29 lines
1 KiB
Text
29 lines
1 KiB
Text
|
/*
|
||
|
|
Version 0.0.3 2015/02/15
|
||
|
|
Source code put in public domain by Didier Stevens, no Copyright
|
||
|
|
https://DidierStevens.com
|
||
|
|
Use at your own risk
|
||
|
|
|
||
|
|
Shortcomings, or todo's ;-) :
|
||
|
|
Constant 0x06 in the condition is the minimum length of the string matched by regex $b.
|
||
|
|
Ideally, this should be an expression and not a constant, for example len($d).
|
||
|
|
|
||
|
|
History:
|
||
|
|
2014/12/23: start
|
||
|
|
2015/01/01: continued
|
||
|
|
2015/01/11: changed regex to \W
|
||
|
|
2015/02/15: replaced regex \W with \b (available in YARA 3.3.0)
|
||
|
|
*/
|
||
|
|
|
||
|
|
rule JPEG_EXIF_Contains_eval
|
||
|
|
{
|
||
|
|
meta:
|
||
|
|
author = "Didier Stevens (https://DidierStevens.com)"
|
||
|
|
description = "Detect eval function inside JPG EXIF header (http://blog.sucuri.net/2013/07/malware-hidden-inside-jpg-exif-headers.html)"
|
||
|
|
method = "Detect JPEG file and EXIF header ($a) and eval function ($b) inside EXIF data"
|
||
|
|
strings:
|
||
|
|
$a = {FF E1 ?? ?? 45 78 69 66 00}
|
||
|
|
$b = /\beval\s*\(/
|
||
|
|
condition:
|
||
|
|
uint16be(0x00) == 0xFFD8 and $a and $b in (@a + 0x12 .. @a + 0x02 + uint16be(@a + 0x02) - 0x06)
|
||
|
|
}
|