From 3f44a743e8fa892a295863f04b6293ad9010734e Mon Sep 17 00:00:00 2001
From: WerWolv
Date: Sun, 25 Feb 2024 11:29:59 +0100
Subject: [PATCH] yara: Added advanced analysis rules
---
 yara/advanced_analysis/compiler.yar | 40 +++++++++++++++++
 yara/advanced_analysis/environment.yar | 36 +++++++++++++++
 yara/advanced_analysis/language.yar | 61 ++++++++++++++++++++++++++
 3 files changed, 137 insertions(+)
 create mode 100644 yara/advanced_analysis/compiler.yar
 create mode 100644 yara/advanced_analysis/environment.yar
 create mode 100644 yara/advanced_analysis/language.yar
diff --git a/yara/advanced_analysis/compiler.yar b/yara/advanced_analysis/compiler.yar
new file mode 100644
index 0000000..e1894d5
--- /dev/null
+++ b/yara/advanced_analysis/compiler.yar
@@ -0,0 +1,40 @@
+rule CompilerMSVC {
+ meta:
+ category = "Compiler"
+ name = "MSVC"
+
+ strings:
+ $iostreams_mangled_name = "$basic_iostream@DU" ascii
+ $std_namespace = "@@std@@" ascii
+
+ condition:
+ any of them
+}
+
+rule CompilerGCC {
+ meta:
+ category = "Compiler"
+ name = "GCC"
+
+ strings:
+ $iostreams_mangled_name = "_ZSt4cout" ascii
+ $std_namespace = "_ZSt" ascii
+ $gcc_version = "GCC: (GNU) " ascii
+
+ condition:
+ 2 of them
+}
+
+rule CompilerClang {
+ meta:
+ category = "Compiler"
+ name = "Clang"
+
+ strings:
+ $iostreams_mangled_name = "_ZSt4cout" ascii
+ $std_namespace = "_ZSt" ascii
+ $clang_version = "clang version " ascii
+
+ condition:
+ 2 of them
+}
\ No newline at end of file
diff --git a/yara/advanced_analysis/environment.yar b/yara/advanced_analysis/environment.yar
new file mode 100644
index 0000000..799b189
--- /dev/null
+++ b/yara/advanced_analysis/environment.yar
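Review bot: In CompilerGCC and CompilerClang the condition `2 of them` is already satisfied by the mangled-name strings alone, and because `_ZSt` is a substring of `_ZSt4cout` a single `_ZSt4cout` occurrence counts as both, so any Itanium-ABI C++ binary that references std::cout fires both rules no matter which compiler built it. Only `$gcc_version` and `$clang_version` discriminate between the two; the conditions should be anchored on those, e.g. `condition: $gcc_version` for GCC and `condition: $clang_version` for Clang, with the mangled-name strings kept at most as supporting evidence (`$gcc_version and 1 of ($iostreams_mangled_name, $std_namespace)` if a C++ hint is wanted). Note the converse too: a C-only build that carries just the `GCC: (GNU) ` comment string and no `_ZSt` symbols has only one matching string and never reaches `2 of them`, so CompilerGCC as written would not fire on it.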
@@ -0,0 +1,36 @@
+rule EnvironmentMingw {
+ meta:
+ category = "Environment"
+ name = "MinGW"
+
+ strings:
+ $mingw_runtime = "Mingw runtime failure" ascii
+ $mingw64_runtime = "Mingw-w64 runtime failure:" ascii fullword
+ $msys2 = "Built by MSYS2 project" ascii
+
+ condition:
+ 2 of them
+}
+
+rule EnvironmentWin32 {
+ meta:
+ category = "Environment"
+ name = "Win32"
+
+ strings:
+ $kernel32 = "KERNEL32.dll" ascii
+ $user32 = "USER32.dll" ascii
+ $advapi32 = "ADVAPI32.dll" ascii
+ $ole32 = "OLE32.dll" ascii
+ $oleaut32 = "OLEAUT32.dll" ascii
+ $shell32 = "SHELL32.dll" ascii
+ $shlwapi = "SHLWAPI.dll" ascii
+ $comctl32 = "COMCTL32.dll" ascii
+ $comdlg32 = "COMDLG32.dll" ascii
+ $gdi32 = "GDI32.dll" ascii
+ $imm32 = "IMM32.dll" ascii
+ $msvcrt = "MSVCRT.dll" ascii
+
+ condition:
+ 4 of them
+}
\ No newline at end of file
diff --git a/yara/advanced_analysis/language.yar b/yara/advanced_analysis/language.yar
new file mode 100644
index 0000000..0fbc037
--- /dev/null
+++ b/yara/advanced_analysis/language.yar
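Review bot: The DLL-name strings in EnvironmentWin32 are case-sensitive `ascii` matches, but the casing of import-table DLL names is whatever the linker wrote and can differ between toolchains (`KERNEL32.dll` versus `kernel32.dll`), so a binary whose import names are lowercased misses all twelve strings and never reaches `4 of them`; adding `nocase` to each string, e.g. `$kernel32 = "KERNEL32.dll" ascii nocase`, closes that gap without changing what the rule is looking for. In EnvironmentMingw, `$mingw_runtime` and `$mingw64_runtime` appear to be two wordings of the same runtime error message, so a given binary will presumably carry one of them rather than both, which makes `2 of them` depend on the MSYS2 build banner also being present; if that is the intent it deserves a comment in the rule, otherwise `condition: 1 of ($mingw*)` is the looser form.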
@@ -0,0 +1,61 @@
+rule LanguageCpp {
+ meta:
+ category = "Programming Language"
+ name = "C++"
+
+ strings:
+ $exception_windows = "_CxxThrowException" ascii fullword
+ $iostreams = "iostream" ascii
+
+ condition:
+ any of them
+}
+
+rule LanguageC {
+ meta:
+ category = "Programming Language"
+ name = "C++"
+
+ strings:
+ $printf = "printf" ascii
+ $scanf = "scanf" ascii
+ $malloc = "malloc" ascii
+ $calloc = "calloc" ascii
+ $realloc = "realloc" ascii
+ $free = "free" ascii
+
+ condition:
+ any of them and not LanguageCpp
+}
+
+rule LanguageRust {
+ meta:
+ category = "Programming Language"
+ name = "Rust"
+
+ strings:
+ $option_unwrap = "called `Option::unwrap()` on a `None`" ascii
+ $result_unwrap = "called `Result::unwrap()` on an `Err`" ascii
+ $panic_1 = "panicked at" ascii
+ $panic_2 = "thread '' panicked at" ascii
+ $panic_3 = "thread panicked while processing panic. aborting." ascii
+ $panicking_file = "panicking.rs" ascii fullword
+
+ condition:
+ any of them
+}
+
+rule LanguageGo {
+ meta:
+ category = "Programming Language"
+ name = "Go"
+
+ strings:
+ $max_procs = "runtime.GOMAXPROCS" ascii fullword
+ $panic = "runtime.gopanic" ascii fullword
+ $go_root = "runtime.GOROOT" ascii fullword
+
+ condition:
+ any of them
+
+}
\ No newline at end of file
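Review bot: LanguageC carries `name = "C++"` in its meta block, evidently copied from LanguageCpp, so any consumer that reads `meta.name` to label a sample will report a C binary as C++; it should read `name = "C"`. The C strings are also very short unanchored substrings — `$free = "free"` matches inside any word such as "freedom" and `$printf` matches inside `fprintf` — so `any of them` will fire on most binaries and on plain text, while the `not LanguageCpp` clause only suppresses it when C++ markers happen to be present; adding `fullword` to each string, e.g. `$free = "free" ascii fullword`, restricts hits to the bare symbol names. In LanguageRust, `$panic_1 = "panicked at"` is a substring of `$panic_2`, so under `any of them` the longer string can never be the deciding match; harmless, but worth a one-line comment so the redundancy is not mistaken for an oversight.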