 = { 98DFB5AC } 214 | $c3 = { ACB5DF98 } 215 | $c4 = { 2FFD72DB } 216 | $c5 = { DB72FD2F } 217 | $c6 = { D01ADFB7 } 218 | $c7 = { B7DF1AD0 } 219 | $c8 = { 4B7A70E9 } 220 | $c9 = { E9707A4B } 221 | $c10 = { F64C261C } 222 | $c11 = { 1C264CF6 } 223 | condition: 224 | 6 of them 225 | } 226 | 227 | rule MD5_Constants { 228 | meta: 229 | author = "phoul (@phoul)" 230 | description = "Look for MD5 constants" 231 | date = "2014-01" 232 | version = "0.2" 233 | strings: 234 | // Init constants 235 | $c0 = { 67452301 } 236 | $c1 = { efcdab89 } 237 | $c2 = { 98badcfe } 238 | $c3 = { 10325476 } 239 | $c4 = { 01234567 } 240 | $c5 = { 89ABCDEF } 241 | $c6 = { FEDCBA98 } 242 | $c7 = { 76543210 } 243 | // Round 2 244 | $c8 = { F4D50d87 } 245 | $c9 = { 78A46AD7 } 246 | condition: 247 | 5 of them 248 | } 249 | 250 | rule MD5_API { 251 | meta: 252 | author = "_pusher_" 253 | description = "Looks for MD5 API" 254 | date = "2016-07" 255 | strings: 256 | $advapi32 = "advapi32.dll" wide ascii nocase 257 | $cryptdll = "cryptdll.dll" wide ascii nocase 258 | $MD5Init = "MD5Init" wide ascii 259 | $MD5Update = "MD5Update" wide ascii 260 | $MD5Final = "MD5Final" wide ascii 261 | condition: 262 | ($advapi32 or $cryptdll) and ($MD5Init and $MD5Update and $MD5Final) 263 | } 264 | 265 | rule RC6_Constants { 266 | meta: 267 | author = "chort (@chort0)" 268 | description = "Look for RC6 magic constants in binary" 269 | reference = "https://twitter.com/mikko/status/417620511397400576" 270 | reference2 = "https://twitter.com/dyngnosis/status/418105168517804033" 271 | date = "2013-12" 272 | version = "0.2" 273 | strings: 274 | $c1 = { B7E15163 } 275 | $c2 = { 9E3779B9 } 276 | $c3 = { 6351E1B7 } 277 | $c4 = { B979379E } 278 | condition: 279 | 2 of them 280 | } 281 | 282 | 283 | rule RIPEMD128_Constants { 284 | meta: 285 | author = "_pusher_" 286 | description = "Look for RIPEMD constants" 287 | date = "2017-05" 288 | version = "0.1" 289 | strings: 290 | $c0 = { 01234567 } 291 | $c1 = { 89ABCDEF } 292 | $c2 = { FEDCBA98 } 293 | $c3 = { 76543210 } 294 | $c4 = { 9979825A } 295 | $c5 = { A1EBD96E } 296 | 297 | $c6 = { DCBC1B8F } 298 | $c7 = { E68BA250 } 299 | $c8 = { 24D14D5C } 300 | $c9 = { F33E706D } 301 | 302 | //not ripemd128 if: 303 | //$a0 = { 4EFD53A9 } 304 | //$a1 = { E9766D7A } 305 | condition: 306 | all of ($c*) 307 | } 308 | 309 | 310 | rule RIPEMD160_Constants { 311 | meta: 312 | author = "phoul (@phoul)" 313 | description = "Look for RIPEMD-160 constants" 314 | date = "2014-01" 315 | version = "0.1" 316 | strings: 317 | $c0 = { 67452301 } 318 | $c1 = { EFCDAB89 } 319 | $c2 = { 98BADCFE } 320 | $c3 = { 10325476 } 321 | $c4 = { C3D2E1F0 } 322 | $c5 = { 01234567 } 323 | $c6 = { 89ABCDEF } 324 | $c7 = { FEDCBA98 } 325 | $c8 = { 76543210 } 326 | $c9 = { F0E1D2C3 } 327 | condition: 328 | 5 of them 329 | } 330 | 331 | rule SHA1_Constants { 332 | meta: 333 | author = "phoul (@phoul)" 334 | description = "Look for SHA1 constants" 335 | date = "2014-01" 336 | version = "0.1" 337 | strings: 338 | $c0 = { 67452301 } 339 | $c1 = { EFCDAB89 } 340 | $c2 = { 98BADCFE } 341 | $c3 = { 10325476 } 342 | $c4 = { C3D2E1F0 } 343 | $c5 = { 01234567 } 344 | $c6 = { 89ABCDEF } 345 | $c7 = { FEDCBA98 } 346 | $c8 = { 76543210 } 347 | $c9 = { F0E1D2C3 } 348 | //added by _pusher_ 2016-07 - last round 349 | $c10 = { D6C162CA } 350 | condition: 351 | 5 of them 352 | } 353 | 354 | rule SHA512_Constants { 355 | meta: 356 | author = "phoul (@phoul)" 357 | description = "Look for SHA384/SHA512 constants" 358 | date = "2014-01" 359 | version = "0.1" 360 | strings: 361 | $c0 = { 428a2f98 } 362 | $c1 = { 982F8A42 } 363 | $c2 = { 71374491 } 364 | $c3 = { 91443771 } 365 | $c4 = { B5C0FBCF } 366 | $c5 = { CFFBC0B5 } 367 | $c6 = { E9B5DBA5 } 368 | $c7 = { A5DBB5E9 } 369 | $c8 = { D728AE22 } 370 | $c9 = { 22AE28D7 } 371 | condition: 372 | 5 of them 373 | } 374 | 375 | rule TEAN { 376 | meta: 377 | author = "_pusher_" 378 | description = "Look for TEA Encryption" 379 | date = "2016-08" 380 | strings: 381 | $c0 = { 2037EFC6 } 382 | condition: 383 | $c0 384 | } 385 | 386 | rule WHIRLPOOL_Constants { 387 | meta: 388 | author = "phoul (@phoul)" 389 | description = "Look for WhirlPool constants" 390 | date = "2014-02" 391 | version = "0.1" 392 | strings: 393 | $c0 = { 18186018c07830d8 } 394 | $c1 = { d83078c018601818 } 395 | $c2 = { 23238c2305af4626 } 396 | $c3 = { 2646af05238c2323 } 397 | condition: 398 | 2 of them 399 | } 400 | 401 | rule DarkEYEv3_Cryptor { 402 | meta: 403 | description = "Rule to detect DarkEYEv3 encrypted executables (often malware)" 404 | author = "Florian Roth" 405 | reference = "http://darkeyev3.blogspot.fi/" 406 | date = "2015-05-24" 407 | hash0 = "6b854b967397f7de0da2326bdd5d39e710e2bb12" 408 | hash1 = "d53149968eca654fc0e803f925e7526fdac2786c" 409 | hash2 = "7e3a8940d446c57504d6a7edb6445681cca31c65" 410 | hash3 = "d3dd665dd77b02d7024ac16eb0949f4f598299e7" 411 | hash4 = "a907a7b74a096f024efe57953c85464e87275ba3" 412 | hash5 = "b1c422155f76f992048377ee50c79fe164b22293" 413 | hash6 = "29f5322ce5e9147f09e0a86cc23a7c8dc88721b9" 414 | hash7 = "a0382d7c12895489cb37efef74c5f666ea750b05" 415 | hash8 = "f3d5b71b7aeeb6cc917d5bb67e2165cf8a2fbe61" 416 | score = 55 417 | strings: 418 | $s0 = "\\DarkEYEV3-" 419 | condition: 420 | uint16(0) == 0x5a4d and $s0 421 | } 422 | 423 | rule Miracl_powmod 424 | { meta: 425 | author = "Maxx" 426 | description = "Miracl powmod" 427 | strings: 428 | $c0 = { 53 55 56 57 E8 ?? ?? ?? ?? 8B F0 8B 86 18 02 00 00 85 C0 0F 85 EC 01 00 00 8B 56 1C 42 8B C2 89 56 1C 83 F8 18 7D 17 C7 44 86 20 12 00 00 00 8B 86 2C 02 00 00 85 C0 74 05 E8 ?? ?? ?? ?? 8B 06 8B 4E 10 3B C1 74 2E 8B 7C 24 1C 57 E8 ?? ?? ?? ?? 83 C4 04 83 F8 02 7C 33 8B 57 04 8B 0E 51 8B 02 50 E8 ?? ?? ?? ?? 83 C4 08 83 F8 01 0F 84 58 01 00 00 EB 17 8B 7C 24 1C 6A 02 57 E8 ?? ?? ?? ?? 83 C4 08 85 C0 0F 84 3F 01 00 00 8B 8E C4 01 00 00 8B 54 24 18 51 52 E8 ?? ?? ?? ?? 8B 86 CC } 429 | condition: 430 | $c0 431 | } 432 | 433 | rule Miracl_crt 434 | { meta: 435 | author = "Maxx" 436 | description = "Miracl crt" 437 | strings: 438 | $c0 = { 51 56 57 E8 ?? ?? ?? ?? 8B 74 24 10 8B F8 89 7C 24 08 83 7E 0C 02 0F 8C 99 01 00 00 8B 87 18 02 00 00 85 C0 0F 85 8B 01 00 00 8B 57 1C 42 8B C2 89 57 1C 83 F8 18 7D 17 C7 44 87 20 4A 00 00 00 8B 87 2C 02 00 00 85 C0 74 05 E8 ?? ?? ?? ?? 8B 46 04 8B 54 24 14 53 55 8B 08 8B 02 51 50 E8 ?? ?? ?? ?? 8B 4E 0C B8 01 00 00 00 83 C4 08 33 ED 3B C8 89 44 24 18 0F 8E C5 00 00 00 BF 04 00 00 00 8B 46 04 8B 0C 07 8B 10 8B 44 24 1C 51 52 8B 0C 07 51 E8 ?? ?? ?? ?? 8B 56 04 8B 4E 08 8B 04 } 439 | condition: 440 | $c0 441 | } 442 | 443 | rule CryptoPP_a_exp_b_mod_c 444 | { meta: 445 | author = "Maxx" 446 | description = "CryptoPP a_exp_b_mod_c" 447 | strings: 448 | $c0 = { 6A FF 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 81 EC ?? 00 00 00 56 8B B4 24 B0 00 00 00 57 6A 00 8B CE C7 44 24 0C 00 00 00 00 E8 ?? ?? ?? ?? 84 C0 0F 85 16 01 00 00 8D 4C 24 24 E8 ?? ?? ?? ?? BF 01 00 00 00 56 8D 4C 24 34 89 BC 24 A4 00 00 00 E8 ?? ?? ?? ?? 8B 06 8D 4C 24 3C 50 6A 00 C6 84 24 A8 00 00 00 02 E8 ?? ?? ?? ?? 8D 4C 24 48 C6 84 24 A0 00 00 00 03 E8 ?? ?? ?? ?? C7 44 24 24 ?? ?? ?? ?? 8B 8C 24 AC 00 00 00 8D 54 24 0C 51 52 8D 4C 24 2C C7 84 24 A8 } 449 | $c1 = { 6A FF 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 4C 56 57 33 FF 8D 44 24 0C 89 7C 24 08 C7 44 24 10 ?? ?? ?? ?? C7 44 24 0C ?? ?? ?? ?? 89 44 24 14 8B 74 24 70 8D 4C 24 18 56 89 7C 24 60 E8 ?? ?? ?? ?? 8B 76 08 8D 4C 24 2C 56 57 C6 44 24 64 01 E8 ?? ?? ?? ?? 8D 4C 24 40 C6 44 24 5C 02 E8 ?? ?? ?? ?? C7 44 24 0C ?? ?? ?? ?? 8B 4C 24 6C 8B 54 24 68 8B 74 24 64 51 52 56 8D 4C 24 18 C7 44 24 68 03 00 00 00 E8 ?? ?? ?? ?? 8B 7C 24 4C 8B 4C 24 48 8B D7 33 C0 F3 } 450 | $c2 = { 6A FF 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 34 56 57 33 FF 8D 44 24 0C 89 7C 24 08 C7 44 24 10 ?? ?? ?? ?? C7 44 24 0C ?? ?? ?? ?? 89 44 24 14 8B 74 24 58 8D 4C 24 18 56 89 7C 24 48 E8 ?? ?? ?? ?? 8B 0E C6 44 24 44 01 51 57 8D 4C 24 2C E8 ?? ?? ?? ?? 8D 4C 24 30 C6 44 24 44 02 E8 ?? ?? ?? ?? C7 44 24 0C ?? ?? ?? ?? 8B 54 24 54 8B 44 24 50 8B 74 24 4C 52 50 56 8D 4C 24 18 C7 44 24 50 03 00 00 00 E8 ?? ?? ?? ?? 8B 4C 24 30 8B 7C 24 34 33 C0 F3 AB 8B 4C } 451 | condition: 452 | any of them 453 | } 454 | 455 | rule CryptoPP_modulo 456 | { meta: 457 | author = "Maxx" 458 | description = "CryptoPP modulo" 459 | strings: 460 | $c0 = { 83 EC 20 53 55 8B 6C 24 2C 8B D9 85 ED 89 5C 24 08 75 18 8D 4C 24 0C E8 ?? ?? ?? ?? 8D 44 24 0C 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 8D 4D FF 56 85 CD 57 75 09 8B 53 04 8B 02 23 C1 EB 76 8B CB E8 ?? ?? ?? ?? 83 FD 05 8B C8 77 2D 33 F6 33 FF 49 85 C0 74 18 8B 53 04 8D 41 01 8D 14 8A 8B 0A 03 F1 83 D7 00 48 83 EA 04 85 C0 77 F1 6A 00 55 57 56 E8 ?? ?? ?? ?? EB 3B 33 C0 8B D1 49 85 D2 74 32 8B 54 24 10 33 DB 8D 71 01 8B 52 04 8D 3C 8A 8B 17 33 ED 0B C5 8B 6C 24 34 33 C9 53 0B CA 55 } 461 | $c1 = { 6A FF 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 2C 56 57 8B F1 33 FF 8D 4C 24 20 89 7C 24 08 E8 ?? ?? ?? ?? 8D 4C 24 0C 89 7C 24 3C E8 ?? ?? ?? ?? 8B 44 24 48 8D 4C 24 0C 50 56 8D 54 24 28 51 52 C6 44 24 4C 01 E8 ?? ?? ?? ?? 8B 74 24 54 83 C4 10 8D 44 24 20 8B CE 50 E8 ?? ?? ?? ?? 8B 7C 24 18 8B 4C 24 14 8B D7 33 C0 F3 AB 52 E8 ?? ?? ?? ?? 8B 7C 24 30 8B 4C 24 2C 8B D7 33 C0 C7 44 24 10 ?? ?? ?? ?? 52 F3 AB E8 ?? ?? ?? ?? 8B 4C 24 3C 83 C4 08 8B C6 64 89 } 462 | $c2 = { 83 EC 24 53 55 8B 6C 24 30 8B D9 85 ED 89 5C 24 08 75 18 8D 4C 24 0C E8 ?? ?? ?? ?? 8D 44 24 0C 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 8D 4D FF 56 85 CD 57 75 09 8B 53 0C 8B 02 23 C1 EB 76 8B CB E8 ?? ?? ?? ?? 83 FD 05 8B C8 77 2D 33 F6 33 FF 49 85 C0 74 18 8B 53 0C 8D 41 01 8D 14 8A 8B 0A 03 F1 83 D7 00 48 83 EA 04 85 C0 77 F1 6A 00 55 57 56 E8 ?? ?? ?? ?? EB 3B 33 C0 8B D1 49 85 D2 74 32 8B 54 24 10 33 DB 8D 71 01 8B 52 0C 8D 3C 8A 8B 17 33 ED 0B C5 8B 6C 24 38 33 C9 53 0B CA 55 } 463 | $c3 = { 6A FF 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 1C 56 57 8B F1 33 FF 8D 4C 24 0C 89 7C 24 08 E8 ?? ?? ?? ?? 8D 4C 24 18 89 7C 24 2C E8 ?? ?? ?? ?? 8B 44 24 38 8D 4C 24 18 50 56 8D 54 24 14 51 52 C6 44 24 3C 01 E8 ?? ?? ?? ?? 8B 74 24 44 83 C4 10 8D 44 24 0C 8B CE 50 E8 ?? ?? ?? ?? 8B 4C 24 18 8B 7C 24 1C 33 C0 F3 AB 8B 4C 24 1C 51 E8 ?? ?? ?? ?? 8B 4C 24 10 8B 7C 24 14 33 C0 F3 AB 8B 54 24 14 52 E8 ?? ?? ?? ?? 8B 4C 24 2C 83 C4 08 8B C6 64 89 0D 00 00 00 } 464 | condition: 465 | any of them 466 | } 467 | 468 | rule FGint_MontgomeryModExp 469 | { meta: 470 | author = "_pusher_" 471 | date = "2015-06" 472 | version = "0.2" 473 | description = "FGint MontgomeryModExp" 474 | strings: 475 | $c0 = { 55 8B EC 83 C4 ?? 53 56 57 33 DB 89 5D ?? 8B F1 8B DA 89 45 ?? 8B 7D 08 8D 45 F4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 EC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 DC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 ?? 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8D 55 D4 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B CF 8B D6 8B 45 FC E8 ?? ?? ?? ?? 8D 55 D4 8B C7 E8 ?? ?? ?? ?? 3C 02 75 0D 8D 45 D4 E8 ?? ?? ?? ?? E9 } 476 | $c1 = { 55 8B EC 83 C4 ?? 53 56 57 33 DB 89 5D ?? 8B F1 8B DA 89 45 ?? 8D 45 F4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 EC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 DC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 D4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8D 55 D4 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B CF 8B D6 8B 45 FC E8 ?? ?? ?? ?? 8D 55 D4 8B C7 E8 ?? ?? ?? ?? 3C 02 75 0D 8D 45 D4 E8 ?? ?? ?? ?? E9 } 477 | $c2 = { 55 8B EC 83 C4 ?? 53 56 57 33 DB 89 5D ?? 8B F1 8B DA 89 45 ?? 8B 7D 08 8D 45 F4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 EC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 DC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 ?? 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 ?? 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 ?? 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8D 55 D4 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B CF 8B D6 8B 45 ?? E8 ?? ?? ?? ?? 8D 55 D4 8B C7 E8 ?? ?? ?? ?? 3C 02 75 0D 8D 45 D4 E8 ?? ?? ?? ?? E9 } 478 | $c3 = { 55 8B EC 83 C4 ?? 53 56 57 33 DB 89 5D ?? 8B F1 8B DA 89 45 D0 8B 7D 08 8D 45 F4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 EC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 DC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 D4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 47 4C 47 00 64 FF 30 64 89 20 8D 55 D4 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B CF 8B D6 8B 45 D0 E8 ?? ?? ?? ?? 8D 55 D4 8B C7 E8 ?? ?? ?? ?? 3C 02 75 0D 8D 45 D4 E8 ?? ?? ?? ?? E9 02 02 00 00 } 479 | condition: 480 | any of them 481 | } 482 | 483 | rule FGint_FGIntModExp 484 | { meta: 485 | author = "_pusher_" 486 | date = "2015-05" 487 | description = "FGint FGIntModExp" 488 | strings: 489 | $c0 = { 55 8B EC 83 C4 E8 53 56 57 33 DB 89 5D ?? 8B F1 89 55 ?? 8B D8 8B 7D 08 8D 45 F4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 EC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8B 46 04 8B 40 04 83 E0 01 83 F8 01 75 0F 57 8B CE 8B 55 ?? 8B C3 E8 ?? ?? ?? ?? EB ?? 8D 55 ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B D7 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 55 F4 8B C3 E8 ?? ?? ?? ?? 8B 45 } 490 | condition: 491 | $c0 492 | } 493 | 494 | rule FGint_MulByInt 495 | { meta: 496 | author = "_pusher_" 497 | date = "2015-05" 498 | description = "FGint MulByInt" 499 | strings: 500 | $c0 = { 53 56 57 55 83 C4 E8 89 4C 24 04 8B EA 89 04 24 8B 04 24 8B 40 04 8B 00 89 44 24 08 8B 44 24 08 83 C0 02 50 8D 45 04 B9 01 00 00 00 8B 15 ?? ?? ?? ?? ?? ?? ?? ?? ?? 