/*
URL: https://github.com/0pc0deFR/YaraRules
Développeur: 0pc0deFR (alias Kevin Falcoz)
compiler.yar contient plusieurs règles permettant d'identifier un compilateur
*/
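rule visual_basic_5_6 : Compiler
{
    /*
    Visual Basic 5.0/6.0 runtime start-up stub at the PE entry point.
    The leading bytes decode as `push imm32` (68 ?? ?? ?? 00 -- the operand
    ends in 00, i.e. an in-image address, presumably the VB header structure)
    followed by a near `call` (E8 ?? FF FF FF) with a displacement in the
    -256..-1 range, i.e. a backward call into a runtime thunk. The [16] jump
    skips sixteen bytes whose values vary from build to build.
    A compiler/runtime fingerprint is a triage hint, not a verdict: packers
    and protectors replace the entry point, so a miss does not rule VB out.
    NOTE(review): the bare `entrypoint` keyword is undefined for non-PE/ELF
    input and is deprecated in current YARA in favour of `pe.entry_point`;
    it is kept so the file still loads without `import "pe"`.
    */
    meta:
        author = "Kevin Falcoz"
        date_create = "24/02/2013"
        description = "Microsoft Visual Basic 5.0/6.0"   // fixed "Miscrosoft" typo
    strings:
        $str1 = {68 ?? ?? ?? 00 E8 ?? FF FF FF 00 00 ?? 00 00 00 30 00 00 00 ?? 00 00 00 00 00 00 00 [16] 00 00 00 00 00 00 01 00} /*EntryPoint*/
    condition:
        // Anchored at the entry point on purpose: the same bytes elsewhere in
        // the image (e.g. embedded files) must not count as a match.
        $str1 at entrypoint
}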
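rule visual_studio_net : Compiler
{
    /*
    Native loader stub of a 32-bit .NET executable. FF 25 is
    `jmp dword ptr [imm32]`, an indirect jump through an absolute address
    whose low 16 bits are 0x2000 (00 20 ?? ?? little-endian) -- an import
    slot near the start of the image -- and the trailing zeros are the
    padding that follows the 6-byte stub. Only the unmanaged stub is checked;
    the managed entry point and its IL are not inspected, so a hit means
    "carries the CLR start-up stub", nothing more.
    NOTE(review): 64-bit / managed-only images may carry no native stub at
    all, so this rule should not be relied on for .NET coverage -- confirm
    against samples before using it as a negative signal.
    NOTE(review): bare `entrypoint` is undefined for non-PE/ELF input and
    deprecated in favour of `pe.entry_point` (needs `import "pe"`).
    */
    meta:
        author = "Kevin Falcoz"
        date_create = "24/02/2013"
        description = "Microsoft Visual Studio .NET/C#"   // fixed "Miscrosoft" typo
    strings:
        $str1 = {FF 25 00 20 ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00} /*EntryPoint*/
    condition:
        $str1 at entrypoint
}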
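rule visual_c_plus_plus_6 : Compiler
{
    /*
    Visual C++ 6.0 CRT start-up prologue at the entry point:
      55 8B EC                 push ebp; mov ebp, esp
      6A FF                    push -1
      68 [3] 00 / 68 [3] 00    two `push imm32` of in-image addresses
      64 A1 00 00 00 00        mov eax, fs:[0]
      50                       push eax
      64 89 25 00 00 00 00     mov fs:[0], esp      (links a new SEH frame)
      83 EC [1]                sub esp, imm8        (local reservation)
      53 56 57                 push ebx; push esi; push edi
      89 65 E8                 mov [ebp-0x18], esp
    The [3] and [1] jumps cover the build-specific operands. This fingerprints
    the CRT, not the program: benign and malicious binaries share it, and a
    packed binary no longer starts here.
    NOTE(review): bare `entrypoint` is undefined for non-PE/ELF input and
    deprecated in favour of `pe.entry_point` (needs `import "pe"`).
    */
    meta:
        author = "Kevin Falcoz"
        date_create = "25/02/2013"
        description = "Microsoft Visual C++ 6.0"   // fixed "Miscrosoft" typo
    strings:
        $str1 = {55 8B EC 6A FF 68 [3] 00 68 [3] 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC [1] 53 56 57 89 65 E8} /*EntryPoint*/
    condition:
        $str1 at entrypoint
}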
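rule visual_c_plus_plus_6_sp : Compiler
{
    /*
    Visual C++ 6.0 service-pack CRT start-up at the entry point:
      55 8B EC 83 EC 44 56     push ebp; mov ebp, esp; sub esp, 0x44; push esi
      FF 15 ?? 10 40 00        call dword ptr [0x004010xx]
      8B F0 8A 06 3C 22 ...    mov esi, eax; mov al, [esi]; cmp al, 0x22 ...
    The byte loop that follows (8A 46 01 / 46 / 84 C0 / 74 04 / 3C 22 / 75 F4)
    walks the returned string looking for a double quote (0x22), which is
    consistent with the CRT parsing the command line -- presumably
    GetCommandLine; confirm against a sample.
    NOTE(review): `?? 10 40 00` hard-wires the default 0x00400000 image base
    and an import thunk at RVA 0x10xx. A binary linked at another base, or
    with its import table elsewhere, is a false negative; widen the two
    high bytes to `?? ??` only after measuring the false-positive cost.
    NOTE(review): bare `entrypoint` is undefined for non-PE/ELF input and
    deprecated in favour of `pe.entry_point` (needs `import "pe"`).
    */
    meta:
        author = "Kevin Falcoz"
        date_create = "25/02/2013"
        description = "Microsoft Visual C++ 6.0 SPx"   // fixed "Miscrosoft" typo
    strings:
        $str1 = {55 8B EC 83 EC 44 56 FF 15 ?? 10 40 00 8B F0 8A 06 3C 22 75 14 8A 46 01 46 84 C0 74 04 3C 22 75 F4 80 3E} /*EntryPoint*/
    condition:
        $str1 at entrypoint
}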
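rule visual_c_plus_plus_7 : Compiler
{
    /*
    Visual C++ 7.0 CRT start-up, two known entry-point variants.
    $str1:
      6A 60                    push 0x60
      68 [2] 40 00             push 0x0040xxxx        (in-image address)
      E8 [2] 00 00             call (forward)
      BF 94 00 00 00           mov edi, 0x94
      8B C7 / E8 [4]           mov eax, edi; call
      89 65 E8 / 8B F4         mov [ebp-0x18], esp; mov esi, esp
      89 3E / 56               mov [esi], edi; push esi
      FF 15 [2] 40 00          call dword ptr [0x0040xxxx]
      8B 4E 10 / 89 0D         mov ecx, [esi+0x10]; mov [imm32], ecx
    0x94 (148) is stored into the structure whose address is then passed to
    an imported call -- consistent with an OSVERSIONINFOA size probe, but
    that is inferred from the value, not from the bytes; confirm.
    $str2:
      6A 0C / 68 [4] / E8 [4]  push 0xC; push imm32; call
      33 C0 40                 xor eax, eax; inc eax   (eax = 1)
      89 45 E4                 mov [ebp-0x1C], eax
    NOTE(review): the `[2] 40 00` operands pin both variants to the default
    0x00400000 image base; a differently based binary gives a false
    negative. Both alternatives are anchored at the entry point on purpose.
    NOTE(review): bare `entrypoint` is undefined for non-PE/ELF input and
    deprecated in favour of `pe.entry_point` (needs `import "pe"`).
    */
    meta:
        author = "Kevin Falcoz"
        date_create = "25/02/2013"
        description = "Microsoft Visual C++ 7.0"   // fixed "Miscrosoft" typo
    strings:
        $str1 = {6A 60 68 [2] 40 00 E8 [2] 00 00 BF 94 00 00 00 8B C7 E8 [4] 89 65 E8 8B F4 89 3E 56 FF 15 [2] 40 00 8B 4E 10 89 0D} /*EntryPoint*/
        $str2 = {6A 0C 68 [4] E8 [4] 33 C0 40 89 45 E4}
    condition:
        $str1 at entrypoint or $str2 at entrypoint
}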
rule borland_delphi_6_7 : Compiler
{
    /*
    Borland Delphi 6.0 / 7.0 program start-up, matched at the entry point in
    either of two shapes.

    $startup_a -- unit-initialisation sequence:
      55 8B EC 83 C4 F0        push ebp; mov ebp, esp; add esp, -0x10
      53 / B8 [3] 00           push ebx; mov eax, imm32
      E8 [3] FF                call (backward)
      8B 1D [3] 00 / 8B 03     mov ebx, [imm32]; mov eax, [ebx]
      BA [2] 52 00 / E8 ...    mov edx, 0x0052xxxx; call
      B8 [2] 52 00 / E8 ...    mov eax, 0x0052xxxx; call
      8B 03 / E8               mov eax, [ebx]; call

    $startup_b -- zeroed locals followed by an exception frame:
      55 8B EC B9 ?? 00 00 00  push ebp; mov ebp, esp; mov ecx, N (N < 256)
      6A 00 6A 00 49 75 F9     push 0; push 0; dec ecx; jnz back  (clears locals)
      [0-1] 53 [9-11] FF       build-specific bytes around push ebx
      33 C0 55 68 [3] 00       xor eax, eax; push ebp; push imm32 (handler)
      64 FF 30 64 89 20        push fs:[eax]; mov fs:[eax], esp   (new SEH frame)

    The 0x0052xxxx operands in $startup_a are image addresses, so a binary
    laid out differently will not hit this variant. Like every compiler
    fingerprint here, a match only says which run-time produced the entry
    stub; a packed binary starts somewhere else entirely.
    NOTE(review): bare `entrypoint` is undefined for non-PE/ELF input and
    deprecated in favour of `pe.entry_point` (needs `import "pe"`).
    */
    meta:
        author = "Kevin Falcoz"
        date_create = "25/02/2013"
        description = "Borland Delphi 6.0 - 7.0"
    strings:
        $startup_a = {55 8B EC 83 C4 F0 53 B8 [3] 00 E8 [3] FF 8B 1D [3] 00 8B 03 BA [2] 52 00 E8 [2] F6 FF B8 [2] 52 00 E8 [2] FF FF 8B 03 E8} /*EntryPoint*/
        $startup_b = {55 8B EC B9 ?? 00 00 00 6A 00 6A 00 49 75 F9 [0-1] 53 [9-11] FF 33 C0 55 68 [3] 00 64 FF 30 64 89 20} /*EntryPoint*/
    condition:
        // Either variant, but only when it sits exactly at the entry point.
        ($startup_b at entrypoint) or ($startup_a at entrypoint)
}