/*
Yara Rule Set
Author: Zane Gittins
Date: 2022-07-01
Identifier: GO-Inject Binary
Reference: https://github.com/zaneGittins/go-inject
*/
/* Rule Set ----------------------------------------------------------------- */
import "pe"
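rule GOInject_Malware_Jul01_1 {
    meta:
        description = "Detects GOInject"
        author = "Zane Gittins"
        reference = "https://github.com/zaneGittins/go-inject"
        date = "2022-07-01"
    strings:
        // Go package/function name and source-file paths from the go-inject
        // project as they are embedded in the compiled binary. Any one of them
        // is enough (see "any of them" below); renaming the module or its
        // files before building defeats all three.
        $s1 = "go-inject/inject.init" fullword ascii
        $s2 = "go-inject/inject/kernel32.go" fullword ascii
        $s3 = "go-inject/inject/ntdll.go" fullword ascii
    condition:
        // MZ header plus a size cap so the pe module only parses plausible files.
        uint16(0) == 0x5a4d and filesize < 500MB and
        // Require a Go symbol-table section. pe.section_index() yields an
        // integer (undefined when the section is absent); compare explicitly
        // rather than using the bare value as a boolean, which would evaluate
        // to false if .symtab happened to be section 0.
        // NOTE(review): builds linked with -ldflags "-s -w" drop .symtab, so
        // such binaries are not matched even if the strings above are still
        // present — confirm this gating is intended.
        pe.section_index(".symtab") >= 0 and
        any of them
}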
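rule GOInject_Malware_Jul01_2 {
    meta:
        description = "Detects GOInject"
        author = "Zane Gittins"
        reference = "https://github.com/zaneGittins/go-inject"
        date = "2022-07-01"
    strings:
        // These are hex DIGITS stored as text (e.g. a shellcode blob kept as a
        // string literal), not raw bytes; nocase covers upper/lower-case hex.
        // They appear to be the opening bytes of common Windows stager
        // shellcode (x64 "fc 48 83 e4 f0 e8 c…", x86 "fc e8 82 00 00 00 6…").
        // A binary carrying the same shellcode as a raw byte array would not
        // match these.
        $s1 = "fc4883e4f0e8c" nocase
        $s2 = "fce8820000006" nocase
        // Present in most Go binaries that call the Windows API, so this is
        // only a weak corroborator, not a discriminator on its own.
        $s3 = "golang.org/x/sys/windows" fullword ascii
    condition:
        // MZ header plus a size cap so the pe module only parses plausible files.
        uint16(0) == 0x5a4d and filesize < 500MB and
        // Require a Go symbol-table section. pe.section_index() yields an
        // integer (undefined when the section is absent); compare explicitly
        // rather than using the bare value as a boolean, which would evaluate
        // to false if .symtab happened to be section 0.
        // NOTE(review): builds linked with -ldflags "-s -w" drop .symtab and
        // are therefore not matched — confirm this gating is intended.
        pe.section_index(".symtab") >= 0 and
        // Either hex-text shellcode prefix, together with the Go Windows
        // syscall package reference.
        ($s1 or $s2) and $s3
}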