YARA rule that matches Microsoft Hardware Compatibility Publisher (WHCP)-signed KMDF driver PE binaries (referencing "KmdfLibrary") that carry no ProductName/ProductVersion version-resource strings, like the NetFilter rootkit driver.
import "pe"
import "vt"
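// Hunts for Windows drivers signed through the Microsoft Hardware Compatibility
// program (WHCP) that look like the NetFilter rootkit: a KMDF driver with no
// ProductName/ProductVersion in its version resource.
//
// Caveats a reviewer should keep in mind:
//   * $ms_hwc_serial is matched as raw bytes anywhere in the file, not inside the
//     parsed Authenticode signature. A PE that embeds another WHCP-signed binary
//     (e.g. as a resource) can therefore match. pe.number_of_signatures > 0 only
//     checks that *some* Authenticode signature is present; bind the serial to the
//     signer with pe.signatures[*].serial if a stricter match is wanted.
//   * vt.metadata.new_file restricts the rule to files first seen on VirusTotal,
//     i.e. it is a Livehunt rule; it will not match in Retrohunt or a local scan.
//   * Absence of ProductName/ProductVersion is a heuristic; legitimate drivers
//     with sparse version info will also match and need triage.
rule ms_hwc_sig_kmdf_driver_no_prod_info
{
    meta:
        description = "MS Hardware Compatibility Publisher signed KMDF driver without ProductName/ProductVersion resource info, like the NetFilter rootkit"
        author = "wesinator"
        date = "2021-07-30"
        license = "4-Clause BSD"
    strings:
        // Raw certificate serial number bytes of the MS Hardware Compatibility
        // Publisher signing certificate as stored in the Authenticode blob.
        $ms_hwc_serial = { 33 00 00 00 B5 21 3F CA 1E 4A A0 3D E4 00 00 00 00 00 B5 }
        // KMDF-based drivers reference the framework library by name.
        $kmdf_library = "KmdfLibrary" nocase wide ascii
        // VS_VERSIONINFO string keys are UTF-16, hence wide only.
        $prod_name = "ProductName" wide
        $prod_ver = "ProductVersion" wide
    condition:
        // Cheapest check first: only files first seen on VirusTotal (Livehunt).
        vt.metadata.new_file and
        // MZ header plus a valid PE signature at e_lfanew, so the resource and
        // signature checks below are applied to a real PE and not an MZ stub.
        uint16(0) == 0x5a4d and
        uint32(uint32(0x3c)) == 0x00004550 and
        // The file must actually carry an Authenticode signature.
        pe.number_of_signatures > 0 and
        $ms_hwc_serial and
        $kmdf_library and
        // No product strings in the version resource.
        not any of ($prod*)
}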