From 43d45b5d01e0da57e2641811489d154e440d6ecf Mon Sep 17 00:00:00 2001
From: Piotr Szczepanski
Date: Wed, 29 Apr 2020 12:19:40 +0200
Subject: [PATCH] Add detection of AutoHotKey compiler.

AutoHotKey is a script compiler similar to AutoIt that aims at automating and imitating the behaviour of an end user via series of macros, hotkeys, and software automations.
---
 .../yara_patterns/tools/pe/x64/compilers.yara | 21 +++++++++++++++++++
 .../yara_patterns/tools/pe/x86/compilers.yara | 21 +++++++++++++++++++
 2 files changed, 42 insertions(+)

diff --git a/support/yara_patterns/tools/pe/x64/compilers.yara b/support/yara_patterns/tools/pe/x64/compilers.yara
index a20c3d4e9..245e5f7b0 100644
--- a/support/yara_patterns/tools/pe/x64/compilers.yara
+++ b/support/yara_patterns/tools/pe/x64/compilers.yara
@@ -117,6 +117,27 @@ rule aut2exe_33143 {
 $1 at 0x400
 }
+rule autohotkey_uv_01 {
+ meta:
+ tool = "C"
+ name = "AHK2Exe"
+ language = "AutoHotKey"
+ bytecode = true
+ strings:
+ $1 = ">AUTOHOTKEY SCRIPT<"
+ $2 = ">AUTOHOTKEY SCRIPT<" wide
+ condition:
+ pe.is_64bit() and
+ for 1 of them : (
+ @ > pe.sections[pe.section_index(".rdata")].raw_data_offset and
+ @ < pe.sections[pe.section_index(".rdata")].raw_data_offset +
+ pe.sections[pe.section_index(".rdata")].raw_data_size
+ ) or
+ for 1 i in (0 .. pe.number_of_resources) : (
+ pe.resources[i].name_string matches />AUTOHOTKEY SCRIPTAUTOHOTKEY SCRIPT<"
+ $2 = ">AUTOHOTKEY SCRIPT<" wide
+ condition:
+ pe.is_32bit() and
+ for 1 of them : (
+ @ > pe.sections[pe.section_index(".rdata")].raw_data_offset and
+ @ < pe.sections[pe.section_index(".rdata")].raw_data_offset +
+ pe.sections[pe.section_index(".rdata")].raw_data_size
+ ) or
+ for 1 i in (0 .. pe.number_of_resources) : (
+ pe.resources[i].name_string matches />AUTOHOTKEY SCRIPT
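Review bot: The bitness guard in the new `autohotkey_uv_01` condition only covers the section check, because YARA's `and` binds tighter than `or`: `pe.is_64bit() and for 1 of them : (...) or for 1 i in (...) : (...)` parses as `(pe.is_64bit() and <section check>) or <resource check>`, so a 32-bit PE whose resource name carries the marker also matches the x64 rule, and the x86 hunk has the mirror-image problem with `pe.is_32bit()`. Wrapping the two alternatives, `pe.is_64bit() and (` … `)` with the closing paren after the resource loop, restricts both branches to the intended architecture. The resource loop range `(0 .. pe.number_of_resources)` is inclusive in YARA, so its last iteration indexes one past the array; `(0 .. pe.number_of_resources - 1)` avoids that (harmless, since undefined evaluates false) extra step. When no `.rdata` section exists, `pe.section_index(".rdata")` is undefined and the whole section branch silently evaluates false, which is worth a comment on the rule so a reader does not expect it to cover files with a differently named read-only section. The closing lines of `autohotkey_uv_01` and the x86 file header are not legible in this extraction, so the end of the rule could not be checked.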