From 17751c17819b97423a7e963d3f594cc3c1559b55 Mon Sep 17 00:00:00 2001
From: Thomas Roccia
Date: Wed, 21 Jul 2021 10:25:43 +0200
Subject: [PATCH 1/2] adding InnoSetup 6.1.0
---
 .../yara_patterns/tools/pe/x86/installers.yara | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/support/yara_patterns/tools/pe/x86/installers.yara b/support/yara_patterns/tools/pe/x86/installers.yara
index 034683700..e523c9fb4 100644
--- a/support/yara_patterns/tools/pe/x86/installers.yara
+++ b/support/yara_patterns/tools/pe/x86/installers.yara
@@ -3566,3 +3566,20 @@ rule xt_app_launcher
 pe.overlay.size != 0 and
 any of them
 }
+
+private rule inno_610
+{
+ meta:
+ tool = "I"
+ name = "Inno Setup"
+ version = "6.1.0"
+ author = "Thomas Roccia"
+ pattern = "entry-point: 55 8B EC 83 C4 A4 53 56 57 33 C0 89 45 C4 89 45 C0 89 45 A4 89 45 D0 89 45 C8 89 45 CC 89 45 D4 89 "
+ strings:
+ $s1 = { 55 8B EC 83 C4 A4 53 56 57 33 C0 89 45 C4 89 45 C0 89 45 A4 89 45 D0 89 45 C8 89 45 CC 89 45 D4 89 }
+ $s2 = "Inno Setup Setup Data (6.1.0) (u)" fullword wide ascii
+ $s3 = "Inno Setup Messages (6.0.0) (u)" fullword wide ascii
+ condition:
+ $s1 at pe.entry_point and
+ all of ($s*)
+}
From 8c3f7bfba95d9e0934a5a9f3ff4f8aa6232343c9 Mon Sep 17 00:00:00 2001
From: Thomas Roccia
Date: Wed, 21 Jul 2021 10:26:29 +0200
Subject: [PATCH 2/2] Update installers.yara
---
 support/yara_patterns/tools/pe/x86/installers.yara | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/support/yara_patterns/tools/pe/x86/installers.yara b/support/yara_patterns/tools/pe/x86/installers.yara
index e523c9fb4..64794e2f7 100644
--- a/support/yara_patterns/tools/pe/x86/installers.yara
+++ b/support/yara_patterns/tools/pe/x86/installers.yara
@@ -3567,7 +3567,7 @@ rule xt_app_launcher
 any of them
 }
-private rule inno_610
+rule inno_610
 {
 meta:
 tool = "I"
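Review bot: `$s3` pins the messages header at "6.0.0" while the rule is versioned 6.1.0 (`version = "6.1.0"` and `$s2` both say 6.1.0), and nothing in the hunk says whether that mismatch is intentional; since the condition is `all of ($s*)`, a maintainer who reads it as a typo and "corrects" it to 6.1.0 would silently turn the rule into a non-match. If the messages-format version really is independent of the setup-data version and 6.1.0 builds still carry 6.0.0 there, say so with a comment above the string, e.g. `// Messages header version is independent of the Setup Data version; 6.1.0 builds still carry 6.0.0 here`. The `pattern` meta also ends with a trailing space inside the quotes (`... D4 89 "`), which should be trimmed to `... D4 89"` unless the other rules in this file carry the same trailing space. The entry-point bytes in `$s1` look like a generic compiler prologue rather than anything Inno-specific, so the version discrimination appears to rest entirely on `$s2` and `$s3`; if so, documenting that in the meta or a comment would make the rule's intent clearer to reviewers.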