/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule DebuggerCheck__API : AntiDebug DebuggerCheck {
meta:
weight = 1
Author = "naxonez"
reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
strings:
$ ="IsDebuggerPresent"
condition:
any of them
}
rule DebuggerCheck__PEB : AntiDebug DebuggerCheck {
meta:
weight = 1
Author = "naxonez"
reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
strings:
$ ="IsDebugged"
condition:
any of them
}
rule DebuggerCheck__GlobalFlags : AntiDebug DebuggerCheck {
meta:
weight = 1
Author = "naxonez"
reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
strings:
$ ="NtGlobalFlags"
condition:
any of them
}
rule DebuggerCheck__QueryInfo : AntiDebug DebuggerCheck {
meta:
weight = 1
Author = "naxonez"
reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
strings:
$ ="QueryInformationProcess"
condition:
any of them
}
rule DebuggerCheck__RemoteAPI : AntiDebug DebuggerCheck {
meta:
weight = 1
Author = "naxonez"
reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
strings:
$ ="CheckRemoteDebuggerPresent"
condition:
any of them
}
rule DebuggerHiding__Thread : AntiDebug DebuggerHiding {
meta:
Author = "naxonez"
reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
weight = 1
strings:
$ ="SetInformationThread"
condition:
any of them
}
rule DebuggerHiding__Active : AntiDebug DebuggerHiding {
meta:
weight = 1
Author = "naxonez"
reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
strings:
$ ="DebugActiveProcess"
condition:
any of them
}
// 20150909 - Issue #39 - Commented because of High FP rate
/*
rule DebuggerTiming__PerformanceCounter : AntiDebug DebuggerTiming {
meta:
weight = 1
Author = "naxonez"
reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
strings:
$ ="QueryPerformanceCounter"
condition:
any of them
}
*/
// 20150909 - Issue #39 - Commented because of High FP rate
/*
rule DebuggerTiming__Ticks : AntiDebug DebuggerTiming {
meta:
weight = 1
Author = "naxonez"
reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
strings:
$ ="GetTickCount"
condition:
any of them
}
*/
// 20150909 - Issue #39 - Commented because of High FP rate
/*
rule DebuggerOutput__String : AntiDebug DebuggerOutput {
meta:
weight = 1
Author = "naxonez"
reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
strings:
$ ="OutputDebugString"
condition:
any of them
}
*/
// 20150909 - Issue #39 - Commented because of High FP rate
/*
rule DebuggerException__UnhandledFilter : AntiDebug DebuggerException {
meta:
weight = 1
Author = "naxonez"
reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
strings:
$ ="SetUnhandledExceptionFilter"
condition:
any of them
}
*/
rule DebuggerException__ConsoleCtrl : AntiDebug DebuggerException {
meta:
weight = 1
Author = "naxonez"
reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
strings:
$ ="GenerateConsoleCtrlEvent"
condition:
any of them
}
rule DebuggerException__SetConsoleCtrl : AntiDebug DebuggerException {
meta:
weight = 1
Author = "naxonez"
reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
strings:
$ ="SetConsoleCtrlHandler"
condition:
any of them
}
rule ThreadControl__Context : AntiDebug ThreadControl {
meta:
weight = 1
Author = "naxonez"
reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
strings:
$ ="SetThreadContext"
condition:
any of them
}
rule DebuggerCheck__DrWatson : AntiDebug DebuggerCheck {
meta:
weight = 1
Author = "naxonez"
reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
strings:
$ ="__invoke__watson"
condition:
any of them
}
rule SEH__v3 : AntiDebug SEH {
meta:
weight = 1
Author = "naxonez"
reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
strings:
$ = "____except__handler3"
$ = "____local__unwind3"
condition:
any of them
}
rule SEH__v4 : AntiDebug SEH {
// VS 8.0+
meta:
weight = 1
Author = "naxonez"
reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
strings:
$ = "____except__handler4"
$ = "____local__unwind4"
$ = "__XcptFilter"
condition:
any of them
}
rule SEH__vba : AntiDebug SEH {
meta:
weight = 1
Author = "naxonez"
reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
strings:
$ = "vbaExceptHandler"
condition:
any of them
}
rule SEH__vectored : AntiDebug SEH {
meta:
weight = 1
Author = "naxonez"
reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
strings:
$ = "AddVectoredExceptionHandler"
$ = "RemoveVectoredExceptionHandler"
condition:
any of them
}
// 20150909 - Issue #39 - Commented because of High FP rate
/*
rule DebuggerPattern__RDTSC : AntiDebug DebuggerPattern {
meta:
weight = 1
Author = "naxonez"
reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
strings:
$ = {0F 31}
condition:
any of them
}
*/
// 20150909 - Issue #39 - Commented because of High FP rate
/*
rule DebuggerPattern__CPUID : AntiDebug DebuggerPattern {
meta:
weight = 1
Author = "naxonez"
reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
strings:
$ = {0F A2}
condition:
any of them
}
*/
// 20150909 - Issue #39 - Commented because of High FP rate
/*
rule DebuggerPattern__SEH_Saves : AntiDebug DebuggerPattern {
meta:
weight = 1
Author = "naxonez"
reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
strings:
$ = {64 ff 35 00 00 00 00}
condition:
any of them
}
*/
// 20150909 - Issue #39 - Commented because of High FP rate
/*
rule DebuggerPattern__SEH_Inits : AntiDebug DebuggerPattern {
meta:
weight = 1
Author = "naxonez"
reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
strings:
$ = {64 89 25 00 00 00 00}
condition:
any of them
}
*/
rule Check_Dlls
{
meta:
Author = "Nick Hoffman"
Description = "Checks for common sandbox dlls"
Sample = "de1af0e97e94859d372be7fcf3a5daa5"
strings:
$dll1 = "sbiedll.dll" wide nocase ascii fullword
$dll2 = "dbghelp.dll" wide nocase ascii fullword
$dll3 = "api_log.dll" wide nocase ascii fullword
$dll4 = "dir_watch.dll" wide nocase ascii fullword
$dll5 = "pstorec.dll" wide nocase ascii fullword
$dll6 = "vmcheck.dll" wide nocase ascii fullword
$dll7 = "wpespy.dll" wide nocase ascii fullword
condition:
2 of them
}
rule Check_Qemu_Description
{
meta:
Author = "Nick Hoffman"
Description = "Checks for QEMU systembiosversion key"
Sample = "de1af0e97e94859d372be7fcf3a5daa5"
strings:
$key = "HARDWARE\\Description\\System" nocase wide ascii
$value = "SystemBiosVersion" nocase wide ascii
$data = "QEMU" wide nocase ascii
condition:
all of them
}
rule Check_Qemu_DeviceMap
{
meta:
Author = "Nick Hoffman"
Description = "Checks for Qemu reg keys"
Sample = "de1af0e97e94859d372be7fcf3a5daa5"
strings:
$key = "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0" nocase wide ascii
$value = "Identifier" nocase wide ascii
$data = "QEMU" wide nocase ascii
condition:
all of them
}
rule Check_VBox_Description
{
meta:
Author = "Nick Hoffman"
Description = "Checks Vbox description reg key"
Sample = "de1af0e97e94859d372be7fcf3a5daa5"
strings:
$key = "HARDWARE\\Description\\System" nocase wide ascii
$value = "SystemBiosVersion" nocase wide ascii
$data = "VBOX" nocase wide ascii
condition:
all of them
}
rule Check_VBox_DeviceMap
{
meta:
Author = "Nick Hoffman"
Description = "Checks Vbox registry keys"
Sample = "de1af0e97e94859d372be7fcf3a5daa5"
strings:
