

Merge pull request #391 from cccs-kevin/update/deprecate-fp-rules
Deprecating rules with high false positivity
doomedraven authored Jan 23, 2024
2 parents cae5cfd + 3861eec commit b2b5ea0
Showing 5 changed files with 82 additions and 84 deletions.
File renamed without changes.
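--- a/data/yara/CAPE/deprecated/embedded.yar
+++ b/data/yara/CAPE/deprecated/embedded.yar
@@ -0,0 +1,39 @@
+rule embedded_pe
+{
+meta:
+author = "nex"
+description = "Contains an embedded PE32 file"
+
+strings:
+$a = "PE32"
+$b = "This program"
+$mz = { 4d 5a }
+condition:
+($a or $b) and not ($mz at 0)
+}
+
+rule embedded_win_api
+{
+meta:
+author = "nex"
+description = "A non-Windows executable contains win32 API functions names"
+
+strings:
+$mz = { 4d 5a }
+$api1 = "CreateFileA"
+$api2 = "GetProcAddress"
+$api3 = "LoadLibraryA"
+$api4 = "WinExec"
+$api5 = "GetSystemDirectoryA"
+$api6 = "WriteFile"
+$api7 = "ShellExecute"
+$api8 = "GetWindowsDirectory"
+$api9 = "URLDownloadToFile"
+$api10 = "IsBadReadPtr"
+$api11 = "IsBadWritePtr"
+$api12 = "SetFilePointer"
+$api13 = "GetTempPath"
+$api14 = "GetWindowsDirectory"
+condition:
+not ($mz at 0) and any of ($api*)
+}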
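Review bot: `$api14 = "GetWindowsDirectory"` at the end of embedded_win_api duplicates `$api8`, so the relocated rule carries a redundant string; drop `$api14` (or give it a distinct API name) while the rule is being moved. Neither rule records why it was deprecated, and the meta blocks are the natural place for that: a line such as `deprecated = "high false-positive rate, see PR #391"` in each rule's meta would keep the rationale with the rule. If the CAPE rule loader walks data/yara/CAPE/ recursively, moving the file into a deprecated/ subdirectory does not by itself stop these rules from being compiled and firing; worth confirming the loader skips that path, and the same applies to deprecated/shellcodes.yar in this commit.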
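--- a/data/yara/CAPE/deprecated/shellcodes.yar
+++ b/data/yara/CAPE/deprecated/shellcodes.yar
@@ -0,0 +1,43 @@
+rule shellcode_patterns
+{
+meta:
+author = "nex"
+description = "Matched shellcode byte patterns"
+
+strings:
+$mz = { 4d 5a }
+$shell1 = { 64 8b 64 }
+$shell2 = { 64 a1 30 }
+$shell3 = { 64 8b 15 30 }
+$shell4 = { 64 8b 35 30 }
+$shell5 = { 55 8b ec 83 c4 }
+$shell6 = { 55 8b ec 81 ec }
+$shell7 = { 55 8b ec e8 }
+$shell8 = { 55 8b ec e9 }
+condition:
+not ($mz at 0) and
+any of ($shell*)
+}
+
+rule shellcode_get_eip
+{
+meta:
+author = "William Ballenthin"
+email = "[email protected]"
+license = "Apache 2.0"
+copyright = "FireEye, Inc"
+description = "Match x86 that appears to fetch $PC."
+
+strings:
+// 0: e8 00 00 00 00 call 5 <_main+0x5>
+// 5: 58 pop eax
+// 6: 5b pop ebx
+// 7: 59 pop ecx
+// 8: 5a pop edx
+// 9: 5e pop esi
+// a: 5f pop edi
+$x86 = { e8 00 00 00 00 (58 | 5b | 59 | 5a | 5e | 5f) }
+condition:
+$x86
+}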
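Review bot: The new file drops the attribution header that binaries/shellcodes.yar keeps as context in this same commit (`// This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org` and `// See the file 'docs/LICENSE' for copying permission.`), so shellcode_patterns now sits under no license notice while only shellcode_get_eip carries its own license/copyright meta. Carry those two header lines over to the top of deprecated/shellcodes.yar. Unlike shellcode_patterns, shellcode_get_eip has no `not ($mz at 0)` guard, so it matches the call-$+5/pop idiom in any file, PE or not; if that is the false-positive source behind the deprecation, recording it in the rule's meta would save the next reader from rediscovering it.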
40 changes: 0 additions & 40 deletions data/yara/binaries/embedded.yar
Expand Up @@ -15,43 +15,3 @@ rule embedded_macho
condition:
any of ($magic*) and not ($magic1 at 0) and not ($magic2 at 0) and not ($magic3 at 0)
}

rule embedded_pe
{
meta:
author = "nex"
description = "Contains an embedded PE32 file"

strings:
$a = "PE32"
$b = "This program"
$mz = { 4d 5a }
condition:
($a or $b) and not ($mz at 0)
}

rule embedded_win_api
{
meta:
author = "nex"
description = "A non-Windows executable contains win32 API functions names"

strings:
$mz = { 4d 5a }
$api1 = "CreateFileA"
$api2 = "GetProcAddress"
$api3 = "LoadLibraryA"
$api4 = "WinExec"
$api5 = "GetSystemDirectoryA"
$api6 = "WriteFile"
$api7 = "ShellExecute"
$api8 = "GetWindowsDirectory"
$api9 = "URLDownloadToFile"
$api10 = "IsBadReadPtr"
$api11 = "IsBadWritePtr"
$api12 = "SetFilePointer"
$api13 = "GetTempPath"
$api14 = "GetWindowsDirectory"
condition:
not ($mz at 0) and any of ($api*)
}
44 changes: 0 additions & 44 deletions data/yara/binaries/shellcodes.yar
Expand Up @@ -2,50 +2,6 @@
// This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
// See the file 'docs/LICENSE' for copying permission.

rule shellcode_patterns
{
meta:
author = "nex"
description = "Matched shellcode byte patterns"

strings:
$mz = { 4d 5a }
$shell1 = { 64 8b 64 }
$shell2 = { 64 a1 30 }
$shell3 = { 64 8b 15 30 }
$shell4 = { 64 8b 35 30 }
$shell5 = { 55 8b ec 83 c4 }
$shell6 = { 55 8b ec 81 ec }
$shell7 = { 55 8b ec e8 }
$shell8 = { 55 8b ec e9 }
condition:
not ($mz at 0) and
any of ($shell*)
}

rule shellcode_get_eip
{
meta:
author = "William Ballenthin"
email = "[email protected]"
license = "Apache 2.0"
copyright = "FireEye, Inc"
description = "Match x86 that appears to fetch $PC."

strings:
// 0: e8 00 00 00 00 call 5 <_main+0x5>
// 5: 58 pop eax
// 6: 5b pop ebx
// 7: 59 pop ecx
// 8: 5a pop edx
// 9: 5e pop esi
// a: 5f pop edi
$x86 = { e8 00 00 00 00 (58 | 5b | 59 | 5a | 5e | 5f) }
condition:
$x86
}

rule shellcode_peb_parsing
{
meta:
