JPEG_EXIF_Contains_eval.yara

/*
  Version 0.0.3 2015/02/15
  Source code put in public domain by Didier Stevens, no Copyright
  https://DidierStevens.com
  Use at your own risk

  Shortcomings, or todo's ;-) :
    Constant 0x06 in the condition is the minimum length of the string matched by regex $b.
    Ideally, this should be an expression and not a constant, for example len($d).

  History:
    2014/12/23: start
    2015/01/01: continued
    2015/01/11: changed regex to \W
    2015/02/15: replaced regex \W with \b (available in YARA 3.3.0)
*/

rule JPEG_EXIF_Contains_eval
{
    meta:
        author = "Didier Stevens (https://DidierStevens.com)"
        description = "Detect eval function inside JPG EXIF header (http://blog.sucuri.net/2013/07/malware-hidden-inside-jpg-exif-headers.html)"
        method = "Detect JPEG file and EXIF header ($a) and eval function ($b) inside EXIF data"
    strings:
        $a = {FF E1 ?? ?? 45 78 69 66 00}
        $b = /\beval\s*\(/
    condition:
        uint16be(0x00) == 0xFFD8 and $a and $b in (@a + 0x12 .. @a + 0x02 + uint16be(@a + 0x02) - 0x06)
}