imports/ImHex-Patterns
1
0
Fork 0
mirror of https://github.com/WerWolv/ImHex-Patterns.git synced 2026-03-27 23:37:04 -05:00
Code Issues Packages Projects Releases Wiki Activity

yara: Added crypto identification rules

Browse Source
This commit is contained in:
Nik
2025-05-24 23:56:56 +02:00
committed by GitHub
parent 877895741d
commit 2070c95f58
1 changed files with 269 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

269
yara/advanced_analysis/cryptography.yar Normal file
View File

@@ -0,0 +1,269 @@
rule HashMD5 {
meta:
category = "Hash Algorithms"
name = "MD5"
strings:
/* MD5("") */
$md5_magic = { d4 1d 8c d9 8f 00 b2 04 e9 80 09 98 ec f8 42 7e }
condition:
any of them
}
rule HashSHA1 {
meta:
category = "Hash Algorithms"
name = "SHA1"
strings:
/* SHA-1("") */
$sha1_example = { da 39 a3 ee 5e 6b 4b 0d 32 55 bf ef 95 60 18 90 af d8 07 09 }
condition:
any of them
}
rule HashSHA224 {
meta:
category = "Hash Algorithms"
name = "SHA224"
strings:
/* SHA-224("") */
$sha224_empty = { d1 4a 02 8c 2a 3a 2b c9 47 61 02 bb 28 82 34 c4
15 a2 b0 1f 82 8e a6 2a c5 b3 e4 2f }
condition:
any of them
}
rule HashSHA256 {
meta:
category = "Hash Algorithms"
name = "SHA256"
strings:
/* SHA-256("") */
$sha256_empty = { e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24
27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 }
condition:
any of them
}
rule HashSHA384 {
meta:
category = "Hash Algorithms"
name = "SHA384"
strings:
/* SHA-384("") */
$sha384_empty = { 38 b0 60 a7 51 ac 96 38 4c d9 32 7e b1 b1 e3 6a
21 fd b7 11 14 be 07 43 4c 0c c7 bf 63 f6 e1 da
27 4e de bf e7 6f 65 fb d5 1a d2 f1 48 98 b9 5b }
condition:
any of them
}
rule HashSHA512 {
meta:
category = "Hash Algorithms"
name = "SHA512"
strings:
/* SHA-512("") */
$sha512_empty = { cf 83 e1 35 7e ef b8 bd f1 54 28 50 d6 6d 80 07
d6 20 e4 05 0b 57 15 dc 83 f4 a9 21 d3 6c e9 ce
47 d0 d1 3c 5d 85 f2 b0 ff 83 18 d2 87 7e ec 2f
63 b9 31 bd 47 41 7a 81 a5 38 32 7a f9 27 da 3e }
condition:
any of them
}
rule HashRIPEMD160 {
meta:
category = "Hash Algorithms"
name = "RIPEMD160"
strings:
/* RIPEMD-160("") */
$ripemd160_empty = { 9c 11 85 a5 c5 e9 fc 54 61 28 08 97 7e e8 f5 48 b2 25 8d 31 }
condition:
any of them
}
rule CryptoAES {
meta:
category = "Cryptographic Algorithms"
name = "AES"
strings:
/* First 16 bytes of the AES S-box */
$aes_sbox = { 63 7c 77 7b f2 6b 6f c5 30 01 67 2b fe d7 ab 76 }
condition:
any of them
}
rule CryptoDES {
meta:
category = "Cryptographic Algorithms"
name = "DES"
strings:
/* DES S-box 1 (first 16 entries) */
$des_sbox1 = { 0e 04 0d 01 02 0f 0b 08 03 0a 06 0c 05 09 00 07 }
condition:
any of them
}
rule Crypto3DES {
meta:
category = "Cryptographic Algorithms"
name = "3DES"
strings:
/* Pattern: two consecutive DES S-box 1 sequences often appear in 3-DES code */
$tdes_pattern = { 0e 04 0d 01 02 0f 0b 08 03 0a 06 0c 05 09 00 07 0e 04 0d 01 }
condition:
any of them
}
rule CryptoBlowfish {
meta:
category = "Cryptographic Algorithms"
name = "Blowfish"
strings:
/* Start of Blowfish P-array (Pi digits) */
$blowfish_parray = { 24 3f 6a 88 85 a3 08 d3 13 19 8a 2e 03 70 73 44 }
condition:
any of them
}
rule CryptoRC4 {
meta:
category = "Cryptographic Algorithms"
name = "RC4"
strings:
/* RC4 state array after KSA init with zero-length key */
$rc4_init = { 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f }
condition:
any of them
}
rule CryptoRSA {
meta:
category = "Cryptographic Algorithms"
name = "RSA"
strings:
/* ASN.1 OID 1.2.840.113549.1.1.1 (rsaCryptographic) */
$rsa_oid = { 06 09 2a 86 48 86 f7 0d 01 01 01 }
condition:
any of them
}
rule CryptoECDSA_P256 {
meta:
category = "Cryptographic Algorithms"
name = "ECDSA-P256"
strings:
/* ASN.1 OID 1.2.840.10045.3.1.7 (secp256r1) */
$ecdsa_p256_oid = { 06 08 2a 86 48 ce 3d 03 01 07 }
condition:
any of them
}
rule CryptoEd25519 {
meta:
category = "Cryptographic Algorithms"
name = "Ed25519"
strings:
/* ASN.1 OID 1.3.101.112 (Ed25519) */
$ed25519_oid = { 06 03 2b 65 70 }
condition:
any of them
}
rule CryptoChaCha20Poly1305 {
meta:
category = "Cryptographic Algorithms"
name = "ChaCha20-Poly1305"
strings:
/* ASCII "expand 32-byte k" ChaCha20 constant */
$chacha_sigma = "expand 32-byte k" ascii wide
$chacha_sigma_hex = { 65 78 70 61 6e 64 20 33 32 2d 62 79 74 65 20 6b }
condition:
any of them
}
rule CRC32 {
meta:
category = "CRC"
name = "CRC32"
strings:
/* First 16 entries of standard CRC32 IEEE 802.3 polynomial table (0xEDB88320) */
$crc32_table = {
00 00 00 00 77 07 30 96 ee 0e 61 2c 99 09 51 ba
07 1c c2 5d 70 1b f2 cb e9 12 a3 71 9e 15 93 e7
}
/* Little-endian and big-endian representations of 0xEDB88320 */
$crc32_poly_le = { 20 83 b8 ed }
$crc32_poly_be = { ed b8 83 20 }
condition:
any of them
}
rule CRC16CCITT {
meta:
category = "CRC"
name = "CRC16-CCITT"
strings:
/* First 16 entries of CRC16-CCITT table (poly 0x1021) */
$crc16_table = {
00 00 10 21 20 42 30 63 40 84 50 a5 60 c6 70 e7
81 08 91 29 a1 4a b1 6b c1 8c d1 ad e1 ce f1 ef
}
$crc16_poly_le = { 21 10 }
$crc16_poly_be = { 10 21 }
condition:
any of them
}
rule CRC8 {
meta:
category = "CRC"
name = "CRC8"
strings:
/* First 16 entries of CRC8 table (poly 0x07, standard) */
$crc8_table = {
00 07 0e 09 1c 1b 12 15 38 3f 36 31 24 23 2a 2d
}
condition:
any of them
}