imports/ImHex-Patterns
1
0
Fork 0
mirror of https://github.com/WerWolv/ImHex-Patterns.git synced 2026-03-27 23:37:04 -05:00
Code Issues Packages Projects Releases Wiki Activity
Files
master
ImHex-Patterns/yara/advanced_analysis/cryptography.yar
Nik 2070c95f58 yara: Added crypto identification rules
2025-05-24 23:56:56 +02:00

270 lines
6.0 KiB
Plaintext
Raw Permalink Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
rule HashMD5 {
meta:
category = "Hash Algorithms"
name = "MD5"
strings:
/* MD5("") */
$md5_magic = { d4 1d 8c d9 8f 00 b2 04 e9 80 09 98 ec f8 42 7e }
condition:
any of them
}
rule HashSHA1 {
meta:
category = "Hash Algorithms"
name = "SHA1"
strings:
/* SHA-1("") */
$sha1_example = { da 39 a3 ee 5e 6b 4b 0d 32 55 bf ef 95 60 18 90 af d8 07 09 }
condition:
any of them
}
rule HashSHA224 {
meta:
category = "Hash Algorithms"
name = "SHA224"
strings:
/* SHA-224("") */
$sha224_empty = { d1 4a 02 8c 2a 3a 2b c9 47 61 02 bb 28 82 34 c4
15 a2 b0 1f 82 8e a6 2a c5 b3 e4 2f }
condition:
any of them
}
rule HashSHA256 {
meta:
category = "Hash Algorithms"
name = "SHA256"
strings:
/* SHA-256("") */
$sha256_empty = { e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24
27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 }
condition:
any of them
}
rule HashSHA384 {
meta:
category = "Hash Algorithms"
name = "SHA384"
strings:
/* SHA-384("") */
$sha384_empty = { 38 b0 60 a7 51 ac 96 38 4c d9 32 7e b1 b1 e3 6a
21 fd b7 11 14 be 07 43 4c 0c c7 bf 63 f6 e1 da
27 4e de bf e7 6f 65 fb d5 1a d2 f1 48 98 b9 5b }
condition:
any of them
}
rule HashSHA512 {
meta:
category = "Hash Algorithms"
name = "SHA512"
strings:
/* SHA-512("") */
$sha512_empty = { cf 83 e1 35 7e ef b8 bd f1 54 28 50 d6 6d 80 07
d6 20 e4 05 0b 57 15 dc 83 f4 a9 21 d3 6c e9 ce
47 d0 d1 3c 5d 85 f2 b0 ff 83 18 d2 87 7e ec 2f
63 b9 31 bd 47 41 7a 81 a5 38 32 7a f9 27 da 3e }
condition:
any of them
}
rule HashRIPEMD160 {
meta:
category = "Hash Algorithms"
name = "RIPEMD160"
strings:
/* RIPEMD-160("") */
$ripemd160_empty = { 9c 11 85 a5 c5 e9 fc 54 61 28 08 97 7e e8 f5 48 b2 25 8d 31 }
condition:
any of them
}
rule CryptoAES {
meta:
category = "Cryptographic Algorithms"
name = "AES"
strings:
/* First 16 bytes of the AES S-box */
$aes_sbox = { 63 7c 77 7b f2 6b 6f c5 30 01 67 2b fe d7 ab 76 }
condition:
any of them
}
rule CryptoDES {
meta:
category = "Cryptographic Algorithms"
name = "DES"
strings:
/* DES S-box 1 (first 16 entries) */
$des_sbox1 = { 0e 04 0d 01 02 0f 0b 08 03 0a 06 0c 05 09 00 07 }
condition:
any of them
}
rule Crypto3DES {
meta:
category = "Cryptographic Algorithms"
name = "3DES"
strings:
/* Pattern: two consecutive DES S-box 1 sequences often appear in 3-DES code */
$tdes_pattern = { 0e 04 0d 01 02 0f 0b 08 03 0a 06 0c 05 09 00 07 0e 04 0d 01 }
condition:
any of them
}
rule CryptoBlowfish {
meta:
category = "Cryptographic Algorithms"
name = "Blowfish"
strings:
/* Start of Blowfish P-array (Pi digits) */
$blowfish_parray = { 24 3f 6a 88 85 a3 08 d3 13 19 8a 2e 03 70 73 44 }
condition:
any of them
}
rule CryptoRC4 {
meta:
category = "Cryptographic Algorithms"
name = "RC4"
strings:
/* RC4 state array after KSA init with zero-length key */
$rc4_init = { 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f }
condition:
any of them
}
rule CryptoRSA {
meta:
category = "Cryptographic Algorithms"
name = "RSA"
strings:
/* ASN.1 OID 1.2.840.113549.1.1.1 (rsaCryptographic) */
$rsa_oid = { 06 09 2a 86 48 86 f7 0d 01 01 01 }
condition:
any of them
}
rule CryptoECDSA_P256 {
meta:
category = "Cryptographic Algorithms"
name = "ECDSA-P256"
strings:
/* ASN.1 OID 1.2.840.10045.3.1.7 (secp256r1) */
$ecdsa_p256_oid = { 06 08 2a 86 48 ce 3d 03 01 07 }
condition:
any of them
}
rule CryptoEd25519 {
meta:
category = "Cryptographic Algorithms"
name = "Ed25519"
strings:
/* ASN.1 OID 1.3.101.112 (Ed25519) */
$ed25519_oid = { 06 03 2b 65 70 }
condition:
any of them
}
rule CryptoChaCha20Poly1305 {
meta:
category = "Cryptographic Algorithms"
name = "ChaCha20-Poly1305"
strings:
/* ASCII "expand 32-byte k" ChaCha20 constant */
$chacha_sigma = "expand 32-byte k" ascii wide
$chacha_sigma_hex = { 65 78 70 61 6e 64 20 33 32 2d 62 79 74 65 20 6b }
condition:
any of them
}
rule CRC32 {
meta:
category = "CRC"
name = "CRC32"
strings:
/* First 16 entries of standard CRC32 IEEE 802.3 polynomial table (0xEDB88320) */
$crc32_table = {
00 00 00 00 77 07 30 96 ee 0e 61 2c 99 09 51 ba
07 1c c2 5d 70 1b f2 cb e9 12 a3 71 9e 15 93 e7
}
/* Little-endian and big-endian representations of 0xEDB88320 */
$crc32_poly_le = { 20 83 b8 ed }
$crc32_poly_be = { ed b8 83 20 }
condition:
any of them
}
rule CRC16CCITT {
meta:
category = "CRC"
name = "CRC16-CCITT"
strings:
/* First 16 entries of CRC16-CCITT table (poly 0x1021) */
$crc16_table = {
00 00 10 21 20 42 30 63 40 84 50 a5 60 c6 70 e7
81 08 91 29 a1 4a b1 6b c1 8c d1 ad e1 ce f1 ef
}
$crc16_poly_le = { 21 10 }
$crc16_poly_be = { 10 21 }
condition:
any of them
}
rule CRC8 {
meta:
category = "CRC"
name = "CRC8"
strings:
/* First 16 entries of CRC8 table (poly 0x07, standard) */
$crc8_table = {
00 07 0e 09 1c 1b 12 15 38 3f 36 31 24 23 2a 2d
}
condition:
any of them
}
Reference in New Issue View Git Blame Copy Permalink