83 C4 04 33 F6 8B 7C 24 08 85 FF 76 6D BB 01 00 00 00 8B 04 24 8B 40 04 8B 04 98 33 D2 89 44 24 10 89 54 24 14 8B 44 24 04 33 D2 52 50 8B 44 24 18 8B 54 24 1C ?? ?? ?? ?? ?? 89 44 24 10 89 54 24 14 8B C6 33 D2 03 44 24 10 13 54 24 14 89 44 24 10 89 54 24 14 8B 44 24 10 25 FF FF FF 7F 8B 55 04 89 04 9A 8B 44 24 10 8B 54 24 14 0F AC D0 1F C1 EA 1F 8B F0 43 4F 75 98 } 501 | condition: 502 | $c0 503 | } 504 | 505 | rule FGint_DivMod 506 | { meta: 507 | author = "_pusher_" 508 | date = "2015-05" 509 | description = "FGint FGIntDivMod" 510 | strings: 511 | $c0 = { 55 8B EC 83 C4 BC 53 56 57 8B F1 89 55 F8 89 45 FC 8B 5D 08 8D 45 F0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 D8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8B 45 FC 8A 00 88 45 D7 8B 45 F8 8A 00 88 45 D6 8B 45 FC E8 ?? ?? ?? ?? 8B 45 F8 E8 ?? ?? ?? ?? 8B D3 8B 45 FC E8 ?? ?? ?? ?? 8D 55 E0 8B 45 F8 E8 ?? ?? ?? ?? 8B 55 F8 8B 45 FC } 512 | condition: 513 | $c0 514 | } 515 | 516 | rule FGint_FGIntDestroy 517 | { meta: 518 | author = "_pusher_" 519 | date = "2015-05" 520 | description = "FGint FGIntDestroy" 521 | strings: 522 | $c0 = { 53 8B D8 8D 43 04 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 5B C3 } 523 | condition: 524 | $c0 525 | } 526 | 527 | rule FGint_Base10StringToGInt 528 | { meta: 529 | author = "_pusher_" 530 | date = "2015-06" 531 | version = "0.2" 532 | description = "FGint Base10StringToGInt" 533 | strings: 534 | $c0 = { 55 8B EC B9 04 00 00 00 6A 00 6A 00 49 75 F9 51 53 56 57 8B DA 89 45 FC 8B 45 FC ?? ?? ?? ?? ?? 33 C0 55 ?? ?? ?? ?? ?? 64 FF 30 64 89 20 EB 12 8D 45 FC B9 01 00 00 00 BA 01 00 00 00 ?? ?? ?? ?? ?? 8B 45 FC 8A 00 2C 2D 74 11 04 FD 2C 0A 72 0B 8B 45 FC ?? ?? ?? ?? ?? 48 7F D4 8D 45 E4 50 B9 01 00 00 00 BA 01 00 00 00 8B 45 FC ?? ?? ?? ?? ?? 8B 45 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 75 18 C6 45 EB 00 8D 45 FC B9 01 00 00 00 BA 01 00 00 00 ?? ?? ?? ?? ?? EB 18 C6 45 EB 01 EB 12 8D 45 FC } 535 | $c1 = { 55 8B EC 83 C4 D8 53 56 57 33 C9 89 4D D8 89 4D DC 89 4D E0 89 4D E4 89 4D EC 8B DA 89 45 FC 8B 45 FC E8 ?? ?? ?? ?? 33 C0 55 68 0F 42 45 00 64 FF 30 64 89 20 EB 12 8D 45 FC B9 01 00 00 00 BA 01 00 00 00 E8 ?? ?? ?? ?? 8B 45 FC 8A 00 2C 2D 74 11 04 FD 2C 0A 72 0B 8B 45 FC E8 ?? ?? ?? ?? 48 7F D4 8D 45 E4 50 B9 01 00 00 00 BA 01 00 00 00 8B 45 FC E8 ?? ?? ?? ?? 8B 45 E4 BA 28 42 45 00 E8 ?? ?? ?? ?? 75 18 C6 45 EB 00 8D 45 FC B9 01 00 00 00 BA 01 00 00 00 E8 ?? ?? ?? ?? EB 18 C6 45 EB 01 } 536 | $c2 = { 55 8B EC 83 C4 D8 53 56 33 C9 89 4D D8 89 4D DC 89 4D E0 89 4D F8 89 4D F4 8B DA 89 45 FC 8B 45 FC E8 ?? ?? ?? ?? 33 C0 55 68 A6 32 47 00 64 FF 30 64 89 20 EB 12 8D 45 FC B9 01 00 00 00 BA 01 00 00 00 E8 ?? ?? ?? ?? 8B 45 FC 0F B6 00 2C 2D 74 11 04 FD 2C 0A 72 0B 8B 45 FC E8 ?? ?? ?? ?? 48 7F D3 8D 45 E0 50 B9 01 00 00 00 BA 01 00 00 00 8B 45 FC E8 ?? ?? ?? ?? 8B 45 E0 BA BC 32 47 00 E8 ?? ?? ?? ?? 75 18 C6 45 E9 00 8D 45 FC B9 01 00 00 00 BA 01 00 00 00 E8 ?? ?? ?? ?? EB 18 C6 45 E9 01 } 537 | 538 | condition: 539 | any of them 540 | } 541 | 542 | rule FGint_ConvertBase256to64 543 | { meta: 544 | author = "_pusher_" 545 | date = "2015-05" 546 | description = "FGint ConvertBase256to64" 547 | strings: 548 | $c0 = { 55 8B EC 81 C4 EC FB FF FF 53 56 57 33 C9 89 8D EC FB FF FF 89 8D F0 FB FF FF 89 4D F8 8B FA 89 45 FC B9 00 01 00 00 8D 85 F4 FB FF FF 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8D 85 F4 FB FF FF BA FF 00 00 00 E8 ?? ?? ?? ?? 8D 45 F8 E8 ?? ?? ?? ?? 8B 45 FC E8 ?? ?? ?? ?? 8B D8 85 DB 7E 2F BE 01 00 00 00 8D 45 F8 8B 55 FC 0F B6 54 32 FF 8B 94 95 F4 FB FF FF E8 ?? ?? ?? ?? 46 4B 75 E5 EB } 549 | condition: 550 | $c0 551 | } 552 | 553 | rule FGint_ConvertHexStringToBase256String 554 | { meta: 555 | author = "_pusher_" 556 | date = "2015-06" 557 | version = "0.2" 558 | description = "FGint ConvertHexStringToBase256String" 559 | strings: 560 | $c0 = { 55 8B EC 83 C4 F0 53 56 33 C9 89 4D F0 89 55 F8 89 45 FC 8B 45 FC E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8B 45 F8 E8 ?? ?? ?? ?? 8B 45 FC E8 ?? ?? ?? ?? D1 F8 79 03 83 D0 00 85 C0 7E 5F 89 45 F4 BE 01 00 00 00 8B C6 03 C0 8B 55 FC 8A 54 02 FF 8B 4D FC 8A 44 01 FE 3C 3A 73 0A 8B D8 80 EB 30 C1 E3 04 EB 08 8B D8 80 EB 37 C1 E3 04 80 FA 3A 73 07 80 EA 30 0A DA EB 05 80 EA 37 0A DA 8D 45 F0 8B D3 } 561 | $c1 = { 55 8B EC 83 C4 EC 53 56 33 C9 89 4D EC 89 4D F4 89 55 F8 89 45 FC 8B 45 FC E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8B 45 F8 E8 ?? ?? ?? ?? 8B 45 FC E8 ?? ?? ?? ?? 25 ?? ?? ?? ?? 79 05 48 83 C8 FE 40 48 75 12 8D 45 F4 8B 4D FC BA ?? ?? ?? ?? E8 ?? ?? ?? ?? EB 0B 8D 45 F4 8B 55 FC E8 ?? ?? ?? ?? 8B 45 F4 E8 ?? ?? ?? ?? D1 F8 79 03 83 D0 00 85 C0 7E 62 89 45 F0 BE ?? ?? ?? ?? 8B C6 03 C0 8B 55 F4 8A 54 02 FF 8B 4D F4 8A 44 01 FE 3C 3A 73 0A 8B D8 80 EB 30 C1 E3 04 EB 08 8B D8 80 EB 37 C1 E3 04 80 FA 3A 73 07 80 EA 30 0A DA EB 08 80 EA 37 80 E2 0F 0A DA 8D 45 EC 8B D3 } 562 | condition: 563 | any of them 564 | } 565 | 566 | rule FGint_Base256StringToGInt 567 | { meta: 568 | author = "_pusher_" 569 | date = "2015-05" 570 | description = "FGint Base256StringToGInt" 571 | strings: 572 | $c0 = { 55 8B EC 81 C4 F8 FB FF FF 53 56 57 33 C9 89 4D F8 8B FA 89 45 FC 8B 45 FC ?? ?? ?? ?? ?? B9 00 01 00 00 8D 85 F8 FB FF FF 8B 15 ?? ?? ?? ?? ?? ?? ?? ?? ?? 33 C0 55 ?? ?? ?? ?? ?? 64 FF 30 64 89 20 8D 45 F8 ?? ?? ?? ?? ?? 8D 85 F8 FB FF FF BA FF 00 00 00 ?? ?? ?? ?? ?? 8B 45 FC ?? ?? ?? ?? ?? 8B D8 85 DB 7E 34 BE 01 00 00 00 8D 45 F8 8B 55 FC 0F B6 54 32 FF 8B 94 95 F8 FB FF FF ?? ?? ?? ?? ?? 46 4B 75 E5 EB 12 8D 45 F8 B9 01 00 00 00 BA 01 00 00 00 ?? ?? ?? ?? ?? 8B 45 F8 80 38 30 75 0F } 573 | condition: 574 | $c0 575 | } 576 | 577 | rule FGint_FGIntToBase256String 578 | { meta: 579 | author = "_pusher_" 580 | date = "2015-06" 581 | version = "0.2" 582 | description = "FGint FGIntToBase256String" 583 | strings: 584 | $c0 = { 55 8B EC 33 C9 51 51 51 51 53 56 8B F2 33 D2 55 68 ?? ?? ?? ?? 64 FF 32 64 89 22 8D 55 FC E8 ?? ?? ?? ?? EB 10 8D 45 FC 8B 4D FC BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 45 FC E8 ?? ?? ?? ?? 25 07 00 00 80 79 05 48 83 C8 F8 40 85 C0 75 D8 8B 45 FC E8 ?? ?? ?? ?? 8B D8 85 DB 79 03 83 C3 07 C1 FB 03 8B C6 E8 ?? ?? ?? ?? 85 DB 76 4B 8D 45 F4 50 B9 08 00 00 00 BA 01 00 00 00 8B 45 FC E8 ?? ?? ?? ?? 8B 55 F4 8D 45 FB E8 ?? ?? ?? ?? 8D 45 F0 8A 55 FB E8 ?? ?? ?? ?? 8B 55 F0 8B C6 E8 ?? ?? ?? ?? 8D 45 FC B9 08 00 00 00 BA 01 00 00 00 E8 ?? ?? ?? ?? 4B 75 B5 } 585 | $c1 = { 55 8B EC 33 C9 51 51 51 51 53 56 8B F2 33 D2 55 68 ?? ?? ?? ?? 64 FF 32 64 89 22 8D 55 FC E8 ?? ?? ?? ?? EB 10 8D 45 FC 8B 4D FC BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 45 FC E8 ?? ?? ?? ?? 25 07 00 00 80 79 05 48 83 C8 F8 40 85 C0 75 D8 8B 45 FC 85 C0 74 05 83 E8 04 8B 00 8B D8 85 DB 79 03 83 C3 07 C1 FB 03 8B C6 E8 ?? ?? ?? ?? 85 DB 76 4C 8D 45 F4 50 B9 08 00 00 00 BA 01 00 00 00 8B 45 FC E8 ?? ?? ?? ?? 8B 55 F4 8D 45 FB E8 ?? ?? ?? ?? 8D 45 F0 0F B6 55 FB E8 ?? ?? ?? ?? 8B 55 F0 8B C6 E8 ?? ?? ?? ?? 8D 45 FC B9 08 00 00 00 BA 01 00 00 00 E8 } 586 | condition: 587 | any of them 588 | } 589 | 590 | rule FGint_ConvertBase256StringToHexString 591 | { meta: 592 | author = "_pusher_" 593 | date = "2015-05" 594 | description = "FGint ConvertBase256StringToHexString" 595 | strings: 596 | $c0 = { 55 8B EC 33 C9 51 51 51 51 51 51 53 56 57 8B F2 89 45 FC 8B 45 FC E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8B C6 E8 ?? ?? ?? ?? 8B 45 FC E8 ?? ?? ?? ?? 8B F8 85 FF 0F 8E AB 00 00 00 C7 45 F8 01 00 00 00 8B 45 FC 8B 55 F8 8A 5C 10 FF 33 C0 8A C3 C1 E8 04 83 F8 0A 73 1E 8D 45 F4 33 D2 8A D3 C1 EA 04 83 C2 30 E8 ?? ?? ?? ?? 8B 55 F4 8B C6 E8 ?? ?? ?? ?? EB 1C 8D 45 F0 33 D2 8A D3 C1 EA 04 83 C2 37 E8 ?? ?? ?? ?? 8B 55 F0 8B C6 E8 ?? ?? ?? ?? 8B C3 24 0F 3C 0A 73 22 8D 45 EC 8B D3 80 E2 0F 81 E2 FF 00 00 00 83 C2 30 E8 ?? ?? ?? ?? 8B 55 EC 8B C6 E8 ?? ?? ?? ?? EB 20 8D 45 E8 8B D3 80 E2 0F 81 E2 FF 00 00 00 83 C2 37 } 597 | condition: 598 | $c0 599 | } 600 | 601 | 602 | rule FGint_PGPConvertBase256to64 603 | { meta: 604 | author = "_pusher_" 605 | date = "2016-08" 606 | description = "FGint PGPConvertBase256to64" 607 | strings: 608 | $c0 = { 55 8B EC 81 C4 E8 FB FF FF 53 56 57 33 C9 89 8D E8 FB FF FF 89 4D F8 89 4D F4 89 4D F0 8B FA 89 45 FC B9 00 01 00 00 8D 85 EC FB FF FF 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8D 85 EC FB FF FF BA FF 00 00 00 E8 ?? ?? ?? ?? 8D 45 F8 E8 ?? ?? ?? ?? 8B 45 FC 8B 00 E8 ?? ?? ?? ?? 8B D8 85 DB 7E 22 BE 01 00 00 00 8D 45 F8 8B 55 FC 8B 12 0F B6 54 32 FF 8B 94 95 EC FB FF FF E8 ?? ?? ?? ?? 46 4B 75 E3 8B 45 F8 E8 ?? ?? ?? ?? B9 06 00 00 00 99 F7 F9 85 D2 75 0A 8D 45 F0 E8 ?? ?? ?? ?? EB 4B 8B 45 F8 E8 ?? ?? ?? ?? B9 06 00 00 00 99 F7 F9 83 FA 04 75 1C 8D 45 F8 BA 4C 33 40 00 E8 ?? ?? ?? ?? 8D 45 F0 BA 58 33 40 00 E8 ?? ?? ?? ?? EB 1A 8D 45 F8 BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 F0 BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B C7 E8 ?? ?? ?? ?? 8B 45 F8 E8 ?? ?? ?? ?? B9 06 00 00 00 99 F7 F9 8B D8 85 DB 7E 57 8D 45 F4 50 B9 06 00 00 00 BA 01 00 00 00 8B 45 F8 E8 ?? ?? ?? ?? 8D 45 EC 8B 55 F4 E8 ?? ?? ?? ?? 8D 85 E8 FB FF FF 8B 55 EC 8A 92 ?? ?? ?? ?? E8 } 609 | condition: 610 | $c0 611 | } 612 | 613 | 614 | rule FGint_RSAEncrypt 615 | { meta: 616 | author = "_pusher_" 617 | date = "2015-05" 618 | description = "FGint RSAEncrypt" 619 | strings: 620 | $c0 = { 55 8B EC 83 C4 D0 53 56 57 33 DB 89 5D D0 89 5D DC 89 5D D8 89 5D D4 8B F9 89 55 F8 89 45 FC 8B 45 FC E8 ?? ?? ?? ?? 8D 45 F0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8D 55 E0 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 55 DC 8B C7 E8 ?? ?? ?? ?? 8B 45 DC E8 ?? ?? ?? ?? 8B D8 8D 55 DC 8B 45 FC E8 ?? ?? ?? ?? 8D 45 DC 8B 4D DC BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B F3 4E EB 10 } 621 | condition: 622 | $c0 623 | } 624 | 625 | rule FGint_RsaDecrypt 626 | { meta: 627 | author = "Maxx" 628 | description = "FGint RsaDecrypt" 629 | strings: 630 | $c0 = { 55 8B EC 83 C4 A0 53 56 57 33 DB 89 5D A0 89 5D A4 89 5D A8 89 5D B4 89 5D B0 89 5D AC 89 4D F8 8B FA 89 45 FC 8B 45 FC E8 ?? ?? ?? ?? 8D 45 F0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 D8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 D0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 C8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 C0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 B8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 } 631 | condition: 632 | $c0 633 | } 634 | 635 | rule FGint_RSAVerify 636 | { meta: 637 | author = "_pusher_" 638 | description = "FGint RSAVerify" 639 | strings: 640 | $c0 = { 55 8B EC 83 C4 E0 53 56 8B F1 89 55 F8 89 45 FC 8B 5D 0C 8B 45 FC E8 ?? ?? ?? ?? 8B 45 F8 E8 ?? ?? ?? ?? 8D 45 F0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8D 55 E8 8B 45 F8 E8 ?? ?? ?? ?? 8D 55 F0 8B 45 FC E8 ?? ?? ?? ?? 8D 4D E0 8B D3 8D 45 F0 E8 ?? ?? ?? ?? 8D 55 F0 8D 45 E0 E8 ?? ?? ?? ?? 8D 45 E0 50 8B CB 8B D6 8D 45 E8 E8 ?? ?? ?? ?? 8D 55 E8 8D 45 E0 E8 ?? ?? ?? ?? 8D 55 F0 8D 45 E8 E8 ?? ?? ?? ?? 3C 02 8B 45 08 0F 94 00 8D 45 E8 E8 ?? ?? ?? ?? 8D 45 F0 E8 ?? ?? ?? ?? 33 C0 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8D 45 E0 8B 15 ?? ?? ?? ?? B9 03 00 00 00 E8 ?? ?? ?? ?? 8D 45 F8 BA 02 00 00 00 E8 ?? ?? ?? ?? C3 } 641 | condition: 642 | $c0 643 | } 644 | 645 | rule FGint_FindPrimeGoodCurveAndPoint 646 | { meta: 647 | author = "_pusher_" 648 | date = "2015-06" 649 | description = "FGint FindPrimeGoodCurveAndPoint" 650 | version = "0.1" 651 | strings: 652 | $c0 = { 55 8B EC 83 C4 F4 53 56 57 33 DB 89 5D F4 89 4D FC 8B FA 8B F0 33 C0 55 } 653 | condition: 654 | $c0 655 | } 656 | 657 | rule FGint_ECElGamalEncrypt 658 | { meta: 659 | author = "_pusher_" 660 | date = "2016-08" 661 | description = "FGint ECElGamalEncrypt" 662 | version = "0.1" 663 | strings: 664 | $c0 = { 55 8B EC 81 C4 3C FF FF FF 53 56 57 33 DB 89 5D D8 89 5D D4 89 5D D0 8B 75 10 8D 7D 8C A5 A5 A5 A5 A5 8B 75 14 8D 7D A0 A5 A5 A5 A5 A5 8B 75 18 8D 7D DC A5 A5 8B 75 1C 8D 7D E4 A5 A5 8B F1 8D 7D EC A5 A5 8B F2 8D 7D F4 A5 A5 89 45 FC 8B 45 FC E8 ?? ?? ?? ?? 8D 45 F4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 EC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 DC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 A0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 8C 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 78 FF FF FF 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 64 FF FF FF 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 50 FF FF FF 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 3C FF FF FF 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 C4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 BC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 B4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 7D CF } 665 | $c1 = { 55 8B EC 83 C4 A8 53 56 57 33 DB 89 5D A8 89 5D AC 89 5D BC 89 5D B8 89 5D B4 89 4D F4 89 55 F8 89 45 FC 8B 75 0C 8B 45 FC E8 ?? ?? ?? ?? 8D 45 E8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 D8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 D0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 C8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 C0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 71 14 41 00 64 FF 30 64 89 20 8D 55 BC 8B C6 E8 ?? ?? ?? ?? 8B 45 BC E8 ?? ?? ?? ?? 8B D8 8D 55 BC 8B 45 FC E8 ?? ?? ?? ?? 8D 45 BC 8B 4D BC BA 8C 14 41 00 E8 ?? ?? ?? ?? 8B FB 4F EB 10 8D 45 BC 8B 4D BC BA 98 14 41 00 E8 ?? ?? ?? ?? 