
SANS ISC: YARA Rules For Shellcode - SANS Internet Storm Center

YARA Rules For Shellcode

I had a guest diary entry about my XORSearch tool using the shellcode detection rules from Frank Boldewin's OfficeMalScanner. To detect malicious documents, Frank coded rules that detect shellcode and other indicators of executable code inside documents.

I also translated Frank's detection rules to YARA rules. You can find them here; the file is maldoc.yara.

This is an example:

rule maldoc_API_hashing
{
    meta:
        author = "Didier Stevens ("
    strings:
        $a1 = {AC 84 C0 74 07 C1 CF 0D 01 C7 EB F4 81 FF}
        $a2 = {AC 84 C0 74 07 C1 CF 07 01 C7 EB F4 81 FF}
    condition:
        any of them
}
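To show what the two hex strings above actually detect, here is an added Python example (my own code, not from the diary, OfficeMalScanner or maldoc.yara). It translates the rule's hex strings into byte regexes, scans a buffer the way the rule's "any of them" condition would, and annotates the bytes with the x86 instructions they encode: the classic API-hashing loop that shellcode uses to resolve Windows exports without import tables (ROR 0x0D in $a1, ROR 0x07 in $a2). The helper function, the suspicious and benign sample buffers, and the imm32 hash operand are all constructed for the example; the wildcard support is a small subset of YARA hex-string syntax, not a full reimplementation.

```python
import re

# The two hex strings from the maldoc_API_hashing rule quoted above.
# Both encode the same hash loop; they differ only in the ROR count (0x0D vs 0x07).
MALDOC_API_HASHING = {
    "$a1": "AC 84 C0 74 07 C1 CF 0D 01 C7 EB F4 81 FF",
    "$a2": "AC 84 C0 74 07 C1 CF 07 01 C7 EB F4 81 FF",
}

# What the $a1 bytes decode to (x86), for the analyst triaging a hit:
#   AC          lodsb             ; next character of the export name
#   84 C0       test al, al       ; NUL terminator reached?
#   74 07       jz   +7           ; yes -> leave the loop and compare the hash
#   C1 CF 0D    ror  edi, 0x0D    ; rotate the running hash ($a2 uses 0x07)
#   01 C7       add  edi, eax     ; mix in the character
#   EB F4       jmp  -12          ; back to lodsb
#   81 FF       cmp  edi, imm32   ; compare against the hard-coded API hash


def hex_string_to_regex(pattern: str) -> re.Pattern:
    """Compile a YARA-style hex string into a bytes regex.

    Supports plain byte tokens and the '??' single-byte wildcard, which is
    enough for the patterns quoted on this page. This is a constructed
    helper for the example, not part of YARA or of maldoc.yara.
    """
    pieces = []
    for token in pattern.split():
        if token == "??":
            pieces.append(b".")
        else:
            pieces.append(re.escape(bytes([int(token, 16)])))
    return re.compile(b"".join(pieces), re.DOTALL)


def scan(data: bytes, strings=MALDOC_API_HASHING):
    """Return every (string name, offset) hit, ordered by offset."""
    hits = []
    for name, pattern in strings.items():
        for match in hex_string_to_regex(pattern).finditer(data):
            hits.append((name, match.start()))
    return sorted(hits, key=lambda hit: hit[1])


def rule_matches(data: bytes) -> bool:
    """Equivalent of the rule's 'any of them' condition."""
    return bool(scan(data))


# Constructed sample: three NOPs, the ROR-0x0D hash loop, a made-up imm32
# hash operand and a conditional jump, roughly how such a stub sits inside
# a document. Not taken from any real malware.
SAMPLE_SUSPICIOUS = bytes.fromhex(
    "90 90 90 "                                   # padding
    "AC 84 C0 74 07 C1 CF 0D 01 C7 EB F4 81 FF "  # hash loop + cmp edi,
    "11 22 33 44 "                                # constructed imm32 operand
    "75 05 "                                      # jnz: try the next export
)

# Constructed benign buffer: zeros and text, no hash loop anywhere.
SAMPLE_BENIGN = b"\x00" * 16 + b"Quarterly report, nothing executable here." + b"\x00" * 16


if __name__ == "__main__":
    for label, blob in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        print(label, rule_matches(blob), scan(blob))
```

Running it reports a single $a1 hit at offset 3 in the suspicious buffer and nothing in the benign one. The point a practitioner should take from the annotation is why the pattern is robust: the loop is position-independent, contains no strings or imports, and is copied between shellcode families with only the rotate count changing, which is exactly why the rule needs two variants and why a hit on either deserves a closer look at the surrounding bytes.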


ISC Handler
Mar 30th 2015
