rule executable_au3 : info executable windows
{
    // Flags binaries that carry both markers of a compiled AutoIt (AU3) script.
    // Both patterns must be present anywhere in the file; no offset is enforced.
    meta:
        author = "@h3x2b <tracker _AT h3x.eu>"
        description = "Match AU3 autoit executables"
    strings:
        // three-byte text marker (short atom: weak on its own, hence paired with $au3_guid)
        $au3_text = "AU3"
        // 16-byte binary marker associated with AutoIt compiled-script resources
        $au3_guid = { A3 48 4B BE 98 6C 4A A9 99 4C 53 0A 86 D6 48 7D }
    condition:
        $au3_text and $au3_guid
}
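rule executable_pe : info executable windows
{
    // Detects a PE image by walking the DOS header to the NT signature.
    // Improvement over the string-based form: the full 4-byte "PE\0\0" signature is
    // checked (not just "PE"), and no 2-byte string atom is needed, which avoids the
    // slow-pattern cost of a very short string. Any PE image matches (EXE, DLL, SYS);
    // IMAGE_FILE_HEADER.Characteristics is not inspected.
    meta:
        author = "@h3x2b <tracker _AT h3x.eu>"
        description = "Detect PE executables"
    condition:
        // "MZ" DOS magic at offset 0 (little-endian 0x5a4d)
        uint16(0) == 0x5a4d and
        // e_lfanew (offset 0x3c) must point inside the file; guards the dereference below
        uint32(0x3c) < filesize and
        // "PE\0\0" NT signature at e_lfanew (little-endian 0x00004550)
        uint32(uint32(0x3c)) == 0x00004550
}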
rule executable_elf32 : info executable linux
{
    // Matches the ELF magic "\x7fELF" at offset 0 followed by EI_CLASS == 1 (ELFCLASS32).
    // Only the identification bytes are checked; e_type (EXEC/DYN/REL) is not, so
    // shared objects and relocatable objects with a 32-bit class also match.
    meta:
        author = "@h3x2b <tracker _AT h3x.eu>"
        description = "Detect ELF 32 bit executable"
    strings:
        // 7F 'E' 'L' 'F' then EI_CLASS = 0x01
        $elf32_ident = { 7F 45 4C 46 01 }
    condition:
        $elf32_ident at 0
}
rule executable_elf64 : info executable linux
{
    // Matches the ELF magic "\x7fELF" at offset 0 followed by EI_CLASS == 2 (ELFCLASS64).
    // Only the identification bytes are checked; e_type (EXEC/DYN/REL) is not, so
    // shared objects and relocatable objects with a 64-bit class also match.
    meta:
        author = "@h3x2b <tracker _AT h3x.eu>"
        description = "Detect ELF 64 bit executable"
    strings:
        // 7F 'E' 'L' 'F' then EI_CLASS = 0x02
        $elf64_ident = { 7F 45 4C 46 02 }
    condition:
        $elf64_ident at 0
}