8B 45 BC } 666 | condition: 667 | $c0 or $c1 668 | } 669 | 670 | rule FGint_ECAddPoints 671 | { meta: 672 | author = "_pusher_" 673 | date = "2015-06" 674 | description = "FGint ECAddPoints" 675 | version = "0.1" 676 | strings: 677 | $c0 = { 55 8B EC 83 C4 A8 53 56 57 8B 75 0C 8D 7D F0 A5 A5 8B F1 8D 7D F8 A5 A5 8B F2 8D 7D A8 A5 A5 A5 A5 A5 8B F0 8D 7D BC A5 A5 A5 A5 A5 8B 5D 08 8D 45 BC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 A8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 F8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 F0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 D8 8B 15 ?? ?? ?? ?? E8 } 678 | condition: 679 | $c0 680 | } 681 | 682 | rule FGint_ECPointKMultiple 683 | { meta: 684 | author = "_pusher_" 685 | date = "2015-06" 686 | description = "FGint ECPointKMultiple" 687 | version = "0.1" 688 | strings: 689 | $c0 = { 55 8B EC 83 C4 BC 53 56 57 33 DB 89 5D E4 8B 75 0C 8D 7D E8 A5 A5 8B F1 8D 7D F0 A5 A5 8B F2 8D 7D F8 A5 A5 8B F0 8D 7D D0 A5 A5 A5 A5 A5 8B 5D 08 8D 45 D0 8B 15 ?? ?? ?? 00 E8 ?? ?? ?? ?? 8D 45 F8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 F0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 BC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 } 690 | condition: 691 | $c0 692 | } 693 | 694 | rule FGint_ECPointDestroy 695 | { meta: 696 | author = "_pusher_" 697 | date = "2015-06" 698 | description = "FGint ECPointDestroy" 699 | version = "0.1" 700 | strings: 701 | $c0 = { 53 8B D8 8B C3 E8 ?? ?? ?? ?? 8D 43 08 E8 ?? ?? ?? ?? 5B C3 } 702 | condition: 703 | $c0 704 | } 705 | 706 | rule FGint_DSAPrimeSearch 707 | { meta: 708 | author = "_pusher_" 709 | date = "2016-08" 710 | description = "FGint DSAPrimeSearch" 711 | version = "0.1" 712 | strings: 713 | $c0 = { 55 8B EC 83 C4 DC 53 56 8B DA 8B F0 8D 45 F8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 F0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8D 4D F8 8B D6 8B C6 E8 ?? ?? ?? ?? 8D 4D E8 8B D6 8B C3 E8 ?? ?? ?? ?? 8D 55 F0 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 4D E0 8D 55 E8 8B C3 E8 ?? ?? ?? ?? 8D 45 E8 E8 ?? ?? ?? ?? 8D 4D E8 8D 55 F0 8D 45 E0 E8 ?? ?? ?? ?? 8D 45 E0 E8 ?? ?? ?? ?? 8D 45 F0 E8 ?? ?? ?? ?? 8B 45 EC 8B 40 04 83 E0 01 85 C0 75 18 8D 4D E0 8B D6 8D 45 E8 E8 ?? ?? ?? ?? 8D 55 E8 8D 45 E0 E8 ?? ?? ?? ?? 8B D3 8D 45 E8 E8 ?? ?? ?? ?? C6 45 DF 00 EB 26 8D 4D E8 8D 55 F8 8B C3 E8 ?? ?? ?? ?? 8B D3 8D 45 E8 E8 ?? ?? ?? ?? 8D 4D DF 8B C3 BA 05 00 00 00 E8 ?? ?? ?? ?? 80 7D DF 00 74 D4 8D 45 F8 E8 ?? ?? ?? ?? 33 C0 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8D 45 E0 8B 15 ?? ?? ?? ?? B9 04 00 00 00 E8 ?? ?? ?? ?? C3 } 714 | condition: 715 | $c0 716 | } 717 | 718 | rule FGint_DSASign 719 | { meta: 720 | author = "_pusher_" 721 | date = "2016-08" 722 | description = "FGint DSASign" 723 | version = "0.1" 724 | strings: 725 | $c0 = { 55 8B EC 83 C4 CC 53 56 57 89 4D FC 8B DA 8B F8 8B 75 14 8B 45 10 E8 ?? ?? ?? ?? 8D 45 F4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 EC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 DC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 D4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 CC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8D 45 F4 50 8B CF 8B D6 8B 45 FC E8 ?? ?? ?? ?? 8D 4D D4 8B D3 8D 45 F4 E8 ?? ?? ?? ?? 8D 45 F4 E8 ?? ?? ?? ?? 8D 4D F4 8B D3 8B C6 E8 ?? ?? ?? ?? 8D 55 EC 8B 45 10 E8 ?? ?? ?? ?? 8D 45 E4 50 8B CB 8D 55 D4 8B 45 18 E8 ?? ?? ?? ?? 8D 4D DC 8D 55 E4 8D 45 EC E8 ?? ?? ?? ?? 8D 45 EC E8 ?? ?? ?? ?? 8D 45 E4 E8 ?? ?? ?? ?? 8D 45 CC 50 8B CB 8D 55 DC 8D 45 F4 E8 ?? ?? ?? ?? 8D 45 F4 E8 ?? ?? ?? ?? 8D 45 DC E8 ?? ?? ?? ?? 8B 55 0C 8D 45 D4 E8 ?? ?? ?? ?? 8B 55 08 8D 45 CC E8 ?? ?? ?? ?? 8D 45 D4 E8 ?? ?? ?? ?? 8D 45 CC E8 ?? ?? ?? ?? 33 C0 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8D 45 CC 8B 15 ?? ?? ?? ?? B9 06 00 00 00 E8 } 726 | condition: 727 | $c0 728 | } 729 | 730 | rule FGint_DSAVerify 731 | { meta: 732 | author = "_pusher_" 733 | date = "2016-08" 734 | description = "FGint DSAVerify" 735 | version = "0.1" 736 | strings: 737 | $c0 = { 55 8B EC 83 C4 B4 53 56 57 89 4D FC 8B DA 8B F0 8B 7D 08 8B 45 14 E8 ?? ?? ?? ?? 8B 45 10 E8 ?? ?? ?? ?? 8B 45 0C E8 ?? ?? ?? ?? 8D 45 F4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 EC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 DC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 D4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 CC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 C4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 BC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 B4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8D 55 CC 8B 45 0C E8 ?? ?? ?? ?? 8D 4D F4 8B D3 8D 45 CC E8 ?? ?? ?? ?? 8D 55 C4 8B 45 14 E8 ?? ?? ?? ?? 8D 45 EC 50 8B CB 8D 55 F4 8D 45 C4 E8 ?? ?? ?? ?? 8D 45 C4 E8 ?? ?? ?? ?? 8D 55 D4 8B 45 10 E8 ?? ?? ?? ?? 8D 45 E4 50 8B CB 8D 55 F4 8D 45 D4 E8 ?? ?? ?? ?? 8D 45 F4 E8 ?? ?? ?? ?? 8D 45 C4 50 8B CE 8D 55 EC 8B 45 FC E8 ?? ?? ?? ?? 8D 45 BC 50 8B CE 8D 55 E4 8B 45 18 E8 ?? ?? ?? ?? 8D 45 B4 50 8B CE 8D 55 BC 8D 45 C4 E8 ?? ?? ?? ?? 8D 45 C4 E8 } 738 | condition: 739 | $c0 740 | } 741 | 742 | 743 | rule DES_Long 744 | { meta: 745 | author = "_pusher_" 746 | date = "2015-05" 747 | description = "DES [long]" 748 | strings: 749 | $c0 = { 10 80 10 40 00 00 00 00 00 80 10 00 00 00 10 40 10 00 00 40 10 80 00 00 00 80 00 40 00 80 10 00 00 80 00 00 10 00 10 40 10 00 00 00 00 80 00 40 10 00 10 00 00 80 10 40 00 00 10 40 10 00 00 00 } 750 | condition: 751 | $c0 752 | } 753 | 754 | rule DES_sbox 755 | { meta: 756 | author = "_pusher_" 757 | date = "2015-05" 758 | description = "DES [sbox]" 759 | strings: 760 | $c0 = { 00 04 01 01 00 00 00 00 00 00 01 00 04 04 01 01 04 00 01 01 04 04 01 00 04 00 00 00 00 00 01 00 00 04 00 00 00 04 01 01 04 04 01 01 00 04 00 00 04 04 00 01 04 00 01 01 00 00 00 01 04 00 00 00 } 761 | condition: 762 | $c0 763 | } 764 | 765 | rule DES_pbox_long 766 | { meta: 767 | author = "_pusher_" 768 | date = "2015-05" 769 | description = "DES [pbox] [long]" 770 | strings: 771 | $c0 = { 0F 00 00 00 06 00 00 00 13 00 00 00 14 00 00 00 1C 00 00 00 0B 00 00 00 1B 00 00 00 10 00 00 00 00 00 00 00 0E 00 00 00 16 00 00 00 19 00 00 00 04 00 00 00 11 00 00 00 1E 00 00 00 09 00 00 00 01 00 00 00 07 00 00 00 17 00 00 00 0D 00 00 00 1F 00 00 00 1A 00 00 00 02 00 00 00 08 00 00 00 12 00 00 00 0C 00 00 00 1D 00 00 00 05 00 00 00 } 772 | condition: 773 | $c0 774 | } 775 | 776 | rule OpenSSL_BN_mod_exp2_mont 777 | { meta: 778 | author = "Maxx" 779 | description = "OpenSSL BN_mod_exp2_mont" 780 | strings: 781 | $c0 = { B8 30 05 00 00 E8 ?? ?? ?? ?? 8B 84 24 48 05 00 00 53 33 DB 56 8B 08 57 89 5C 24 24 89 5C 24 30 8A 01 89 5C 24 28 A8 01 89 5C 24 0C 75 24 68 89 00 00 00 68 ?? ?? ?? ?? 6A 66 6A 76 6A 03 E8 ?? ?? ?? ?? 83 C4 14 33 C0 5F 5E 5B 81 C4 30 05 00 00 C3 8B 94 24 48 05 00 00 52 E8 ?? ?? ?? ?? 8B F0 8B 84 24 54 05 00 00 50 E8 ?? ?? ?? ?? 83 C4 08 3B F3 8B F8 75 20 3B FB 75 1C 8B 8C 24 40 05 00 00 6A 01 51 E8 ?? ?? ?? ?? 83 C4 08 5F 5E 5B 81 C4 30 05 00 00 C3 3B F7 89 74 24 18 7F 04 89 } 782 | condition: 783 | $c0 784 | } 785 | 786 | rule OpenSSL_BN_mod_exp_mont 787 | { meta: 788 | author = "Maxx" 789 | description = "OpenSSL BN_mod_exp_mont" 790 | strings: 791 | $c0 = { B8 A0 02 00 00 E8 ?? ?? ?? ?? 53 56 57 8B BC 24 BC 02 00 00 33 F6 8B 07 89 74 24 24 89 74 24 20 89 74 24 0C F6 00 01 75 24 68 72 01 00 00 68 ?? ?? ?? ?? 6A 66 6A 6D 6A 03 E8 ?? ?? ?? ?? 83 C4 14 33 C0 5F 5E 5B 81 C4 A0 02 00 00 C3 8B 8C 24 B8 02 00 00 51 E8 ?? ?? ?? ?? 8B D8 83 C4 04 3B DE 89 5C 24 18 75 1C 8B 94 24 B0 02 00 00 6A 01 52 E8 ?? ?? ?? ?? 83 C4 08 5F 5E 5B 81 C4 A0 02 00 00 C3 55 8B AC 24 C4 02 00 00 55 E8 ?? ?? ?? ?? 55 E8 ?? ?? ?? ?? 8B F0 55 89 74 24 24 E8 } 792 | condition: 793 | $c0 794 | } 795 | 796 | rule OpenSSL_BN_mod_exp_recp 797 | { meta: 798 | author = "Maxx" 799 | description = "OpenSSL BN_mod_exp_recp" 800 | strings: 801 | $c0 = { B8 C8 02 00 00 E8 ?? ?? ?? ?? 8B 84 24 D4 02 00 00 55 56 33 F6 50 89 74 24 1C 89 74 24 18 E8 ?? ?? ?? ?? 8B E8 83 C4 04 3B EE 89 6C 24 0C 75 1B 8B 8C 24 D4 02 00 00 6A 01 51 E8 ?? ?? ?? ?? 83 C4 08 5E 5D 81 C4 C8 02 00 00 C3 53 57 8B BC 24 EC 02 00 00 57 E8 ?? ?? ?? ?? 57 E8 ?? ?? ?? ?? 8B D8 83 C4 08 3B DE 0F 84 E7 02 00 00 8D 54 24 24 52 E8 ?? ?? ?? ?? 8B B4 24 EC 02 00 00 83 C4 04 8B 46 0C 85 C0 74 32 56 53 E8 ?? ?? ?? ?? 83 C4 08 85 C0 0F 84 BA 02 00 00 57 8D 44 24 28 53 } 802 | condition: 803 | $c0 804 | } 805 | 806 | rule OpenSSL_BN_mod_exp_simple 807 | { meta: 808 | author = "Maxx" 809 | description = "OpenSSL BN_mod_exp_simple" 810 | strings: 811 | $c0 = { B8 98 02 00 00 E8 ?? ?? ?? ?? 8B 84 24 A4 02 00 00 55 56 33 ED 50 89 6C 24 1C 89 6C 24 18 E8 ?? ?? ?? ?? 8B F0 83 C4 04 3B F5 89 74 24 0C 75 1B 8B 8C 24 A4 02 00 00 6A 01 51 E8 ?? ?? ?? ?? 83 C4 08 5E 5D 81 C4 98 02 00 00 C3 53 57 8B BC 24 BC 02 00 00 57 E8 ?? ?? ?? ?? 57 E8 ?? ?? ?? ?? 8B D8 83 C4 08 3B DD 0F 84 71 02 00 00 8D 54 24 28 52 E8 ?? ?? ?? ?? 8B AC 24 BC 02 00 00 8B 84 24 B4 02 00 00 57 55 8D 4C 24 34 50 51 C7 44 24 30 01 00 00 00 E8 ?? ?? ?? ?? 83 C4 14 85 C0 0F } 812 | condition: 813 | $c0 814 | } 815 | 816 | rule OpenSSL_BN_mod_exp_inverse 817 | { meta: 818 | author = "Maxx" 819 | description = "OpenSSL BN_mod_exp_inverse" 820 | strings: 821 | $c0 = { B8 18 00 00 00 E8 ?? ?? ?? ?? 53 55 56 57 8B 7C 24 38 33 C0 57 89 44 24 20 89 44 24 24 E8 ?? ?? ?? ?? 57 E8 ?? ?? ?? ?? 57 89 44 24 1C E8 ?? ?? ?? ?? 57 8B F0 E8 ?? ?? ?? ?? 57 89 44 24 28 E8 ?? ?? ?? ?? 57 8B E8 E8 ?? ?? ?? ?? 57 8B D8 E8 ?? ?? ?? ?? 8B F8 8B 44 24 54 50 89 7C 24 38 E8 ?? ?? ?? ?? 83 C4 20 89 44 24 24 85 C0 8B 44 24 2C 0F 84 78 05 00 00 85 C0 75 05 E8 ?? ?? ?? ?? 85 C0 89 44 24 1C 0F 84 63 05 00 00 8B 4C 24 14 6A 01 51 E8 ?? ?? ?? ?? 6A 00 57 E8 } 822 | condition: 823 | $c0 824 | } 825 | 826 | rule OpenSSL_DSA 827 | { 828 | meta: 829 | author="_pusher_" 830 | date="2016-08" 831 | strings: 832 | $a0 = "bignum_data" wide ascii nocase 833 | $a1 = "DSA_METHOD" wide ascii nocase 834 | $a2 = "PDSA" wide ascii nocase 835 | $a3 = "dsa_mod_exp" wide ascii nocase 836 | $a4 = "bn_mod_exp" wide ascii nocase 837 | $a5 = "dsa_do_verify" wide ascii nocase 838 | $a6 = "dsa_sign_setup" wide ascii nocase 839 | $a7 = "dsa_do_sign" wide ascii nocase 840 | $a8 = "dsa_paramgen" wide ascii nocase 841 | $a9 = "BN_MONT_CTX" wide ascii nocase 842 | condition: 843 | 7 of ($a*) 844 | } 845 | 846 | rule FGint_RsaSign 847 | { meta: 848 | author = "Maxx" 849 | description = "FGint RsaSign" 850 | strings: 851 | $c0 = { 55 8B EC 83 C4 B8 53 56 57 89 4D F8 8B FA 89 45 FC 8B 75 0C 8B 5D 10 8B 45 FC E8 ?? ?? ?? ?? 8D 45 F0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 D8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 D0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 C8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 C0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 B8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8D 55 F0 } 852 | condition: 853 | $c0 854 | } 855 | 856 | 857 | rule LockBox_RsaEncryptFile 858 | { meta: 859 | author = "Maxx" 860 | description = "LockBox RsaEncryptFile" 861 | strings: 862 | $c0 = { 55 8B EC 83 C4 F8 53 56 8B F1 8B DA 6A 20 8B C8 B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 45 FC 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 68 FF FF 00 00 8B CB B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 45 F8 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8A 45 08 50 8B CE 8B 55 F8 8B 45 FC E8 ?? ?? ?? ?? 33 C0 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8B 45 F8 E8 ?? ?? ?? ?? C3 } 863 | condition: 864 | $c0 865 | } 866 | 867 | rule LockBox_DecryptRsaEx 868 | { meta: 869 | author = "Maxx" 870 | description = "LockBox DecryptRsaEx" 871 | strings: 872 | $c0 = { 55 8B EC 83 C4 F4 53 56 57 89 4D F8 89 55 FC 8B D8 33 C0 8A 43 04 0F B7 34 45 ?? ?? ?? ?? 0F B7 3C 45 ?? ?? ?? ?? 8B CE B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 45 F4 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8B 55 FC 8B CE 8B 45 F4 E8 ?? ?? ?? ?? 6A 00 B1 02 8B D3 8B 45 F4 E8 ?? ?? ?? ?? 8B 45 F4 E8 ?? ?? ?? ?? 3B C7 7E 16 B9 ?? ?? ?? ?? B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 45 F4 E8 ?? ?? ?? ?? 8B C8 8B 55 F8 8B 45 F4 E8 ?? ?? ?? ?? 33 C0 5A 59 59 64 89 10 68 } 873 | condition: 874 | $c0 875 | } 876 | 877 | rule LockBox_EncryptRsaEx 878 | { meta: 879 | author = "Maxx" 880 | description = "LockBox EncryptRsaEx" 881 | strings: 882 | $c0 = { 55 8B EC 83 C4 F8 53 56 57 89 4D FC 8B FA 8B F0 33 C0 8A 46 04 0F B7 1C 45 ?? ?? ?? ?? 8B CB B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 45 F8 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8B D7 8B 4D 08 8B 45 F8 E8 ?? ?? ?? ?? 6A 01 B1 02 8B D6 8B 45 F8 E8 ?? ?? ?? ?? 8B 45 F8 E8 ?? ?? ?? ?? 3B C3 7E 16 B9 ?? ?? ?? ?? B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 45 F8 E8 ?? ?? ?? ?? 8B C8 8B 55 FC 8B 45 F8 E8 ?? ?? ?? ?? 33 C0 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8B 45 F8 E8 } 883 | condition: 884 | $c0 885 | } 886 | 887 | rule LockBox_TlbRsaKey 888 | { meta: 889 | author = "Maxx" 890 | description = "LockBox TlbRsaKey" 891 | strings: 892 | $c0 = { 53 56 84 D2 74 08 83 C4 F0 E8 ?? ?? ?? ?? 8B DA 8B F0 33 D2 8B C6 E8 ?? ?? ?? ?? 33 C0 8A 46 04 8B 15 ?? ?? ?? ?? 0F B7 0C 42 B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 46 0C 33 C0 8A 46 04 8B 15 ?? ?? ?? ?? 0F B7 0C 42 B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 46 10 8B C6 84 DB 74 0F E8 ?? ?? ?? ?? 64 8F 05 00 00 00 00 83 C4 0C 8B C6 5E 5B C3 } 893 | condition: 894 | $c0 895 | } 896 | 897 | rule BigDig_bpInit 898 | { meta: 899 | author = "Maxx" 900 | description = "BigDig bpInit" 901 | strings: 902 | $c0 = { 56 8B 74 24 0C 6A 04 56 E8 ?? ?? ?? ?? 8B C8 8B 44 24 10 83 C4 08 85 C9 89 08 75 04 33 C0 5E C3 89 70 08 C7 40 04 00 00 00 00 5E C3 } 903 | condition: 904 | $c0 905 | } 906 | 907 | rule BigDig_mpModExp 908 | { meta: 909 | author = "Maxx" 910 | description = "BigDig mpModExp" 911 | strings: 912 | $c0 = { 56 8B 74 24 18 85 F6 75 05 83 C8 FF 5E C3 53 55 8B 6C 24 18 57 56 55 E8 ?? ?? ?? ?? 