Sneed-Reactivity/yara-mikesxrs/nex/nex_index.yara


// Copyright (C) 2013 Claudio "nex" Guarnieri
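rule embedded_macho
{
    meta:
        author = "nex"
        description = "Contains an embedded Mach-O file"
    strings:
        // Mach-O header magics in both byte orders. The original rule only
        // knew the fat header and the 32-bit magics; the 64-bit ones
        // (MH_MAGIC_64 / MH_CIGAM_64) are added so x86-64/arm64 images are
        // not missed. 0xCAFEBABE is also the Java class-file magic, so a
        // hit on $magic1 alone is a weaker signal than the others.
        $magic1 = { ca fe ba be }   // FAT_MAGIC, universal binary header
        $magic2 = { ce fa ed fe }   // MH_MAGIC (32-bit), little-endian on disk
        $magic3 = { fe ed fa ce }   // MH_CIGAM (32-bit), big-endian on disk
        $magic4 = { cf fa ed fe }   // MH_MAGIC_64, little-endian on disk
        $magic5 = { fe ed fa cf }   // MH_CIGAM_64, big-endian on disk
    condition:
        // "Embedded" means a magic appears somewhere other than offset 0:
        // a file that is itself a Mach-O does not match.
        any of ($magic*) and not (for any of ($magic*) : ($ at 0))
}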
// Copyright (C) 2013 Claudio "nex" Guarnieri
rule embedded_pe
{
    meta:
        author = "nex"
        description = "Contains an embedded PE32 file"
    strings:
        // Text markers the author associates with a PE image. "This program"
        // is the start of the usual DOS-stub message. "PE32" does not
        // correspond to the on-disk PE signature ("PE\0\0"), so this is a
        // heuristic rather than a structural check.
        $a = "PE32"
        $b = "This program"
        // DOS header magic ("MZ"). If it sits at offset 0 the scanned file is
        // itself a PE, not a container carrying one.
        $mz = "MZ"
    condition:
        $a and $b and not ($mz at 0)
}
// Copyright (C) 2013 Claudio "nex" Guarnieri
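rule embedded_win_api
{
    meta:
        author = "nex"
        description = "A non-Windows executable contains win32 API functions names"
    strings:
        // DOS header magic: when it is at offset 0 the scanned file is a PE,
        // where these import names are expected, so the rule stays silent.
        $mz = { 4d 5a }
        // Win32 import names often seen in droppers/loaders. ASCII and case
        // sensitive, as in the original. Several are prefixes (ShellExecute,
        // GetTempPath, GetWindowsDirectory) and so cover the A/W variants.
        $api1 = "CreateFileA"
        $api2 = "GetProcAddress"
        $api3 = "LoadLibraryA"
        $api4 = "WinExec"
        $api5 = "GetSystemDirectoryA"
        $api6 = "WriteFile"
        $api7 = "ShellExecute"
        $api8 = "GetWindowsDirectory"
        $api9 = "URLDownloadToFile"
        $api10 = "IsBadReadPtr"
        $api11 = "IsBadWritePtr"
        $api12 = "SetFilePointer"
        $api13 = "GetTempPath"
        // "GetWindowsDirectory" was listed twice in the original ($api8 and
        // $api14); the duplicate added nothing under "any of" and is dropped.
    condition:
        // A single API name in a non-PE file is enough to fire, so plain text
        // (scripts, source or documentation mentioning these names) matches too.
        not ($mz at 0) and any of ($api*)
}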
// Copyright (C) 2013 Claudio "nex" Guarnieri
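rule vmdetect
{
    meta:
        author = "nex"
        description = "Possibly employs anti-virtualization techniques"
    strings:
        // Binary tricks
        $virtualpc = {0F 3F 07 0B}            // Virtual PC illegal-opcode backdoor instruction
        $ssexy = {66 0F 70 ?? ?? 66 0F DB ?? ?? ?? ?? ?? 66 0F DB ?? ?? ?? ?? ?? 66 0F EF}
        $vmcheckdll = {45 C7 00 01}
        $redpill = {0F 01 0D 00 00 00 00 C3}  // sidt [0]; ret
        // Random strings
        // VMware. "VMXh" is the magic used by the VMware I/O backdoor; the
        // original rule also carried the same four bytes as a hex string
        // ($vmware = {56 4D 58 68}), which was an exact duplicate and is dropped.
        $vmware1 = "VMXh"
        $vmware2 = "Ven_VMware_" nocase
        $vmware3 = "Prod_VMware_Virtual_" nocase
        $vmware4 = "hgfs.sys" nocase
        $vmware5 = "mhgfs.sys" nocase
        $vmware6 = "vmsrvc.sys" nocase        // NOTE(review): may belong to Virtual PC additions rather than VMware - confirm
        $vmware7 = "vmx86.sys" nocase
        $vmware8 = "vmnet.sys" nocase
        $vmware9 = "vmdebug" nocase
        $vmware10 = "vmmouse" nocase
        $vmware11 = "vmtools" nocase
        $vmware12 = "VMMEMCTL" nocase
        $vmware13 = "vmx86" nocase
        $vmware14 = "vmware" nocase           // very broad; also subsumes $vmware2/$vmware3
        // Parallels guest drivers (filed under $vmware* in the original)
        $parallels1 = "prleth.sys" nocase
        $parallels2 = "prlfs.sys" nocase
        $parallels3 = "prlmouse.sys" nocase
        $parallels4 = "prlvideo.sys" nocase
        $parallels5 = "prl_pv32.sys" nocase
        // Hyper-V integration services (filed under $vmware* in the original)
        $hyperv1 = "vmicheartbeat" nocase
        $hyperv2 = "vmicvss" nocase
        $hyperv3 = "vmicshutdown" nocase
        $hyperv4 = "vmicexchange" nocase
        // Virtual PC
        $virtualpc1 = "vpcbus" nocase
        $virtualpc2 = "vpc-s3" nocase
        $virtualpc3 = "vpcuhub" nocase
        $virtualpc4 = "msvmmouf" nocase
        $virtualpc5 = "vpc-s3.sys" nocase     // was $vmware11 in the original
        // Xen
        $xen1 = "xenevtchn" nocase
        $xen2 = "xennet" nocase
        $xen3 = "xennet6" nocase
        $xen4 = "xensvc" nocase
        $xen5 = "xenvdb" nocase
        $xen6 = "XenVMM" nocase
        // VirtualBox
        $virtualbox1 = "VBoxHook.dll" nocase
        $virtualbox2 = "VBoxService" nocase
        $virtualbox3 = "VBoxTray" nocase
        $virtualbox4 = "VBoxMouse" nocase
        $virtualbox5 = "VBoxGuest" nocase
        $virtualbox6 = "VBoxSF" nocase
        $virtualbox7 = "VBoxGuestAdditions" nocase
        $virtualbox8 = "VBOX HARDDISK" nocase
        // MAC addresses (OUI prefixes). The bare-digit forms ("000569",
        // "005056", "080027") match any run of digits containing them and are
        // the main false-positive source of this rule under "any of them".
        $vmware_mac_1a = "00-05-69"
        $vmware_mac_1b = "00:05:69"
        $vmware_mac_1c = "000569"
        $vmware_mac_2a = "00-50-56"
        $vmware_mac_2b = "00:50:56"
        $vmware_mac_2c = "005056"
        $vmware_mac_3a = "00-0C-29" nocase
        $vmware_mac_3b = "00:0C:29" nocase
        $vmware_mac_3c = "000C29" nocase
        $vmware_mac_4a = "00-1C-14" nocase
        $vmware_mac_4b = "00:1C:14" nocase
        $vmware_mac_4c = "001C14" nocase
        $virtualbox_mac_1a = "08-00-27"
        $virtualbox_mac_1b = "08:00:27"
        $virtualbox_mac_1c = "080027"
    condition:
        // One hit anywhere is enough; the set is the same as the original
        // minus the duplicated "VMXh" hex string, so matches are unchanged.
        any of them
}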
import "pe"
rule shellcode
{
    meta:
        author = "nex"
        description = "Matched shellcode byte patterns"
        modified = "Glenn Edwards (@hiddenillusion)"
    strings:
        // fs:[...] reads typical of position-independent code locating the
        // TEB/PEB (fs:[0x30] is the PEB pointer on 32-bit Windows).
        $s0 = { 64 8b 64 }        // mov esp, fs:[...]
        $s1 = { 64 a1 30 }        // mov eax, fs:[0x30]
        $s2 = { 64 8b 15 30 }     // mov edx, fs:[0x30]
        $s3 = { 64 8b 35 30 }     // mov esi, fs:[0x30]
        // Ordinary 32-bit function prologues (push ebp; mov ebp, esp; ...).
        // These also open plenty of benign entry points, so they are weak
        // on their own.
        $s4 = { 55 8b ec 83 c4 }  // ... add esp, imm8
        $s5 = { 55 8b ec 81 ec }  // ... sub esp, imm32
        $s6 = { 55 8b ec e8 }     // ... call rel32
        $s7 = { 55 8b ec e9 }     // ... jmp rel32
    condition:
        // Only a pattern sitting exactly at the PE entry point counts.
        // pe.entry_point is undefined for non-PE input, and YARA evaluates
        // an undefined value as false rather than raising an error.
        for any of them : ( $ at pe.entry_point )
}