Empty file modified rules/JPEG_EXIF_Contains_eval.yara
100755 → 100644
Empty file.
Empty file modified rules/contains_pe_file.yara
100755 → 100644
Empty file.
Empty file modified rules/contains_vbe_file.yara
100755 → 100644
Empty file.
Empty file modified rules/embedded.yar
100755 → 100644
Empty file.
Empty file modified rules/maldoc.yara
100755 → 100644
Empty file.
Empty file modified rules/pe_file_pyinstaller.yara
100755 → 100644
Empty file.
31 changes: 16 additions & 15 deletions rules/peid-userdb-rules-with-pe-module.yara
100755 → 100644
Expand Up @@ -1519,7 +1519,8 @@ rule PEiD_00137_Armadillo_v1_60a_
$a at pe.entry_point
}

rule PEiD_00138_Armadillo_v1_71_
// Disabled due to false positives
/*rule PEiD_00138_Armadillo_v1_71_
{
meta:
description = "[Armadillo v1.71]"
Expand All @@ -1528,7 +1529,7 @@ rule PEiD_00138_Armadillo_v1_71_
$a = {55 8B EC 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 A1}
condition:
$a
}
}*/

rule PEiD_00139_Armadillo_v1_72___v1_73_
{
Expand Down Expand Up @@ -7308,7 +7309,7 @@ rule PEiD_00663_ExeTools_v2_1_Encruptor_by_DISMEMBER_
rule PEiD_00664_EXE______________Liuli_
{
meta:
description = "[EXE�ļ��ϲ��� -> Liuli]"
description = "[EXE文件合并器 -> Liuli]"
ep_only = "false"
strings:
$a = {E8 53 03 00 00 8B F0 56 56 E8 98 03 00 00 8B C8}
Expand Down Expand Up @@ -7715,7 +7716,7 @@ rule PEiD_00700_EZIP_v1_0_
rule PEiD_00701_E___________________
{
meta:
description = "[E�εش� -> �ºڷ��]"
description = "[E游地带 -> 月黑风高]"
ep_only = "true"
strings:
$a = {55 8B EC B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 53 56 57 0F 31 8B D8 0F 31 8B D0 2B D3 C1 EA 10 B8 ?? ?? ?? ?? 0F 6E C0 B8 ?? ?? ?? ?? 0F 6E C8 0F F5 C1 0F 7E C0 0F 77 03 C2 ?? ?? ?? ?? ?? FF E0}
Expand Down Expand Up @@ -8331,7 +8332,7 @@ rule PEiD_00756_FreePascal_2_0_0_Win32_____Berczi_Gabor__Pierre_Muller___Peter_V
rule PEiD_00757_FreePascal_2_0_0_Win32_____B_rczi_G_bor__Pierre_Muller___Peter_Vreman__
{
meta:
description = "[FreePascal 2.0.0 Win32 -> (B�rczi G�bor, Pierre Muller & Peter Vreman)]"
description = "[FreePascal 2.0.0 Win32 -> (B閞czi G醔or, Pierre Muller & Peter Vreman)]"
ep_only = "true"
strings:
$a = {C6 05 00 80 40 00 01 E8 74 00 00 00 C6 05 00 80 40 00 00 E8 68 00 00 00 50 E8 00 00 00 00 FF 25 D8 A1 40 00 90 90 90 90 90 90 90 90 90 90 90 90 55 89 E5 83 EC 04 89 5D FC E8 92 00 00 00 E8 ED 00 00 00 89 C3 B9 ?? 70 40 00 89 DA B8 00 00 00 00 E8 0A 01 00 00 E8 C5 01 00 00 89 D8 E8 3E 02 00 00 E8 B9 01 00 00 E8 54 02 00 00 8B 5D FC C9 C3 8D 76 00 00 00 00 00 00 00 00 00 00 00 00 00 55 89 E5 C6 05 10 80 40 00 00 E8 D1 03 00 00 6A 00 64 FF 35 00 00 00 00 89 E0 A3 ?? 70 40 00 55 31 ED 89 E0 A3 20 80 40 00 66 8C D5 89 2D 30 80 40 00 E8 B9 03 00 00 31 ED E8 72 FF FF FF 5D E8 BC 03 00 00 C9 C3 00 00 00 00 00 00 00 00 00 00 55 89 E5 83 EC 08 E8 15 04 00 00 A1 ?? 70 40 00 89 45 F8 B8 01 00 00 00 89 45 FC 3B 45 F8 7F 2A FF 4D FC 90 FF 45 FC 8B 45 FC 83 3C C5 ?? 70 40 00 00 74 09 8B 04 C5 ?? 70 40}
Expand Down Expand Up @@ -16306,7 +16307,7 @@ rule PEiD_01481_PCrypt_v3_51_
rule PEiD_01482_PcShare____________v4_0_____________
{
meta:
description = "[PcShare �ļ������� v4.0 -> �޿ɷ���]"
description = "[PcShare 文件捆绑器 v4.0 -> 无可非议]"
ep_only = "true"
strings:
$a = {55 8B EC 6A FF 68 90 34 40 00 68 B6 28 40 00 64 A1}
Expand Down Expand Up @@ -22411,7 +22412,7 @@ rule PEiD_02036_SDProtect____Randy_Li_
rule PEiD_02037_SDProtect________________Randy_Li_
{
meta:
description = "[SDProtect(����������) -> Randy Li]"
description = "[SDProtect(软件保护神) -> Randy Li]"
ep_only = "false"
strings:
$a = {55 8B EC 6A FF 68 ?? ?? ?? ?? 68 88 88 88 08 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 58 64 A3 00 00 00 00 58 58 58 58 8B E8 ?? ?? ?? ?? ?? ?? ?? 00 00 00 ?? ?? ?? ?? 00 00 00}
Expand Down Expand Up @@ -27064,7 +27065,7 @@ rule PEiD_02459_Upx_Lock_1_0___1_2____CyberDoom___Team_X___BoB___BobSoft_
rule PEiD_02460_UPX_SCRAMBLER_3_06_____OnT_oL_
{
meta:
description = "[UPX-SCRAMBLER 3.06 -> �OnT�oL]"
description = "[UPX-SCRAMBLER 3.06 -> ㎡nT畂L]"
ep_only = "true"
strings:
$a = {E8 00 00 00 00 59 83 C1 07 51 C3 C3 BE ?? ?? ?? ?? 83 EC 04 89 34 24 B9 80 00 00 00 81 36 ?? ?? ?? ?? 50 B8 04 00 00 00 50 03 34 24 58 58 83 E9 03 E2 E9 EB D6}
Expand Down Expand Up @@ -39142,7 +39143,7 @@ rule PEiD_03557_Zurenava_DOS_Extender_v0_45__v0_49_
rule PEiD_03558_______EXE______________________________
{
meta:
description = "[�ؾ���EXE�ļ������ ��Աר�� -> �¾��]"
description = "[藏鲸阁EXE文件捆绑机 会员专版 -> 陈经韬]"
ep_only = "true"
strings:
$a = {55 8B EC 83 C4 E4 53 56 57 33 C0 89 45 E4 89 45}
Expand All @@ -39153,7 +39154,7 @@ rule PEiD_03558_______EXE______________________________
rule PEiD_03559_____EXE___________v1_0_________
{
meta:
description = "[����EXE������� v1.0 -> ����]"
description = "[教主EXE文件捆绑器 v1.0 -> 教主]"
ep_only = "true"
strings:
$a = {55 8B EC 6A FF 68 08 4B 40 00 68 36 3A 40 00 64 A1}
Expand All @@ -39164,7 +39165,7 @@ rule PEiD_03559_____EXE___________v1_0_________
rule PEiD_03560____v1_0____Li_Jianjun_
{
meta:
description = "[�� v1.0 -> Li-Jianjun]"
description = "[ v1.0 -> Li-Jianjun]"
ep_only = "true"
strings:
$a = {60 E8 00 00 00 00 5D 81 ED 0A 4A 44 00 BB 04 4A 44}
Expand All @@ -39175,7 +39176,7 @@ rule PEiD_03560____v1_0____Li_Jianjun_
rule PEiD_03561____________v1_0_________
{
meta:
description = "[������� v1.0 -> ����]"
description = "[文件捆绑器 v1.0 -> 许云]"
ep_only = "true"
strings:
$a = {64 A1 00 00 00 00 55 89 E5 6A FF 68 1C 30 40 00}
Expand All @@ -39186,7 +39187,7 @@ rule PEiD_03561____________v1_0_________
rule PEiD_03562_____EXE__________yy66_
{
meta:
description = "[����EXE�ϲ��� -> yy66]"
description = "[心奇EXE合并器 -> yy66]"
ep_only = "true"
strings:
$a = {68 78 18 40 00 E8 F0 FF FF FF 00 00 00 00 00 00 30}
Expand All @@ -39197,7 +39198,7 @@ rule PEiD_03562_____EXE__________yy66_
rule PEiD_03563__________2_2b____Shoooo_
{
meta:
description = "[ܥ��ѹ�� 2.2b -> Shoooo]"
description = "[堀北压缩 2.2b -> Shoooo]"
ep_only = "true"
strings:
$a = {68 ?? ?? ?? ?? E8 01 00 00 00 C3 C3 11 55 07 8B EC B8 14 80 0E 03 E8 D1 09 00 0A 57 33 D2 FF 75 18 B9 E8 1F DE 16 81 C0 8D BD EE 7F FB F8}
Expand All @@ -39208,7 +39209,7 @@ rule PEiD_03563__________2_2b____Shoooo_
rule PEiD_03564__________2_2b_Anti____xiaohui_
{
meta:
description = "[ܥ��ѹ�� 2.2b Anti -> xiaohui]"
description = "[堀北压缩 2.2b Anti -> xiaohui]"
ep_only = "true"
strings:
$a = {EB F4 11 55 07 8B EC B8 14 80 0E 03 E8 D1 09 00 0A 57 33 D2 FF 75 18 B9 E8 1F DE 16 81 C0 8D BD EE 7F FB F8}
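Review bot: The new description for PEiD_00757 still contains mojibake: `B閞czi G醔or` is what you get when the Latin-1 bytes of `Bérczi Gábor` are decoded as GBK (0xE9 'é' swallows the following 'r', 0xE1 'á' swallows the 'b'), so this hunk swaps one garbling for another; the rule name `PEiD_00757_FreePascal_2_0_0_Win32_____B_rczi_G_bor__...` confirms the intended spelling, and the line should read `description = "[FreePascal 2.0.0 Win32 -> (Bérczi Gábor, Pierre Muller & Peter Vreman)]"`. The same one-size-fits-all GBK decoding likely explains `㎡nT畂L` in PEiD_02460 (probably a non-Chinese author tag) and the PEiD_03560 description, where the name was dropped entirely and `"[ v1.0 -> Li-Jianjun]"` is left with a stray leading space; those strings may need a per-rule source encoding or a short comment such as `// original PEiD name unrecoverable` rather than a silent blank. Since `description` is meta-only, none of this changes what the rules match, but a reviewer comparing against upstream PEiD signatures will otherwise read the new text as authoritative. The `/* ... */` block-commenting of PEiD_00138 is fine as a stopgap, though the existing `// Disabled due to false positives` comment would be more useful if it named the cause visible in the hunk, e.g. `// Disabled: generic MSVC prologue with an unanchored condition ($a, not $a at pe.entry_point) matches far too broadly`; the rule body between the two hunks is collapsed here, so the `ep_only` value cannot be checked from this view.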
Empty file modified rules/rats.yar
100755 → 100644
Empty file.