$key = "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0" nocase wide ascii
$value = "Identifier" nocase wide ascii
$data = "VBOX" nocase wide ascii
condition:
all of them
}
rule Check_VBox_Guest_Additions
{
meta:
Author = "Nick Hoffman"
Description = "Checks for the existence of the guest additions registry key"
Sample = "de1af0e97e94859d372be7fcf3a5daa5"
strings:
$key = "SOFTWARE\\Oracle\\VirtualBox Guest Additions" wide ascii nocase
condition:
any of them
}
rule Check_VBox_VideoDrivers
{
meta:
Author = "Nick Hoffman"
Description = "Checks for reg keys of Vbox video drivers"
Sample = "de1af0e97e94859d372be7fcf3a5daa5"
strings:
$key = "HARDWARE\\Description\\System" nocase wide ascii
$value = "VideoBiosVersion" wide nocase ascii
$data = "VIRTUALBOX" nocase wide ascii
condition:
all of them
}
rule Check_VMWare_DeviceMap
{
meta:
Author = "Nick Hoffman"
Description = "Checks for the existence of VmWare Registry Keys"
Sample = "de1af0e97e94859d372be7fcf3a5daa5"
strings:
$key = "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0" wide ascii nocase
$value = "Identifier" wide nocase ascii
$data = "VMware" wide nocase ascii
condition:
all of them
}
rule Check_VmTools
{
meta:
Author = "Nick Hoffman"
Description = "Checks for the existence of VmTools reg key"
Sample = "de1af0e97e94859d372be7fcf3a5daa5"
strings:
$ ="SOFTWARE\\VMware, Inc.\\VMware Tools" nocase ascii wide
condition:
any of them
}
rule Check_Wine
{
meta:
Author = "Nick Hoffman"
Description = "Checks for the existence of Wine"
Sample = "de1af0e97e94859d372be7fcf3a5daa5"
strings:
$ ="wine_get_unix_file_name"
condition:
any of them
}
rule vmdetect
{
meta:
author = "nex"
description = "Possibly employs anti-virtualization techniques"
strings:
// Binary tricks
$vmware = {56 4D 58 68}
$virtualpc = {0F 3F 07 0B}
$ssexy = {66 0F 70 ?? ?? 66 0F DB ?? ?? ?? ?? ?? 66 0F DB ?? ?? ?? ?? ?? 66 0F EF}
$vmcheckdll = {45 C7 00 01}
$redpill = {0F 01 0D 00 00 00 00 C3}
// Random strings
$vmware1 = "VMXh"
$vmware2 = "Ven_VMware_" nocase
$vmware3 = "Prod_VMware_Virtual_" nocase
$vmware4 = "hgfs.sys" nocase
$vmware5 = "mhgfs.sys" nocase
$vmware6 = "prleth.sys" nocase
$vmware7 = "prlfs.sys" nocase
$vmware8 = "prlmouse.sys" nocase
$vmware9 = "prlvideo.sys" nocase
$vmware10 = "prl_pv32.sys" nocase
$vmware11 = "vpc-s3.sys" nocase
$vmware12 = "vmsrvc.sys" nocase
$vmware13 = "vmx86.sys" nocase
$vmware14 = "vmnet.sys" nocase
$vmware15 = "vmicheartbeat" nocase
$vmware16 = "vmicvss" nocase
$vmware17 = "vmicshutdown" nocase
$vmware18 = "vmicexchange" nocase
$vmware19 = "vmdebug" nocase
$vmware20 = "vmmouse" nocase
$vmware21 = "vmtools" nocase
$vmware22 = "VMMEMCTL" nocase
$vmware23 = "vmx86" nocase
$vmware24 = "vmware" nocase
$virtualpc1 = "vpcbus" nocase
$virtualpc2 = "vpc-s3" nocase
$virtualpc3 = "vpcuhub" nocase
$virtualpc4 = "msvmmouf" nocase
$xen1 = "xenevtchn" nocase
$xen2 = "xennet" nocase
$xen3 = "xennet6" nocase
$xen4 = "xensvc" nocase
$xen5 = "xenvdb" nocase
$xen6 = "XenVMM" nocase
$virtualbox1 = "VBoxHook.dll" nocase
$virtualbox2 = "VBoxService" nocase
$virtualbox3 = "VBoxTray" nocase
$virtualbox4 = "VBoxMouse" nocase
$virtualbox5 = "VBoxGuest" nocase
$virtualbox6 = "VBoxSF" nocase
$virtualbox7 = "VBoxGuestAdditions" nocase
$virtualbox8 = "VBOX HARDDISK" nocase
// MAC addresses
$vmware_mac_1a = "00-05-69"
$vmware_mac_1b = "00:05:69"
$vmware_mac_1c = "000569"
$vmware_mac_2a = "00-50-56"
$vmware_mac_2b = "00:50:56"
$vmware_mac_2c = "005056"
$vmware_mac_3a = "00-0C-29" nocase
$vmware_mac_3b = "00:0C:29" nocase
$vmware_mac_3c = "000C29" nocase
$vmware_mac_4a = "00-1C-14" nocase
