Magic-Mirror/retdec
1
0
Fork 0
mirror of https://github.com/avast/retdec.git synced 2024-11-27 06:40:29 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Added detection of 'Clickteam Fusion tool'

Browse Source
This commit is contained in:
Ladislav Zezula 2023-08-07 15:32:51 +02:00 committed by Peter Matula
parent 885364e1de
commit a7574e14b8
1 changed files with 18 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
support/yara_patterns/tools/pe/x86/packers.yara
View File

@ -9,9 +9,8 @@ import "dotnet"
rule blizzard_protector {
meta:
tool = "P"
name = "!EP"
name = "BlizzardProtector"
version = "1.0"
extra = "BlizzardProtector"
condition:
filesize > 5MB and
(pe.sections[4].name == "_RDATA" or pe.sections[5].name == "_RDATA" or pe.sections[6].name == "_RDATA" or pe.sections[7].name == "_RDATA") and
@ -42,6 +41,23 @@ rule blizzard_protector {
)
}
rule cfusion_app_25
{
meta:
tool = "P"
name = "Clickteam Fusion"
version = "2.5"
strings:
$s01 = "cf25appsync" wide // Created mutex
$s02 = ".00.FusionApp" wide // Temporary directory suffix
$s03 = "Mf2MainClassTh" wide // Window class
condition:
pe.is_32bit() and
pe.exports("NvOptimusEnablement") and // Causes AMD drivers to select the most optimal GPU
pe.exports("AmdPowerXpressRequestHighPerformance") and
all of them
}
rule ep_exepack_10 {
meta:
tool = "P"