find pusha popa sequences

BitsOfBinary · Nov 23, 2020 · 824bb51 · 824bb51
1 parent 8078d3f
commit 824bb51
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 0 deletions.
diff --git a/anti-analysis/anti-disasm/contain-anti-disasm-techniques.yml b/anti-analysis/anti-disasm/contain-anti-disasm-techniques.yml
@@ -0,0 +1,11 @@
+rule:
+  meta:
+    name: contain anti-disasm techniques
+    namespace: anti-analysis/anti-disasm
+    author: [email protected]
+    scope: file
+    examples:
+      - a5c70086b3bc4fe64f4e7a0aa452e620
+  features:
+    - or:
+      - count(match(contain pusha popa sequence)): 10 or more
diff --git a/anti-analysis/packer/generic/packed-with-generic-packer.yml b/anti-analysis/packer/generic/packed-with-generic-packer.yml
@@ -19,3 +19,5 @@ rule:
         - mnemonic: popa
         - mnemonic: popad  # vivisect
       - characteristic: cross section flow
+      - not:
+        - match: contain pusha popa sequence
diff --git a/lib/contain-pusha-popa-sequence.yml b/lib/contain-pusha-popa-sequence.yml
@@ -0,0 +1,18 @@
+rule:
+  meta:
+    name: contain pusha popa sequence
+    author: [email protected]
+    lib: true
+    scope: function
+    examples:
+      - a5c70086b3bc4fe64f4e7a0aa452e620:0x35007200
+  features:
+    - and:
+      - or:
+        - count(mnemonic(pusha)): 2 or more
+        # vivisect
+        - count(mnemonic(pushad)): 2 or more
+      - or:
+        - count(mnemonic(popa)): 2 or more
+        # vivisect
+        - count(mnemonic(popad)): 2 or more