From 1e95eb106ece707c004d81856a219e2e10056a36 Mon Sep 17 00:00:00 2001
From: Piotr Szczepanski
Date: Wed, 29 Apr 2020 13:24:05 +0200
Subject: [PATCH] Improve the detection of AutoIT files compiled to binary.

AutoIT files compiled to binary using Aut2Exe are a regular PE file that has its script embedded. This commit adds additional checks to catch and detect previously undetected version of the compiler.
---
 .../yara_patterns/tools/pe/x64/compilers.yara | 19 +++++++++++++++++++
 .../yara_patterns/tools/pe/x86/compilers.yara | 19 +++++++++++++++++++
 2 files changed, 38 insertions(+)

diff --git a/support/yara_patterns/tools/pe/x64/compilers.yara b/support/yara_patterns/tools/pe/x64/compilers.yara
index 245e5f7b0..8b15f1a5d 100644
--- a/support/yara_patterns/tools/pe/x64/compilers.yara
+++ b/support/yara_patterns/tools/pe/x64/compilers.yara
@@ -117,6 +117,25 @@ rule aut2exe_33143 {
         $1 at 0x400
 }
 
+rule aut2exe_uv_01 {
+    meta:
+        tool = "C"
+        name = "Aut2Exe"
+        language = "AutoIt"
+        bytecode = true
+    strings:
+        $1 = ">AUTOIT SCRIPT<"
+        $2 = ">AUTOIT SCRIPT<" wide
+        $3 = ">AUTOIT UNICODE SCRIPT<" wide
+    condition:
+        pe.is_64bit() and
+        for 1 of them : (
+            @ > pe.sections[pe.section_index(".rdata")].raw_data_offset and
+            @ < pe.sections[pe.section_index(".rdata")].raw_data_offset +
+            pe.sections[pe.section_index(".rdata")].raw_data_size
+        )
+}
+
 rule autohotkey_uv_01 {
     meta:
         tool = "C"
diff --git a/support/yara_patterns/tools/pe/x86/compilers.yara b/support/yara_patterns/tools/pe/x86/compilers.yara
index 28af3df2f..54816f1c6 100644
--- a/support/yara_patterns/tools/pe/x86/compilers.yara
+++ b/support/yara_patterns/tools/pe/x86/compilers.yara
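Review bot: The lower bound of the new condition is strict (`@ > pe.sections[...].raw_data_offset`), so a marker string that begins at the very first byte of `.rdata` is rejected even though the upper bound already admits every offset below the section end; it should read `@ >= pe.sections[pe.section_index(".rdata")].raw_data_offset and`. The rule also depends on a section literally named `.rdata`: when none exists, `pe.section_index` yields no value, the whole `for` body is undefined and the rule silently never fires, so samples with renamed or packed sections are missed — probably acceptable for a compiler-detection rule, but worth stating next to `condition:` with a comment such as `// requires an intact .rdata section; renamed/packed sections are not detected`. Note as well that `@` inside `for 1 of them` is the first occurrence of each string, so an earlier copy of `>AUTOIT SCRIPT<` outside `.rdata` (for example in an overlay) would hide a later copy inside it; if the YARA version in use supports `any of them in (start..end)`, that form considers every match rather than only the first.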
@@ -228,6 +228,25 @@ rule aut2exe_33143 {
         $1 at pe.entry_point
 }
 
+rule aut2exe_uv_01 {
+    meta:
+        tool = "C"
+        name = "Aut2Exe"
+        language = "AutoIt"
+        bytecode = true
+    strings:
+        $1 = ">AUTOIT SCRIPT<"
+        $2 = ">AUTOIT SCRIPT<" wide
+        $3 = ">AUTOIT UNICODE SCRIPT<" wide
+    condition:
+        pe.is_32bit() and
+        for 1 of them : (
+            @ > pe.sections[pe.section_index(".rdata")].raw_data_offset and
+            @ < pe.sections[pe.section_index(".rdata")].raw_data_offset +
+            pe.sections[pe.section_index(".rdata")].raw_data_size
+        )
+}
+
 rule autohotkey_uv_01 {
     meta:
         tool = "C"
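Review bot: The same strict lower bound as in the x64 variant rejects a marker placed at the first byte of `.rdata`; change it to `@ >= pe.sections[pe.section_index(".rdata")].raw_data_offset and` so the range check is inclusive at the start as it effectively is at the end. Unlike the neighbouring `aut2exe_33143`, which anchors its string with `$1 at pe.entry_point`, this rule searches the whole file and then restricts the hit to `.rdata`, and nothing in the hunk says why the marker must live there rather than anywhere in the image; a one-line comment above `condition:` — presumably something like `// the embedded-script marker is expected in .rdata; matching it elsewhere risks false positives on files that merely mention AutoIt` — would record that design decision, hedged as appropriate. The x86 and x64 rule bodies are otherwise identical apart from `pe.is_32bit()`/`pe.is_64bit()`, so any future fix to this condition has to be applied twice; the repetition is a maintenance point worth noting in the rule's `meta` or a comment.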