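// Module imports are conventionally placed at the top of a YARA source
// file; only the shellcode rule below depends on "pe".
import "pe"

// Copyright (C) 2013 Claudio "nex" Guarnieri
rule embedded_macho
{
    meta:
        author = "nex"
        description = "Contains an embedded Mach-O file"

    strings:
        // Fat/universal binary header (0xCAFEBABE). NOTE: this is also the
        // Java class-file magic, so JARs / .class files are a false-positive source.
        $magic1 = { ca fe ba be }
        // 32-bit MH_MAGIC (0xFEEDFACE), little-endian on disk / byte-swapped.
        $magic2 = { ce fa ed fe }
        $magic3 = { fe ed fa ce }
        // 64-bit MH_MAGIC_64 (0xFEEDFACF), little-endian on disk / byte-swapped.
        // Without these, x86-64 / arm64 Mach-O payloads were never matched.
        $magic4 = { cf fa ed fe }
        $magic5 = { fe ed fa cf }

    condition:
        // Any Mach-O magic somewhere in the file, but not as the file's own
        // header: a plain Mach-O binary is not an "embedded" one.
        any of ($magic*) and not (for any of ($magic*) : ( $ at 0 ))
}

// Copyright (C) 2013 Claudio "nex" Guarnieri
rule embedded_pe
{
    meta:
        author = "nex"
        description = "Contains an embedded PE32 file"

    strings:
        // Kept for compatibility; a real PE image carries the "PE\0\0"
        // NT-header signature, not the text "PE32".
        $a = "PE32"
        $pe_sig = { 50 45 00 00 }
        // Start of the DOS stub message ("This program cannot be run in DOS mode").
        $b = "This program"
        // "MZ" DOS header magic.
        $mz = { 4d 5a }

    condition:
        // DOS-stub text plus a PE marker, in a file that is not itself an MZ executable.
        $b and ($a or $pe_sig) and not ($mz at 0)
}

// Copyright (C) 2013 Claudio "nex" Guarnieri
rule embedded_win_api
{
    meta:
        author = "nex"
        description = "A non-Windows executable contains win32 API functions names"

    strings:
        $mz = { 4d 5a }
        // Plain (case-sensitive) substrings; names without an A/W suffix also
        // match the suffixed variants as a prefix.
        $api1 = "CreateFileA"
        $api2 = "GetProcAddress"
        $api3 = "LoadLibraryA"
        $api4 = "WinExec"
        $api5 = "GetSystemDirectoryA"
        $api6 = "WriteFile"
        $api7 = "ShellExecute"
        $api8 = "GetWindowsDirectory"
        $api9 = "URLDownloadToFile"
        $api10 = "IsBadReadPtr"
        $api11 = "IsBadWritePtr"
        $api12 = "SetFilePointer"
        $api13 = "GetTempPath"
        // The original $api14 duplicated $api8 ("GetWindowsDirectory") and was dropped.

    condition:
        // NOTE: "not MZ at 0" admits any non-PE input, including source code,
        // scripts and documentation that merely mention these API names.
        not ($mz at 0) and any of ($api*)
}

// Copyright (C) 2013 Claudio "nex" Guarnieri
rule vmdetect
{
    meta:
        author = "nex"
        description = "Possibly employs anti-virtualization techniques"

    strings:
        // Binary tricks
        // "VMXh" - magic value used with the VMware backdoor I/O port.
        $vmware = {56 4D 58 68}
        // Virtual PC illegal-opcode check.
        $virtualpc = {0F 3F 07 0B}
        $ssexy = {66 0F 70 ?? ?? 66 0F DB ?? ?? ?? ?? ?? 66 0F DB ?? ?? ?? ?? ?? 66 0F EF}
        // Only four bytes - expect incidental matches in unrelated code/data.
        $vmcheckdll = {45 C7 00 01}
        // sidt [0]; ret
        $redpill = {0F 01 0D 00 00 00 00 C3}

        // Random strings
        // The former $vmware1 = "VMXh" was byte-identical to $vmware above and was dropped.
        $vmware2 = "Ven_VMware_" nocase
        $vmware3 = "Prod_VMware_Virtual_" nocase
        $vmware4 = "hgfs.sys" nocase
        $vmware5 = "mhgfs.sys" nocase
        // prl*.sys are Parallels guest drivers despite the $vmware prefix.
        $vmware6 = "prleth.sys" nocase
        $vmware7 = "prlfs.sys" nocase
        $vmware8 = "prlmouse.sys" nocase
        $vmware9 = "prlvideo.sys" nocase
        $vmware10 = "prl_pv32.sys" nocase
        // Virtual PC driver, not VMware.
        $vmware11 = "vpc-s3.sys" nocase
        $vmware12 = "vmsrvc.sys" nocase
        $vmware13 = "vmx86.sys" nocase
        $vmware14 = "vmnet.sys" nocase
        // vmic* are Hyper-V integration services, not VMware.
        $vmware15 = "vmicheartbeat" nocase
        $vmware16 = "vmicvss" nocase
        $vmware17 = "vmicshutdown" nocase
        $vmware18 = "vmicexchange" nocase
        $vmware19 = "vmdebug" nocase
        $vmware20 = "vmmouse" nocase
        $vmware21 = "vmtools" nocase
        $vmware22 = "VMMEMCTL" nocase
        $vmware23 = "vmx86" nocase
        // Very broad: any mention of the vendor name fires this rule.
        $vmware24 = "vmware" nocase
        $virtualpc1 = "vpcbus" nocase
        $virtualpc2 = "vpc-s3" nocase
        $virtualpc3 = "vpcuhub" nocase
        $virtualpc4 = "msvmmouf" nocase
        $xen1 = "xenevtchn" nocase
        $xen2 = "xennet" nocase
        $xen3 = "xennet6" nocase
        $xen4 = "xensvc" nocase
        $xen5 = "xenvdb" nocase
        $xen6 = "XenVMM" nocase
        $virtualbox1 = "VBoxHook.dll" nocase
        $virtualbox2 = "VBoxService" nocase
        $virtualbox3 = "VBoxTray" nocase
        $virtualbox4 = "VBoxMouse" nocase
        $virtualbox5 = "VBoxGuest" nocase
        $virtualbox6 = "VBoxSF" nocase
        $virtualbox7 = "VBoxGuestAdditions" nocase
        $virtualbox8 = "VBOX HARDDISK" nocase

        // MAC addresses (OUI prefixes). The separator-less forms are bare
        // six-character hex/digit runs and will match unrelated numeric data.
        $vmware_mac_1a = "00-05-69"
        $vmware_mac_1b = "00:05:69"
        $vmware_mac_1c = "000569"
        $vmware_mac_2a = "00-50-56"
        $vmware_mac_2b = "00:50:56"
        $vmware_mac_2c = "005056"
        $vmware_mac_3a = "00-0C-29" nocase
        $vmware_mac_3b = "00:0C:29" nocase
        $vmware_mac_3c = "000C29" nocase
        $vmware_mac_4a = "00-1C-14" nocase
        $vmware_mac_4b = "00:1C:14" nocase
        $vmware_mac_4c = "001C14" nocase
        $virtualbox_mac_1a = "08-00-27"
        $virtualbox_mac_1b = "08:00:27"
        $virtualbox_mac_1c = "080027"

    condition:
        // A single hit on any indicator is enough; treat as a triage hint,
        // not a verdict, given the breadth of some strings above.
        any of them
}

// Copyright (C) 2013 Claudio "nex" Guarnieri
rule shellcode
{
    meta:
        author = "nex"
        description = "Matched shellcode byte patterns"
        modified = "Glenn Edwards (@hiddenillusion)"

    strings:
        // fs-segment memory reads (x86, 32-bit); $s1-$s3 are the leading bytes
        // of mov eax/edx/esi, fs:[0x30] (the PEB pointer in the TEB).
        $s0 = { 64 8b 64 }
        $s1 = { 64 a1 30 }
        $s2 = { 64 8b 15 30 }
        $s3 = { 64 8b 35 30 }
        // push ebp; mov ebp, esp followed by add esp / sub esp / call / jmp.
        // These are ordinary compiler prologues, so a benign PE whose entry
        // point starts this way also matches.
        $s4 = { 55 8b ec 83 c4 }
        $s5 = { 55 8b ec 81 ec }
        $s6 = { 55 8b ec e8 }
        $s7 = { 55 8b ec e9 }

    condition:
        // pe.entry_point is undefined for non-PE input, which makes the whole
        // condition false, so no explicit MZ/PE guard is needed here.
        for any of ($s*) : ( $ at pe.entry_point )
}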