8B D8 83 C4 08 BF 00 00 00 80 8B 44 9D FC 85 C7 75 04 D1 EF 75 F8 83 FF 01 75 08 BF 00 00 00 80 4B EB 02 D1 EF 8B 44 24 18 56 8B 74 24 18 50 56 E8 ?? ?? ?? ?? 83 C4 0C 85 DB 74 4F 8D 6C 9D FC 8B 4C 24 24 8B 54 24 20 51 52 56 56 56 E8 ?? ?? ?? ?? 8B 45 00 83 C4 14 85 C7 74 19 8B 44 24 24 8B 4C 24 20 8B 54 24 18 50 51 52 56 56 E8 ?? ?? ?? ?? 83 C4 14 83 FF 01 75 0B 4B BF 00 00 00 80 83 ED 04 EB } 913 | condition: 914 | $c0 915 | } 916 | 917 | rule BigDig_mpModInv 918 | { meta: 919 | author = "Maxx" 920 | description = "BigDig mpModInv" 921 | strings: 922 | $c0 = { 81 EC 2C 07 00 00 8D 84 24 CC 00 00 00 53 56 8B B4 24 44 07 00 00 57 56 6A 01 50 E8 ?? ?? ?? ?? 8B 8C 24 4C 07 00 00 56 8D 94 24 80 02 00 00 51 52 E8 ?? ?? ?? ?? 8D 84 24 BC 01 00 00 56 50 E8 ?? ?? ?? ?? 8B 9C 24 64 07 00 00 56 8D 4C 24 30 53 51 E8 ?? ?? ?? ?? 8D 54 24 38 56 52 BF 01 00 00 00 E8 ?? ?? ?? ?? 83 C4 34 85 C0 0F 85 ED 00 00 00 8D 44 24 0C 56 50 8D 8C 24 78 02 00 00 56 8D 94 24 48 03 00 00 51 8D 84 24 18 04 00 00 52 50 E8 ?? ?? ?? ?? 8D 8C 24 BC 01 00 00 56 8D 94 } 923 | condition: 924 | $c0 925 | } 926 | 927 | rule BigDig_mpModMult 928 | { meta: 929 | author = "Maxx" 930 | description = "BigDig mpModMult" 931 | strings: 932 | $c0 = { 8B 44 24 0C 8B 4C 24 08 81 EC 98 01 00 00 8D 54 24 00 56 8B B4 24 B0 01 00 00 57 56 50 51 52 E8 ?? ?? ?? ?? 8B 84 24 C0 01 00 00 8B 94 24 B4 01 00 00 8D 3C 36 56 50 8D 4C 24 20 57 51 52 E8 ?? ?? ?? ?? 8D 44 24 2C 57 50 E8 ?? ?? ?? ?? 83 C4 2C 33 C0 5F 5E 81 C4 98 01 00 00 C3 } 933 | condition: 934 | $c0 935 | } 936 | 937 | rule BigDig_mpModulo 938 | { meta: 939 | author = "Maxx" 940 | description = "BigDig mpModulo" 941 | strings: 942 | $c0 = { 8B 44 24 10 81 EC 30 03 00 00 8B 8C 24 38 03 00 00 8D 54 24 00 56 8B B4 24 40 03 00 00 57 8B BC 24 4C 03 00 00 57 50 56 51 8D 84 24 B0 01 00 00 52 50 E8 ?? ?? ?? ?? 8B 94 24 54 03 00 00 8D 4C 24 20 57 51 52 E8 ?? ?? ?? ?? 8D 44 24 2C 56 50 E8 ?? ?? ?? ?? 8D 8C 24 CC 01 00 00 56 51 E8 ?? ?? ?? ?? 83 C4 34 33 C0 5F 5E 81 C4 30 03 00 00 C3 } 943 | condition: 944 | $c0 945 | } 946 | 947 | rule BigDig_spModExpB 948 | { meta: 949 | author = "Maxx" 950 | description = "BigDig spModExpB" 951 | strings: 952 | $c0 = { 53 8B 5C 24 10 55 56 BE 00 00 00 80 85 F3 75 04 D1 EE 75 F8 8B 6C 24 14 8B C5 D1 EE 89 44 24 18 74 48 57 8B 7C 24 20 EB 04 8B 44 24 1C 57 50 50 8D 44 24 28 50 E8 ?? ?? ?? ?? 83 C4 10 85 F3 74 14 8B 4C 24 1C 57 55 8D 54 24 24 51 52 E8 ?? ?? ?? ?? 83 C4 10 D1 EE 75 D0 8B 44 24 14 8B 4C 24 1C 5F 5E 89 08 5D 33 C0 5B C3 8B 54 24 10 5E 5D 5B 89 02 33 C0 C3 } 953 | condition: 954 | $c0 955 | } 956 | 957 | rule BigDig_spModInv 958 | { meta: 959 | author = "Maxx" 960 | description = "BigDig spModInv" 961 | strings: 962 | $c0 = { 51 8B 4C 24 10 55 56 BD 01 00 00 00 33 F6 57 8B 7C 24 18 89 6C 24 0C 85 C9 74 42 53 8B C7 33 D2 F7 F1 8B C7 8B F9 8B DA 33 D2 F7 F1 8B CB 0F AF C6 03 C5 8B EE 8B F0 8B 44 24 10 F7 D8 85 DB 89 44 24 10 75 D7 85 C0 5B 7D 13 8B 44 24 1C 8B 4C 24 14 2B C5 5F 89 01 5E 33 C0 5D 59 C3 8B 54 24 14 5F 5E 33 C0 89 2A 5D 59 C3 } 963 | condition: 964 | $c0 965 | } 966 | 967 | rule BigDig_spModMult 968 | { meta: 969 | author = "Maxx" 970 | description = "BigDig spModMult" 971 | strings: 972 | $c0 = { 8B 44 24 0C 8B 4C 24 08 83 EC 08 8D 54 24 00 50 51 52 E8 ?? ?? ?? ?? 8B 44 24 24 6A 02 8D 4C 24 10 50 51 E8 ?? ?? ?? ?? 8B 54 24 24 89 02 33 C0 83 C4 20 C3 } 973 | condition: 974 | $c0 975 | } 976 | 977 | rule CryptoPP_ApplyFunction 978 | { meta: 979 | author = "Maxx" 980 | description = "CryptoPP ApplyFunction" 981 | strings: 982 | $c0 = { 51 8D 41 E4 56 8B 74 24 0C 83 C1 F0 50 51 8B 4C 24 18 C7 44 24 0C 00 00 00 00 51 56 E8 ?? ?? ?? ?? 83 C4 10 8B C6 5E 59 C2 08 00 } 983 | $c1 = { 51 53 56 8B F1 57 6A 00 C7 44 24 10 00 00 00 00 8B 46 04 8B 48 04 8B 5C 31 04 8D 7C 31 04 E8 ?? ?? ?? ?? 50 8B CF FF 53 10 8B 44 24 18 8D 56 08 83 C6 1C 52 56 8B 74 24 1C 50 56 E8 ?? ?? ?? ?? 83 C4 10 8B C6 5F 5E 5B 59 C2 08 00 } 984 | condition: 985 | any of them 986 | } 987 | 988 | rule CryptoPP_RsaFunction 989 | { meta: 990 | author = "Maxx" 991 | description = "CryptoPP RsaFunction" 992 | strings: 993 | $c0 = { 6A FF 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 81 EC 9C 00 00 00 8B 84 24 B0 00 00 00 53 55 56 33 ED 8B F1 57 3B C5 89 B4 24 A8 00 00 00 89 6C 24 10 BF 01 00 00 00 74 18 C7 06 ?? ?? ?? ?? C7 46 20 ?? ?? ?? ?? 89 7C 24 10 89 AC 24 B4 00 00 00 8D 4E 04 E8 ?? ?? ?? ?? 8D 4E 10 89 BC 24 B4 00 00 00 E8 ?? ?? ?? ?? 8B 06 BB ?? ?? ?? ?? BF ?? ?? ?? ?? 8B 48 04 C7 04 31 ?? ?? ?? ?? 8B 16 8B 42 04 8B 54 24 10 83 CA 02 8D 48 E0 89 54 24 10 89 4C 30 FC 89 5C 24 18 89 7C } 994 | $c1 = { 6A FF 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 08 8B 44 24 1C 53 8B 5C 24 1C 56 8B F1 57 33 C9 89 74 24 10 3B C1 89 4C 24 0C 74 7B C7 46 04 ?? ?? ?? ?? C7 46 3C ?? ?? ?? ?? C7 46 30 ?? ?? ?? ?? C7 46 34 ?? ?? ?? ?? 3B D9 75 06 89 4C 24 28 EB 0E 8B 43 04 8B 50 0C 8D 44 1A 04 89 44 24 28 8B 56 3C C7 44 24 0C 07 00 00 00 8B 42 04 C7 44 30 3C ?? ?? ?? ?? 8B 56 3C 8B 42 08 C7 44 30 3C ?? ?? ?? ?? 8B 56 3C C7 46 38 ?? ?? ?? ?? 8B 42 04 C7 44 30 3C } 995 | $c2 = { 6A FF 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 08 8B 44 24 18 56 8B F1 57 85 C0 89 74 24 0C C7 44 24 08 00 00 00 00 74 63 C7 46 04 ?? ?? ?? ?? C7 46 3C ?? ?? ?? ?? C7 46 30 ?? ?? ?? ?? C7 46 34 ?? ?? ?? ?? 8B 46 3C C7 44 24 08 07 00 00 00 8B 48 04 C7 44 31 3C ?? ?? ?? ?? 8B 56 3C 8B 42 08 C7 44 30 3C ?? ?? ?? ?? 8B 4E 3C C7 46 38 ?? ?? ?? ?? 8B 51 04 C7 44 32 3C ?? ?? ?? ?? 8B 46 3C 8B 48 08 C7 44 31 3C ?? ?? ?? ?? C7 06 ?? ?? ?? ?? 8D 7E 04 6A 00 8B CF } 996 | condition: 997 | any of them 998 | } 999 | 1000 | rule CryptoPP_Integer_constructor 1001 | { meta: 1002 | author = "Maxx" 1003 | description = "CryptoPP Integer constructor" 1004 | strings: 1005 | $c0 = { 8B 44 24 08 56 83 F8 08 8B F1 77 09 8B 14 85 ?? ?? ?? ?? EB 37 83 F8 10 77 07 BA 10 00 00 00 EB 2B 83 F8 20 77 07 BA 20 00 00 00 EB 1F 83 F8 40 77 07 BA 40 00 00 00 EB 13 48 50 E8 ?? ?? ?? ?? BA 01 00 00 00 8B C8 83 C4 04 D3 E2 8D 04 95 00 00 00 00 89 16 50 E8 ?? ?? ?? ?? 8B 4C 24 0C 89 46 04 C7 46 08 00 00 00 00 89 08 8B 0E 8B 46 04 83 C4 04 49 74 0F 57 8D 78 04 33 C0 F3 AB 8B C6 5F 5E C2 08 00 8B C6 5E C2 08 00 } 1006 | $c1 = { 6A FF 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 51 56 8B F1 89 74 24 04 C7 06 ?? ?? ?? ?? 6A 08 C7 44 24 14 00 00 00 00 C7 46 08 02 00 00 00 E8 ?? ?? ?? ?? 89 46 0C C7 46 10 00 00 00 00 C7 06 ?? ?? ?? ?? 8B 46 0C 83 C4 04 C7 40 04 00 00 00 00 8B 4E 0C 8B C6 5E C7 01 00 00 00 00 8B 4C 24 04 64 89 0D 00 00 00 00 83 C4 10 C3 } 1007 | $c2 = { 6A FF 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 51 56 8B F1 57 89 74 24 08 C7 06 ?? ?? ?? ?? 8B 7C 24 1C C7 44 24 14 00 00 00 00 8B CF E8 ?? ?? ?? ?? 83 F8 08 77 09 8B 14 85 ?? ?? ?? ?? EB 37 83 F8 10 77 07 BA 10 00 00 00 EB 2B 83 F8 20 77 07 BA 20 00 00 00 EB 1F 83 F8 40 77 07 BA 40 00 00 00 EB 13 48 50 E8 ?? ?? ?? ?? BA 01 00 00 00 8B C8 83 C4 04 D3 E2 85 D2 89 56 08 76 12 8D 04 95 00 00 00 00 50 E8 ?? ?? ?? ?? 83 C4 04 EB 02 33 C0 89 46 0C 8B 4F 10 89 4E 10 } 1008 | $c3 = { 56 57 8B 7C 24 0C 8B F1 8B CF E8 ?? ?? ?? ?? 83 F8 08 77 09 8B 14 85 ?? ?? ?? ?? EB 37 83 F8 10 77 07 BA 10 00 00 00 EB 2B 83 F8 20 77 07 BA 20 00 00 00 EB 1F 83 F8 40 77 07 BA 40 00 00 00 EB 13 48 50 E8 ?? ?? ?? ?? BA 01 00 00 00 8B C8 83 C4 04 D3 E2 8D 04 95 00 00 00 00 89 16 50 E8 ?? ?? ?? ?? 8B 16 89 46 04 8B 4F 08 83 C4 04 89 4E 08 8B 4F 04 85 D2 76 0D 2B C8 8B 3C 01 89 38 83 C0 04 4A 75 F5 8B C6 5F 5E C2 04 00 } 1009 | condition: 1010 | any of them 1011 | } 1012 | 1013 | rule RijnDael_AES 1014 | { meta: 1015 | author = "_pusher_" 1016 | description = "RijnDael AES" 1017 | date = "2016-06" 1018 | strings: 1019 | $c0 = { A5 63 63 C6 84 7C 7C F8 } 1020 | condition: 1021 | $c0 1022 | } 1023 | 1024 | rule RijnDael_AES_CHAR 1025 | { meta: 1026 | author = "_pusher_" 1027 | description = "RijnDael AES (check2) [char]" 1028 | date = "2016-06" 1029 | strings: 1030 | $c0 = { 63 7C 77 7B F2 6B 6F C5 30 01 67 2B FE D7 AB 76 CA 82 C9 7D FA 59 47 F0 AD D4 A2 AF 9C A4 72 C0 } 1031 | condition: 1032 | $c0 1033 | } 1034 | 1035 | rule RijnDael_AES_CHAR_inv 1036 | { meta: 1037 | author = "_pusher_" 1038 | description = "RijnDael AES S-inv [char]" 1039 | //needs improvement 1040 | date = "2016-07" 1041 | strings: 1042 | $c0 = { 48 38 47 00 88 17 33 D2 8A 56 0D 8A 92 48 38 47 00 88 57 01 33 D2 8A 56 0A 8A 92 48 38 47 00 88 57 02 33 D2 8A 56 07 8A 92 48 38 47 00 88 57 03 33 D2 8A 56 04 8A 92 } 1043 | condition: 1044 | $c0 1045 | } 1046 | 1047 | rule RijnDael_AES_LONG 1048 | { meta: 1049 | author = "_pusher_" 1050 | description = "RijnDael AES" 1051 | date = "2016-06" 1052 | strings: 1053 | $c0 = { 63 7C 77 7B F2 6B 6F C5 30 01 67 2B FE D7 AB 76 CA 82 C9 7D FA 59 47 F0 AD D4 A2 AF 9C A4 72 C0 } 1054 | condition: 1055 | $c0 1056 | } 1057 | 1058 | rule RsaRef2_NN_modExp 1059 | { meta: 1060 | author = "Maxx" 1061 | description = "RsaRef2 NN_modExp" 1062 | strings: 1063 | $c0 = { 81 EC 1C 02 00 00 53 55 56 8B B4 24 30 02 00 00 57 8B BC 24 44 02 00 00 57 8D 84 24 A4 00 00 00 56 50 E8 ?? ?? ?? ?? 8B 9C 24 4C 02 00 00 57 53 8D 8C 24 B4 00 00 00 56 8D 94 24 3C 01 00 00 51 52 E8 ?? ?? ?? ?? 57 53 8D 84 24 4C 01 00 00 56 8D 8C 24 D4 01 00 00 50 51 E8 ?? ?? ?? ?? 8D 54 24 50 57 52 E8 ?? ?? ?? ?? 8B 84 24 78 02 00 00 8B B4 24 74 02 00 00 50 56 C7 44 24 60 01 00 00 00 E8 ?? ?? ?? ?? 8D 48 FF 83 C4 44 8B E9 89 4C 24 18 85 ED 0F 8C AF 00 00 00 8D 34 AE 89 74 24 } 1064 | condition: 1065 | any of them 1066 | } 1067 | 1068 | rule RsaRef2_NN_modInv 1069 | { meta: 1070 | author = "Maxx" 1071 | description = "RsaRef2 NN_modInv" 1072 | strings: 1073 | $c0 = { 81 EC A4 04 00 00 53 56 8B B4 24 BC 04 00 00 57 8D 84 24 ?? 00 00 00 56 50 E8 ?? ?? ?? ?? 8D 8C 24 1C 01 00 00 BF 01 00 00 00 56 51 89 BC 24 A0 00 00 00 E8 ?? ?? ?? ?? 8B 94 24 C8 04 00 00 56 8D 84 24 AC 01 00 00 52 50 E8 ?? ?? ?? ?? 8B 9C 24 D8 04 00 00 56 8D 4C 24 2C 53 51 E8 ?? ?? ?? ?? 8D 54 24 34 56 52 E8 ?? ?? ?? ?? 83 C4 30 85 C0 0F 85 ED 00 00 00 8D 44 24 0C 56 50 8D 8C 24 A0 01 00 00 56 8D 94 24 AC 02 00 00 51 8D 84 24 34 03 00 00 52 50 E8 ?? ?? ?? ?? 8D 8C 24 2C 01 } 1074 | condition: 1075 | $c0 1076 | } 1077 | 1078 | rule RsaRef2_NN_modMult 1079 | { meta: 1080 | author = "Maxx" 1081 | description = "RsaRef2 NN_modMult" 1082 | strings: 1083 | $c0 = { 8B 44 24 0C 8B 4C 24 08 81 EC 08 01 00 00 8D 54 24 00 56 8B B4 24 20 01 00 00 56 50 51 52 E8 ?? ?? ?? ?? 8B 84 24 2C 01 00 00 56 8D 0C 36 50 8B 84 24 28 01 00 00 8D 54 24 1C 51 52 50 E8 ?? ?? ?? ?? 68 08 01 00 00 8D 4C 24 2C 6A 00 51 E8 ?? ?? ?? ?? 83 C4 30 5E 81 C4 08 01 00 00 C3 } 1084 | condition: 1085 | $c0 1086 | } 1087 | 1088 | rule RsaRef2_RsaPrivateDecrypt 1089 | { meta: 1090 | author = "Maxx" 1091 | description = "RsaRef2 RsaPrivateDecrypt" 1092 | strings: 1093 | $c0 = { 8B 44 24 14 81 EC 84 00 00 00 8B 8C 24 94 00 00 00 56 8B 30 83 C6 07 C1 EE 03 3B CE 76 0D B8 06 04 00 00 5E 81 C4 84 00 00 00 C3 50 8B 84 24 98 00 00 00 51 8D 4C 24 0C 50 8D 54 24 14 51 52 E8 ?? ?? ?? ?? 83 C4 14 85 C0 0F 85 8B 00 00 00 39 74 24 04 74 0D B8 06 04 00 00 5E 81 C4 84 00 00 00 C3 8A 44 24 08 84 C0 75 6B 8A 4C 24 09 B8 02 00 00 00 3A C8 75 5E 8D 4E FF 3B C8 76 0D 8A 54 04 08 84 D2 74 05 40 3B C1 72 F3 40 3B C6 73 45 8B 94 24 ?? 00 00 00 8B CE 2B C8 89 0A 8D 51 0B } 1094 | condition: 1095 | $c0 1096 | } 1097 | 1098 | rule RsaRef2_RsaPrivateEncrypt 1099 | { meta: 1100 | author = "Maxx" 1101 | description = "RsaRef2 RsaPrivateEncrypt" 1102 | strings: 1103 | $c0 = { 8B 44 24 14 8B 54 24 10 81 EC 80 00 00 00 8D 4A 0B 56 8B 30 83 C6 07 C1 EE 03 3B CE 76 0D B8 06 04 00 00 5E 81 C4 80 00 00 00 C3 8B CE B8 02 00 00 00 2B CA C6 44 24 04 00 49 C6 44 24 05 01 3B C8 76 23 53 55 8D 69 FE 57 8B CD 83 C8 FF 8B D9 8D 7C 24 12 C1 E9 02 F3 AB 8B CB 83 E1 03 F3 AA 8D 45 02 5F 5D 5B 52 8B 94 24 94 00 00 00 C6 44 04 08 00 8D 44 04 09 52 50 E8 ?? ?? ?? ?? 8B 8C 24 A4 00 00 00 8B 84 24 98 00 00 00 51 8B 8C 24 98 00 00 00 8D 54 24 14 56 52 50 51 E8 } 1104 | condition: 1105 | $c0 1106 | } 1107 | 1108 | rule RsaRef2_RsaPublicDecrypt 1109 | { meta: 1110 | author = "Maxx" 1111 | description = "RsaRef2 RsaPublicDecrypt" 1112 | strings: 1113 | $c0 = { 8B 44 24 14 81 EC 84 00 00 00 8B 8C 24 94 00 00 00 56 8B 30 83 C6 07 C1 EE 03 3B CE 76 0D B8 06 04 00 00 5E 81 C4 84 00 00 00 C3 50 8B 84 24 98 00 00 00 51 8D 4C 24 0C 50 8D 54 24 14 51 52 E8 ?? ?? ?? ?? 83 C4 14 85 C0 0F 85 8E 00 00 00 39 74 24 04 74 0D B8 06 04 00 00 5E 81 C4 84 00 00 00 C3 8A 44 24 08 84 C0 75 6E 80 7C 24 09 01 75 67 B8 02 00 00 00 8D 4E FF 3B C8 76 0D B2 FF 38 54 04 08 75 05 40 3B C1 72 F5 8A 4C 04 08 40 84 C9 75 45 8B 94 24 ?? 00 00 00 8B CE 2B C8 89 0A } 1114 | condition: 1115 | $c0 1116 | } 1117 | 1118 | rule RsaRef2_RsaPublicEncrypt 1119 | { meta: 1120 | author = "Maxx" 1121 | description = "RsaRef2 RsaPublicEncrypt" 1122 | strings: 1123 | $c0 = { 8B 44 24 14 81 EC 84 00 00 00 53 8B 9C 24 98 00 00 00 57 8B 38 83 C7 07 8D 4B 0B C1 EF 03 3B CF 76 0E 5F B8 06 04 00 00 5B 81 C4 84 00 00 00 C3 8B D7 55 2B D3 56 BE 02 00 00 00 C6 44 24 14 00 8D 6A FF C6 44 24 15 02 3B EE 76 28 8B 84 24 AC 00 00 00 8D 4C 24 13 50 6A 01 51 E8 ?? ?? ?? ?? 8A 44 24 1F 83 C4 0C 84 C0 74 E1 88 44 34 14 46 3B F5 72 D8 8B 94 24 A0 00 00 00 53 8D 44 34 19 52 50 C6 44 34 20 00 E8 ?? ?? ?? ?? 8B 8C 24 B4 00 00 00 8B 84 24 A8 00 00 00 51 8B 8C 24 A8 00 } 1124 | condition: 1125 | $c0 1126 | } 1127 | 1128 | rule RsaEuro_NN_modInv 1129 | { meta: 1130 | author = "Maxx" 1131 | description = "RsaEuro NN_modInv" 1132 | strings: 1133 | $c0 = { 81 EC A4 04 00 00 53 56 8B B4 24 BC 04 00 00 57 8D 44 24 0C 56 50 E8 ?? ?? ?? ?? 8D 8C 24 1C 01 00 00 BF 01 00 00 00 56 51 89 7C 24 1C E8 ?? ?? ?? ?? 8B 94 24 C8 04 00 00 56 8D 84 24 AC 01 00 00 52 50 E8 ?? ?? ?? ?? 