stvemillertime · January 28, 2024 20:25
diff --git a/regopenparams_rule_writer.yar b/regopenparams_rule_writer.yar
 import "pe"
 import "console"

 private rule rulewriter_regopenparams_miner {
    meta:
        author = "Greg Lesnewich"
        description = "mine out API calls that are x-ref'd from things that might be registry values being pushed to the stack "
        reference = "https://learn.microsoft.com/en-us/windows/win32/sysinfo/predefined-keys"
        date = "2024-01-28"
        version = "1"
        DaysofYARA = "28/100"
    strings:
        $params = {680?000080ff15}
    condition:
        uint16be(0) == 0x4d5a and (
            $params and
            for any i in (1..#params) :
            (
                for any imp in pe.import_details : (
                for any func in imp.functions : (
                    uint32(@params[i]+!params[i])&0xfffff == func.rva
                    and console.log("rule TTP_",func.name)
                    and console.log("{")
                    and console.log("   meta:")
                    and console.log("       author = \"glesnwich\"")
                    and console.log("   strings:")
                    and console.log("       $params = {680?000080ff15}")
                    and console.log("   condition:")
                    and console.log("        uint16be(0) == 0x4d5a and (")
                    and console.log("            $params and")
                    and console.log("            for any i in (1..#params) :")
                    and console.log("            (")
                    and console.log("                for any imp in pe.import_details : (")
                    and console.log("                for any func in imp.functions : (")
                    and console.log("                    uint32(@params[i]+!params[i])&0xfffff == func.rva")
                    and console.log("                    and func.name == \"",func.name) and console.log("\"")
                    and console.log("                )")
                    and console.log("            )")
                    and console.log("        )")
                    and console.log("    )")
                    and console.log("}")
                )
            )
        )
    )
 }
	import "pe"
	import "console"

	private rule rulewriter_regopenparams_miner {
	meta:
	author = "Greg Lesnewich"
	description = "mine out API calls that are x-ref'd from things that might be registry values being pushed to the stack "
	reference = "https://learn.microsoft.com/en-us/windows/win32/sysinfo/predefined-keys"
	date = "2024-01-28"
	version = "1"
	DaysofYARA = "28/100"
	strings:
	$params = {680?000080ff15}
	condition:
	uint16be(0) == 0x4d5a and (
	$params and
	for any i in (1..#params) :
	(
	for any imp in pe.import_details : (
	for any func in imp.functions : (
	uint32(@params[i]+!params[i])&0xfffff == func.rva
	and console.log("rule TTP_",func.name)
	and console.log("{")
	and console.log(" meta:")
	and console.log(" author = \"glesnwich\"")
	and console.log(" strings:")
	and console.log(" $params = {680?000080ff15}")
	and console.log(" condition:")
	and console.log(" uint16be(0) == 0x4d5a and (")
	and console.log(" $params and")
	and console.log(" for any i in (1..#params) :")
	and console.log(" (")
	and console.log(" for any imp in pe.import_details : (")
	and console.log(" for any func in imp.functions : (")
	and console.log(" uint32(@params[i]+!params[i])&0xfffff == func.rva")
	and console.log(" and func.name == \"",func.name) and console.log("\"")
	and console.log(" )")
	and console.log(" )")
	and console.log(" )")
	and console.log(" )")
	and console.log("}")
	)
	)
	)
	)
	}
No results found