Magic-Mirror/retdec
1
0
Fork 0
mirror of https://github.com/avast/retdec.git synced 2025-02-17 04:08:09 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Added more generic detection of WiX Toolset 3.x

Browse Source
This commit is contained in:
Ladislav Zezula 2023-03-29 12:37:37 +02:00
parent fcc5924156
commit fc7e323732
1 changed files with 8 additions and 131 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

139
support/yara_patterns/tools/pe/x86/installers.yara
View File

@ -3411,144 +3411,21 @@ rule winrar_sfx_console_550
$1 at pe.entry_point
}
rule wix_toolset_36
rule wix_toolset_3x
{
meta:
tool = "I"
name = "WiX Toolset"
version = "3.6"
version = "3.x"
source = "Made by RetDec Team"
pattern = "E8AC140000E979FEFFFF8BFF558BEC8B45088B00813863736DE0752A8378100375248B40143D2005931974153D21059319740E3D2205931974073D004099017505E80115000033C05DC204006855474000FF157C11400033C0C38BFF558BEC57BFE80300"
strings:
$1 = { E8 AC 14 00 00 E9 79 FE FF FF 8B FF 55 8B EC 8B 45 08 8B 00 81 38 63 73 6D E0 75 2A 83 78 10 03 75 24 8B 40 14 3D 20 05 93 19 74 15 3D 21 05 93 19 74 0E 3D 22 05 93 19 74 07 3D 00 40 99 01 75 05 E8 01 15 00 00 33 C0 5D C2 04 00 68 55 47 40 00 FF 15 7C 11 40 00 33 C0 C3 8B FF 55 8B EC 57 BF E8 03 00 }
$s01 = ".wixburn"
$s02 = "Failed to find Burn section"
$s03 = "Failed to read section info, data to short: %u"
$h04 = {00 43 F1 00 02 00 00 00} // Wix section header + version
condition:
$1 at pe.entry_point
}
rule wix_toolset_37
{
meta:
tool = "I"
name = "WiX Toolset"
version = "3.7"
source = "Made by RetDec Team"
pattern = "E81E1F0000E989FEFFFFCCCCCCCCCCCCCCCCCCCC8B54240C8B4C240485D2746933C08A44240884C0751681FA80000000720E833DE83E4500007405E97E1F0000578BF983FA047231F7D983E103740C2BD1880783C70183E90175F68BC8C1E00803C18BC8"
strings:
$1 = { E8 1E 1F 00 00 E9 89 FE FF FF CC CC CC CC CC CC CC CC CC CC 8B 54 24 0C 8B 4C 24 04 85 D2 74 69 33 C0 8A 44 24 08 84 C0 75 16 81 FA 80 00 00 00 72 0E 83 3D E8 3E 45 00 00 74 05 E9 7E 1F 00 00 57 8B F9 83 FA 04 72 31 F7 D9 83 E1 03 74 0C 2B D1 88 07 83 C7 01 83 E9 01 75 F6 8B C8 C1 E0 08 03 C1 8B C8 }
condition:
$1 at pe.entry_point
}
rule wix_toolset_38
{
meta:
tool = "I"
name = "WiX Toolset"
version = "3.8"
source = "Made by RetDec Team"
pattern = "E8C9390000E97FFEFFFF3B0DD06045007502F3C3E9C4400000CCCC8B54240C8B4C240485D2747F0FB64424080FBA25447C450001730D8B4C240C578B7C2408F3AAEB5D8B54240C81FA800000007C0E0FBA2580614500010F8279410000578BF983FA0472"
strings:
