From 6122a6b48c262b008fe36727749693d868c7350e Mon Sep 17 00:00:00 2001
From: Tobias Michalski
Date: Wed, 11 May 2022 13:49:24 +0200
Subject: [PATCH 1/3] feat: More Header Snippets
---
 yara/snippets/yara.json | 41 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)
diff --git a/yara/snippets/yara.json b/yara/snippets/yara.json
index f4666b8..3276e43 100644
--- a/yara/snippets/yara.json
+++ b/yara/snippets/yara.json
@@ -47,6 +47,47 @@
  "body": "uint32(0) == 0xFEEDFACF ",
  "description": "Generate a condition to check for a Mach-O file header"
  },
+ "LNK Header": {
+ "prefix": "header_LNK",
+ "body": "uint16(0) == 0x004c and uint32(4) == 0x00021401 ",
+ "description": "Generate a condition to check for a LNK file header"
+ },
+ "Doc Header": {
+ "prefix": "header_Doc",
+ "body": [
+ "\t\tuint32be(0) == 0x09081000 or // XLS",
+ "\t\t// uint32be(0) == 0x25504446 or // PDF",
+ "\t\t// DOCX, XLSX, PPTX - Microsoft Office Open XML Format (OOXML)",
+ "\t\t( uint32be(0) == 0x504b0304 and $s1 in (0..100) ) or",
+ "\t\tuint32be(0) == 0x7b5c7274 or // RTF",
+ "\t\t// DOC, DOT, PPS, PPT, XLA, XLS, WIZ",
+ "\t\t( uint32be(0) == 0xd0cf11e0 and not $r1 ) or",
+ "\t\tuint32be(512) == 0xeca5c100 or // DOC",
+ "\t\tuint32be(512) == 0xa0461df0 or // PPT",
+ "\t\tuint32be(512) == 0x0f00e803 // PPT"
+ ],
+ "description": "Generate a condition to check for a Doc file header"
+ },
+ "PDF Header": {
+ "prefix": "header_PDF",
+ "body": "uint32(0) == 0x46445025 ",
+ "description": "Generate a condition to check for a PDF file header"
+ },
+ "RTF Header": {
+ "prefix": "header_RTF",
+ "body": "uint32be(0) == 0x7B5C7274 ",
+ "description": "Generate a condition to check for a RTF file header"
+ },
+ "gzip Header": {
+ "prefix": "header_gzip",
+ "body": "uint16(0) == 0x8B1F ",
+ "description": "Generate a condition to check for a gzip file header"
+ },
+ "pkzip Header": {
+ "prefix": "header_pkzip",
+ "body": "uint16(0) == 0x4b50 ",
+ "description": "Generate a condition to check for a pkzip file header"
+ },
  "string": {
  "prefix": "$s",
  "body": [
From b072123a90d0b62419af7ba5c802ac3b8d785ee4 Mon Sep 17 00:00:00 2001
From: Tobias Michalski
Date: Wed, 11 May 2022 14:02:45 +0200
Subject: [PATCH 2/3] fix: Escape $ Sign
---
 yara/snippets/yara.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/yara/snippets/yara.json b/yara/snippets/yara.json
index 3276e43..144a7fd 100644
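Review bot: The pkzip snippet's `uint16(0) == 0x4b50` fires on anything whose first two bytes are `PK`, not just a ZIP local file header, which makes it noticeably looser than the other entries in this hunk; `"body": "uint32(0) == 0x04034b50 ",` checks the full `PK\x03\x04` signature, the same four bytes the Doc snippet already compares via `0x504b0304`. The PDF snippet only matches when `%PDF` sits at offset 0, but common PDF readers tolerate leading bytes before the header, so a sample with junk prepended slips past it; if that is an accepted limitation the description should say so, e.g. `"description": "Generate a condition to check for a PDF file header (%PDF at offset 0 only; pair with a $pdf in (0..1024) string check to catch leading junk)"`. The bodies also mix little-endian `uint32`/`uint16` reads (PDF, gzip, pkzip, LNK) with big-endian `uint32be` reads (Doc, RTF), which is correct as written but easy to "normalise" wrongly later, so a short note on the byte order in each description would protect the constants.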
--- a/yara/snippets/yara.json
+++ b/yara/snippets/yara.json
@@ -58,10 +58,10 @@
  "\t\tuint32be(0) == 0x09081000 or // XLS",
  "\t\t// uint32be(0) == 0x25504446 or // PDF",
  "\t\t// DOCX, XLSX, PPTX - Microsoft Office Open XML Format (OOXML)",
- "\t\t( uint32be(0) == 0x504b0304 and $s1 in (0..100) ) or",
+ "\t\t( uint32be(0) == 0x504b0304 and \\$s1 in (0..100) ) or",
  "\t\tuint32be(0) == 0x7b5c7274 or // RTF",
  "\t\t// DOC, DOT, PPS, PPT, XLA, XLS, WIZ",
- "\t\t( uint32be(0) == 0xd0cf11e0 and not $r1 ) or",
+ "\t\t( uint32be(0) == 0xd0cf11e0 and not \\$r1 ) or",
  "\t\tuint32be(512) == 0xeca5c100 or // DOC",
  "\t\tuint32be(512) == 0xa0461df0 or // PPT",
  "\t\tuint32be(512) == 0x0f00e803 // PPT"
From 61d1eefcbf48a9c57686c0fee5f224836555ce3e Mon Sep 17 00:00:00 2001
From: Tobias Michalski
Date: Fri, 13 May 2022 15:30:36 +0200
Subject: [PATCH 3/3] fix: Added additional Macho Header,
---
 yara/snippets/yara.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/yara/snippets/yara.json b/yara/snippets/yara.json
index 144a7fd..7a9b320 100644
--- a/yara/snippets/yara.json
+++ b/yara/snippets/yara.json
@@ -44,7 +44,7 @@
  },
  "Mach-O Header": {
  "prefix": "header_macho",
- "body": "uint32(0) == 0xFEEDFACF ",
+ "body": "(uint16(0) == 0xfeca or uint16(0) == 0xfacf) ",
  "description": "Generate a condition to check for a Mach-O file header"
  },
  "LNK Header": {
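Review bot: With the `$` escaped, the snippet now emits `$s1` and `$r1` verbatim into the condition, but nothing in the snippet defines those strings, so a rule generated from it will not compile until the user adds them by hand, and neither the body nor the description says so. The description line for this snippet sits outside the hunk; I would extend it to `"description": "Generate a condition to check for a Doc file header (expects strings $s1 and $r1 to be defined in the rule)"`, or alternatively turn the two references into snippet placeholders such as `${1:\\$s1}` so the editor prompts for them on insertion. The commented-out `// uint32be(0) == 0x25504446 or // PDF` line inside the body duplicates the separate PDF snippet and is dead text in every generated rule, so a word in the description on why it is retained would help the next maintainer.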
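Review bot: The new body compares only two bytes, so `uint16(0) == 0xfeca` matches any file that starts with `CA FE` — that is the Mach-O fat/universal prefix, but Java class files carry the same `CA FE BA BE` magic, so this snippet will now tag `.class` files as Mach-O; meanwhile `uint16(0) == 0xfacf` covers only 64-bit little-endian images (bytes `CF FA ED FE`), so 32-bit images (`CE FA ED FE`) and the big-endian encodings are still missed, and the removed `uint32(0) == 0xFEEDFACF` was at least exact for the 64-bit case. I would keep full 32-bit compares and list the variants explicitly: `"body": "(uint32(0) == 0xfeedfacf or uint32(0) == 0xfeedface or uint32(0) == 0xcffaedfe or uint32(0) == 0xcefaedfe or uint32(0) == 0xbebafeca) ",`. The fat-vs-class ambiguity on `0xbebafeca` can only be settled from the bytes that follow (a fat header carries a small architecture count at offset 4 where a class file carries its version), so if that matters an extra clause along the lines of `and uint32be(4) < 0x20` could be attached to that alternative, though I have not validated that bound against real samples.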