/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */

/*
 * Anti-debugging / anti-VM indicator rules.
 *
 * The rules fall into two families:
 *   - string-based rules (naxonez): a single API or symbol name anywhere in
 *     the scanned file is enough to fire ("any of them").  Because legitimate
 *     software imports the same APIs, these are low-confidence indicators; the
 *     `weight = 1` meta is set on each of them, but nothing in this file
 *     consumes it, so its meaning is up to the calling tool.  Several siblings
 *     were disabled on 20150909 (Issue #39) for a high false-positive rate and
 *     are kept below as commented-out blocks for reference.
 *   - import-table rules (Nick Hoffman, j0sm1, Fernando Mercês): these use
 *     pe.imports() from the "pe" module and only fire when the PE actually
 *     imports the named function, usually combined with a string match.
 *
 * Triage note: treat a hit from any single rule here as a hint to look closer,
 * not as a malware verdict; corroborate with the other rules and with context.
 */

import "pe"

// ---------------------------------------------------------------------------
// Debugger presence checks (string indicators)
// ---------------------------------------------------------------------------

// Bare API name match; any binary that imports or logs IsDebuggerPresent fires.
rule DebuggerCheck__API : AntiDebug DebuggerCheck
{
    meta:
        weight = 1
        Author = "naxonez"
        reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
    strings:
        $ = "IsDebuggerPresent"
    condition:
        any of them
}

// Looks for the PEB "IsDebugged" field name as text (e.g. from tooling output or
// symbol names); it does not inspect the PEB itself.
rule DebuggerCheck__PEB : AntiDebug DebuggerCheck
{
    meta:
        weight = 1
        Author = "naxonez"
        reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
    strings:
        $ = "IsDebugged"
    condition:
        any of them
}

rule DebuggerCheck__GlobalFlags : AntiDebug DebuggerCheck
{
    meta:
        weight = 1
        Author = "naxonez"
        reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
    strings:
        $ = "NtGlobalFlags"
    condition:
        any of them
}

// "QueryInformationProcess" is a substring of NtQueryInformationProcess /
// ZwQueryInformationProcess, so either spelling matches.
rule DebuggerCheck__QueryInfo : AntiDebug DebuggerCheck
{
    meta:
        weight = 1
        Author = "naxonez"
        reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
    strings:
        $ = "QueryInformationProcess"
    condition:
        any of them
}

rule DebuggerCheck__RemoteAPI : AntiDebug DebuggerCheck
{
    meta:
        weight = 1
        Author = "naxonez"
        reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
    strings:
        $ = "CheckRemoteDebuggerPresent"
    condition:
        any of them
}

// ---------------------------------------------------------------------------
// Debugger hiding / detaching (string indicators)
// ---------------------------------------------------------------------------

// Substring of NtSetInformationThread / ZwSetInformationThread.
rule DebuggerHiding__Thread : AntiDebug DebuggerHiding
{
    meta:
        Author = "naxonez"
        reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
        weight = 1
    strings:
        $ = "SetInformationThread"
    condition:
        any of them
}

rule DebuggerHiding__Active : AntiDebug DebuggerHiding
{
    meta:
        weight = 1
        Author = "naxonez"
        reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
    strings:
        $ = "DebugActiveProcess"
    condition:
        any of them
}

// ---------------------------------------------------------------------------
// Timing / output / exception checks disabled for false positives
// ---------------------------------------------------------------------------

// 20150909 - Issue #39 - Commented because of High FP rate
/*
rule DebuggerTiming__PerformanceCounter : AntiDebug DebuggerTiming
{
    meta:
        weight = 1
        Author = "naxonez"
        reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
    strings:
        $ = "QueryPerformanceCounter"
    condition:
        any of them
}
*/

// 20150909 - Issue #39 - Commented because of High FP rate
/*
rule DebuggerTiming__Ticks : AntiDebug DebuggerTiming
{
    meta:
        weight = 1
        Author = "naxonez"
        reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
    strings:
        $ = "GetTickCount"
    condition:
        any of them
}
*/

