From c4f3ea901a6787e58357b7777763a09838a8fb0b Mon Sep 17 00:00:00 2001
From: WerWolv
Date: Sun, 25 Feb 2024 11:20:35 +0100
Subject: [PATCH] feat: Added more yara detection rules for languages, compilers and envs
---
 plugins/yara_rules/romfs/rules/compiler.yar | 40 +++++++++++++++
 .../yara_rules/romfs/rules/environment.yar | 36 +++++++++++++
 plugins/yara_rules/romfs/rules/language.yar | 50 ++++++++++++++++---
 3 files changed, 119 insertions(+), 7 deletions(-)
 create mode 100644 plugins/yara_rules/romfs/rules/compiler.yar
 create mode 100644 plugins/yara_rules/romfs/rules/environment.yar
diff --git a/plugins/yara_rules/romfs/rules/compiler.yar b/plugins/yara_rules/romfs/rules/compiler.yar
new file mode 100644
index 000000000..e1894d5b4
--- /dev/null
+++ b/plugins/yara_rules/romfs/rules/compiler.yar
@@ -0,0 +1,40 @@
+rule CompilerMSVC {
+ meta:
+ category = "Compiler"
+ name = "MSVC"
+
+ strings:
+ $iostreams_mangled_name = "$basic_iostream@DU" ascii
+ $std_namespace = "@@std@@" ascii
+
+ condition:
+ any of them
+}
+
+rule CompilerGCC {
+ meta:
+ category = "Compiler"
+ name = "GCC"
+
+ strings:
+ $iostreams_mangled_name = "_ZSt4cout" ascii
+ $std_namespace = "_ZSt" ascii
+ $gcc_version = "GCC: (GNU) " ascii
+
+ condition:
+ 2 of them
+}
+
+rule CompilerClang {
+ meta:
+ category = "Compiler"
+ name = "Clang"
+
+ strings:
+ $iostreams_mangled_name = "_ZSt4cout" ascii
+ $std_namespace = "_ZSt" ascii
+ $clang_version = "clang version " ascii
+
+ condition:
+ 2 of them
+}
\ No newline at end of file
diff --git a/plugins/yara_rules/romfs/rules/environment.yar b/plugins/yara_rules/romfs/rules/environment.yar
new file mode 100644
index 000000000..799b1898b
--- /dev/null
+++ b/plugins/yara_rules/romfs/rules/environment.yar
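Review bot: CompilerGCC and CompilerClang cannot be told apart as written: both declare the same `$iostreams_mangled_name` ("_ZSt4cout") and `$std_namespace` ("_ZSt"), and because "_ZSt" is a substring of "_ZSt4cout", a single libstdc++ symbol reference satisfies `2 of them` in both rules with neither toolchain banner present. The version banner is the only string that distinguishes the two, so the condition should require it, e.g. `$gcc_version and 1 of ($iostreams_mangled_name, $std_namespace)` in CompilerGCC and the same shape with `$clang_version` in CompilerClang. The "GCC: (GNU) " literal is also narrower than what vendor-patched GCC builds emit, which usually replace "GNU" with the distribution name, so anchoring on "GCC: (" is probably the more useful choice; worth confirming against a few sample binaries before changing it.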
@@ -0,0 +1,36 @@
+rule EnvironmentMingw {
+ meta:
+ category = "Environment"
+ name = "MinGW"
+
+ strings:
+ $mingw_runtime = "Mingw runtime failure" ascii
+ $mingw64_runtime = "Mingw-w64 runtime failure:" ascii fullword
+ $msys2 = "Built by MSYS2 project" ascii
+
+ condition:
+ 2 of them
+}
+
+rule EnvironmentWin32 {
+ meta:
+ category = "Environment"
+ name = "Win32"
+
+ strings:
+ $kernel32 = "KERNEL32.dll" ascii
+ $user32 = "USER32.dll" ascii
+ $advapi32 = "ADVAPI32.dll" ascii
+ $ole32 = "OLE32.dll" ascii
+ $oleaut32 = "OLEAUT32.dll" ascii
+ $shell32 = "SHELL32.dll" ascii
+ $shlwapi = "SHLWAPI.dll" ascii
+ $comctl32 = "COMCTL32.dll" ascii
+ $comdlg32 = "COMDLG32.dll" ascii
+ $gdi32 = "GDI32.dll" ascii
+ $imm32 = "IMM32.dll" ascii
+ $msvcrt = "MSVCRT.dll" ascii
+
+ condition:
+ 4 of them
+}
\ No newline at end of file
diff --git a/plugins/yara_rules/romfs/rules/language.yar b/plugins/yara_rules/romfs/rules/language.yar
index 1b5af9567..0fbc0379d 100644
--- a/plugins/yara_rules/romfs/rules/language.yar
+++ b/plugins/yara_rules/romfs/rules/language.yar
@@ -1,4 +1,4 @@
-rule CppExecutable {
+rule LanguageCpp {
 meta:
 category = "Programming Language"
 name = "C++"
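Review bot: EnvironmentWin32 matches the import DLL names case-sensitively ("KERNEL32.dll", "USER32.dll", and so on), but a PE import table carries the name in whatever casing the linker wrote, and all-lowercase or all-uppercase forms are common, so `4 of them` will miss a share of ordinary Windows executables for no reason tied to their environment. Adding `nocase` to each string, e.g. `$kernel32 = "KERNEL32.dll" ascii nocase`, removes the casing dependence while keeping the rule readable. If the plugin's YARA build ships the `pe` module, its import data would be a more robust signal than raw string hits, since the same DLL names can also appear in unrelated data such as embedded error text; EnvironmentMingw reads fine as is.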
@@ -11,15 +11,51 @@ rule CppExecutable {
 any of them
 }
 
-rule CppMSVC {
+rule LanguageC {
 meta:
- category = "Compiler"
- name = "MSVC"
+ category = "Programming Language"
+ name = "C++"
 
 strings:
- $iostreams_mangled_name = "$basic_iostream@DU" ascii
- $std_namespace = "@@std@@" ascii
+ $printf = "printf" ascii
+ $scanf = "scanf" ascii
+ $malloc = "malloc" ascii
+ $calloc = "calloc" ascii
+ $realloc = "realloc" ascii
+ $free = "free" ascii
 
 condition:
- any of them and CppExecutable
+ any of them and not LanguageCpp
+}
+
+rule LanguageRust {
+ meta:
+ category = "Programming Language"
+ name = "Rust"
+
+ strings:
+ $option_unwrap = "called `Option::unwrap()` on a `None`" ascii
+ $result_unwrap = "called `Result::unwrap()` on an `Err`" ascii
+ $panic_1 = "panicked at" ascii
+ $panic_2 = "thread '' panicked at" ascii
+ $panic_3 = "thread panicked while processing panic. aborting." ascii
+ $panicking_file = "panicking.rs" ascii fullword
+
+ condition:
+ any of them
+}
+
+rule LanguageGo {
+ meta:
+ category = "Programming Language"
+ name = "Go"
+
+ strings:
+ $max_procs = "runtime.GOMAXPROCS" ascii fullword
+ $panic = "runtime.gopanic" ascii fullword
+ $go_root = "runtime.GOROOT" ascii fullword
+
+ condition:
+ any of them
+
 }
\ No newline at end of file
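Review bot: LanguageC keeps `name = "C++"` in its meta block, carried over from the CppMSVC rule it replaces, so a plain C binary will be reported as C++ by whatever consumes these rules; it should read `name = "C"`. The rule's strings are also short and unanchored — `$free = "free"` hits inside "freed", "freeze" or any English text — and combined with `any of them` that makes the rule fire on almost every file that is not already LanguageCpp, so `fullword` on at least `$free` and `$scanf` would keep a match meaningful. In LanguageRust, `$panic_2 = "thread '' panicked at"` only matches the empty-thread-name form of the message, which `$panic_1` already covers, so it is redundant rather than wrong and could be dropped unless the empty-name form is deliberately being singled out. The trailing `}` context line at the end of this hunk is the end of the file.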