$1 = { E8 C9 39 00 00 E9 7F FE FF FF 3B 0D D0 60 45 00 75 02 F3 C3 E9 C4 40 00 00 CC CC 8B 54 24 0C 8B 4C 24 04 85 D2 74 7F 0F B6 44 24 08 0F BA 25 44 7C 45 00 01 73 0D 8B 4C 24 0C 57 8B 7C 24 08 F3 AA EB 5D 8B 54 24 0C 81 FA 80 00 00 00 7C 0E 0F BA 25 80 61 45 00 01 0F 82 79 41 00 00 57 8B F9 83 FA 04 72 }
condition:
$1 at pe.entry_point
}
rule wix_toolset_39
{
meta:
tool = "I"
name = "WiX Toolset"
version = "3.9"
source = "Made by RetDec Team"
pattern = "E8FC390000E97FFEFFFF3B0D002046007502F3C3E985410000CCCCCCCC8B54240C8B4C240485D2747F0FB64424080FBA255C3F460001730D8B4C240C578B7C2408F3AAEB5D8B54240C81FA800000007C0E0FBA2560204600010F823A420000578BF983FA"
strings:
$1 = { E8 FC 39 00 00 E9 7F FE FF FF 3B 0D 00 20 46 00 75 02 F3 C3 E9 85 41 00 00 CC CC CC CC 8B 54 24 0C 8B 4C 24 04 85 D2 74 7F 0F B6 44 24 08 0F BA 25 5C 3F 46 00 01 73 0D 8B 4C 24 0C 57 8B 7C 24 08 F3 AA EB 5D 8B 54 24 0C 81 FA 80 00 00 00 7C 0E 0F BA 25 60 20 46 00 01 0F 82 3A 42 00 00 57 8B F9 83 FA }
condition:
$1 at pe.entry_point
}
rule wix_toolset_39r2
{
meta:
tool = "I"
name = "WiX Toolset"
version = "3.9r2"
source = "Made by RetDec Team"
pattern = "E8003A0000E97FFEFFFF3B0D002046007502F3C3E989410000CCCCCCCCCCCCCCCC8B54240C8B4C240485D2747F0FB64424080FBA255C3F460001730D8B4C240C578B7C2408F3AAEB5D8B54240C81FA800000007C0E0FBA2560204600010F823A42000057"
strings:
$1 = { E8 00 3A 00 00 E9 7F FE FF FF 3B 0D 00 20 46 00 75 02 F3 C3 E9 89 41 00 00 CC CC CC CC CC CC CC CC 8B 54 24 0C 8B 4C 24 04 85 D2 74 7F 0F B6 44 24 08 0F BA 25 5C 3F 46 00 01 73 0D 8B 4C 24 0C 57 8B 7C 24 08 F3 AA EB 5D 8B 54 24 0C 81 FA 80 00 00 00 7C 0E 0F BA 25 60 20 46 00 01 0F 82 3A 42 00 00 57 }
condition:
$1 at pe.entry_point
}
rule wix_toolset_310
{
meta:
tool = "I"
name = "WiX Toolset"
version = "3.10"
source = "Made by RetDec Team"
pattern = "E895030000E980FEFFFF3B0D04904600F27502F2C3F2E91F070000558BECEB1FFF7508E8AD6C00005985C07512837D08FF7507E8F6080000EB05E8D2080000FF7508E8246D00005985C074D45DC3558BECFF7508E8FF080000595DC3558BECF645080156"
strings:
$1 = { E8 95 03 00 00 E9 80 FE FF FF 3B 0D 04 90 46 00 F2 75 02 F2 C3 F2 E9 1F 07 00 00 55 8B EC EB 1F FF 75 08 E8 AD 6C 00 00 59 85 C0 75 12 83 7D 08 FF 75 07 E8 F6 08 00 00 EB 05 E8 D2 08 00 00 FF 75 08 E8 24 6D 00 00 59 85 C0 74 D4 5D C3 55 8B EC FF 75 08 E8 FF 08 00 00 59 5D C3 55 8B EC F6 45 08 01 56 }
condition:
$1 at pe.entry_point
}
rule wix_toolset_3101
{
meta:
tool = "I"
name = "WiX Toolset"
version = "3.10.1"
source = "Made by RetDec Team"
pattern = "E891030000E980FEFFFF3B0D04904600F27502F2C3F2E95B070000558BECEB1FFF7508E8C56C00005985C07512837D08FF7507E832090000EB05E80E090000FF7508E83C6D00005985C074D45DC3558BECFF7508E83B090000595DC3558BECF645080156"