// 20150909 - Issue #39 - Commented because of High FP rate
/*
rule DebuggerOutput__String : AntiDebug DebuggerOutput
{
    meta:
        weight = 1
        Author = "naxonez"
        reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
    strings:
        $ = "OutputDebugString"
    condition:
        any of them
}
*/

// 20150909 - Issue #39 - Commented because of High FP rate
/*
rule DebuggerException__UnhandledFilter : AntiDebug DebuggerException
{
    meta:
        weight = 1
        Author = "naxonez"
        reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
    strings:
        $ = "SetUnhandledExceptionFilter"
    condition:
        any of them
}
*/

// ---------------------------------------------------------------------------
// Exception / console-control based checks (string indicators)
// ---------------------------------------------------------------------------

rule DebuggerException__ConsoleCtrl : AntiDebug DebuggerException
{
    meta:
        weight = 1
        Author = "naxonez"
        reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
    strings:
        $ = "GenerateConsoleCtrlEvent"
    condition:
        any of them
}

// Note: SetConsoleCtrlHandler is also routinely used by ordinary console
// applications for Ctrl+C handling, so expect benign hits.
rule DebuggerException__SetConsoleCtrl : AntiDebug DebuggerException
{
    meta:
        weight = 1
        Author = "naxonez"
        reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
    strings:
        $ = "SetConsoleCtrlHandler"
    condition:
        any of them
}

rule ThreadControl__Context : AntiDebug ThreadControl
{
    meta:
        weight = 1
        Author = "naxonez"
        reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
    strings:
        $ = "SetThreadContext"
    condition:
        any of them
}

// NOTE(review): the symbol below carries doubled underscores.  The CRT helper
// is usually seen as _invoke_watson; if the extra underscores are a transcription
// artifact of the upstream file, this string will not match real binaries.
// Confirm against the reference before relying on this rule.
rule DebuggerCheck__DrWatson : AntiDebug DebuggerCheck
{
    meta:
        weight = 1
        Author = "naxonez"
        reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
    strings:
        $ = "__invoke__watson"
    condition:
        any of them
}

// ---------------------------------------------------------------------------
// Structured Exception Handling indicators
// ---------------------------------------------------------------------------

// NOTE(review): same caveat as DrWatson above.  The MSVC CRT names are
// _except_handler3 / _local_unwind3; the quadruple/double underscores here look
// like a transcription artifact.  Verify against the upstream reference - if
// the strings are wrong, SEH__v3 and SEH__v4 never fire.
rule SEH__v3 : AntiDebug SEH
{
    meta:
        weight = 1
        Author = "naxonez"
        reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
    strings:
        $ = "____except__handler3"
        $ = "____local__unwind3"
    condition:
        any of them
}

rule SEH__v4 : AntiDebug SEH
{
    // VS 8.0+
    meta:
        weight = 1
        Author = "naxonez"
        reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
    strings:
        $ = "____except__handler4"
        $ = "____local__unwind4"
        $ = "__XcptFilter"
    condition:
        any of them
}

rule SEH__vba : AntiDebug SEH
{
    meta:
        weight = 1
        Author = "naxonez"
        reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
    strings:
        $ = "vbaExceptHandler"
    condition:
        any of them
}

// Vectored exception handlers are a common anti-debug primitive but are also
// used by legitimate crash reporters; a hit alone is weak evidence.
rule SEH__vectored : AntiDebug SEH
{
    meta:
        weight = 1
        Author = "naxonez"
        reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
    strings:
        $ = "AddVectoredExceptionHandler"
        $ = "RemoveVectoredExceptionHandler"
    condition:
        any of them
}

// ---------------------------------------------------------------------------
// Opcode-pattern rules disabled for false positives
// (two-byte opcodes and a fixed fs:[0] sequence occur in ordinary code)
// ---------------------------------------------------------------------------

// 20150909 - Issue #39 - Commented because of High FP rate
/*
rule DebuggerPattern__RDTSC : AntiDebug DebuggerPattern
{
    meta:
        weight = 1
        Author = "naxonez"
        reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
    strings:
        $ = {0F 31}
    condition:
        any of them
}
*/

// 20150909 - Issue #39 - Commented because of High FP rate
/*
rule DebuggerPattern__CPUID : AntiDebug DebuggerPattern
{
    meta:
        weight = 1
        Author = "naxonez"
        reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
    strings:
        $ = {0F A2}
    condition:
        any of them
}
*/