8B 9C 24 D8 04 00 00 56 8D 8C 24 B0 00 00 00 53 51 E8 ?? ?? ?? ?? 8D 94 24 B8 00 00 00 56 52 E8 ?? ?? ?? ?? 83 C4 30 85 C0 0F 85 F8 00 00 00 8D 84 24 ?? 00 00 00 56 50 8D 8C 24 A0 01 00 00 56 8D 94 24 AC 02 00 00 51 8D 84 24 34 03 00 00 52 50 E8 ?? ?? ?? ?? 8D 8C } 1134 | condition: 1135 | $c0 1136 | } 1137 | 1138 | rule RsaEuro_NN_modMult 1139 | { meta: 1140 | author = "Maxx" 1141 | description = "RsaEuro NN_modMult" 1142 | strings: 1143 | $c0 = { 8B 44 24 0C 8B 4C 24 08 81 EC 08 01 00 00 8D 54 24 00 56 8B B4 24 20 01 00 00 56 50 51 52 E8 ?? ?? ?? ?? 8B 84 24 2C 01 00 00 56 8D 0C 36 50 8B 84 24 28 01 00 00 8D 54 24 1C 51 52 50 E8 ?? ?? ?? ?? 83 C4 24 5E 81 C4 08 01 00 00 C3 } 1144 | condition: 1145 | $c0 1146 | } 1147 | 1148 | rule Miracl_Big_constructor 1149 | { meta: 1150 | author = "Maxx" 1151 | description = "Miracl Big constructor" 1152 | strings: 1153 | $c0 = { 56 8B F1 6A 00 E8 ?? ?? ?? ?? 83 C4 04 89 06 8B C6 5E C3 } 1154 | condition: 1155 | $c0 1156 | } 1157 | 1158 | rule Miracl_mirvar 1159 | { meta: 1160 | author = "Maxx" 1161 | description = "Miracl mirvar" 1162 | strings: 1163 | $c0 = { 56 E8 ?? ?? ?? ?? 8B 88 18 02 00 00 85 C9 74 04 33 C0 5E C3 8B 88 8C 00 00 00 85 C9 75 0E 6A 12 E8 ?? ?? ?? ?? 83 C4 04 33 C0 5E C3 8B 80 38 02 00 00 6A 01 50 E8 ?? ?? ?? ?? 8B F0 83 C4 08 85 F6 75 02 5E C3 8D 46 04 8B C8 8B D0 83 E1 03 2B D1 83 C2 08 89 10 8B 44 24 08 85 C0 74 0A 56 50 E8 ?? ?? ?? ?? 83 C4 08 8B C6 5E C3 } 1164 | $c1 = { 56 57 E8 ?? ?? ?? ?? 8B F0 8B 86 2C 02 00 00 85 C0 74 05 5F 33 C0 5E C3 8B 56 1C 42 8B C2 89 56 1C 83 F8 18 7D 17 C7 44 86 20 17 00 00 00 8B 86 40 02 00 00 85 C0 74 05 E8 ?? ?? ?? ?? 8B 86 8C 00 00 00 85 C0 75 16 6A 12 E8 ?? ?? ?? ?? 8B 46 1C 83 C4 04 48 89 46 1C 5F 33 C0 5E C3 8B 46 18 6A 01 8D 0C 85 0C 00 00 00 51 E8 ?? ?? ?? ?? 8B F8 83 C4 08 85 FF 75 0C 8B 46 1C 5F 48 89 46 1C 33 C0 5E C3 8D 47 04 8B D0 8B C8 83 E2 03 2B CA 83 C1 08 89 08 8B 44 24 0C 85 C0 74 0A 57 50 E8 } 1165 | $c2 = { 56 57 E8 ?? ?? ?? ?? 8B F0 8B 86 18 02 00 00 85 C0 74 05 5F 33 C0 5E C3 8B 56 1C 42 8B C2 89 56 1C 83 F8 18 7D 17 C7 44 86 20 17 00 00 00 8B 86 2C 02 00 00 85 C0 74 05 E8 ?? ?? ?? ?? 8B 86 8C 00 00 00 85 C0 75 16 6A 12 E8 ?? ?? ?? ?? 8B 46 1C 83 C4 04 48 89 46 1C 5F 33 C0 5E C3 8B 86 A4 02 00 00 6A 01 50 E8 ?? ?? ?? ?? 8B F8 83 C4 08 85 FF 75 0C 8B 46 1C 5F 48 89 46 1C 33 C0 5E C3 8D 47 04 8B C8 8B D0 83 E1 03 2B D1 83 C2 08 89 10 8B 44 24 0C 85 C0 74 0A 57 50 E8 } 1166 | condition: 1167 | any of them 1168 | } 1169 | 1170 | rule Miracl_mirsys_init 1171 | { meta: 1172 | author = "Maxx" 1173 | description = "Miracl mirsys init" 1174 | strings: 1175 | $c0 = { 53 55 57 E8 ?? ?? ?? ?? A3 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 DB A3 ?? ?? ?? ?? 3B C3 75 06 5F 5D 33 C0 5B C3 89 58 1C A1 ?? ?? ?? ?? BD 01 00 00 00 89 58 20 A1 ?? ?? ?? ?? 8B 50 1C 42 89 50 1C A1 ?? ?? ?? ?? 8B 48 1C C7 44 88 20 1D 00 00 00 8B 15 ?? ?? ?? ?? 89 9A 14 02 00 00 A1 ?? ?? ?? ?? 89 98 70 01 00 00 8B 0D ?? ?? ?? ?? 89 99 78 01 00 00 8B 15 ?? ?? ?? ?? 89 9A 98 01 00 00 A1 ?? ?? ?? ?? 89 58 14 8B 44 24 14 3B C5 0F 84 6C 05 00 00 3D 00 00 00 80 0F 87 61 05 00 00 50 E8 } 1176 | condition: 1177 | $c0 1178 | } 1179 | 1180 | /* //gives many false positives sorry Storm Shadow 1181 | rule x509_public_key_infrastructure_cert 1182 | { meta: 1183 | desc = "X.509 PKI Certificate" 1184 | ext = "crt" 1185 | strings: 1186 | $c0 = { 30 82 ?? ?? 30 82 ?? ?? } 1187 | condition: 1188 | $c0 1189 | } 1190 | 1191 | rule pkcs8_private_key_information_syntax_standard 1192 | { meta: 1193 | desc = "Found PKCS #8: Private-Key" 1194 | ext = "key" 1195 | strings: 1196 | $c0 = { 30 82 ?? ?? 02 01 00 } 1197 | condition: 1198 | $c0 1199 | } 1200 | */ 1201 | 1202 | rule BASE64_table { 1203 | meta: 1204 | author = "_pusher_" 1205 | description = "Look for Base64 table" 1206 | date = "2015-07" 1207 | version = "0.1" 1208 | strings: 1209 | $c0 = { 41 42 43 44 45 46 47 48 49 4A 4B 4C 4D 4E 4F 50 51 52 53 54 55 56 57 58 59 5A 61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70 71 72 73 74 75 76 77 78 79 7A 30 31 32 33 34 35 36 37 38 39 2B 2F } 1210 | condition: 1211 | $c0 1212 | } 1213 | 1214 | rule Delphi_Random { 1215 | meta: 1216 | author = "_pusher_" 1217 | description = "Look for Random function" 1218 | date = "2015-08" 1219 | version = "0.1" 1220 | strings: 1221 | $c0 = { 53 31 DB 69 93 ?? ?? ?? ?? 05 84 08 08 42 89 93 ?? ?? ?? ?? F7 E2 89 D0 5B C3 } 1222 | //x64 rad 1223 | $c1 = { 8B 05 ?? ?? ?? ?? 69 C0 05 84 08 08 83 C0 01 89 05 ?? ?? ?? ?? 8B C9 8B C0 48 0F AF C8 48 C1 E9 20 89 C8 C3 } 1224 | condition: 1225 | any of them 1226 | } 1227 | 1228 | rule Delphi_RandomRange { 1229 | meta: 1230 | author = "_pusher_" 1231 | description = "Look for RandomRange function" 1232 | date = "2016-06" 1233 | version = "0.1" 1234 | strings: 1235 | $c0 = { 56 8B F2 8B D8 3B F3 7D 0E 8B C3 2B C6 E8 ?? ?? ?? ?? 03 C6 5E 5B C3 8B C6 2B C3 E8 ?? ?? ?? ?? 03 C3 5E 5B C3 } 1236 | condition: 1237 | $c0 1238 | } 1239 | 1240 | rule Delphi_FormShow { 1241 | meta: 1242 | author = "_pusher_" 1243 | description = "Look for Form.Show function" 1244 | date = "2016-06" 1245 | version = "0.1" 1246 | strings: 1247 | $c0 = { 53 8B D8 B2 01 8B C3 E8 ?? ?? ?? ?? 8B C3 E8 ?? ?? ?? ?? 5B C3 } 1248 | //x64 rad 1249 | $c1 = { 53 48 83 EC 20 48 89 CB 48 89 D9 B2 01 E8 ?? ?? ?? ?? 48 89 D9 E8 ?? ?? ?? ?? 48 83 C4 20 5B C3 } 1250 | condition: 1251 | any of them 1252 | } 1253 | 1254 | rule Delphi_CompareCall { 1255 | meta: 1256 | author = "_pusher_" 1257 | description = "Look for Compare string function" 1258 | date = "2016-07" 1259 | strings: 1260 | $c0 = { 53 56 57 89 C6 89 D7 39 D0 0F 84 8F 00 00 00 85 F6 74 68 85 FF 74 6B 8B 46 FC 8B 57 FC 29 D0 77 02 01 C2 52 C1 EA 02 74 26 8B 0E 8B 1F 39 D9 75 58 4A 74 15 8B 4E 04 8B 5F 04 39 D9 75 4B 83 C6 08 83 C7 08 4A 75 E2 EB 06 83 C6 04 83 C7 04 5A 83 E2 03 74 22 8B 0E 8B 1F 38 D9 75 41 4A 74 17 38 FD 75 3A 4A 74 10 81 E3 00 00 FF 00 81 E1 00 00 FF 00 39 D9 75 27 01 C0 EB 23 8B 57 FC 29 D0 EB 1C 8B 46 FC 29 D0 EB 15 5A 38 D9 75 10 38 FD 75 0C C1 E9 10 C1 EB 10 38 D9 75 02 38 FD 5F 5E 5B C3 } 1261 | //newer delphi 1262 | $c1 = { 39 D0 74 30 85 D0 74 22 8B 48 FC 3B 4A FC 75 24 01 C9 01 C8 01 CA F7 D9 53 8B 1C 01 3B 1C 11 75 07 83 C1 04 78 F3 31 C0 5B C3 } 1263 | $c3 = { 39 D0 74 37 85 D0 74 38 80 78 F6 01 75 42 80 7A F6 01 75 3D 8B 48 FC 3B 4A FC 75 1F 53 8D 54 11 FC 8D 5C 01 FC F7 D9 8B 03 3B 02 75 0D 83 C1 04 79 0A 8B 04 19 3B 04 11 74 F3 5B C3 } 1264 | //x64 1265 | $c2 = { 41 56 41 55 57 56 53 48 83 EC 20 48 89 D3 48 3B CB 75 05 48 33 C0 EB 74 48 85 C9 75 07 8B 43 FC F7 D8 EB 68 48 85 DB 75 05 8B 41 FC EB 5E 8B 79 FC 44 8B 6B FC 89 FE 41 3B F5 7E 03 44 89 EE E8 ?? ?? ?? ?? 49 89 C6 48 89 D9 E8 ?? ?? ?? ?? 48 89 C1 85 F6 7E 30 41 0F B7 06 0F B7 11 2B C2 85 C0 75 29 83 FE 01 74 1E 41 0F B7 46 02 0F B7 51 02 2B C2 85 C0 75 15 49 83 C6 04 48 83 C1 04 83 EE 02 85 F6 7F D0 90 8B C7 41 2B C5 48 83 C4 20 5B 5E 5F 41 5D 41 5E C3 } 1266 | condition: 1267 | any of them 1268 | } 1269 | 1270 | rule Delphi_Copy { 1271 | meta: 1272 | author = "_pusher_" 1273 | description = "Look for Copy function" 1274 | date = "2016-06" 1275 | version = "0.1" 1276 | strings: 1277 | $c0 = { 53 85 C0 74 2D 8B 58 FC 85 DB 74 26 4A 7C 1B 39 DA 7D 1F 29 D3 85 C9 7C 19 39 D9 7F 11 01 C2 8B 44 24 08 E8 ?? ?? ?? ?? EB 11 31 D2 EB E5 89 D9 EB EB 8B 44 24 08 E8 ?? ?? ?? ?? 5B C2 04 00 } 1278 | //x64 rad 1279 | $c1 = { 53 48 83 EC 20 48 89 CB 44 89 C0 48 33 C9 48 85 D2 74 03 8B 4A FC 83 F8 01 7D 05 48 33 C0 EB 09 83 E8 01 3B C1 7E 02 89 C8 45 85 C9 7D 05 48 33 C9 EB 0A 2B C8 41 3B C9 7E 03 44 89 C9 49 89 D8 48 63 C0 48 8D 14 42 89 C8 4C 89 C1 41 89 C0 E8 ?? ?? ?? ?? 48 89 D8 48 83 C4 20 5B C3 } 1280 | condition: 1281 | any of them 1282 | } 1283 | 1284 | rule Delphi_IntToStr { 1285 | meta: 1286 | author = "_pusher_" 1287 | description = "Look for IntToStr function" 1288 | date = "2016-04" 1289 | version = "0.1" 1290 | strings: 1291 | $c0 = { 55 8B EC 81 C4 00 FF FF FF 53 56 8B F2 8B D8 FF 75 0C FF 75 08 8D 85 00 FF FF FF E8 ?? ?? ?? ?? 8D 95 00 FF FF FF 8B C6 E8 ?? ?? ?? ?? EB 0E 8B 0E 8B C6 BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 06 E8 ?? ?? ?? ?? 33 D2 8A D3 3B C2 72 E3 5E 5B 8B E5 5D C2 08 00 } 1292 | //x64 rad 1293 | $c1 = { 53 48 83 EC 20 48 89 CB 48 85 D2 7D 10 48 89 D9 48 F7 DA 41 B0 01 E8 ?? ?? ?? ?? EB 0B 48 89 D9 4D 33 C0 E8 ?? ?? ?? ?? 48 89 D8 48 83 C4 20 5B C3 } 1294 | condition: 1295 | any of them 1296 | } 1297 | 1298 | 1299 | rule Delphi_StrToInt { 1300 | meta: 1301 | author = "_pusher_" 1302 | description = "Look for StrToInt function" 1303 | date = "2016-06" 1304 | version = "0.1" 1305 | strings: 1306 | $c0 = { 53 56 83 C4 F4 8B D8 8B D4 8B C3 E8 ?? ?? ?? ?? 8B F0 83 3C 24 00 74 19 89 5C 24 04 C6 44 24 08 0B 8D 54 24 04 A1 ?? ?? ?? ?? 33 C9 E8 ?? ?? ?? ?? 8B C6 83 C4 0C 5E 5B C3 } 1307 | //x64 rad 1308 | $c1 = { 55 56 53 48 83 EC 40 48 8B EC 48 89 CB 48 89 D9 48 8D 55 3C E8 ?? ?? ?? ?? 89 C6 83 7D 3C 00 74 1B 48 89 5D 20 C6 45 28 11 48 8B 0D ?? ?? ?? ?? 48 8D 55 20 4D 33 C0 E8 ?? ?? ?? ?? 89 F0 48 8D 65 40 5B 5E 5D C3 } 1309 | condition: 1310 | any of them 1311 | } 1312 | 1313 | rule Delphi_DecodeDate { 1314 | meta: 1315 | author = "_pusher_" 1316 | description = "Look for DecodeDate (DecodeDateFully) function" 1317 | date = "2016-06" 1318 | version = "0.1" 1319 | strings: 1320 | $c0 = { 55 8B EC 83 C4 E8 53 56 89 4D F4 89 55 F8 89 45 FC 8B 5D 08 FF 75 10 FF 75 0C 8D 45 E8 E8 ?? ?? ?? ?? 8B 4D EC 85 C9 7F 24 8B 45 FC 66 C7 00 00 00 8B 45 F8 66 C7 00 00 00 8B 45 F4 66 C7 00 00 00 66 C7 03 00 00 33 D2 E9 F2 00 00 00 8B C1 BE 07 00 00 00 99 F7 FE 42 66 89 13 49 66 BB 01 00 81 F9 B1 3A 02 00 7C 13 81 E9 B1 3A 02 00 66 81 C3 90 01 81 F9 B1 3A 02 00 7D ED 8D 45 F2 50 8D 45 F0 66 BA AC 8E 91 E8 ?? ?? ?? ?? 66 83 7D F0 04 75 0A 66 FF 4D F0 66 81 45 F2 AC 8E 66 6B 45 F0 64 66 03 D8 8D 45 F2 50 8D 4D F0 0F B7 45 F2 66 BA B5 05 E8 ?? ?? ?? ?? 66 8B 45 F0 C1 E0 02 66 03 D8 8D 45 F2 50 8D 4D F0 0F B7 45 F2 66 BA 6D 01 E8 ?? ?? ?? ?? 66 83 7D F0 04 75 0A 66 FF 4D F0 66 81 45 F2 6D 01 66 03 5D F0 8B C3 E8 ?? ?? ?? ?? 8B D0 33 C0 8A C2 8D 04 40 8D 34 C5 ?? ?? ?? ?? 66 B8 01 00 0F B7 C8 66 8B 4C 4E FE 66 89 4D F0 66 8B 4D F2 66 3B 4D F0 72 0B 66 8B 4D F0 66 29 4D F2 40 EB DF 8B 4D FC 66 89 19 8B 4D F8 66 89 01 66 8B 45 F2 40 8B 4D F4 66 89 01 8B C2 5E 5B 8B E5 5D C2 0C 00 } 1321 | //x64 1322 | $c1 = { 55 41 55 57 56 53 48 83 EC 30 48 8B EC 48 89 D3 4C 89 C6 4C 89 CF E8 ?? ?? ?? ?? 48 8B C8 48 C1 E9 20 85 C9 7F 23 66 C7 03 00 00 66 C7 06 00 00 66 C7 07 00 00 48 8B 85 80 00 00 00 66 C7 00 00 00 48 33 C0 E9 19 01 00 00 4C 8B 85 80 00 00 00 41 C7 C1 07 00 00 00 8B C1 99 41 F7 F9 66 83 C2 01 66 41 89 10 83 E9 01 66 41 BD 01 00 81 F9 B1 3A 02 00 7C 14 81 E9 B1 3A 02 00 66 41 81 C5 90 01 81 F9 B1 3A 02 00 7D EC 90 66 BA AC 8E 4C 8D 45 2C 4C 8D 4D 2E E8 ?? ?? ?? ?? 66 83 7D 2C 04 75 0B 66 83 6D 2C 01 66 81 45 2E AC 8E 66 6B 45 2C 64 66 44 03 E8 0F B7 4D 2E 66 BA B5 05 4C 8D 45 2C 4C 8D 4D 2E E8 ?? ?? ?? ?? 48 0F B7 45 2C 03 C0 03 C0 66 44 03 E8 0F B7 4D 2E 66 BA 6D 01 4C 8D 45 2C 4C 8D 4D 2E E8 ?? ?? ?? ?? 66 83 7D 2C 04 75 0B 66 83 6D 2C 01 66 81 45 2E 6D 01 66 44 03 6D 2C 44 89 E9 E8 ?? ?? ?? ?? 48 8D 0D ?? ?? ?? ?? 48 0F B6 D0 48 8D 14 52 48 8D 14 D1 66 B9 01 00 4C 0F B7 C1 4E 0F B7 44 42 FE 66 44 89 45 2C 4C 0F B7 45 2E 66 44 3B 45 2C 72 10 4C 0F B7 45 2C 66 44 29 45 2E 66 } 1323 | condition: 1324 | any of them 1325 | } 1326 | 1327 | 1328 | rule Unknown_Random { 1329 | meta: 1330 | author = "_pusher_" 1331 | description = "Look for Random function" 1332 | date = "2016-07" 1333 | strings: 1334 | $c0 = { 55 8B EC 52 8B 45 08 69 15 ?? ?? ?? ?? 05 84 08 08 42 89 15 ?? ?? ?? ?? F7 E2 8B C2 5A C9 C2 04 00 } 1335 | condition: 1336 | $c0 1337 | } 1338 | 1339 | rule VC_Random { 1340 | meta: 1341 | author = "_pusher_" 1342 | description = "Look for VC Random function" 1343 | date = "2016-10" 1344 | version = "0.2" 1345 | strings: 1346 | $c0 = { E8 ?? ?? ?? ?? 8B 48 14 69 C9 FD 43 03 00 81 C1 C3 9E 26 00 89 48 14 8B C1 C1 E8 10 25 FF 7F 00 00 C3 } 1347 | $c1 = { E8 ?? ?? ?? ?? 69 48 14 FD 43 03 00 81 C1 C3 9E 26 00 89 48 14 C1 E9 10 81 E1 FF 7F 00 00 8B C1 C3 } 1348 | $c2 = { A1 ?? ?? ?? ?? 69 C0 FD 43 03 00 05 C3 9E 26 00 A3 ?? ?? ?? ?? C1 F8 10 25 FF 7F 00 00 C3 } 1349 | condition: 1350 | any of ($c*) 1351 | } 1352 | 1353 | rule DCP_RIJNDAEL_Init { 1354 | meta: 1355 | author = "_pusher_" 1356 | description = "Look for DCP RijnDael Init" 1357 | date = "2016-07" 1358 | strings: 1359 | $c0 = { 55 8B EC 51 53 56 57 89 4D FC 8B FA 8B D8 8B 75 08 56 8B D7 8B 4D FC 8B C3 E8 ?? ?? ?? ?? 8B D7 8B 4D FC 8B C3 8B 38 FF 57 ?? 85 F6 75 25 8D 43 38 33 C9 BA 10 00 00 00 E8 ?? ?? ?? ?? 8D 4B 38 8D 53 38 8B C3 8B 30 FF 56 ?? 8B C3 8B 10 FF 52 ?? EB 16 8D 53 38 8B C6 B9 10 00 00 00 E8 ?? ?? ?? ?? 8B C3 8B 10 FF 52 ?? 5F 5E 5B 59 5D C2 04 00 } 1360 | condition: 1361 | $c0 1362 | } 1363 | 1364 | rule DCP_RIJNDAEL_EncryptECB { 1365 | meta: 1366 | author = "_pusher_" 1367 | description = "Look for DCP RijnDael EncryptECB" 1368 | date = "2016-07" 1369 | strings: 1370 | $c0 = { 53 56 57 55 83 C4 B4 89 0C 24 8D 74 24 08 8D 7C 24 28 80 78 30 00 75 16 B9 ?? ?? ?? ?? B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 0A 89 0F 8B CA 83 C1 04 8B 09 8D 5F 04 89 0B 8B CA 83 C1 08 8B 09 8D 5F 08 89 0B 83 C2 0C 8B 12 8D 4F 0C 89 11 8B 50 58 83 EA 02 85 D2 0F 82 3B 01 00 00 42 89 54 24 04 33 D2 8B 0F 8B DA C1 E3 02 33 4C D8 5C 89 0E 8D 4F 04 8B 09 33 4C D8 60 8D 6E 04 89 4D 00 8D 4F 08 8B 09 33 4C D8 64 8D 6E 08 89 4D 00 8D 4F 0C 8B 09 33 4C D8 68 8D 5E 0C 89 0B 33 C9 8A 0E 8D 0C 8D } 1371 | condition: 1372 | $c0 1373 | } 1374 | 1375 | rule DCP_BLOWFISH_Init { 1376 | meta: 1377 | author = "_pusher_" 1378 | description = "Look for DCP Blowfish Init" 1379 | date = "2016-07" 1380 | strings: 1381 | $c0 = { 53 56 57 55 8B F2 8B F8 8B CF B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B D8 8B C3 8B 10 FF 52 34 8B C6 E8 ?? ?? ?? ?? 