Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Small improvements to detections of binary tools. #831

Merged
merged 2 commits into from
Jul 31, 2020
Merged

Small improvements to detections of binary tools. #831

merged 2 commits into from
Jul 31, 2020

Conversation

tamaroth
Copy link
Contributor

@tamaroth tamaroth commented Jul 30, 2020
edited
Loading

This PR introduces two changes:

  • an overzealous YARA rule that detected InstallShield has been removed. Many files that were detected were not InstallShield files but contained a generic entry point code.
  • Gentee was reclassified from installer to compiler. Gentee is a programming language that utilizes bytecode to execute code and stores the payload alongside engine in a single file. It is possible to extract the bytecode and engine libraries, but that does not make it an installer. Therefore I have taken it upon myself to reclassify it from installer to compiler.

This PR does not come with an attached bug report or with tests. However, if need be I can provide a single test for the Gentee change.

@tamaroth
Remove incorrect InstallShield detection.
2b9536a 
That specific YARA rule detects a generic EntryPoint code generated by
old MSVC compilers.
@tamaroth
Reclassify Gentee as a compiler.
72a9503 
Gentee is a programming language that uses its own byte code withing a
static binary shell. All samples containing the '.gentee' sections are
usually just compiled Gentee binaries and not packed by Gentee (which is
a misnomer).
@tamaroth tamaroth requested a review from s3rvac July 30, 2020 15:42
s3rvac
s3rvac approved these changes Jul 31, 2020
View reviewed changes
Copy link
Member

@s3rvac s3rvac left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for the improvements 👍 I see no issues with the changes and all builds and tests pass, so I am going to merge the PR.

@s3rvac s3rvac merged commit 387a698 into master Jul 31, 2020
@s3rvac s3rvac deleted the improvement-packer-detections branch July 31, 2020 06:18
s3rvac added a commit that referenced this pull request Jul 31, 2020
@s3rvac
Add a CHANGELOG entry for #831.
5c377e1
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@s3rvac s3rvac s3rvac approved these changes

Assignees

@s3rvac s3rvac

Labels
C-cpdetect enhancement
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@tamaroth @s3rvac