From dcb842ec3782b355e3dd8fd16953a93064b79d4f Mon Sep 17 00:00:00 2001
From: Ladislav Zezula
Date: Mon, 19 Oct 2020 08:30:53 +0200
Subject: [PATCH] Added YARA rules for SmartInstall Maker

---
 .../tools/pe/x86/installers.yara | 36 +++++++++++++++++++
 1 file changed, 36 insertions(+)

diff --git a/support/yara_patterns/tools/pe/x86/installers.yara b/support/yara_patterns/tools/pe/x86/installers.yara
index 66b7f76c..c04e18c7 100644
--- a/support/yara_patterns/tools/pe/x86/installers.yara
+++ b/support/yara_patterns/tools/pe/x86/installers.yara
@@ -515,6 +515,42 @@ rule setup2go {
 $1 at pe.entry_point
 }
 
+rule smart_install_maker_v4 {
+ meta:
+ tool = "I"
+ name = "Smart Install Maker"
+ version = "4.x"
+ strings:
+ $s01 = "Smart Install Maker" nocase
+ $s02 = "SMART INSTALL MAKER" nocase
+ $s03 = "c:\\delphi7\\Lib\\km\\KOL.pas"
+ $s04 = "TLZMADecompressor"
+ $s05 = "Can not create DIB section, error:"
+ condition:
+ pe.number_of_sections == 8 and
+ pe.sections[0].name == "CODE" and // Delphi
+ pe.sections[1].name == "DATA" and
+ pe.overlay.size != 0 and
+ all of them
+}
+
+rule smart_install_maker_v5 {
+ meta:
+ tool = "I"
+ name = "Smart Install Maker"
+ version = "5.x"
+ strings:
+ $s01 = "Smart Install Maker" nocase
+ $s02 = "SMART INSTALL MAKER" nocase
+ condition:
+ pe.number_of_sections == 8 and
+ pe.sections[0].name == "CODE" and // Delphi
+ pe.sections[1].name == "DATA" and
+ pe.overlay.size != 0 and
+ $s01 at pe.overlay.offset and
+ all of them
+}
+
 rule thinstall_uv {
 meta:
 tool = "I"
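Review bot: In both new rules `$s02 = "SMART INSTALL MAKER" nocase` matches exactly the same bytes as `$s01 = "Smart Install Maker" nocase`, so `all of them` never requires a second, independent occurrence and the string only adds scan cost; either drop `$s02` or, if the intent is to require both the mixed-case and the upper-case spelling to be present, remove `nocase` from both: `$s01 = "Smart Install Maker"` and `$s02 = "SMART INSTALL MAKER"`. The two rules are also not mutually exclusive: a 4.x installer whose overlay happens to start with the `$s01` string would satisfy `smart_install_maker_v5` as well, since that rule's condition is a strict subset of the v4 checks plus the `at pe.overlay.offset` test, so the tool may report both versions for one file — if that is undesirable, v5 should exclude the v4-only strings (`not $s03`) or v4 should carry a distinguishing overlay test of its own. Finally, the rules depend on `pe.overlay.size` and `pe.overlay.offset`; a short comment above `smart_install_maker_v4` noting the minimum YARA/pe-module version that provides `pe.overlay` would help anyone building these patterns against a different YARA.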