Better SEH Detection

I have improved the @naxonez rules. These should be lower FP. Please let me know.

Better SEH Detection
I have improved the @naxonez rules. These should be lower FP. Please let me know.
ceeb3958 · Malware Utkonos · GitHub · 90cac274 · ceeb3958
Unverified Commit ceeb3958 authored Feb 21, 2019 by Malware Utkonos Committed by GitHub Feb 21, 2019
Show whitespace changes
Inline Side-by-side

Showing with 31 additions and 0 deletions

antidebug_antivm.yar Antidebug_AntiVM/antidebug_antivm.yar +31 -0

No files found.
--- a/Antidebug_AntiVM/antidebug_antivm.yar
+++ b/Antidebug_AntiVM/antidebug_antivm.yar
@@ -4,6 +4,12 @@

 import "pe"

+private rule WindowsPE
+{
+    condition:
+        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550
+}
+
 rule DebuggerCheck__PEB : AntiDebug DebuggerCheck {
 	meta:
 		weight = 1
@@ -275,6 +281,31 @@ rule DebuggerPattern__SEH_Inits : AntiDebug DebuggerPattern {
 }
 */

+rule SEH_Save : Tactic_DefensiveEvasion Technique_AntiDebugging SubTechnique_SEH
+{
+    meta:
+        author = "Malware Utkonos"
+        original_author = "naxonez"
+        source = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
+    strings:
+        $a = { 64 ff 35 00 00 00 00 }
+    condition:
+        WindowsPE and $a
+}
+
+rule SEH_Init : Tactic_DefensiveEvasion Technique_AntiDebugging SubTechnique_SEH
+{
+    meta:
+        author = "Malware Utkonos"
+        original_author = "naxonez"
+        source = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
+    strings:
+        $a = { 64 A3 00 00 00 00 }
+        $b = { 64 89 25 00 00 00 00 }
+    condition:
+        WindowsPE and ($a or $b)
+}
+

 rule Check_Dlls
 {