// 20150909 - Issue #39 - Commented because of High FP rate
/*
rule DebuggerPattern__SEH_Saves : AntiDebug DebuggerPattern
{
    meta:
        weight = 1
        Author = "naxonez"
        reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
    strings:
        $ = {64 ff 35 00 00 00 00}
    condition:
        any of them
}
*/

// 20150909 - Issue #39 - Commented because of High FP rate
/*
rule DebuggerPattern__SEH_Inits : AntiDebug DebuggerPattern
{
    meta:
        weight = 1
        Author = "naxonez"
        reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
    strings:
        $ = {64 89 25 00 00 00 00}
    condition:
        any of them
}
*/

// ---------------------------------------------------------------------------
// Sandbox / hypervisor artifact checks (Nick Hoffman)
// All rules in this group carry the same Sample hash in meta.
// ---------------------------------------------------------------------------

// Requires at least two of the seven DLL names (2 of them), which cuts the
// noise from a single common name such as dbghelp.dll.  Each string is matched
// case-insensitively, as ASCII or UTF-16, and only as a whole word.
rule Check_Dlls
{
    meta:
        Author = "Nick Hoffman"
        Description = "Checks for common sandbox dlls"
        Sample = "de1af0e97e94859d372be7fcf3a5daa5"
    strings:
        $dll1 = "sbiedll.dll" wide nocase ascii fullword
        $dll2 = "dbghelp.dll" wide nocase ascii fullword
        $dll3 = "api_log.dll" wide nocase ascii fullword
        $dll4 = "dir_watch.dll" wide nocase ascii fullword
        $dll5 = "pstorec.dll" wide nocase ascii fullword
        $dll6 = "vmcheck.dll" wide nocase ascii fullword
        $dll7 = "wpespy.dll" wide nocase ascii fullword
    condition:
        2 of them
}

// The registry rules below each need the key path, the value name AND the
// expected data string to be present ("all of them"); the three strings are
// not required to be adjacent, only to co-occur in the file.
rule Check_Qemu_Description
{
    meta:
        Author = "Nick Hoffman"
        Description = "Checks for QEMU systembiosversion key"
        Sample = "de1af0e97e94859d372be7fcf3a5daa5"
    strings:
        $key = "HARDWARE\\Description\\System" nocase wide ascii
        $value = "SystemBiosVersion" nocase wide ascii
        $data = "QEMU" wide nocase ascii
    condition:
        all of them
}

rule Check_Qemu_DeviceMap
{
    meta:
        Author = "Nick Hoffman"
        Description = "Checks for Qemu reg keys"
        Sample = "de1af0e97e94859d372be7fcf3a5daa5"
    strings:
        $key = "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0" nocase wide ascii
        $value = "Identifier" nocase wide ascii
        $data = "QEMU" wide nocase ascii
    condition:
        all of them
}

rule Check_VBox_Description
{
    meta:
        Author = "Nick Hoffman"
        Description = "Checks Vbox description reg key"
        Sample = "de1af0e97e94859d372be7fcf3a5daa5"
    strings:
        $key = "HARDWARE\\Description\\System" nocase wide ascii
        $value = "SystemBiosVersion" nocase wide ascii
        $data = "VBOX" nocase wide ascii
    condition:
        all of them
}

rule Check_VBox_DeviceMap
{
    meta:
        Author = "Nick Hoffman"
        Description = "Checks Vbox registry keys"
        Sample = "de1af0e97e94859d372be7fcf3a5daa5"
    strings:
        $key = "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0" nocase wide ascii
        $value = "Identifier" nocase wide ascii
        $data = "VBOX" nocase wide ascii
    condition:
        all of them
}

