inquest / yara-rules
A collection of YARA rules we wish to share with the world, most probably referenced from http://blog.inquest.net.
License: MIT License
Hello!
Currently, Embedded_PE will match on any PE header, which means it will always match when scanning an executable. It might be more useful to have it exclude the PE header at offset zero so that the rule can be used to detect PEs embedded within PEs. The following logic should achieve this:
for any i in (1..#mz):
(
@mz[i] != 0 and uint32(@mz[i] + uint32(@mz[i] + 0x3C)) == 0x00004550
)
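The condition above is YARA, which cannot be exercised here, so the following is an added Python example (not from the inquest/yara-rules repository or the issue author) that implements the same check over a byte buffer: every "MZ" occurrence except the one at offset zero is tested by reading e_lfanew at +0x3C and looking for "PE\0\0" there. The two header stubs it scans are constructed in the script and are not real executables; the helper names are assumptions made here.

```python
import struct

PE_SIGNATURE = 0x00004550  # "PE\0\0" read as a little-endian uint32, as in the YARA condition


def find_embedded_pe(data: bytes) -> list:
    """Offsets of 'MZ' stubs, excluding offset 0, whose e_lfanew points at 'PE\\0\\0'.

    Mirrors: for any i in (1..#mz): ( @mz[i] != 0 and
             uint32(@mz[i] + uint32(@mz[i] + 0x3C)) == 0x00004550 )
    """
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        # Skip the host file's own DOS header at offset 0 and any stub too short
        # to hold the e_lfanew field (the DOS header is 0x40 bytes).
        if pos != 0 and pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            sig_off = pos + e_lfanew
            # YARA's uint32() yields undefined (false) for out-of-range reads;
            # emulate that with an explicit bounds check.
            if sig_off + 4 <= len(data) and struct.unpack_from("<I", data, sig_off)[0] == PE_SIGNATURE:
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def make_stub(e_lfanew: int) -> bytes:
    """Constructed minimal DOS header followed by a PE signature (not a runnable PE)."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3A)   # bytes 0x00..0x3B of the DOS header
    hdr += struct.pack("<I", e_lfanew)        # e_lfanew lives at offset 0x3C
    hdr += b"\x00" * (e_lfanew - len(hdr))    # pad up to where the NT headers start
    hdr += b"PE\x00\x00"
    return bytes(hdr)


def demo() -> dict:
    host_only = make_stub(0x80)                          # a lone PE header: should not match
    dropper = make_stub(0x80) + b"\x00" * 16 + make_stub(0x80)  # second stub at 0x94
    return {"host_only": find_embedded_pe(host_only), "dropper": find_embedded_pe(dropper)}


if __name__ == "__main__":
    print(demo())
```

The bounds check on e_lfanew matters in practice: an attacker-controlled or truncated header can point anywhere, and a scanner that trusts the field blindly will read past the buffer.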
Hi!
Great work with this
I've found that the current Yara rule can easily be bypassed as it misses an optional property that can easily be added to the w:fldChar element. I wrote about it here: staaldraad.github.io
The following should be modified:
I think this should work:
/<w:fldChar\s+w:fldCharType="begin"(\s+w:dirty="(true|false)")?\s*\/>.+?\b[Dd][Dd][Ee]\b.+?<w:fldChar\s+w:fldCharType="end"\s*\/>/
The real main thing is to check for the optional w:dirty="true" attribute.
I've also added another way that DDE can be embedded, with the fldSimple element (also in the blog). I don't think any Yara rules currently exist for this. My regex is bad and I've got no Yara experience but I think this should be ok:
/w:fldSimple\s*w:instr="\s*([Dd][Dd][Ee])/
Thanks for the hard work!
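As an added example (not part of this issue thread or the repository), the two patterns from this post are run with Python's re module over constructed document.xml fragments: a plain w:fldChar DDE field, the same field carrying w:dirty="true", a w:fldSimple variant, and a benign PAGE field. The sample strings are constructed here, and re.DOTALL is assumed so that .+? spans the line breaks Word puts between runs (YARA's equivalent is the /s regex modifier).

```python
import re

# Pattern 1: fldChar begin ... DDE ... fldChar end, with the optional w:dirty attribute allowed.
FLDCHAR_DDE = re.compile(
    r'<w:fldChar\s+w:fldCharType="begin"(\s+w:dirty="(?:true|false)")?\s*/>'
    r'.+?\b[Dd][Dd][Ee]\b.+?'
    r'<w:fldChar\s+w:fldCharType="end"\s*/>',
    re.DOTALL,
)

# Pattern 2: the single-element fldSimple form, where the instruction is an attribute.
FLDSIMPLE_DDE = re.compile(r'<w:fldSimple\s+w:instr="\s*[Dd][Dd][Ee]\b')


def classify(document_xml: str) -> dict:
    """Report which DDE embedding style, if any, appears in a document.xml string."""
    return {
        "fldChar": bool(FLDCHAR_DDE.search(document_xml)),
        "fldSimple": bool(FLDSIMPLE_DDE.search(document_xml)),
    }


# Constructed fragments; "placeholder" stands in for whatever the field would invoke.
SAMPLE_FLDCHAR = (
    '<w:r><w:fldChar w:fldCharType="begin"/></w:r>\n'
    '<w:r><w:instrText xml:space="preserve"> DDE "placeholder" "placeholder" </w:instrText></w:r>\n'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
)
SAMPLE_DIRTY = SAMPLE_FLDCHAR.replace(
    'w:fldCharType="begin"/>', 'w:fldCharType="begin" w:dirty="true"/>'
)
SAMPLE_FLDSIMPLE = (
    '<w:fldSimple w:instr=" DDE &quot;placeholder&quot; &quot;placeholder&quot; ">'
    '<w:r><w:t>1</w:t></w:r></w:fldSimple>'
)
SAMPLE_BENIGN = (
    '<w:r><w:fldChar w:fldCharType="begin"/></w:r>\n'
    '<w:r><w:instrText xml:space="preserve"> PAGE </w:instrText></w:r>\n'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
)


def run_samples() -> dict:
    return {
        "fldchar": classify(SAMPLE_FLDCHAR),
        "dirty": classify(SAMPLE_DIRTY),
        "fldsimple": classify(SAMPLE_FLDSIMPLE),
        "benign": classify(SAMPLE_BENIGN),
    }


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(name, result)
```

The w:dirty variant is exactly the case a rule written against the plain begin tag misses, and the fldSimple form never produces a fldChar pair at all, so a detection needs both patterns.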