$vmware_mac_4b = "00:1C:14" nocase
$vmware_mac_4c = "001C14" nocase
$virtualbox_mac_1a = "08-00-27"
$virtualbox_mac_1b = "08:00:27"
$virtualbox_mac_1c = "080027"
condition:
any of them
}
rule Check_Debugger
{
meta:
Author = "Nick Hoffman"
Description = "Looks for both isDebuggerPresent and CheckRemoteDebuggerPresent"
Sample = "de1af0e97e94859d372be7fcf3a5daa5"
condition:
pe.imports("kernel32.dll","CheckRemoteDebuggerPresent") and
pe.imports("kernel32.dll","IsDebuggerPresent")
}
rule Check_DriveSize
{
meta:
Author = "Nick Hoffman"
Description = "Rule tries to catch uses of DeviceIOControl being used to get the drive size"
Sample = "de1af0e97e94859d372be7fcf3a5daa5"
strings:
$physicaldrive = "\\\\.\\PhysicalDrive0" wide ascii nocase
$dwIoControlCode = {68 5c 40 07 00 [0-5] FF 15} //push 7405ch ; push esi (handle) then call deviceoiocontrol IOCTL_DISK_GET_LENGTH_INFO
condition:
pe.imports("kernel32.dll","CreateFileA") and
pe.imports("kernel32.dll","DeviceIoControl") and
$dwIoControlCode and
$physicaldrive
}
rule Check_FilePaths
{
meta:
Author = "Nick Hoffman"
Description = "Checks for filepaths containing popular sandbox names"
Sample = "de1af0e97e94859d372be7fcf3a5daa5"
strings:
$path1 = "SANDBOX" wide ascii
$path2 = "\\SAMPLE" wide ascii
$path3 = "\\VIRUS" wide ascii
condition:
all of ($path*) and pe.imports("kernel32.dll","GetModuleFileNameA")
}
rule Check_UserNames
{
meta:
Author = "Nick Hoffman"
Description = "Looks for malware checking for common sandbox usernames"
Sample = "de1af0e97e94859d372be7fcf3a5daa5"
strings:
$user1 = "MALTEST" wide ascii
$user2 = "TEQUILABOOMBOOM" wide ascii
$user3 = "SANDBOX" wide ascii
$user4 = "VIRUS" wide ascii
$user5 = "MALWARE" wide ascii
condition:
all of ($user*) and pe.imports("advapi32.dll","GetUserNameA")
}
rule Check_OutputDebugStringA_iat
{
meta:
Author = "http://twitter.com/j0sm1"
Description = "Detect in IAT OutputDebugstringA"
Date = "20/04/2015"
condition:
pe.imports("kernel32.dll","OutputDebugStringA")
}
// 20150909 - Issue #39 - Commented because of High FP rate
/*
rule Check_unhandledExceptionFiler_iat {
meta:
Author = "http://twitter.com/j0sm1"
Description = "it's checked if UnhandledExceptionFilter is imported"
Date = "20/04/2015"
Reference = "http://www.codeproject.com/Articles/30815/An-Anti-Reverse-Engineering-Guide#UnhandledExceptionFilter"
condition:
pe.imports("kernel32.dll","UnhandledExceptionFilter")
}
*/
// 20150909 - Issue #39 - Commented because of High FP rate
/*
rule check_RaiseException_iat {
meta:
Author = "http://twitter.com/j0sm1"
Description = "it's checked if RaiseException is imported"
Date = "20/04/2015"
Reference = "http://waleedassar.blogspot.com.es/2012/11/ollydbg-raiseexception-bug.html"
condition:
pe.imports("kernel32.dll","RaiseException")
}
*/
rule Check_FindWindowA_iat {
meta:
Author = "http://twitter.com/j0sm1"
Description = "it's checked if FindWindowA() is imported"
Date = "20/04/2015"
Reference = "http://www.codeproject.com/Articles/30815/An-Anti-Reverse-Engineering-Guide#OllyFindWindow"
strings:
$ollydbg = "OLLYDBG"
$windbg = "WinDbgFrameClass"
condition:
pe.imports("user32.dll","FindWindowA") and ($ollydbg or $windbg)
}
rule DebuggerCheck__MemoryWorkingSet : AntiDebug DebuggerCheck {
meta:
author = "Fernando Mercês"
date = "2015-06"
description = "Anti-debug process memory working set size check"
reference = "http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/"
condition:
pe.imports("kernel32.dll", "K32GetProcessMemoryInfo") and
pe.imports("kernel32.dll", "GetCurrentProcess")
}