Merge pull request #743 from avast/improvement-aspack-detection

Improve the detection of ASPack executable packer.
avast · Apr 16, 2020 · 4061bde · 4061bde
2 parents 01dde42 + fc4b924
commit 4061bde
Showing 1 changed file with 54 additions and 0 deletions.
diff --git a/support/yara_patterns/tools/pe/x86/packers.yara b/support/yara_patterns/tools/pe/x86/packers.yara
@@ -2821,6 +2821,60 @@ rule aspack_uv_08 {
 		$1 at pe.entry_point
 }
 
+rule aspack_uv_09 {
+	meta:
+		tool = "P"
+		name = "ASPack"
+		pattern = "60E8000000005D81ED????????B8????????03C52B85????????8985????????80BD????????007515FE85????????E8????0000E8????0000E8????00008B85????????0385????????8944241C61FFE0"
+	strings:
+		$ep = { 75 00 E9 }
+		$1 = {
+			60 E8 00 00 00 00 5D 81 ED ?? ?? ?? ?? B8 ?? ?? ?? ?? 03 C5 2B 85 ??
+			?? ?? ?? 89 85 ?? ?? ?? ?? 80 BD ?? ?? ?? ?? 00 75 15 FE 85 ?? ?? ??
+			?? E8 ?? ?? 00 00 E8 ?? ?? 00 00 E8 ?? ?? 00 00 8B 85 ?? ?? ?? ?? 03
+			85 ?? ?? ?? ?? 89 44 24 1C 61 FF E0
+		}
+	condition:
+		$ep in (pe.entry_point .. pe.entry_point + 2) and $1
+}
+
+rule aspack_uv_10 {
+	meta:
+		tool = "P"
+		name = "ASPack"
+		pattern = "60E803000000??EB045D4555C3E801000000??5DBB????FFFF????81EB????????83BD2204000000899D220400000F85????00008D85????000050FF95????00008985????0000????8D5D??5350FF95????00008985????00008D5D??5357FF95????00008985????00008D45??FFE0"
+	strings:
+		$1 = {
+			60 E8 03 00 00 00 ?? EB 04 5D 45 55 C3 E8 01 00 00 00 ?? 5D BB ?? ??
+			FF FF ?? ?? 81 EB ?? ?? ?? ?? 83 BD 22 04 00 00 00 89 9D 22 04 00 00
+			0F 85 ?? ?? 00 00 8D 85 ?? ?? 00 00 50 FF 95 ?? ?? 00 00 89 85 ?? ??
+			00 00 ?? ?? 8D 5D ?? 53 50 FF 95 ?? ?? 00 00 89 85 ?? ?? 00 00 8D 5D
+			?? 53 57 FF 95 ?? ?? 00 00 89 85 ?? ?? 00 00 8D 45 ?? FF E0
+		}
+	condition:
+		$1 in (pe.entry_point .. pe.entry_point + 2)
+}
+
+rule aspack_uv_11 {
+	meta:
+		tool = "P"
+		name = "ASPack"
+		pattern = "60EB0A5DEB02????45FFE5????E8??FFFFFF??81ED????????BB????????????2B9D????????8D8D????????51FF95????????8D8D????????5150FF95????????6A00546A0468????????8D8D????????51FFD058899D????????80BD????????00751AFE85????????E8??000000E8????0000E8????0000E8????00008B85????????0385????????894424??61"
+	strings:
+		$ep = { 75 01 ?? E9 }
+		$1 = {
+			60 EB 0A 5D EB 02 ?? ?? 45 FF E5 ?? ?? E8 ?? FF FF FF ?? 81 ED ?? ??
+			?? ?? BB ?? ?? ?? ?? ?? ?? 2B 9D ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 51 FF
+			95 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 51 50 FF 95 ?? ?? ?? ?? 6A 00 54 6A
+			04 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 51 FF D0 58 89 9D ?? ?? ?? ?? 80
+			BD ?? ?? ?? ?? 00 75 1A FE 85 ?? ?? ?? ?? E8 ?? 00 00 00 E8 ?? ?? 00
+			00 E8 ?? ?? 00 00 E8 ?? ?? 00 00 8B 85 ?? ?? ?? ?? 03 85 ?? ?? ?? ??
+			89 44 24 ?? 61
+		}
+	condition:
+		$ep in (pe.entry_point .. pe.entry_point + 2) and $1
+}
+
 rule aspack_100b {
 	meta:
 		tool = "P"