
Improved detections, added empty and corrupt
Ladislav Zezula committed Apr 17, 2024
1 parent a172760 commit 92e2b8d
Showing 1 changed file with 42 additions and 44 deletions.
86 changes: 42 additions & 44 deletions support/yara_patterns/tools/pe/x86/installers.yara
Expand Up @@ -443,70 +443,68 @@ rule pyinstaller_27
all of them
}

rule pyinstaller_30_38
private rule pyinstaller_3x_strings
{
strings:
$s00 = "Error loading Python DLL '%s'."
$s01 = "Cannot open self %s or archive %s"
$s02 = "Cannot open PyInstaller archive from executable (%s) or external archive (%s)"
$s10 = /PyInstalle(m|r): FormatMessageW failed\./
$s11 = /PyInstalle(m|r): pyi_win32_utils_to_utf8 failed\./
condition:
pe.number_of_sections > 0 and
any of ($s0*) and
all of ($s1*)
}

private rule pyinstaller_3x_overlay
{
strings:
$s01 = { 4D 45 49 0C 0B 0A 0B 0E } // PyInstaller magic number
$s02 = /PYZ\-\d\d\.pyz/
$s03 = /python3\d{1,2}\.dll/
condition:
pe.overlay.offset > 0 and
@s02 > pe.overlay.offset and
@s03 > pe.overlay.offset and
all of them
}

rule pyinstaller_3x
{
meta:
tool = "I"
name = "PyInstaller"
version = "3.0-3.8"
version = "3.x"
strength = "high"
strings:
$s00 = "Failed to get address for PySys_SetObject"
$s01 = "Error copying %s"
$s02 = "Error loading Python DLL '%s'"
$s03 = "pyi-windows-manifest-filename"
condition:
pe.number_of_resources > 0 and
@s00 < pe.sections[2].raw_data_offset and
all of them
pyinstaller_3x_overlay and
pyinstaller_3x_strings
}

rule pyinstaller_39
rule pyinstaller_3x_empty
{
meta:
tool = "I"
name = "PyInstaller"
version = "3.9"
name = "PyInstaller (no data)"
version = "3.x"
strength = "high"
strings:
$s00 = "Cannot open PyInstaller archive from executable (%s) or external archive (%s)"
$s01 = "Cannot open self %s or archive %s"
$s10 = "PyInstaller: FormatMessageW failed."
$s11 = "PyInstaller: pyi_win32_utils_to_utf8 failed."
$s12 = "bpython39.dll"
$s13 = /PYZ-\d\d.pyz/
$s14 = { 4D 45 49 0C 0B 0A 0B 0E } // PyInstaller magic number
condition:
pe.number_of_resources > 0 and
@s12 > pe.overlay.offset and
@s13 > pe.overlay.offset and
@s14 > pe.overlay.offset and
1 of ($s0*) and
all of ($s1*)
pe.overlay.size == 0 and
pyinstaller_3x_strings
}

rule pyinstaller_310_plus
rule pyinstaller_3x_corrupt
{
meta:
tool = "I"
name = "PyInstaller"
version = "3.10+"
name = "PyInstaller (corrupt)"
version = "3.x"
strength = "high"
strings:
$s00 = "Cannot open PyInstaller archive from executable (%s) or external archive (%s)"
$s01 = "Cannot open self %s or archive %s"
$s10 = /PyInstalle(r|m): FormatMessageW failed./
$s11 = /PyInstalle(r|m): pyi_win32_utils_to_utf8 failed./
$s12 = /bpython31\d.dll/
$s13 = /PYZ-\d\d.pyz/
$s14 = { 4D 45 49 0C 0B 0A 0B 0E } // PyInstaller magic number
condition:
pe.number_of_resources > 0 and
@s12 > pe.overlay.offset and
@s13 > pe.overlay.offset and
@s14 > pe.overlay.offset and
1 of ($s0*) and
all of ($s1*)
pe.overlay.size > 0 and
pyinstaller_3x_strings and
not pyinstaller_3x_overlay
}

rule installanywhere_61 {
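Review bot: In the new private rule pyinstaller_3x_overlay, only $s02 and $s03 are anchored past pe.overlay.offset, while the MEI magic $s01 is accepted anywhere in the file; the pre-change rules constrained that magic to the overlay too, so the rewrite loosens the check for the one marker that actually identifies the appended CArchive. If the bootloader image itself carries these magic bytes (it presumably does, since it searches for them), $s01 then contributes nothing to overlay discrimination and the rule leans entirely on the two regexes. Adding `@s01 > pe.overlay.offset and` alongside the other two offset checks restores the previous strictness without changing the rule's interface. Note also that `@s02`/`@s03` compare only the first occurrence of each string, so a comment such as `// first match must lie inside the overlay` would make the intent explicit for future edits.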
