26 lines
No EOL
1 KiB
Text
26 lines
No EOL
1 KiB
Text
rule HeapLib
|
|
{
|
|
meta:
|
|
author = "adnan.shukor@gmail.com"
|
|
description = "Detection of HeapLib which commonly used in heap spray related exploit"
|
|
ref = "http://www.phreedom.org/research/heap-feng-shui/heap-feng-shui.html"
|
|
cve = "NA"
|
|
version = "1"
|
|
impact = 3
|
|
hide = false
|
|
strings:
|
|
$heaplib_1 = /\.ie\s?=\s?function\s?\(maxAlloc,/
|
|
$heaplib_2 = /\.ie\.prototype\.round\s?=\s?function\s?\(num,\s?round\)/
|
|
$heaplib_3 = /\.ie\.prototype\.hex\s?=\s?function\s?\(num,\s?width\)/
|
|
$heaplib_4 = /\.ie\.prototype\.addr\s?=\s?function\s?\(addr\)/
|
|
$heaplib_5 = /\.ie\.prototype\.allocOleaut32\s?=\s?function\s?\(arg,\s?tag\)/
|
|
$heaplib_6 = /\.ie\.prototype\.freeOleaut32/
|
|
|
|
$heaplib_7 = /\.maxAlloc\s?=\s?\(maxAlloc\s?\?\s?maxAlloc\s?:\s?65535\s?\)/
|
|
$heaplib_8 = "return unescape(\"%u\" + this.hex(addr & 0xFFFF, 4) + \"%u\" + this.hex((addr >> 16) & 0xFFFF, 4))"
|
|
$heaplib_9 = /\.(free|flush)Oleaut32\(/
|
|
$heaplib_10 = "return this.heapBase + 0x688 + ((size+8)/8)*48"
|
|
$heaplib_11 = /vtable\s?\+=\s?unescape\("%u0028%u0028"\)/
|
|
condition:
|
|
5 of them
|
|
} |