// Copyright (C) 2013 Claudio "nex" Guarnieri
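rule embedded_macho
{
    meta:
        author = "nex"
        description = "Contains an embedded Mach-O file"

    strings:
        // Mach-O magic numbers as they appear on disk.  The fat and 32-bit
        // magics are the original set; MH_MAGIC_64 (0xfeedfacf) in both byte
        // orders was added so that a 64-bit image embedded in another file is
        // caught as well.
        $magic1 = { ca fe ba be }   // FAT_MAGIC (universal binary)
        $magic2 = { ce fa ed fe }   // MH_MAGIC, little-endian on disk
        $magic3 = { fe ed fa ce }   // MH_MAGIC, big-endian on disk
        $magic4 = { cf fa ed fe }   // MH_MAGIC_64, little-endian on disk
        $magic5 = { fe ed fa cf }   // MH_MAGIC_64, big-endian on disk

    condition:
        // A magic anywhere, but none at offset 0: a header at offset 0 means
        // the file *is* a Mach-O rather than carrying one.  ca fe ba be is
        // also the Java class-file magic, so a hit on $magic1 alone can be a
        // .class file and deserves a second look before being acted on.
        any of ($magic*)
            and not ($magic1 at 0)
            and not ($magic2 at 0)
            and not ($magic3 at 0)
            and not ($magic4 at 0)
            and not ($magic5 at 0)
}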
// Copyright (C) 2013 Claudio "nex" Guarnieri
rule embedded_pe
{
    meta:
        author = "nex"
        description = "Contains an embedded PE32 file"

    strings:
        // Literal ASCII "PE32" -- not the "PE\0\0" NT signature.  An embedded
        // PE need not contain this text; confirm it matches the artefact the
        // rule is meant to catch before relying on it.
        $pe32_text = "PE32"
        // Leading words of the usual DOS-stub message.
        $dos_stub_text = "This program"
        // "MZ" DOS header magic.
        $mz = { 4d 5a }

    condition:
        // Both text markers present while the file itself does not start
        // with an MZ header (otherwise it is simply a PE, not a carrier).
        $pe32_text and $dos_stub_text and not ($mz at 0)
}
// Copyright (C) 2013 Claudio "nex" Guarnieri
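rule embedded_win_api
{
    meta:
        author = "nex"
        description = "A non-Windows executable contains win32 API functions names"

    strings:
        // "MZ" DOS header magic, used only to exclude files that are
        // themselves Windows executables.
        $mz = { 4d 5a }

        // Win32 import names.  Several are deliberate prefixes
        // ("GetWindowsDirectory", "ShellExecute", "GetTempPath") so that the
        // A and W variants both match.  The original list carried
        // "GetWindowsDirectory" twice ($api8 and $api14); the duplicate was
        // dropped, which does not change what the rule matches.
        $api1  = "CreateFileA"
        $api2  = "GetProcAddress"
        $api3  = "LoadLibraryA"
        $api4  = "WinExec"
        $api5  = "GetSystemDirectoryA"
        $api6  = "WriteFile"
        $api7  = "ShellExecute"
        $api8  = "GetWindowsDirectory"
        $api9  = "URLDownloadToFile"
        $api10 = "IsBadReadPtr"
        $api11 = "IsBadWritePtr"
        $api12 = "SetFilePointer"
        $api13 = "GetTempPath"

    condition:
        // Any one API name in a file that does not begin with an MZ header.
        // A single common name such as "WriteFile" is a weak signal on its
        // own; treat hits as a prompt for inspection rather than a verdict.
        not ($mz at 0) and any of ($api*)
}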
// Copyright (C) 2013 Claudio "nex" Guarnieri
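rule vmdetect
{
    meta:
        author = "nex"
        description = "Possibly employs anti-virtualization techniques"

    strings:
        // Binary tricks
        $vmware_magic = {56 4D 58 68}   // "VMXh", the VMware backdoor magic value
        $virtualpc = {0F 3F 07 0B}      // Virtual PC guest/host trap instruction
        $ssexy = {66 0F 70 ?? ?? 66 0F DB ?? ?? ?? ?? ?? 66 0F DB ?? ?? ?? ?? ?? 66 0F EF}
        $vmcheckdll = {45 C7 00 01}
        $redpill = {0F 01 0D 00 00 00 00 C3}   // sidt [0]; ret

        // Driver, service and device names, grouped by product.  The original
        // list filed the Parallels (prl*), Virtual PC (vpc-s3/vmsrvc) and
        // Hyper-V (vmic*) names under $vmware*; they are renamed here so the
        // matched-string output names the right product.  The text string
        // "VMXh" was dropped because it is byte-identical to $vmware_magic.
        $vmware1 = "Ven_VMware_" nocase
        $vmware2 = "Prod_VMware_Virtual_" nocase
        $vmware3 = "hgfs.sys" nocase
        $vmware4 = "mhgfs.sys" nocase
        $vmware5 = "vmx86.sys" nocase
        $vmware6 = "vmnet.sys" nocase
        $vmware7 = "vmdebug" nocase
        $vmware8 = "vmmouse" nocase
        $vmware9 = "vmtools" nocase
        $vmware10 = "VMMEMCTL" nocase
        $vmware11 = "vmx86" nocase
        // NOTE(review): "vmware" and "vmtools" also occur in legitimate
        // VMware software and in anything that merely mentions the vendor,
        // so a hit on these alone is a weak indicator.
        $vmware12 = "vmware" nocase

        $parallels1 = "prleth.sys" nocase
        $parallels2 = "prlfs.sys" nocase
        $parallels3 = "prlmouse.sys" nocase
        $parallels4 = "prlvideo.sys" nocase
        $parallels5 = "prl_pv32.sys" nocase

        $virtualpc1 = "vpc-s3.sys" nocase
        $virtualpc2 = "vmsrvc.sys" nocase
        $virtualpc3 = "vpcbus" nocase
        $virtualpc4 = "vpc-s3" nocase
        $virtualpc5 = "vpcuhub" nocase
        $virtualpc6 = "msvmmouf" nocase

        $hyperv1 = "vmicheartbeat" nocase
        $hyperv2 = "vmicvss" nocase
        $hyperv3 = "vmicshutdown" nocase
        $hyperv4 = "vmicexchange" nocase

        $xen1 = "xenevtchn" nocase
        $xen2 = "xennet" nocase
        $xen3 = "xennet6" nocase
        $xen4 = "xensvc" nocase
        $xen5 = "xenvdb" nocase
        $xen6 = "XenVMM" nocase

        $virtualbox1 = "VBoxHook.dll" nocase
        $virtualbox2 = "VBoxService" nocase
        $virtualbox3 = "VBoxTray" nocase
        $virtualbox4 = "VBoxMouse" nocase
        $virtualbox5 = "VBoxGuest" nocase
        $virtualbox6 = "VBoxSF" nocase
        $virtualbox7 = "VBoxGuestAdditions" nocase
        $virtualbox8 = "VBOX HARDDISK" nocase

        // MAC addresses (OUI prefixes in dashed, colon and bare-hex form).
        // The bare six-hex-digit forms are short plain strings and can occur
        // in unrelated data; weigh them accordingly.
        $vmware_mac_1a = "00-05-69"
        $vmware_mac_1b = "00:05:69"
        $vmware_mac_1c = "000569"
        $vmware_mac_2a = "00-50-56"
        $vmware_mac_2b = "00:50:56"
        $vmware_mac_2c = "005056"
        $vmware_mac_3a = "00-0C-29" nocase
        $vmware_mac_3b = "00:0C:29" nocase
        $vmware_mac_3c = "000C29" nocase
        $vmware_mac_4a = "00-1C-14" nocase
        $vmware_mac_4b = "00:1C:14" nocase
        $vmware_mac_4c = "001C14" nocase
        $virtualbox_mac_1a = "08-00-27"
        $virtualbox_mac_1b = "08:00:27"
        $virtualbox_mac_1c = "080027"

    condition:
        // A single hit from any family is enough; see the notes above on the
        // weaker strings when triaging matches.
        any of them
}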
import "pe"
rule shellcode
{
    meta:
        author = "nex"
        description = "Matched shellcode byte patterns"
        modified = "Glenn Edwards (@hiddenillusion)"

    strings:
        // fs-segment memory reads (64 = fs: prefix, 8b/a1 = mov); the 0x30
        // displacement in $s1-$s3 is consistent with a fs:[0x30] PEB lookup.
        $s0 = { 64 8b 64 }
        $s1 = { 64 a1 30 }
        $s2 = { 64 8b 15 30 }
        $s3 = { 64 8b 35 30 }
        // push ebp; mov ebp, esp followed by add esp/sub esp/call/jmp.  These
        // are ordinary compiler prologues, so a legitimate PE whose entry
        // point starts this way can match -- treat $s4-$s7 as weak evidence.
        $s4 = { 55 8b ec 83 c4 }
        $s5 = { 55 8b ec 81 ec }
        $s6 = { 55 8b ec e8 }
        $s7 = { 55 8b ec e9 }

    condition:
        // Requires the "pe" module: pe.entry_point is undefined for non-PE
        // input and the expression then evaluates false, so despite the rule
        // name this never fires on a bare shellcode blob, only on PE files
        // whose entry point begins with one of the patterns.
        for any of ($s*) : ($ at pe.entry_point)
}