// Single key path; "any of them" here is equivalent to "$key".
rule Check_VBox_Guest_Additions
{
    meta:
        Author = "Nick Hoffman"
        Description = "Checks for the existence of the guest additions registry key"
        Sample = "de1af0e97e94859d372be7fcf3a5daa5"
    strings:
        $key = "SOFTWARE\\Oracle\\VirtualBox Guest Additions" wide ascii nocase
    condition:
        any of them
}

rule Check_VBox_VideoDrivers
{
    meta:
        Author = "Nick Hoffman"
        Description = "Checks for reg keys of Vbox video drivers"
        Sample = "de1af0e97e94859d372be7fcf3a5daa5"
    strings:
        $key = "HARDWARE\\Description\\System" nocase wide ascii
        $value = "VideoBiosVersion" wide nocase ascii
        $data = "VIRTUALBOX" nocase wide ascii
    condition:
        all of them
}

rule Check_VMWare_DeviceMap
{
    meta:
        Author = "Nick Hoffman"
        Description = "Checks for the existence of VmWare Registry Keys"
        Sample = "de1af0e97e94859d372be7fcf3a5daa5"
    strings:
        $key = "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0" wide ascii nocase
        $value = "Identifier" wide nocase ascii
        $data = "VMware" wide nocase ascii
    condition:
        all of them
}

rule Check_VmTools
{
    meta:
        Author = "Nick Hoffman"
        Description = "Checks for the existence of VmTools reg key"
        Sample = "de1af0e97e94859d372be7fcf3a5daa5"
    strings:
        $ = "SOFTWARE\\VMware, Inc.\\VMware Tools" nocase ascii wide
    condition:
        any of them
}

// Export name used to detect a Wine environment; ASCII only, case-sensitive.
rule Check_Wine
{
    meta:
        Author = "Nick Hoffman"
        Description = "Checks for the existence of Wine"
        Sample = "de1af0e97e94859d372be7fcf3a5daa5"
    strings:
        $ = "wine_get_unix_file_name"
    condition:
        any of them
}

// ---------------------------------------------------------------------------
// Broad anti-virtualization indicator (nex)
// ---------------------------------------------------------------------------

// Fires on ANY single string below ("any of them").  Several entries are very
// short and generic ("vmware", "vmtools", "xennet"), so this rule is best read
// as "mentions virtualization" rather than "evades virtualization"; VM
// management tools and drivers will match legitimately.
rule vmdetect
{
    meta:
        author = "nex"
        description = "Possibly employs anti-virtualization techniques"
    strings:
        // Binary tricks
        // {56 4D 58 68} is the same byte sequence as the ASCII magic "VMXh"
        // (also listed as $vmware1 below), i.e. the VMware backdoor I/O port magic.
        $vmware = {56 4D 58 68}
        $virtualpc = {0F 3F 07 0B}
        $ssexy = {66 0F 70 ?? ?? 66 0F DB ?? ?? ?? ?? ?? 66 0F DB ?? ?? ?? ?? ?? 66 0F EF}
        $vmcheckdll = {45 C7 00 01}
        // "red pill": sidt [disp32] followed by ret.
        $redpill = {0F 01 0D 00 00 00 00 C3}

        // Random strings
        // NOTE(review): the prl*.sys and vpc-s3.sys entries under the $vmware
        // prefix appear to be Parallels / Virtual PC driver names; the prefix
        // is only a label and does not affect matching.
        $vmware1 = "VMXh"
        $vmware2 = "Ven_VMware_" nocase
        $vmware3 = "Prod_VMware_Virtual_" nocase
        $vmware4 = "hgfs.sys" nocase
        $vmware5 = "mhgfs.sys" nocase
        $vmware6 = "prleth.sys" nocase
        $vmware7 = "prlfs.sys" nocase
        $vmware8 = "prlmouse.sys" nocase
        $vmware9 = "prlvideo.sys" nocase
        $vmware10 = "prl_pv32.sys" nocase
        $vmware11 = "vpc-s3.sys" nocase
        $vmware12 = "vmsrvc.sys" nocase
        $vmware13 = "vmx86.sys" nocase
        $vmware14 = "vmnet.sys" nocase
        $vmware15 = "vmicheartbeat" nocase
        $vmware16 = "vmicvss" nocase
        $vmware17 = "vmicshutdown" nocase
        $vmware18 = "vmicexchange" nocase
        $vmware19 = "vmdebug" nocase
        $vmware20 = "vmmouse" nocase
        $vmware21 = "vmtools" nocase
        $vmware22 = "VMMEMCTL" nocase
        $vmware23 = "vmx86" nocase
        $vmware24 = "vmware" nocase
        $virtualpc1 = "vpcbus" nocase
        $virtualpc2 = "vpc-s3" nocase
        $virtualpc3 = "vpcuhub" nocase
        $virtualpc4 = "msvmmouf" nocase
        $xen1 = "xenevtchn" nocase
        $xen2 = "xennet" nocase
        $xen3 = "xennet6" nocase
        $xen4 = "xensvc" nocase
        $xen5 = "xenvdb" nocase
        $xen6 = "XenVMM" nocase
        $virtualbox1 = "VBoxHook.dll" nocase
        $virtualbox2 = "VBoxService" nocase
        $virtualbox3 = "VBoxTray" nocase
        $virtualbox4 = "VBoxMouse" nocase
        $virtualbox5 = "VBoxGuest" nocase
        $virtualbox6 = "VBoxSF" nocase
        $virtualbox7 = "VBoxGuestAdditions" nocase
        $virtualbox8 = "VBOX HARDDISK" nocase