50 8B C6 E8 ?? ?? ?? ?? 8B D0 8B C3 59 8B 30 FF 56 3C 8B 43 3C 85 C0 79 03 83 C0 07 C1 F8 03 E8 ?? ?? ?? ?? 8B F0 8B D6 8B C3 8B 08 FF 51 40 8B 47 40 8B 6B 3C 3B C5 7D 0F 6A 00 8B C8 8B D6 8B C7 8B 38 FF 57 30 EB 0D 6A 00 8B D6 8B CD 8B C7 8B 38 FF 57 30 8B 53 3C 85 D2 79 03 83 C2 07 C1 FA 03 8B C6 B9 FF 00 00 00 E8 ?? ?? ?? ?? 8B 53 3C 85 D2 79 03 83 C2 07 C1 FA 03 8B C6 E8 ?? ?? ?? ?? 8B C3 E8 ?? ?? ?? ?? 5D 5F 5E 5B C3 } 1382 | condition: 1383 | $c0 1384 | } 1385 | 1386 | 1387 | rule DCP_BLOWFISH_EncryptCBC { 1388 | meta: 1389 | author = "_pusher_" 1390 | description = "Look for DCP Blowfish EncryptCBC" 1391 | date = "2016-07" 1392 | strings: 1393 | $c0 = { 55 8B EC 83 C4 F0 53 56 57 89 4D F8 89 55 FC 8B D8 80 7B 34 00 75 16 B9 ?? ?? ?? ?? B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 7D 08 85 FF 79 03 83 C7 07 C1 FF 03 85 FF 7E 56 BE 01 00 00 00 6A 08 8B 45 FC 8B D6 4A C1 E2 03 03 C2 8D 4D F0 8D 53 54 E8 ?? ?? ?? ?? 8D 4D F0 8D 55 F0 8B C3 E8 ?? ?? ?? ?? 8B 55 F8 8B C6 48 C1 E0 03 03 D0 8D 45 F0 B9 08 00 00 00 E8 ?? ?? ?? ?? 8D 53 54 8D 45 F0 B9 08 00 00 00 E8 ?? ?? ?? ?? 46 4F 75 AF 8B 75 08 81 E6 07 00 00 80 79 05 4E 83 CE F8 46 85 F6 74 26 8D 4D F0 8D 53 54 8B C3 E8 ?? ?? ?? ?? 56 8B 4D F8 03 4D 08 2B CE 8B 55 FC 03 55 08 2B D6 8D 45 F0 E8 ?? ?? ?? ?? 8D 45 F0 B9 FF 00 00 00 BA 08 00 00 00 E8 ?? ?? ?? ?? 5F 5E 5B 8B E5 5D C2 04 00 } 1394 | condition: 1395 | $c0 1396 | } 1397 | 1398 | rule DCP_DES_Init { 1399 | meta: 1400 | author = "_pusher_" 1401 | description = "Look for DCP Des Init" 1402 | date = "2016-02" 1403 | strings: 1404 | $c0 = { 55 8B EC 51 53 56 57 89 4D FC 8B FA 8B D8 8B 75 08 56 8B D7 8B 4D FC 8B C3 E8 FE F9 FF FF 8B D7 8B 4D FC 8B C3 8B 38 FF 57 5C 85 F6 75 25 8D 43 38 33 C9 BA 08 00 00 00 E8 F3 A9 FA FF 8D 4B 38 8D 53 38 8B C3 8B 30 FF 56 6C 8B C3 8B 10 FF 52 48 EB 16 8D 53 38 8B C6 B9 08 00 00 00 E8 6E A7 FA FF 8B C3 8B 10 FF 52 48 5F 5E 5B 59 5D C2 04 00 } 1405 | $c1 = { 55 8B EC 51 53 56 57 89 4D FC 8B FA 8B D8 8B 75 08 56 8B D7 8B 4D FC 8B C3 E8 EE D4 FF FF 8B D7 8B 4D FC 8B C3 8B 38 FF 57 74 85 F6 75 2B 8D 43 40 B9 FF 00 00 00 BA 08 00 00 00 E8 ?? ?? ?? ?? 8D 4B 40 8D 53 40 8B C3 8B 30 FF 96 84 00 00 00 8B C3 8B 10 FF 52 58 EB 16 8D 53 40 8B C6 B9 08 00 00 00 E8 ?? ?? ?? ?? 8B C3 8B 10 FF 52 58 5F 5E 5B 59 5D C2 04 00 } 1406 | condition: 1407 | any of them 1408 | } 1409 | 1410 | 1411 | rule DCP_DES_EncryptECB { 1412 | meta: 1413 | author = "_pusher_" 1414 | description = "Look for DCP Des EncryptECB" 1415 | date = "2016-02" 1416 | strings: 1417 | $c0 = { 53 80 78 ?? 00 75 16 B9 ?? ?? ?? 00 B2 01 A1 ?? ?? ?? 00 E8 ?? ?? ?? FF E8 ?? ?? ?? FF 8D 58 ?? 53 E8 ?? ?? FF FF 5B C3 } 1418 | condition: 1419 | any of them 1420 | } 1421 | -------------------------------------------------------------------------------- /packer_compiler_signatures.yara: -------------------------------------------------------------------------------- 1 | import "pe" 2 | import "math" 3 | 4 | rule IsPE32 : PECheck 5 | { 6 | condition: 7 | // MZ signature at offset 0 and ... 8 | uint16(0) == 0x5A4D and 9 | // ... PE signature at offset stored in MZ header at 0x3C 10 | uint16(uint32(0x3C)+0x18) == 0x010B 11 | } 12 | 13 | rule IsELF32 : ELFCheck 14 | { 15 | condition: 16 | // ELF signature at offset 0 and ... 17 | uint32(0) == 0x464C457F and 18 | uint8(0x4) == 0x01 19 | } 20 | 21 | rule IsPE64 : PECheck 22 | { 23 | condition: 24 | // MZ signature at offset 0 and ... 25 | uint16(0) == 0x5A4D and 26 | // ... PE signature at offset stored in MZ header at 0x3C 27 | uint16(uint32(0x3C)+0x18) == 0x020B 28 | } 29 | 30 | rule IsELF64 : ELFCheck 31 | { 32 | condition: 33 | // ELF signature at offset 0 and ... 34 | uint32(0) == 0x464C457F and 35 | uint8(0x4) == 0x02 36 | } 37 | 38 | rule IsNET_EXE : PECheck 39 | { 40 | condition: 41 | pe.imports ("mscoree.dll","_CorExeMain") 42 | } 43 | 44 | rule IsNET_DLL : PECheck 45 | { 46 | condition: 47 | pe.imports ("mscoree.dll","_CorDllMain") 48 | } 49 | 50 | rule IsDLL : PECheck 51 | { 52 | condition: 53 | // MZ signature at offset 0 and ... 54 | uint16(0) == 0x5A4D and 55 | // ... PE signature at offset stored in MZ header at 0x3C 56 | (uint16(uint32(0x3C)+0x16) & 0x2000) == 0x2000 57 | 58 | } 59 | 60 | rule IsConsole : PECheck 61 | { 62 | condition: 63 | // MZ signature at offset 0 and ... 64 | uint16(0) == 0x5A4D and 65 | // ... PE signature at offset stored in MZ header at 0x3C 66 | uint16(uint32(0x3C)+0x5C) == 0x0003 67 | } 68 | 69 | rule IsWindowsGUI : PECheck 70 | { 71 | condition: 72 | // MZ signature at offset 0 and ... 73 | uint16(0) == 0x5A4D and 74 | // ... PE signature at offset stored in MZ header at 0x3C 75 | uint16(uint32(0x3C)+0x5C) == 0x0002 76 | } 77 | 78 | rule IsPacked : PE ELF Check 79 | { 80 | meta: 81 | author="_pusher_" 82 | description = "PE & ELF Entropy Check" 83 | date = "2017.05" 84 | version = "2.0" 85 | condition: 86 | // MZ signature at offset 0 and ... 87 | ((IsPE32 or IsPE64) or (IsELF32 or IsELF64)) and 88 | math.entropy(0, filesize-pe.overlay.size) >= 7.0 89 | } 90 | 91 | rule IsNotPacked : PE ELF Check 92 | { 93 | meta: 94 | author="_pusher_" 95 | description = "PE & ELF Entropy Check" 96 | date = "2017.05" 97 | version = "1.0" 98 | condition: 99 | // MZ signature at offset 0 and ... 100 | ((IsPE32 or IsPE64) or (IsELF32 or IsELF64)) and 101 | math.entropy(0, filesize-pe.overlay.size) < 7.0 102 | } 103 | 104 | rule IsResourceLess : PECheck 105 | { 106 | meta: 107 | description = "PE File has no resources" 108 | condition: 109 | (IsPE32 or IsPE64) and (pe.number_of_resources == 0) 110 | } 111 | 112 | 113 | rule HasOverlay : PECheck 114 | { 115 | meta: 116 | author="_pusher_" 117 | description = "Overlay Check" 118 | condition: 119 | // MZ signature at offset 0 and ... 120 | uint16(0) == 0x5A4D and 121 | // ... PE signature at offset stored in MZ header at 0x3C 122 | uint32(uint32(0x3C)) == 0x00004550 and 123 | //stupid check if last section is 0 124 | //not (pe.sections[pe.number_of_sections-1].raw_data_offset+pe.sections[pe.number_of_sections-1].raw_data_size) == 0x0 and 125 | 126 | (pe.sections[pe.number_of_sections-1].raw_data_offset+pe.sections[pe.number_of_sections-1].raw_data_size) < filesize 127 | 128 | } 129 | 130 | rule HasTaggantSignature : PECheck 131 | { 132 | meta: 133 | author="_pusher_" 134 | description = "TaggantSignature Check" 135 | date="2016-07" 136 | strings: 137 | $a0 = { 54 41 47 47 ?? ?? ?? ?? ?? ?? 00 00 ?? 00 30 82 ?? ?? 06 09 2A 86 48 86 F7 0D 01 07 02 A0 82 ?? ?? 30 82 ?? ?? 02 01 01 31 09 30 07 06 05 2B 0E 03 02 1A 30 82 ?? ?? 06 09 2A 86 48 86 F7 0D 01 07 01 A0 82 ?? ?? 04 82 ?? ?? ?? 00 01 00 ?? ?? } 138 | //$c0 = { 06 09 2A 86 } 139 | condition: 140 | // MZ signature at offset 0 and ... 141 | uint16(0) == 0x5A4D and 142 | // ... PE signature at offset stored in MZ header at 0x3C 143 | uint32(uint32(0x3C)) == 0x00004550 and 144 | //TAGG+4E==packerid 145 | //(uint32be(@a0+0x4E) == 0x0B51D132) and 146 | //(uint32be(@a0+0x12) == 0x006092a86) and 147 | //(uint32be(@a0+0x12)) == uint32be(@c0) and 148 | 149 | //uint32be(@a0+0x04) < (pe.sections[pe.number_of_sections-1].raw_data_offset+pe.sections[pe.number_of_sections-1].raw_data_size) and 150 | $a0 151 | } 152 | 153 | 154 | rule HasDigitalSignature : PECheck 155 | { 156 | meta: 157 | author="_pusher_" 158 | description = "DigitalSignature Check" 159 | date="2016-07" 160 | strings: 161 | //size check is wildcarded 162 | $a0 = { ?? ?? ?? ?? 00 02 02 00 30 82 ?? ?? 06 09 2A 86 48 86 F7 0D 01 07 02 A0 82 ?? ?? 30 82 ?? ?? 02 01 01 31 0B 30 09 06 05 2B 0E 03 02 1A 05 00 30 68 06 0A 2B 06 01 04 01 82 37 02 01 04 A0 5A 30 58 30 33 06 0A 2B 06 01 04 01 82 37 02 01 0F 30 25 03 01 00 A0 20 A2 1E 80 1C 00 3C 00 3C 00 3C 00 4F 00 62 00 73 00 6F 00 6C 00 65 00 74 00 65 00 3E 00 3E 00 3E 30 21 30 09 06 05 2B 0E 03 02 1A 05 00 04 14 } 163 | $a1 = { ?? ?? ?? ?? 00 02 02 00 30 82 ?? ?? 06 09 2A 86 48 86 F7 0D 01 07 02 A0 82 ?? ?? 30 82 ?? ?? 02 01 01 31 0B 30 09 06 05 2B 0E 03 02 1A 05 00 30 ?? 06 0A 2B 06 01 04 01 82 37 02 01 04 A0 ?? 30 ?? 30 ?? 06 0A 2B 06 01 04 01 82 37 02 01 0F 30 ?? 03 01 00 A0 ?? A2 ?? 80 00 30 21 30 09 06 05 2B 0E 03 02 1A 05 00 04 14 } 164 | $a2 = { ?? ?? ?? ?? 00 02 02 00 30 82 ?? ?? 06 09 2A 86 48 86 F7 0D 01 07 02 A0 82 ?? ?? 30 82 ?? ?? 02 01 01 31 0E 30 ?? 06 ?? ?? 86 48 86 F7 0D 02 05 05 00 30 67 06 0A 2B 06 01 04 01 82 37 02 01 04 A0 59 30 57 30 33 06 0A 2B 06 01 04 01 82 37 02 01 0F 30 25 03 01 00 A0 20 A2 1E 80 1C 00 3C 00 3C 00 3C 00 4F 00 62 00 73 00 6F 00 6C 00 65 00 74 00 65 00 3E 00 3E 00 3E 30 20 30 0C 06 08 2A 86 48 86 F7 0D 02 05 05 00 04 } 165 | $a3 = { ?? ?? ?? ?? 00 02 02 00 30 82 ?? ?? 06 09 2A 86 48 86 F7 0D 01 07 02 A0 82 ?? ?? 30 82 ?? ?? 02 01 01 31 0F 30 ?? 06 ?? ?? 86 48 01 65 03 04 02 01 05 00 30 78 06 0A 2B 06 01 04 01 82 37 02 01 04 A0 6A 30 68 30 33 06 0A 2B 06 01 04 01 82 37 02 01 0F 30 25 03 01 00 A0 20 A2 1E 80 1C 00 3C 00 3C 00 3C 00 4F 00 62 00 73 00 6F 00 6C 00 65 00 74 00 65 00 3E 00 3E 00 3E 30 31 30 0D 06 09 60 86 48 01 65 03 04 02 01 05 00 04 } 166 | condition: 167 | // MZ signature at offset 0 and ... 168 | uint16(0) == 0x5A4D and 169 | // ... PE signature at offset stored in MZ header at 0x3C 170 | uint32(uint32(0x3C)) == 0x00004550 and 171 | (for any of ($a*) : ($ in ( (pe.sections[pe.number_of_sections-1].raw_data_offset+pe.sections[pe.number_of_sections-1].raw_data_size)..filesize)) ) 172 | //its not always like this: 173 | //and uint32(@a0) == (filesize-(pe.sections[pe.number_of_sections-1].raw_data_offset+pe.sections[pe.number_of_sections-1].raw_data_size)) 174 | } 175 | 176 | rule HasDebugData : PECheck 177 | { 178 | meta: 179 | author = "_pusher_" 180 | description = "DebugData Check" 181 | date="2016-07" 182 | condition: 183 | // MZ signature at offset 0 and ... 184 | uint16(0) == 0x5A4D and 185 | // ... PE signature at offset stored in MZ header at 0x3C 186 | uint32(uint32(0x3C)) == 0x00004550 and 187 | //orginal 188 | //((uint32(uint32(0x3C)+0xA8) >0x0) and (uint32be(uint32(0x3C)+0xAC) >0x0)) 189 | //((uint16(uint32(0x3C)+0x18) & 0x200) >> 5) x64/x32 190 | (IsPE32 or IsPE64) and 191 | ((uint32(uint32(0x3C)+0xA8+((uint16(uint32(0x3C)+0x18) & 0x200) >> 5)) >0x0) and (uint32be(uint32(0x3C)+0xAC+((uint16(uint32(0x3C)+0x18) & 0x200) >> 5)) >0x0)) 192 | } 193 | 194 | rule IsBeyondImageSize : PECheck 195 | { 196 | meta: 197 | author = "_pusher_" 198 | date = "2016-07" 199 | description = "Data Beyond ImageSize Check" 200 | condition: 201 | // MZ signature at offset 0 and ... 202 | uint16(0) == 0x5A4D and 203 | // ... PE signature at offset stored in MZ header at 0x3C 204 | uint32(uint32(0x3C)) == 0x00004550 and 205 | for any i in (0..pe.number_of_sections-1): 206 | ( 207 | (pe.sections[i].virtual_address+pe.sections[i].virtual_size) > (uint32(uint32(0x3C)+0x50)) or 208 | (pe.sections[i].raw_data_offset+pe.sections[i].raw_data_size) > filesize 209 | ) 210 | } 211 | 212 | rule ImportTableIsBad : PECheck 213 | { 214 | meta: 215 | author = "_pusher_ & mrexodia" 216 | date = "2016-07" 217 | description = "ImportTable Check" 218 | condition: 219 | // MZ signature at offset 0 and ... 220 | uint16(0) == 0x5A4D and 221 | // ... PE signature at offset stored in MZ header at 0x3C 222 | uint32(uint32(0x3C)) == 0x00004550 and 223 | (IsPE32 or IsPE64) and 224 | ( //Import_Table_RVA+Import_Data_Size .. cannot be outside imagesize 225 | ((uint32(uint32(0x3C)+0x80+((uint16(uint32(0x3C)+0x18) & 0x200) >> 5) )) + (uint32(uint32(0x3C)+0x84+((uint16(uint32(0x3C)+0x18) & 0x200) >> 5)))) > (uint32(uint32(0x3C)+0x50)) 226 | or 227 | (((uint32(uint32(0x3C)+0x80+((uint16(uint32(0x3C)+0x18) & 0x200) >> 5) )) + (uint32(uint32(0x3C)+0x84+((uint16(uint32(0x3C)+0x18) & 0x200) >> 5)))) == 0x0) 228 | //or 229 | 230 | //doest work 231 | //pe.imports("", "") 232 | 233 | //need to check if this is ok.. 15:06 2016-08-12 234 | //uint32( uint32(uint32(0x3C)+0x80+((uint16(uint32(0x3C)+0x18) & 0x200) >> 5))+uint32(uint32(0x3C)+0x34)) == 0x408000 235 | //this works.. 236 | //uint32(uint32(0x3C)+0x80+((uint16(uint32(0x3C)+0x18) & 0x200) >> 5))+uint32(uint32(0x3C)+0x34) == 0x408000 237 | 238 | //uint32be(uint32be(0x409000)) == 0x005A 239 | //pe.image_base 240 | //correct: 241 | 242 | //uint32(uint32(0x3C)+0x80)+pe.image_base == 0x408000 243 | 244 | //this works (file offset): 245 | //$a0 at 0x4000 246 | //this does not work rva: 247 | //$a0 at uint32(0x0408000) 248 | 249 | //(uint32(uint32(uint32(0x3C)+0x80)+((uint16(uint32(0x3C)+0x18) & 0x200) >> 5))+pe.image_base) == 0x0) 250 | 251 | or 252 | //tiny PE files.. 253 | (uint32(0x3C)+0x80+((uint16(uint32(0x3C)+0x18) & 0x200) >> 5) > filesize) 254 | 255 | //or 256 | //uint32(uint32(0x3C)+0x80) == 0x21000 257 | //uint32(uint32(uint32(0x3C)+0x80)) == 0x0 258 | //pe.imports("", "") 259 | ) 260 | } 261 | 262 | rule ExportTableIsBad : PECheck 263 | { 264 | meta: 265 | author = "_pusher_ & mrexodia" 266 | date = "2016-07" 267 | description = "ExportTable Check" 268 | condition: 269 | // MZ signature at offset 0 and ... 270 | uint16(0) == 0x5A4D and 271 | // ... PE signature at offset stored in MZ header at 0x3C 272 | uint32(uint32(0x3C)) == 0x00004550 and 273 | (IsPE32 or IsPE64) and 274 | ( //Export_Table_RVA+Export_Data_Size .. cannot be outside imagesize 275 | ((uint32(uint32(0x3C)+0x78+((uint16(uint32(0x3C)+0x18) & 0x200) >> 5) )) + (uint32(uint32(0x3C)+0x7C+((uint16(uint32(0x3C)+0x18) & 0x200) >> 5)))) > (uint32(uint32(0x3C)+0x50)) 276 | ) 277 | } 278 | 279 | 280 | rule HasModified_DOS_Message : PECheck 281 | { 282 | meta: 283 | author = "_pusher_" 284 | description = "DOS Message Check" 285 | date="2016-07" 286 | strings: 287 | $a0 = "This program must be run under Win32" wide ascii nocase 288 | $a1 = "This program cannot be run in DOS mode" wide ascii nocase 289 | //UniLink 290 | $a2 = "This program requires Win32" wide ascii nocase 291 | $a3 = "This program must be run under Win64" wide ascii nocase 292 | condition: 293 | // MZ signature at offset 0 and ... 