Modified AutoHotKey's Yara rule

avast · Aug 5, 2021 · a192dc2 · a192dc2
1 parent e066e93
commit a192dc2
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 22 deletions.
diff --git a/support/yara_patterns/tools/pe/x64/compilers.yara b/support/yara_patterns/tools/pe/x64/compilers.yara
@@ -143,17 +143,26 @@ rule autohotkey_uv_01 {
 		language = "AutoHotKey"
 		bytecode = true
 	strings:
-		$1 = ">AUTOHOTKEY SCRIPT<"
-		$2 = ">AUTOHOTKEY SCRIPT<" wide
-	condition:
-		pe.is_64bit() and
-		for 1 of them : (
-			@ > pe.sections[pe.section_index(".rdata")].raw_data_offset and
-			@ < pe.sections[pe.section_index(".rdata")].raw_data_offset +
-			pe.sections[pe.section_index(".rdata")].raw_data_size
-		) or
-		for 1 i in (0 .. pe.number_of_resources) : (
-			pe.resources[i].name_string matches />AUTOHOTKEY SCRIPT</
+		$0 = "Hotkeys/hotstrings are not allowed inside functions." wide ascii
+		$1 = "IfWin should be #IfWin." wide ascii
+		$2 = "This hotstring is missing its abbreviation." wide ascii
+		$3 = "Duplicate hotkey." wide ascii
+		$4 = ">AUTOHOTKEY SCRIPT<" wide ascii
+    condition:
+        pe.is_64bit() 
+		and 
+		pe.number_of_resources > 0 
+		and ((
+					(@4 > pe.sections[pe.section_index(".rdata")].raw_data_offset 
+					and
+					@4 < pe.sections[pe.section_index(".rdata")].raw_data_offset +
+					pe.sections[pe.section_index(".rdata")].raw_data_size) 
+				or
+				(for 1 i in (0 .. pe.number_of_resources) : (
+					pe.resources[i].name_string matches />AUTOHOTKEY SCRIPT</))
+			)
+			or 
+			(3 of ($0,$1,$2,$3))
 		)
 }
 

diff --git a/support/yara_patterns/tools/pe/x86/compilers.yara b/support/yara_patterns/tools/pe/x86/compilers.yara
@@ -254,17 +254,26 @@ rule autohotkey_uv_01 {
 		language = "AutoHotKey"
 		bytecode = true
 	strings:
-		$1 = ">AUTOHOTKEY SCRIPT<"
-		$2 = ">AUTOHOTKEY SCRIPT<" wide
-	condition:
-		pe.is_32bit() and
-		for 1 of them : (
-			@ > pe.sections[pe.section_index(".rdata")].raw_data_offset and
-			@ < pe.sections[pe.section_index(".rdata")].raw_data_offset +
-			pe.sections[pe.section_index(".rdata")].raw_data_size
-		) or
-		for 1 i in (0 .. pe.number_of_resources) : (
-			pe.resources[i].name_string matches />AUTOHOTKEY SCRIPT</
+		$0 = "Hotkeys/hotstrings are not allowed inside functions." wide ascii
+		$1 = "IfWin should be #IfWin." wide ascii
+		$2 = "This hotstring is missing its abbreviation." wide ascii
+		$3 = "Duplicate hotkey." wide ascii
+		$4 = ">AUTOHOTKEY SCRIPT<" wide ascii
+    condition:
+        pe.is_32bit() 
+		and 
+		pe.number_of_resources > 0 
+		and ((
+					(@4 > pe.sections[pe.section_index(".rdata")].raw_data_offset 
+					and
+					@4 < pe.sections[pe.section_index(".rdata")].raw_data_offset +
+					pe.sections[pe.section_index(".rdata")].raw_data_size) 
+				or
+				(for 1 i in (0 .. pe.number_of_resources) : (
+					pe.resources[i].name_string matches />AUTOHOTKEY SCRIPT</))
+			)
+			or 
+			(3 of ($0,$1,$2,$3))
 		)
 }