        // MAC addresses
        // Each OUI prefix is listed in three textual forms (dash, colon, bare).
        // `nocase` is only needed where the prefix contains hex letters; the
        // all-digit prefixes (00-05-69, 00-50-56, 08-00-27) have no case.
        $vmware_mac_1a = "00-05-69"
        $vmware_mac_1b = "00:05:69"
        $vmware_mac_1c = "000569"
        $vmware_mac_2a = "00-50-56"
        $vmware_mac_2b = "00:50:56"
        $vmware_mac_2c = "005056"
        $vmware_mac_3a = "00-0C-29" nocase
        $vmware_mac_3b = "00:0C:29" nocase
        $vmware_mac_3c = "000C29" nocase
        $vmware_mac_4a = "00-1C-14" nocase
        $vmware_mac_4b = "00:1C:14" nocase
        $vmware_mac_4c = "001C14" nocase
        $virtualbox_mac_1a = "08-00-27"
        $virtualbox_mac_1b = "08:00:27"
        $virtualbox_mac_1c = "080027"
    condition:
        any of them
}

// ---------------------------------------------------------------------------
// Import-table based checks (require the "pe" module)
// pe.imports() is undefined for non-PE input, so these rules simply do not
// match on other file types.
// ---------------------------------------------------------------------------

// Both debugger-presence APIs must be imported from kernel32.dll; stricter than
// the string-only DebuggerCheck__API / DebuggerCheck__RemoteAPI rules above.
rule Check_Debugger
{
    meta:
        Author = "Nick Hoffman"
        Description = "Looks for both isDebuggerPresent and CheckRemoteDebuggerPresent"
        Sample = "de1af0e97e94859d372be7fcf3a5daa5"
    condition:
        pe.imports("kernel32.dll","CheckRemoteDebuggerPresent") and pe.imports("kernel32.dll","IsDebuggerPresent")
}

// Disk-size sandbox check: the raw-device path string plus a `push 0x7405C`
// (little-endian 5c 40 07 00) followed within 0-5 bytes by an indirect call
// (FF 15), together with imports of CreateFileA and DeviceIoControl.  The
// pattern is specific to 32-bit code using this exact immediate form.
rule Check_DriveSize
{
    meta:
        Author = "Nick Hoffman"
        Description = "Rule tries to catch uses of DeviceIOControl being used to get the drive size"
        Sample = "de1af0e97e94859d372be7fcf3a5daa5"
    strings:
        $physicaldrive = "\\\\.\\PhysicalDrive0" wide ascii nocase
        $dwIoControlCode = {68 5c 40 07 00 [0-5] FF 15} //push 7405ch ; push esi (handle) then call deviceoiocontrol IOCTL_DISK_GET_LENGTH_INFO
    condition:
        pe.imports("kernel32.dll","CreateFileA") and pe.imports("kernel32.dll","DeviceIoControl") and $dwIoControlCode and $physicaldrive
}

