29 lines
No EOL
747 B
Text
29 lines
No EOL
747 B
Text
// Copyright (C) 2013 Claudio "nex" Guarnieri
|
|
|
|
|
|
rule embedded_win_api
|
|
{
|
|
meta:
|
|
author = "nex"
|
|
description = "A non-Windows executable contains win32 API functions names"
|
|
|
|
strings:
|
|
$mz = { 4d 5a }
|
|
$api1 = "CreateFileA"
|
|
$api2 = "GetProcAddress"
|
|
$api3 = "LoadLibraryA"
|
|
$api4 = "WinExec"
|
|
$api5 = "GetSystemDirectoryA"
|
|
$api6 = "WriteFile"
|
|
$api7 = "ShellExecute"
|
|
$api8 = "GetWindowsDirectory"
|
|
$api9 = "URLDownloadToFile"
|
|
$api10 = "IsBadReadPtr"
|
|
$api11 = "IsBadWritePtr"
|
|
$api12 = "SetFilePointer"
|
|
$api13 = "GetTempPath"
|
|
$api14 = "GetWindowsDirectory"
|
|
condition:
|
|
not ($mz at 0) and any of ($api*)
|
|
}
|
|
|