strings:
$1 = { E8 91 03 00 00 E9 80 FE FF FF 3B 0D 04 90 46 00 F2 75 02 F2 C3 F2 E9 5B 07 00 00 55 8B EC EB 1F FF 75 08 E8 C5 6C 00 00 59 85 C0 75 12 83 7D 08 FF 75 07 E8 32 09 00 00 EB 05 E8 0E 09 00 00 FF 75 08 E8 3C 6D 00 00 59 85 C0 74 D4 5D C3 55 8B EC FF 75 08 E8 3B 09 00 00 59 5D C3 55 8B EC F6 45 08 01 56 }
condition:
$1 at pe.entry_point
}
rule wix_toolset_3102
{
meta:
tool = "I"
name = "WiX Toolset"
version = "3.10.2"
source = "Made by RetDec Team"
pattern = "E8A3040000E980FEFFFFCCCCCCCCCCCCCCCC8B4424088B4C24100BC88B4C240C75098B442404F7E1C2100053F7E18BD88B442408F764241403D88B442408F7E103D35BC21000558BECEB1FFF7508E86B6C00005985C07512837D08FF7507E8B3080000EB"
strings:
$1 = { E8 A3 04 00 00 E9 80 FE FF FF CC CC CC CC CC CC CC CC 8B 44 24 08 8B 4C 24 10 0B C8 8B 4C 24 0C 75 09 8B 44 24 04 F7 E1 C2 10 00 53 F7 E1 8B D8 8B 44 24 08 F7 64 24 14 03 D8 8B 44 24 08 F7 E1 03 D3 5B C2 10 00 55 8B EC EB 1F FF 75 08 E8 6B 6C 00 00 59 85 C0 75 12 83 7D 08 FF 75 07 E8 B3 08 00 00 EB }
condition:
$1 at pe.entry_point
}
rule wix_toolset_3103
{
meta:
tool = "I"
name = "WiX Toolset"
version = "3.10.3"
source = "Made by RetDec Team"
pattern = "E8C4040000E980FEFFFFCCCCCCCCCCCCCCCCCCCCCCCC8B4424088B4C24100BC88B4C240C75098B442404F7E1C2100053F7E18BD88B442408F764241403D88B442408F7E103D35BC21000558BECEB1FFF7508E87D6C00005985C07512837D08FF7507E813"
strings:
$1 = { E8 C4 04 00 00 E9 80 FE FF FF CC CC CC CC CC CC CC CC CC CC CC CC 8B 44 24 08 8B 4C 24 10 0B C8 8B 4C 24 0C 75 09 8B 44 24 04 F7 E1 C2 10 00 53 F7 E1 8B D8 8B 44 24 08 F7 64 24 14 03 D8 8B 44 24 08 F7 E1 03 D3 5B C2 10 00 55 8B EC EB 1F FF 75 08 E8 7D 6C 00 00 59 85 C0 75 12 83 7D 08 FF 75 07 E8 13 }
condition:
$1 at pe.entry_point
}
rule wix_toolset_311
{
meta:
tool = "I"
name = "WiX Toolset"
version = "3.11"
source = "Made by RetDec Team"
pattern = "E801050000E98EFEFFFFCCCCCCCCCCCCCCCCCC8B4424088B4C24100BC88B4C240C75098B442404F7E1C2100053F7E18BD88B442408F764241403D88B442408F7E103D35BC21000CCCCCCCCCCCCCCCCCCCCCCCC80F940731580F92073060FADD0D3EAC38B"
strings:
$1 = { E8 01 05 00 00 E9 8E FE FF FF CC CC CC CC CC CC CC CC CC 8B 44 24 08 8B 4C 24 10 0B C8 8B 4C 24 0C 75 09 8B 44 24 04 F7 E1 C2 10 00 53 F7 E1 8B D8 8B 44 24 08 F7 64 24 14 03 D8 8B 44 24 08 F7 E1 03 D3 5B C2 10 00 CC CC CC CC CC CC CC CC CC CC CC CC 80 F9 40 73 15 80 F9 20 73 06 0F AD D0 D3 EA C3 8B }
condition:
$1 at pe.entry_point
for any i in (0 .. pe.number_of_sections) : (pe.sections[i].name == ".wixburn") and
all of them
}
rule xt_app_launcher