// All three path fragments must be present (case-sensitive, no `nocase`)
// together with an import of GetModuleFileNameA; a file containing only one
// or two of them does not fire.
rule Check_FilePaths
{
    meta:
        Author = "Nick Hoffman"
        Description = "Checks for filepaths containing popular sandbox names"
        Sample = "de1af0e97e94859d372be7fcf3a5daa5"
    strings:
        $path1 = "SANDBOX" wide ascii
        $path2 = "\\SAMPLE" wide ascii
        $path3 = "\\VIRUS" wide ascii
    condition:
        all of ($path*) and pe.imports("kernel32.dll","GetModuleFileNameA")
}

// Same shape as Check_FilePaths: all five user names (case-sensitive) plus an
// import of GetUserNameA from advapi32.dll.
rule Check_UserNames
{
    meta:
        Author = "Nick Hoffman"
        Description = "Looks for malware checking for common sandbox usernames"
        Sample = "de1af0e97e94859d372be7fcf3a5daa5"
    strings:
        $user1 = "MALTEST" wide ascii
        $user2 = "TEQUILABOOMBOOM" wide ascii
        $user3 = "SANDBOX" wide ascii
        $user4 = "VIRUS" wide ascii
        $user5 = "MALWARE" wide ascii
    condition:
        all of ($user*) and pe.imports("advapi32.dll","GetUserNameA")
}

// ---------------------------------------------------------------------------
// IAT checks (j0sm1)
// ---------------------------------------------------------------------------

// NOTE(review): this fires on the import alone.  The string-based
// DebuggerOutput__String rule above was disabled on 20150909 for a high FP
// rate for the same API; consider whether this rule needs the same treatment
// or a corroborating condition, since debug builds commonly import it.
rule Check_OutputDebugStringA_iat
{
    meta:
        Author = "http://twitter.com/j0sm1"
        Description = "Detect in IAT OutputDebugstringA"
        Date = "20/04/2015"
    condition:
        pe.imports("kernel32.dll","OutputDebugStringA")
}

// 20150909 - Issue #39 - Commented because of High FP rate
/*
rule Check_unhandledExceptionFiler_iat
{
    meta:
        Author = "http://twitter.com/j0sm1"
        Description = "it's checked if UnhandledExceptionFilter is imported"
        Date = "20/04/2015"
        Reference = "http://www.codeproject.com/Articles/30815/An-Anti-Reverse-Engineering-Guide#UnhandledExceptionFilter"
    condition:
        pe.imports("kernel32.dll","UnhandledExceptionFilter")
}
*/

// 20150909 - Issue #39 - Commented because of High FP rate
/*
rule check_RaiseException_iat
{
    meta:
        Author = "http://twitter.com/j0sm1"
        Description = "it's checked if RaiseException is imported"
        Date = "20/04/2015"
        Reference = "http://waleedassar.blogspot.com.es/2012/11/ollydbg-raiseexception-bug.html"
    condition:
        pe.imports("kernel32.dll","RaiseException")
}
*/

// Import of FindWindowA combined with at least one debugger window class /
// title string (both case-sensitive ASCII); the import alone does not fire.
rule Check_FindWindowA_iat
{
    meta:
        Author = "http://twitter.com/j0sm1"
        Description = "it's checked if FindWindowA() is imported"
        Date = "20/04/2015"
        Reference = "http://www.codeproject.com/Articles/30815/An-Anti-Reverse-Engineering-Guide#OllyFindWindow"
    strings:
        $ollydbg = "OLLYDBG"
        $windbg = "WinDbgFrameClass"
    condition:
        pe.imports("user32.dll","FindWindowA") and ($ollydbg or $windbg)
}

// Import-only rule: both K32GetProcessMemoryInfo and GetCurrentProcess must be
// imported from kernel32.dll.  GetCurrentProcess is near-universal, so the
// discriminating import is K32GetProcessMemoryInfo; memory-monitoring tools
// will match as well.
rule DebuggerCheck__MemoryWorkingSet : AntiDebug DebuggerCheck
{
    meta:
        author = "Fernando Mercês"
        date = "2015-06"
        description = "Anti-debug process memory working set size check"
        reference = "http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/"
    condition:
        pe.imports("kernel32.dll", "K32GetProcessMemoryInfo") and pe.imports("kernel32.dll", "GetCurrentProcess")
}