294 | uint16(0) == 0x5A4D and 295 | // ... PE signature at offset stored in MZ header at 0x3C 296 | uint32(uint32(0x3C)) == 0x00004550 and not 297 | (for any of ($a*) : ($ in (0x0..uint32(0x3c) ))) 298 | } 299 | 300 | rule HasRichSignature : PECheck 301 | { 302 | meta: 303 | author = "_pusher_" 304 | description = "Rich Signature Check" 305 | date="2016-07" 306 | strings: 307 | $a0 = "Rich" ascii 308 | condition: 309 | // MZ signature at offset 0 and ... 310 | uint16(0) == 0x5A4D and 311 | // ... PE signature at offset stored in MZ header at 0x3C 312 | uint32(uint32(0x3C)) == 0x00004550 and 313 | (for any of ($a*) : ($ in (0x0..uint32(0x3c) ))) 314 | } 315 | 316 | rule NeedsAdminAccess : PECheck 317 | { 318 | meta: 319 | author = "_pusher_" 320 | description = "AdminAccess Signature Check" 321 | date="2017-05" 322 | strings: 323 | //weirdo yara bug 324 | $a0 = "requestedExecutionLevel" fullword ascii nocase 325 | $a1 = "level=\"requireAdministrator" fullword ascii nocase 326 | $a2 = "level=\"highestAvailable" fullword ascii nocase 327 | condition: 328 | // MZ signature at offset 0 and ... 329 | uint16(0) == 0x5A4D and 330 | // ... PE signature at offset stored in MZ header at 0x3C 331 | uint32(uint32(0x3C)) == 0x00004550 and 332 | $a0 and ($a1 or $a2) 333 | } 334 | 335 | rule IsSuspicious 336 | { 337 | meta: 338 | author="_pusher_" 339 | date = "2016-07" 340 | description="Might be PE Virus" 341 | condition: 342 | uint32(0x20) == 0x20202020 343 | } 344 | 345 | rule IsGoLink 346 | { 347 | meta: 348 | author="_pusher_" 349 | date = "2016-08" 350 | description="www.GoDevTool.com" 351 | strings: 352 | $a0 = { 47 6F 4C 69 6E 6B } 353 | condition: 354 | // MZ signature at offset 0 and ... 355 | uint16(0) == 0x5A4D and 356 | // ... PE signature at offset stored in MZ header at 0x3C 357 | $a0 at 0x40 358 | 359 | } 360 | 361 | 362 | rule borland_cpp { 363 | meta: 364 | author = "_pusher_" 365 | description = "Borland C++" 366 | date = "2015-08" 367 | version = "0.1" 368 | strings: 369 | $c0 = { 59 5F 6A 00 E8 ?? ?? ?? ?? 59 68 ?? ?? ?? ?? 6A 00 E8 ?? ?? ?? ?? A3 ?? ?? ?? ?? 6A 00 E9 ?? ?? ?? ?? E9 ?? ?? ?? ?? 33 C0 A0 ?? ?? ?? ?? C3 A1 ?? ?? ?? ?? C3 } 370 | $c1 = { A1 ?? ?? ?? ?? C1 E0 02 A3 ?? ?? ?? ?? 52 6A 00 E8 ?? ?? ?? ?? 8B D0 E8 ?? ?? ?? ?? 5A E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 6A 00 E8 ?? ?? ?? ?? 59 68 ?? ?? ?? ?? 6A 00 E8 ?? ?? ?? ?? A3 ?? ?? ?? ?? 6A 00 E9 ?? ?? ?? ?? E9 ?? ?? ?? ?? 33 C0 A0 ?? ?? ?? ?? C3 A1 ?? ?? ?? ?? C3 } 371 | $c2 = { 6A 00 E8 ?? ?? ?? ?? A3 ?? ?? ?? ?? 6A 00 E9 ?? ?? ?? ?? E9 ?? ?? ?? ?? 33 C0 A0 ?? ?? ?? ?? C3 A1 ?? ?? ?? ?? C3 } 372 | condition: 373 | ( 374 | //linker 2.25 and 5.00 375 | ((pe.linker_version.major == 2) and (pe.linker_version.minor == 25 )) or 376 | ((pe.linker_version.major == 5) and (pe.linker_version.minor == 0 )) 377 | ) and 378 | any of them 379 | } 380 | 381 | rule borland_delphi { 382 | meta: 383 | author = "_pusher_" 384 | description = "Borland Delphi 2.0 - 7.0 / 2005 - 2007" 385 | date = "2016-03" 386 | version = "0.2" 387 | strings: 388 | $c0 = { 53 8B D8 33 C0 A3 ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? FF A3 ?? ?? ?? ?? A1 ?? ?? ?? ?? A3 ?? ?? ?? ?? 33 C0 A3 ?? ?? ?? ?? 33 C0 A3 } 389 | $c1 = { 53 8B D8 33 C0 A3 ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? A3 ?? ?? ?? ?? A1 ?? ?? ?? ?? A3 ?? ?? ?? ?? 33 C0 A3 ?? ?? ?? ?? 33 C0 A3 ?? ?? ?? ?? 8D 43 08 A3 ?? ?? ?? ?? E8 ?? ?? ?? ?? BA ?? ?? ?? ?? 8B C3 E8 ?? ?? ?? ?? 5B C3 } 390 | //some x64 version of delphi 391 | $c2 = { 53 48 83 EC 20 48 89 CB C7 05 ?? ?? ?? ?? ?? ?? ?? ?? 48 33 C9 E8 ?? ?? ?? ?? 48 89 05 ?? ?? ?? ?? 48 8B 05 ?? ?? ?? ?? 48 89 05 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 48 8D 43 10 48 89 05 ?? ?? ?? ?? 48 8D 05 ?? FC FF FF 48 89 05 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 89 D9 48 8D 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 83 C4 20 5B C3 } 392 | //unusual delphi version unknown version (unpackme- FSG 1.31 - dulek) 393 | $c3 = { 50 6A 00 E8 ?? ?? ?? ?? BA ?? ?? ?? ?? 52 89 05 ?? ?? ?? ?? 89 42 04 C7 42 08 00 00 00 00 C7 42 0C 00 00 00 00 E8 ?? ?? ?? ?? 5A 58 E8 ?? ?? ?? ?? C3 } 394 | //delphi2 395 | $c4 = { E8 ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? 89 05 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 05 ?? ?? ?? ?? C7 05 ?? ?? ?? ?? 0A ?? ?? ?? B8 ?? ?? ?? ?? C3 } 396 | //delphi3 397 | $c5 = { 50 6A 00 E8 ?? ?? FF FF BA ?? ?? ?? ?? 52 89 05 ?? ?? ?? ?? 89 42 04 E8 ?? ?? ?? ?? 5A 58 E8 ?? ?? ?? ?? C3 55 8B EC 33 C0 } 398 | //delphi5 399 | $c6 = { 50 6A ?? E8 ?? ?? FF FF BA ?? ?? ?? ?? 52 89 05 ?? ?? ?? ?? 89 42 04 C7 42 08 ?? ?? ?? ?? C7 42 0C ?? ?? ?? ?? E8 ?? ?? ?? ?? 5A 58 E8 ?? ?? ?? ?? C3 } 400 | condition: 401 | any of them 402 | and 403 | ( 404 | //if its not linker 2.25 its been modified (unpacked usually) 405 | //unknown x64 build of delphi //weird 406 | ((pe.linker_version.major == 2) and (pe.linker_version.minor == 25 )) or ((pe.linker_version.major == 8) and (pe.linker_version.minor == 0 )) or ((pe.linker_version.major == 5) and (pe.linker_version.minor == 12 )) 407 | //unpacked files usually have this linker: 408 | or ((pe.linker_version.major == 0) and (pe.linker_version.minor == 0 )) ) 409 | //could check for dvclal.. maybe too much 410 | } 411 | 412 | rule free_pascal { 413 | meta: 414 | author = "_pusher_" 415 | description = "Free Pascal" 416 | date = "2015-08" 417 | version = "0.1" 418 | strings: 419 | $c0 = { 55 89 E5 83 ?? ?? 89 5D FC B8 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? A0 ?? ?? ?? ?? 84 C0 75 0C 6A 00 E8 ?? ?? ?? ?? A3 ?? ?? ?? ?? A1 ?? ?? ?? ?? A3 } 420 | $c1 = { 55 89 E5 53 B8 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 80 3D ?? ?? ?? ?? 00 75 0C 6A 00 E8 ?? ?? ?? ?? A3 ?? ?? ?? ?? A1 ?? ?? ?? ?? A3 ?? ?? ?? ?? B8 } 421 | $c2 = { 55 89 E5 83 EC 04 89 5D FC B8 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? A0 ?? ?? ?? ?? 84 C0 75 05 E8 ?? ?? ?? ?? C7 05 } 422 | condition: 423 | any of them 424 | } 425 | 426 | rule borland_delphi_dll { 427 | meta: 428 | author = "_pusher_" 429 | description = "Borland Delphi DLL" 430 | date = "2015-08" 431 | version = "0.1" 432 | info = "one is at entrypoint" 433 | strings: 434 | $c0 = { BA ?? ?? ?? ?? 83 7D 0C 01 75 ?? 50 52 C6 05 ?? ?? ?? ?? ?? 8B 4D 08 89 0D ?? ?? ?? ?? 89 4A 04 } 435 | $c1 = { 55 8B EC 83 C4 ?? B8 ?? ?? ?? ?? E8 ?? ?? FF FF E8 ?? ?? FF FF 8D 40 00 } 436 | condition: 437 | any of them 438 | } 439 | 440 | rule borland_component { 441 | meta: 442 | author = "_pusher_" 443 | description = "Borland Component" 444 | date = "2015-08" 445 | version = "0.1" 446 | strings: 447 | $c0 = { E9 ?? ?? ?? FF 8D 40 00 } 448 | condition: 449 | $c0 at pe.entry_point 450 | } 451 | 452 | rule PureBasic : Neil Hodgson 453 | { 454 | meta: 455 | author="_pusher_" 456 | date="2016-07" 457 | strings: 458 | //make check for msvrt.dll 459 | $c0 = { 55 8B EC 6A 00 68 00 10 00 00 6A ?? FF 15 ?? ?? ?? ?? A3 ?? ?? ?? ?? C7 05 ?? ?? ?? ?? 00 00 00 00 C7 05 ?? ?? ?? ?? 10 00 00 00 A1 ?? ?? ?? ?? 50 6A ?? 8B 0D ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? A3 ?? ?? ?? ?? 5D C3 CC CC CC CC CC CC CC CC CC } 460 | $c1 = { 68 ?? ?? 00 00 68 00 00 00 00 68 ?? ?? ?? 00 E8 ?? ?? ?? 00 83 C4 0C 68 00 00 00 00 E8 ?? ?? ?? 00 A3 ?? ?? ?? 00 68 00 00 00 00 68 00 10 00 00 68 00 00 00 00 E8 ?? ?? ?? 00 A3 } 461 | $aa0 = "\x00MSVCRT.dll\x00" ascii 462 | $aa1 = "\x00CRTDLL.dll\x00" ascii 463 | condition: 464 | (for any of ($c0,$c1) : ( $ at pe.entry_point )) and 465 | (any of ($aa*) ) and 466 | ((pe.linker_version.major == 2) and (pe.linker_version.minor == 50 )) 467 | } 468 | 469 | rule PureBasicDLL : Neil Hodgson 470 | { 471 | meta: 472 | author="malware-lu" 473 | strings: 474 | $a0 = { 83 7C 24 08 01 75 ?? 8B 44 24 04 A3 ?? ?? ?? 10 E8 } 475 | 476 | condition: 477 | $a0 at pe.entry_point 478 | } 479 | 480 | rule PureBasic4xDLL : Neil Hodgson 481 | { 482 | meta: 483 | author="malware-lu" 484 | strings: 485 | $a0 = { 83 7C 24 08 01 75 0E 8B 44 24 04 A3 ?? ?? ?? 10 E8 22 00 00 00 83 7C 24 08 02 75 00 83 7C 24 08 00 75 05 E8 ?? 00 00 00 83 7C 24 08 03 75 00 B8 01 00 00 00 C2 0C 00 68 00 00 00 00 68 00 10 00 00 68 00 00 00 00 E8 ?? 0F 00 00 A3 } 486 | 487 | condition: 488 | $a0 at pe.entry_point 489 | } 490 | 491 | rule SkDUndetectabler : SkDrat { 492 | meta: 493 | author = "_pusher_" 494 | condition: 495 | ( 496 | borland_delphi or (pe.timestamp == 0x21475346) or //check All FSG or 497 | ((pe.linker_version.major == 6) and (pe.linker_version.minor == 0 )) 498 | ) 499 | and 500 | (pe.sections[pe.number_of_sections-1].raw_data_offset+pe.sections[pe.number_of_sections-1].raw_data_size < filesize) and 501 | //is overlay at offset 2A00,1A00,C00,745,739 502 | //pe.overlay & pe.overlay_size would have been prettier 503 | ( 504 | (pe.sections[pe.number_of_sections-1].raw_data_offset+pe.sections[pe.number_of_sections-1].raw_data_size == 0x00000739) or 505 | (pe.sections[pe.number_of_sections-1].raw_data_offset+pe.sections[pe.number_of_sections-1].raw_data_size == 0x00000745) or 506 | //Uncompressed 507 | (pe.sections[pe.number_of_sections-1].raw_data_offset+pe.sections[pe.number_of_sections-1].raw_data_size == 0x00000C00) or 508 | (pe.sections[pe.number_of_sections-1].raw_data_offset+pe.sections[pe.number_of_sections-1].raw_data_size == 0x00002A00) or 509 | (pe.sections[pe.number_of_sections-1].raw_data_offset+pe.sections[pe.number_of_sections-1].raw_data_size == 0x00001A00) 510 | ) 511 | and 512 | //is xored MZ ? 513 | ( 514 | uint16(pe.sections[pe.number_of_sections-1].raw_data_offset+pe.sections[pe.number_of_sections-1].raw_data_size) == 0x6275 or 515 | uint16(pe.sections[pe.number_of_sections-1].raw_data_offset+pe.sections[pe.number_of_sections-1].raw_data_size) == 0x4057 516 | ) 517 | } 518 | 519 | /* usefull ? 18:53 2016-08-12 520 | rule MicrosoftVisualCV80 521 | { 522 | meta: 523 | author="malware-lu" 524 | strings: 525 | $a0 = { 6A 14 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? BB 94 00 00 00 53 6A 00 8B ?? ?? ?? ?? ?? FF D7 50 FF ?? ?? ?? ?? ?? 8B F0 85 F6 75 0A 6A 12 E8 ?? ?? ?? ?? 59 EB 18 89 1E 56 FF ?? ?? ?? ?? ?? 56 85 C0 75 14 50 FF D7 50 FF ?? ?? ?? ?? ?? B8 } 526 | 527 | condition: 528 | $a0 at pe.entry_point 529 | } 530 | */ 531 | 532 | rule Cygwin : Red Hat 533 | { 534 | meta: 535 | author = "_pusher_" 536 | date = "2016-07" 537 | strings: 538 | $a0 = "cygwin1.dll" ascii nocase 539 | $aa1 = "cygwin_internal" 540 | $aa2 = "cygwin_detach_dll" 541 | condition: 542 | ( 543 | (pe.linker_version.major == 2) and (pe.linker_version.minor == 56 ) or 544 | (pe.linker_version.major == 2) and (pe.linker_version.minor == 24 ) or 545 | (pe.linker_version.major == 2) and (pe.linker_version.minor == 25 ) 546 | ) 547 | and 548 | ($a0 and (any of ($aa*) )) 549 | } 550 | 551 | rule MinGW 552 | { 553 | meta: 554 | author = "_pusher_" 555 | date = "2016-09" 556 | strings: 557 | $a0 = "msvcrt.dll" ascii nocase 558 | $a1 = "msvcr100.dll" ascii nocase 559 | 560 | $aa1 = "Mingw-w64 runtime failure:" 561 | $aa3 = "_mingw32_init_mainargs" 562 | //too wild ? 563 | $aa4 = "mingw32" 564 | $aa7 = "-LIBGCCW32-EH-SJLJ-GTHR-MINGW32" wide ascii nocase 565 | $aa5 = "-LIBGCCW32-EH-2-SJLJ-GTHR-MINGW32" wide ascii nocase 566 | $aa2 = "-LIBGCCW32-EH-3-SJLJ-GTHR-MINGW32" wide ascii nocase 567 | $aa6 = "-GCCLIBCYGMING-EH-TDM1-SJLJ-GTHR-MINGW32" wide ascii nocase 568 | $aa9 = "Mingw runtime failure:" 569 | condition: 570 | ( 571 | (pe.linker_version.major == 2) and (pe.linker_version.minor == 56 ) or 572 | (pe.linker_version.major == 2) and ((pe.linker_version.minor >= 21) and (pe.linker_version.minor <= 25)) 573 | ) 574 | and 575 | ( ($a0 or $a1) and (any of ($aa*) )) 576 | } 577 | 578 | rule FASM : flat assembler { 579 | //abit weak, needs more targets & testing 580 | meta: 581 | author = "_pusher_" 582 | date = "2016-01" 583 | description = "http://flatassembler.net" 584 | //strings: 585 | //$c0 = { 55 89 E5 83 EC 1C 8D 45 E4 6A 1C 50 FF 75 08 FF 15 ?? ?? ?? ?? 8B 45 E8 C9 C2 04 00 } 586 | condition: 587 | ( 588 | //linker 1.60..1.79 589 | (pe.linker_version.major == 1) and ((pe.linker_version.minor >= 60) and (pe.linker_version.minor < 80)) 590 | ) 591 | //and $c0 592 | } 593 | 594 | rule AutoIt 595 | { 596 | meta: 597 | author = "_pusher_" 598 | date = "2016-07" 599 | description = "www.autoitscript.com/site/autoit/" 600 | strings: 601 | $aa0 = "AutoIt has detected the stack has become corrupt.\n\nStack corruption typically occurs when either the wrong calling convention is used or when the function is called with the wrong number of arguments.