YARA rule that looks for PE files with no manifest
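import "pe"

// Flags PE files that carry no application manifest. A manifest normally lives in
// the resource directory as an RT_MANIFEST entry; its absence is a weak
// "reduced footprint" signal and is best used as a feature combined with other rules.
rule Feature_PE_NoManifest {
    meta:
        date = "2022-03-13"
        author = "Zander Work (@captainGeech42)"
        descr = "Look for PE files that don't have a manifest. This could be indicative of malicious files trying to reduce their footprint."
        notes = "When building a binary with MSVC, the manifest can be disabled by passing /MANIFEST:NO to link.exe. By default, a manifest is generated when compiling via Visual Studio."
        ref_manifest = "https://gist.github.com/captainGeech42/5e0bf655d048a562336ce99eea23dccc"
        ref_sample = "ade0b06ef992926f5e5c80b69af19a70"

    strings:
        // Opening <assembly> tag as written by the MSVC linker's default manifest
        // (single-quoted attributes). This was the only form the original rule knew.
        $xml_sq = "<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>" ascii wide
        // Same tag with double-quoted attributes, as produced by mt.exe and hand-written
        // manifests. Without this variant such files were reported as "no manifest"
        // (false positive). Attribute order may still differ in the wild, which is why the
        // resource-type check below is the primary test and the strings are a backstop.
        $xml_dq = "<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">" ascii wide

    condition:
        // make sure it is a PE file: "MZ" at offset 0 and "PE\0\0" at e_lfanew
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and
        (
            // manifests are stored in a resource. if there are no resources, there is no manifest
            (pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE].size == 0) or
            (
                // resources exist, but none of them is typed RT_MANIFEST ...
                (not (
                    for any resource in pe.resources : (
                        resource.type == pe.RESOURCE_TYPE_MANIFEST
                    )
                )) and
                // ... and no manifest XML appears inside the .rsrc section either.
                // The string scan catches a resource tree the pe module could not walk
                // (truncated or deliberately malformed directory) that still embeds a manifest.
                (not (
                    for any section in pe.sections : (
                        section.name == ".rsrc" and
                        (
                            $xml_sq in (section.raw_data_offset..(section.raw_data_offset + section.raw_data_size)) or
                            $xml_dq in (section.raw_data_offset..(section.raw_data_offset + section.raw_data_size))
                        )
                    )
                ))
            )
        )
}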