diff --git a/src/cpdetect/compiler_detector/compiler_detector.cpp b/src/cpdetect/compiler_detector/compiler_detector.cpp
index 216807abe..fc967cf8e 100644
--- a/src/cpdetect/compiler_detector/compiler_detector.cpp
+++ b/src/cpdetect/compiler_detector/compiler_detector.cpp
@@ -434,7 +434,7 @@ ReturnCode CompilerDetector::getAllSignatures()
 {
 toolInfo.addTool(
 DetectionMethod::YARA_RULE,
- metaToStrength(rule.getMeta("language")),
+ metaToStrength(rule.getMeta("strength")),
 toolType,
 nameMeta->getStringValue(),
 version,
diff --git a/support/yara_patterns/tools/pe/x64/installers.yara b/support/yara_patterns/tools/pe/x64/installers.yara
index 582ed8e80..f64350efc 100644
--- a/support/yara_patterns/tools/pe/x64/installers.yara
+++ b/support/yara_patterns/tools/pe/x64/installers.yara
@@ -5,6 +5,42 @@ import "pe"
+rule pyinstaller_27
+{
+ meta:
+ tool = "I"
+ name = "PyInstaller"
+ version = "2.7"
+ strength = "high"
+ strings:
+ $s00 = "Cannot GetProcAddress for PySys_SetObject"
+ $s01 = "Error coping %s"
+ $s02 = "Error loading Python DLL: %s (error code %d)"
+ $s03 = "PYTHONHOME"
+ condition:
+ pe.number_of_resources > 0 and
+ @s00 < pe.sections[2].raw_data_offset and
+ all of them
+}
+
+rule pyinstaller_3x
+{
+ meta:
+ tool = "I"
+ name = "PyInstaller"
+ version = "3.x"
+ strength = "high"
+ strings:
+ $s00 = "Failed to get address for PySys_SetObject"
+ $s01 = "Error copying %s"
+ $s02 = "Error loading Python DLL '%s'"
+ $s03 = "pyi-windows-manifest-filename"
+ condition:
+ pe.number_of_resources > 0 and
+ @s00 < pe.sections[2].raw_data_offset and
+ all of them
+}
+
 rule winrar_sfx_392b1
 {
 meta:
diff --git a/support/yara_patterns/tools/pe/x86/installers.yara b/support/yara_patterns/tools/pe/x86/installers.yara
index 93863e618..64b45124d 100644
--- a/support/yara_patterns/tools/pe/x86/installers.yara
+++ b/support/yara_patterns/tools/pe/x86/installers.yara
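Review bot: The new `rule.getMeta("strength")` lookup has no visible handling for rules whose meta block does not declare `strength`; whether `metaToStrength` maps a missing meta to a default strength or dereferences a null result cannot be seen from the hunk, and the enclosing body of `getAllSignatures` starts and ends outside it. The context lines visible for the pre-existing rules in the installers.yara hunks below do not show whether they carry the key, so a comment at the call site documenting the contract would help, e.g. `// "strength" meta is optional; metaToStrength() maps a missing/unknown value to the default strength` — adjusted to what the helper really does. Since detection strength feeds the reported confidence of a tool match, a regression check that a rule with `strength = "high"` is no longer scored from its `language` meta would pin the fix.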
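Review bot: Both new conditions read `pe.sections[2].raw_data_offset` without first requiring `pe.number_of_sections > 2`; in YARA an out-of-range section access is undefined and makes the enclosing condition false, so on a PE with fewer than three sections the rule silently never fires instead of reporting anything — adding `pe.number_of_sections > 2 and` before the offset comparison makes that precondition explicit. `$s01 = "Error coping %s"` in `pyinstaller_27` reads like a typo next to `"Error copying %s"` in `pyinstaller_3x`; if it is the literal text emitted by the 2.7 bootloader it must stay as is, and a comment such as `// "coping" is the bootloader's own misspelling, do not correct` would stop a later cleanup from breaking the match, whereas if it is not literal the rule can never match. The same two points apply to the identical rules added in the x86 installers.yara hunk.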
@@ -110,6 +110,42 @@ rule exemplar_installer { $1 at pe.entry_point }
+rule pyinstaller_27
+{
+ meta:
+ tool = "I"
+ name = "PyInstaller"
+ version = "2.7"
+ strength = "high"
+ strings:
+ $s00 = "Cannot GetProcAddress for PySys_SetObject"
+ $s01 = "Error coping %s"
+ $s02 = "Error loading Python DLL: %s (error code %d)"
+ $s03 = "PYTHONHOME"
+ condition:
+ pe.number_of_resources > 0 and
+ @s00 < pe.sections[2].raw_data_offset and
+ all of them
+}
+
+rule pyinstaller_3x
+{
+ meta:
+ tool = "I"
+ name = "PyInstaller"
+ version = "3.x"
+ strength = "high"
+ strings:
+ $s00 = "Failed to get address for PySys_SetObject"
+ $s01 = "Error copying %s"
+ $s02 = "Error loading Python DLL '%s'"
+ $s03 = "pyi-windows-manifest-filename"
+ condition:
+ pe.number_of_resources > 0 and
+ @s00 < pe.sections[2].raw_data_offset and
+ all of them
+}
+
 rule installanywhere_61
 {
 meta:
 tool = "I"