edeca · January 2, 2022 14:46
diff --git a/high_entropy_pe_rules.yar b/high_entropy_pe_rules.yar
 /*

 Original rule from: https://gist.github.com/g-les/0745a9d6cd7f4abb3083a8dee1eaf984

 Two variations on the original rule by @greglesnewich.

 Conversation on Twitter at: https://twitter.com/edeca/status/1477650229709225990

 */

 import "pe"
 import "math"

 rule SUSP_Very_High_Entropy_Code_Section
 {
  meta:
    description = "check for an executable with any code section that is very high entropy."
    DaysofYARA_day = "2/100"
  
  condition:
    for any var_sect in pe.sections: ( //iterate across all of the sections of the PE and for each one (we're using variable named var_sect to make it clear)
 	    var_sect.characteristics & pe.SECTION_CNT_CODE //check that this section contains executable code
 	    and
 	    math.in_range( //set a range
 		    math.entropy( //calculate entropy
 		    var_sect.raw_data_offset, var_sect.raw_data_size), // between the start (offset) of the section
 		    7.8, 8.0) //entropy caps at 8, so lets set a value close to that
 		  )
 }

 rule SUSP_Very_High_Entropy_Entry_Section
 {
  meta:
    description = "check for a PE file where the section containing the entrypoint is very high entropy."
    DaysofYARA_day = "2/100"
  
  condition:
    for any var_sect in pe.sections: ( //iterate across all of the sections of the PE and for each one (we're using variable named var_sect to make it clear)
 	    ((var_sect.virtual_address <= pe.entry_point) and pe.entry_point < (var_sect.virtual_address + var_sect.virtual_size)) //check that the entry point is within this section
 	    and
 	    math.in_range( //set a range
 		    math.entropy( //calculate entropy
 		    var_sect.raw_data_offset, var_sect.raw_data_size), // between the start (offset) of the section
 		    7.8, 8.0) //entropy caps at 8, so lets set a value close to that
 		  )
 }
	/*

	Original rule from: https://gist.github.com/g-les/0745a9d6cd7f4abb3083a8dee1eaf984

	Two variations on the original rule by @greglesnewich.

	Conversation on Twitter at: https://twitter.com/edeca/status/1477650229709225990

	*/

	import "pe"
	import "math"

	rule SUSP_Very_High_Entropy_Code_Section
	{
	meta:
	description = "check for an executable with any code section that is very high entropy."
	DaysofYARA_day = "2/100"

	condition:
	for any var_sect in pe.sections: ( //iterate across all of the sections of the PE and for each one (we're using variable named var_sect to make it clear)
	var_sect.characteristics & pe.SECTION_CNT_CODE //check that this section contains executable code
	and
	math.in_range( //set a range
	math.entropy( //calculate entropy
	var_sect.raw_data_offset, var_sect.raw_data_size), // between the start (offset) of the section
	7.8, 8.0) //entropy caps at 8, so lets set a value close to that
	)
	}

	rule SUSP_Very_High_Entropy_Entry_Section
	{
	meta:
	description = "check for a PE file where the section containing the entrypoint is very high entropy."
	DaysofYARA_day = "2/100"

	condition:
	for any var_sect in pe.sections: ( //iterate across all of the sections of the PE and for each one (we're using variable named var_sect to make it clear)
	((var_sect.virtual_address <= pe.entry_point) and pe.entry_point < (var_sect.virtual_address + var_sect.virtual_size)) //check that the entry point is within this section
	and
	math.in_range( //set a range
	math.entropy( //calculate entropy
	var_sect.raw_data_offset, var_sect.raw_data_size), // between the start (offset) of the section
	7.8, 8.0) //entropy caps at 8, so lets set a value close to that
	)
	}