From 2b9536a47cb329b2f6daaf9c51215cd69f66ca1c Mon Sep 17 00:00:00 2001
From: tamaroth
Date: Wed, 29 Jul 2020 16:47:03 +0200
Subject: [PATCH 1/2] Remove incorrect InstallShield detection.

That specific YARA rule detects a generic EntryPoint code generated by old MSVC compilers.
---
 support/yara_patterns/tools/pe/x86/installers.yara | 12 ------------
 1 file changed, 12 deletions(-)

diff --git a/support/yara_patterns/tools/pe/x86/installers.yara b/support/yara_patterns/tools/pe/x86/installers.yara
index 51664980a..32ce91e2c 100644
--- a/support/yara_patterns/tools/pe/x86/installers.yara
+++ b/support/yara_patterns/tools/pe/x86/installers.yara
@@ -239,18 +239,6 @@ rule installshield_uv_05 {
 $1 at pe.entry_point
 }
 
-rule installshield_2000 {
- meta:
- tool = "I"
- name = "InstallShield"
- version = "2000"
- pattern = "558BEC6AFF68????????68????????64A1????????50648925????????83C4??535657"
- strings:
- $1 = { 55 8B EC 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 C4 ?? 53 56 57 }
- condition:
- $1 at pe.entry_point
-}
-
 rule instyler_uv_01 {
 meta:
 tool = "I"

From 72a9503e885759b5901b30a7240d270b84c2e885 Mon Sep 17 00:00:00 2001
From: tamaroth
Date: Thu, 30 Jul 2020 16:13:21 +0200
Subject: [PATCH 2/2] Reclassify Gentee as a compiler.

Gentee is a programming language that uses its own byte code withing a static binary shell. All samples containing the '.gentee' sections are usually just compiled Gentee binaries and not packed by Gentee (which is a misnomer).
---
 src/cpdetect/heuristics/pe_heuristics.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/cpdetect/heuristics/pe_heuristics.cpp b/src/cpdetect/heuristics/pe_heuristics.cpp
index bc4bbf231..75d73fedd 100644
--- a/src/cpdetect/heuristics/pe_heuristics.cpp
+++ b/src/cpdetect/heuristics/pe_heuristics.cpp
@@ -2117,7 +2117,7 @@ void PeHeuristics::getPeSectionHeuristics()
 }
 if (secondLastName == ".gentee")
 {
- addPacker(source, strength, "Gentee");
+ addCompiler(source, strength, "Gentee");
 }
 }
 if (firstName == "pec1"
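Review bot: The reason for the `addCompiler` reclassification on the `+` line exists only in the commit message, while the code itself is a bare section-name comparison; a comment above `if (secondLastName == ".gentee")` would keep the rationale with the code: `// A ".gentee" section marks a Gentee-compiled binary (own byte code in a static shell), not a packer.` A section name is trivially set by whoever builds the binary, so this match should remain a heuristic-strength signal rather than a definitive classification; `strength` is computed outside the hunk, so I cannot confirm what confidence it carries here. The enclosing `getPeSectionHeuristics` begins and ends outside the hunk.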