\n\nAutoIt supports the __stdcall (WINAPI) and __cdecl calling conventions. The __stdcall (WINAPI) convention is used by default but __cdecl can be used instead. See the DllCall() documentation for details on changing the calling convention." wide ascii nocase 602 | $aa1 = "AutoIt Error" wide ascii nocase 603 | $aa2 = "Missing right bracket ')' in expression." wide ascii nocase 604 | $aa3 = "Missing operator in expression." wide ascii nocase 605 | $aa4 = "Unbalanced brackets in expression." wide ascii nocase 606 | $aa5 = "Error parsing function call." wide ascii nocase 607 | 608 | $aa6 = ">>>AUTOIT NO CMDEXECUTE<<<" wide ascii nocase 609 | $aa7 = "#requireadmin" wide ascii nocase 610 | $aa8 = "#OnAutoItStartRegister" wide ascii nocase 611 | $aa9 = "#notrayicon" wide ascii nocase 612 | $aa10 = "Cannot parse #include" wide ascii nocase 613 | condition: 614 | 5 of ($aa*) 615 | } 616 | 617 | 618 | rule PellesC : Pelle Orinius 619 | { 620 | meta: 621 | author = "_pusher_" 622 | date = "2016-08" 623 | description = "www.smorgasbordet.com/pellesc" 624 | strings: 625 | $aa0 = " -- terminating\x0D\x0A\x00 -- terminating\x0A\x00CRT: \x00unexpected error\x00" wide ascii nocase 626 | $aa1 = "unhandled exception (main)\x00unhandled exception in thread\x00unable to create thread\x00unable to destroy semaphore\x00" wide ascii nocase 627 | $aa2 = "unable to wait on semaphore\x00unable to post semaphore\x00unable to init semaphore\x00unable to unlock mutex\x00unable to lock mutex\x00unable to init mutex\x00" wide ascii nocase 628 | $aa3 = "invalid stream lock number\x00corrupt per-thread data\x00out of memory\x00unable to init threads\x00unable to init HEAP" wide ascii nocase 629 | condition: 630 | 3 of ($aa*) and 631 | (pe.linker_version.major == 2) and (pe.linker_version.minor == 50 ) 632 | } 633 | 634 | rule PyInstaller 635 | { 636 | meta: 637 | author="_pusher_" 638 | date = "2016-09" 639 | description = "www.pyinstaller.org" 640 | strings: 641 | $a0 = { 4D 45 49 0C 0B 0A 0B 0E ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 70 79 74 68 6F 6E } 642 | $aa0 = "Py_SetProgramName" ascii 643 | $aa1 = "Py_SetPythonHome" ascii 644 | $aa2 = "Py_Initialize" ascii 645 | $aa3 = "Py_Finalize" ascii 646 | $aa4 = "PyImport_ImportModule" ascii 647 | condition: 648 | $a0 and 649 | all of ($aa*) 650 | } 651 | 652 | 653 | rule GoLang : Google 654 | { 655 | meta: 656 | author="_pusher_" 657 | date = "2016-09" 658 | description = "www.golang.org" 659 | strings: 660 | //x64 661 | $a0 = { 48 C7 83 00 00 00 00 23 01 00 00 48 8B 05 ?? ?? ?? ?? 48 3D 23 01 00 00 74 07 89 04 25 00 00 00 00 65 48 8B 1C 25 28 00 00 00 48 8D 0D ?? ?? ?? ?? 48 89 8B 00 00 00 00 48 8D 05 ?? ?? ?? ?? 48 89 08 48 89 41 30 FC E8 ?? ?? ?? ?? 8B 44 24 10 89 04 24 48 8B 44 24 18 48 89 44 24 08 E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 8D 05 ?? ?? ?? ?? 50 6A 00 E8 ?? ?? ?? ?? 58 58 E8 } 662 | //x86 663 | $a1 = { C7 83 00 00 00 00 23 01 00 00 8B 05 ?? ?? ?? ?? 3D 23 01 00 00 74 06 89 05 00 00 00 00 64 8B 1D 14 00 00 00 8D 15 ?? ?? ?? ?? 89 93 00 00 00 00 8D 05 ?? ?? ?? ?? 89 10 89 42 18 E8 ?? ?? ?? ?? FC E8 ?? ?? ?? ?? 8B 44 24 78 89 04 24 8B 44 24 7C 89 44 24 04 E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A 00 E8 ?? ?? ?? ?? 58 58 E8 } 664 | condition: 665 | $a0 or $a1 666 | } 667 | 668 | 669 | rule QtFrameWork 670 | { 671 | meta: 672 | author="_pusher_" 673 | date="2016-08" 674 | strings: 675 | $aa0 = "\x00Qt5Core.dll\x00" ascii 676 | $aa1 = "\x00QtCore4.dll\x00" ascii 677 | condition: 678 | (any of ($aa*) ) 679 | } 680 | 681 | /* usefull ? 18:32 2016-08-10 682 | rule masm32_tasm32 683 | { 684 | meta: 685 | author = "PEiD" 686 | description = "MASM32 / TASM32" 687 | group = "20" 688 | function = "0" 689 | strings: 690 | $a0 = { 6A ?? E8 ?? ?? ?? ?? A3 } 691 | condition: 692 | $a0 693 | } 694 | */ 695 | -------------------------------------------------------------------------------- /readme.md: -------------------------------------------------------------------------------- 1 | # Yara Signatures 2 | 3 | This repository includes some Yara signatures, possibly to be included with [x64dbg](http://x64dbg.com). 4 | 5 | Please be so kind to use TABS when formatting your signatures, thanks. 6 | 7 | #Yara-GUI 8 | Window GUI tool with drag and drop interface and directory scanning with multible rules [Yara GUI](http://sigint9.github.io/yaragui/) 9 | ![alt tag](http://sigint9.github.io/yaragui/yaragui.png) 10 | -------------------------------------------------------------------------------- /rich.yara: -------------------------------------------------------------------------------- 1 | import "pe" 2 | 3 | rule MASM 4 | { 5 | meta: 6 | author="_pusher_" 7 | date = "2016-08" 8 | linker = "5.12" 9 | //drop linker checks and allow collissions ? :\ 10 | condition: 11 | (pe.rich_signature.version(8078) and pe.rich_signature.version(8444) and pe.rich_signature.toolid(19) ) 12 | or //and ((pe.linker_version.major == 5) and (pe.linker_version.minor == 12 ) or (pe.linker_version.major == 12) and (pe.linker_version.minor == 0 ) ) or 13 | (pe.rich_signature.version(8078) and pe.rich_signature.version(30319) and pe.rich_signature.toolid(19) ) 14 | or //and (pe.linker_version.major == 5) and (pe.linker_version.minor == 12 ) or 15 | (pe.rich_signature.version(1735) and pe.rich_signature.version(8803) and pe.rich_signature.toolid(6) ) 16 | or 17 | (pe.rich_signature.version(1735) and pe.rich_signature.version(8444) and pe.rich_signature.toolid(6) and not pe.rich_signature.version(9782) ) 18 | 19 | or 20 | pe.rich_signature.version(1735) and pe.rich_signature.version(8447) and pe.rich_signature.toolid(6) and not ( (pe.rich_signature.version(8168) and not pe.rich_signature.version(9782) )) 21 | 22 | or //and (pe.linker_version.major == 5) and (pe.linker_version.minor == 12 ) or 23 | (pe.rich_signature.version(1735) and pe.rich_signature.version(8078) and pe.rich_signature.toolid(19) ) 24 | or 25 | //this one causes trouble: //does not with 9782 check 26 | (pe.rich_signature.version(8444) and pe.rich_signature.toolid(18) and not pe.rich_signature.version(30319) and not pe.rich_signature.version(9782) ) 27 | 28 | //or //and ((pe.linker_version.major == 5) and (pe.linker_version.minor == 12 )) 29 | or 30 | (pe.rich_signature.version(7274) and pe.rich_signature.version(9049) and pe.rich_signature.toolid(19) ) 31 | } 32 | 33 | rule MSVC5 34 | { 35 | meta: 36 | author="_pusher_" 37 | date = "2016-08" 38 | linker = "5.10" 39 | //need more samples 40 | condition: 41 | pe.rich_signature.version(1668) and pe.rich_signature.toolid(6) 42 | } 43 | 44 | rule MSVC6 45 | { 46 | meta: 47 | author="_pusher_" 48 | date = "2016-08" 49 | linker = "6.00" 50 | condition: 51 | pe.rich_signature.version(8447) and pe.rich_signature.version(7299) and pe.rich_signature.toolid(10) or 52 | pe.rich_signature.version(9782) and pe.rich_signature.version(7299) and pe.rich_signature.toolid(10) or 53 | pe.rich_signature.version(8168) and pe.rich_signature.version(1720) and pe.rich_signature.toolid(10) or 54 | pe.rich_signature.version(8168) and pe.rich_signature.version(7299) and pe.rich_signature.toolid(10) 55 | and ((pe.linker_version.major == 6) and (pe.linker_version.minor == 0 )) or 56 | pe.rich_signature.version(8047) and pe.rich_signature.version(8034) and (pe.rich_signature.toolid(10) or pe.rich_signature.toolid(19)) or 57 | 58 | pe.rich_signature.version(8047) and pe.rich_signature.version(9044) and pe.rich_signature.toolid(10) and not pe.rich_signature.version(50727) or 59 | 60 | pe.rich_signature.version(4035) and pe.rich_signature.version(9044) and pe.rich_signature.toolid(95) and not pe.rich_signature.version(50727) or 61 | pe.rich_signature.version(8966) and pe.rich_signature.version(8047) and pe.rich_signature.toolid(10) or 62 | pe.rich_signature.version(8168) and pe.rich_signature.version(2179) and pe.rich_signature.toolid(10) or 63 | pe.rich_signature.version(8168) and pe.rich_signature.version(8034) and pe.rich_signature.toolid(11) or 64 | pe.rich_signature.version(8034) and pe.rich_signature.version(7299) and pe.rich_signature.toolid(19) or 65 | pe.rich_signature.version(8034) and pe.rich_signature.version(8966) and pe.rich_signature.toolid(19) or 66 | pe.rich_signature.version(9049) and pe.rich_signature.version(8966) and pe.rich_signature.toolid(19) 67 | } 68 | 69 | rule MSVC7 70 | { 71 | meta: 72 | author="_pusher_" 73 | date = "2016-08" 74 | linker = "7.00" 75 | condition: 76 | pe.rich_signature.version(9210) and (pe.rich_signature.version(9178) or pe.rich_signature.version(9466)) and pe.rich_signature.toolid(29) or //29 because of collisions with msvc6 77 | pe.rich_signature.version(8078) and pe.rich_signature.version(9210) and pe.rich_signature.toolid(19) 78 | } 79 | 80 | 81 | rule MSVC2003 82 | { 83 | meta: 84 | author="_pusher_" 85 | date = "2016-08" 86 | linker = "7.10" 87 | condition: //change 100 to something 88 | pe.rich_signature.version(4035) and pe.rich_signature.version(50727) and pe.rich_signature.toolid(100) or 89 | pe.rich_signature.version(3052) and pe.rich_signature.version(9210) and pe.rich_signature.toolid(95) or 90 | pe.rich_signature.version(6030) and pe.rich_signature.version(2179) and pe.rich_signature.toolid(100) or 91 | pe.rich_signature.version(3077) and pe.rich_signature.version(2179) and (pe.rich_signature.toolid(95) or pe.rich_signature.toolid(96) ) or 92 | pe.rich_signature.version(4035) and pe.rich_signature.version(4031) and pe.rich_signature.toolid(95) 93 | } 94 | 95 | 96 | rule MSVC2005 97 | { 98 | meta: 99 | author="_pusher_" 100 | date = "2016-08" 101 | linker = "8.00" 102 | condition: 103 | pe.rich_signature.version(40310) and (pe.rich_signature.version(21022) or pe.rich_signature.version(30729)) and pe.rich_signature.toolid(124) or 104 | pe.rich_signature.version(3094) and pe.rich_signature.version(50736) and pe.rich_signature.toolid(113) or 105 | pe.rich_signature.version(40310) and pe.rich_signature.version(4035) and pe.rich_signature.toolid(125) 106 | //more samples needed 00:21 2017-05-19 107 | or ( 108 | pe.rich_signature.version(50727) 109 | ) 110 | and ((pe.linker_version.major == 8) and (pe.linker_version.minor == 0 )) 111 | } 112 | 113 | rule MSVC2008 114 | { 115 | meta: 116 | author="_pusher_" 117 | date = "2016-08" 118 | linker = "9.00" 119 | condition: 120 | (pe.rich_signature.version(30729) and pe.rich_signature.version(50727) and pe.rich_signature.version(8078) and pe.rich_signature.toolid(131)) or 121 | ((pe.rich_signature.version(30729) or pe.rich_signature.version(21022)) and ((pe.linker_version.major == 9) and (pe.linker_version.minor == 0 ))) 122 | 123 | } 124 | 125 | rule MSVC2010 126 | { 127 | meta: 128 | author="_pusher_" 129 | date = "2016-08" 130 | linker = "10.00" 131 | condition: 132 | pe.rich_signature.version(40219) and 133 | //dunno why this is avoided 22:53 2017-06-27 134 | //not (pe.rich_signature.version(40629)) and 135 | 136 | ( pe.rich_signature.version(30729) or pe.rich_signature.version(40310) or pe.rich_signature.version(4035) ) and 137 | (pe.rich_signature.toolid(171) or pe.rich_signature.toolid(174) or pe.rich_signature.toolid(175) or pe.rich_signature.toolid(170) ) or 138 | 139 | pe.rich_signature.version(20804) and pe.rich_signature.version(50727) and pe.rich_signature.toolid(170) or 140 | pe.rich_signature.version(30319) and (pe.linker_version.major == 10) and (pe.linker_version.minor == 0 ) 141 | } 142 | 143 | rule MSVC2010sp1 144 | { 145 | meta: 146 | author="_pusher_" 147 | date = "2016-08" 148 | linker = "10.10" 149 | condition: 150 | pe.rich_signature.version(30716) and (pe.linker_version.major == 10) and (pe.linker_version.minor == 10 ) 151 | } 152 | 153 | rule MSVC2012 154 | { 155 | meta: 156 | author="_pusher_" 157 | date = "2016-08" 158 | linker = "11.00" 159 | condition: 160 | pe.rich_signature.version(65501) and pe.rich_signature.version(65500) and pe.rich_signature.toolid(211) or 161 | pe.rich_signature.version(50929) and pe.rich_signature.version(61030) and pe.rich_signature.toolid(206) or 162 | (pe.rich_signature.version(50929) or pe.rich_signature.version(65501)) and (pe.linker_version.major == 11) and (pe.linker_version.minor == 0 ) 163 | } 164 | 165 | rule MSVC2013 166 | { 167 | meta: 168 | author = "mrexodia & _pusher_" 169 | date = "2016-08" 170 | linker = "12.00" 171 | condition: 172 | pe.rich_signature.version(21005) and ( pe.rich_signature.version(40629) or pe.rich_signature.version(31101) or pe.rich_signature.version(30723) or pe.rich_signature.version(41118) ) and (pe.rich_signature.toolid(221) or pe.rich_signature.toolid(224) ) or 173 | pe.rich_signature.version(31101) and pe.rich_signature.version(20806) and (pe.rich_signature.toolid(221) or pe.rich_signature.toolid(225)) or 174 | pe.rich_signature.version(20806) and pe.rich_signature.version(21005) and pe.rich_signature.toolid(224) or 175 | // 176 | //pe.rich_signature.version(31101) and pe.rich_signature.toolid(229) or 177 | pe.rich_signature.version(65501) and pe.rich_signature.version(20806) and pe.rich_signature.toolid(224) 178 | } 179 | 180 | rule MSVC2013sp1 181 | { 182 | meta: 183 | author = "_pusher_" 184 | date = "2016-08" 185 | linker = "12.10" 186 | condition: 187 | pe.rich_signature.version(30102) and pe.rich_signature.version(30102) and pe.rich_signature.toolid(242) or 188 | pe.rich_signature.version(40116) and pe.rich_signature.toolid(240) and pe.rich_signature.toolid(237) 189 | 190 | } 191 | 192 | 193 | rule MSVC2015 194 | { 195 | meta: 196 | author = "_pusher_" 197 | date = "2016-08" 198 | linker = "14.00" 199 | condition: 200 | (pe.rich_signature.version(24123) or pe.rich_signature.version(23907) ) and pe.rich_signature.version(40116) and (pe.rich_signature.toolid(239) or pe.rich_signature.toolid(243) ) or 201 | pe.rich_signature.version(24123) and pe.rich_signature.version(30729) and pe.rich_signature.toolid(147) or 202 | pe.rich_signature.version(24123) and pe.rich_signature.toolid(255) and ((pe.linker_version.major == 14) and (pe.linker_version.minor == 0 )) 203 | 204 | } 205 | 206 | rule MSVB6 207 | { 208 | meta: 209 | author="_pusher_" 210 | date = "2016-08" 211 | linker = "6.00" 212 | condition: 213 | pe.rich_signature.version(8041) and pe.rich_signature.version(8169) and pe.rich_signature.toolid(9) or 214 | pe.rich_signature.version(8169) and pe.rich_signature.toolid(13) 215 | } 216 | --------------------------------------------------------------------------------