Sneed-Reactivity/yara-mikesxrs/h3x2b/injection.yara

import "pe"

//Detect capabilities needed for the DLL injection
// ProcessA -> OpenProcess(); -> ProcessB
// ProcessA -> VirtualAlloc(); -> ProcessB
// ProcessA -> WriteProcessMemory(); -> ProcessB
// LoadLibraryExA()
// Get..Offset()
// CreateRemoteThread();
// NtCreateThreadEx();
// RtlCreateUserThread;


rule dll_injection_thread : feature dll injection windows
{
meta:
	description = "Injection using kernel32.dll:VirtualAllocEx"

strings:
	$load_01 = "LoadLibraryA"

	$remote_01 = "NtCreateThreadEx"

condition:
	// MZ at the beginning of file
        uint16(0) == 0x5a4d and

	// Access other process
	//(
	//	pe.imports("kernel32.dll","OpenProcess")
	//) and

	// Allocate memory in remote process
	(
		pe.imports("kernel32.dll","VirtualAllocEx")
	)and

	// Write code section to the remote process
	(
		pe.imports("kernel32.dll","WriteProcessMemory") or
		pe.imports("kernel32.dll","LoadLibraryExA") or
		pe.imports("kernel32.dll","LoadLibraryExW") or
		(
			pe.imports("kernel32.dll","GetProcAddress") and
			( pe.imports("kernel32.dll","GetModuleHandleA") or pe.imports("kernel32.dll","GetModuleHandleA") ) and
			$load_01
		)
	) and

	//Execute
	(
		pe.imports("kernel32.dll","CreateRemoteThread") or
		pe.imports("ntdll.dll","NtCreateThreadEx") or
		(
			pe.imports("kernel32.dll","GetProcAddress") and
			( pe.imports("kernel32.dll","GetModuleHandleA") or pe.imports("kernel32.dll","GetModuleHandleA") ) and
			$remote_01
		)
	)

}


rule dll_injection_hook : feature dll injection windows
{
meta:
	description = "Injection using User32.dll:VirtualAllocEx"


condition:
	// MZ at the beginning of file
        uint16(0) == 0x5a4d and

	(
		pe.imports("user32.dll","SetWindowsHookExA") or
		pe.imports("user32.dll","SetWindowsHookExW")
	)
}
OMG ISTG PLS WORK RED PILL :red_circle: :pill: 2024-07-25 12:43:35 -05:00			`import "pe"`

			`//Detect capabilities needed for the DLL injection`
			`// ProcessA -> OpenProcess(); -> ProcessB`
			`// ProcessA -> VirtualAlloc(); -> ProcessB`
			`// ProcessA -> WriteProcessMemory(); -> ProcessB`
			`// LoadLibraryExA()`
			`// Get..Offset()`
			`// CreateRemoteThread();`
			`// NtCreateThreadEx();`
			`// RtlCreateUserThread;`


			`rule dll_injection_thread : feature dll injection windows`
			`{`
			`meta:`
			`description = "Injection using kernel32.dll:VirtualAllocEx"`

			`strings:`
			`$load_01 = "LoadLibraryA"`

			`$remote_01 = "NtCreateThreadEx"`

			`condition:`
			`// MZ at the beginning of file`
			`uint16(0) == 0x5a4d and`

			`// Access other process`
			`//(`
			`// pe.imports("kernel32.dll","OpenProcess")`
			`//) and`

			`// Allocate memory in remote process`
			`(`
			`pe.imports("kernel32.dll","VirtualAllocEx")`
			`)and`

			`// Write code section to the remote process`
			`(`
			`pe.imports("kernel32.dll","WriteProcessMemory") or`
			`pe.imports("kernel32.dll","LoadLibraryExA") or`
			`pe.imports("kernel32.dll","LoadLibraryExW") or`
			`(`
			`pe.imports("kernel32.dll","GetProcAddress") and`
			`( pe.imports("kernel32.dll","GetModuleHandleA") or pe.imports("kernel32.dll","GetModuleHandleA") ) and`
			`$load_01`
			`)`
			`) and`

			`//Execute`
			`(`
			`pe.imports("kernel32.dll","CreateRemoteThread") or`
			`pe.imports("ntdll.dll","NtCreateThreadEx") or`
			`(`
			`pe.imports("kernel32.dll","GetProcAddress") and`
			`( pe.imports("kernel32.dll","GetModuleHandleA") or pe.imports("kernel32.dll","GetModuleHandleA") ) and`
			`$remote_01`
			`)`
			`)`

			`}`


			`rule dll_injection_hook : feature dll injection windows`
			`{`
			`meta:`
			`description = "Injection using User32.dll:VirtualAllocEx"`


			`condition:`
			`// MZ at the beginning of file`
			`uint16(0) == 0x5a4d and`

			`(`
			`pe.imports("user32.dll","SetWindowsHookExA") or`
			`pe.imports("user32.dll","SetWindowsHookExW")`
			`)`
			`}`