Sneed-Reactivity/yara-mikesxrs/EmersonElectricCo/misc_no_dosmode_header.yara

52 lines
2.3 KiB
Text
Raw Normal View History

// Source: http://yara.readthedocs.org/en/v3.4.0/writingrules.html#conditions
private rule ft_strict_exe
{
condition:
// MZ signature at offset 0 and ...
uint16(0) == 0x5A4D and
// ... PE signature at offset stored in MZ header at 0x3C
uint32(uint32(0x3C)) == 0x00004550
}
/*
Example target...
00000000 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 |MZ..............|
00000010 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 |........@.......|
00000020 20 20 20 20 00 00 00 00 00 00 00 00 00 00 00 00 | ............|
00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 |................|
00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000000a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000000b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000000c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000000d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000000e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000000f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000100 50 45 00 00 4c 01 03 00 bc 7c b1 47 00 00 00 00 |PE..L....|.G....|
00000110 00 00 00 00 e0 00 0f 01 0b 01 07 04 00 e0 00 00 |................|
*/
rule misc_no_dosmode_header : suspicious
{
meta:
author = "Jason Batchelor"
created = "2016-03-02"
modified = "2016-03-02"
university = "Carnegie Mellon University"
description = "Detect on absence of 'DOS Mode' heaader between MZ and PE boundries"
strings:
$dosmode = "This program cannot be run in DOS mode."
condition:
// (0 .. (uint32(0x3C))) = between end of MZ and start of PE headers
// 0x3C = e_lfanew = offset of PE header
ft_strict_exe and not $dosmode in (0x3C .. (uint32(0x3C)))
}