58 lines
1.1 KiB
Text
58 lines
1.1 KiB
Text
|
rule executable_au3 : info executable windows
|
||
|
{
|
||
|
meta:
|
||
|
author = "@h3x2b <tracker _AT h3x.eu>"
|
||
|
description = "Match AU3 autoit executables"
|
||
|
|
||
|
strings:
|
||
|
$str_au3_01 = "AU3"
|
||
|
$str_au3_02 = { A3 48 4B BE 98 6C 4A A9 99 4C 53 0A 86 D6 48 7D }
|
||
|
|
||
|
condition:
|
||
|
all of them
|
||
|
}
|
||
|
|
||
|
|
||
|
rule executable_pe : info executable windows
|
||
|
{
|
||
|
meta:
|
||
|
author = "@h3x2b <tracker _AT h3x.eu>"
|
||
|
description = "Detect PE executables"
|
||
|
|
||
|
strings:
|
||
|
$pe = "PE"
|
||
|
|
||
|
condition:
|
||
|
//MZ on the beginning of file
|
||
|
uint16(0) == 0x5a4d and
|
||
|
//PE at offset given by 0x3c
|
||
|
($pe at (uint32(0x3c)))
|
||
|
}
|
||
|
|
||
|
|
||
|
|
||
|
rule executable_elf32 : info executable linux
|
||
|
{
|
||
|
meta:
|
||
|
author = "@h3x2b <tracker _AT h3x.eu>"
|
||
|
description = "Detect ELF 32 bit executable"
|
||
|
|
||
|
condition:
|
||
|
//ELF magic
|
||
|
uint32(0) == 0x464c457f and
|
||
|
uint8(4) == 0x01
|
||
|
}
|
||
|
|
||
|
|
||
|
rule executable_elf64 : info executable linux
|
||
|
{
|
||
|
meta:
|
||
|
author = "@h3x2b <tracker _AT h3x.eu>"
|
||
|
description = "Detect ELF 64 bit executable"
|
||
|
|
||
|
condition:
|
||
|
//ELF magic
|
||
|
uint32(0) == 0x464c457f and
|
||
|
uint8(4) == 0x02
|
||
|
}
|