Renamed and moved numerous .sg files in the db directory to follow a more consistent naming convention and directory structure, grouping by type (e.g., compiler, cruncher, packer, protector, etc.). This improves maintainability and clarity of the signature database organization.
// Detect It Easy: detection rule file
// Author: nicholasmckinney
//
// Signature for the Donut position-independent loader
// (https://github.com/TheWover/donut). The matching itself is done by
// detect() below; this header only registers the rule.
//
// meta(type, name): declares the rule as a "shellcode" signature named
// "Donut" — these two strings are what DIE shows when detect() reports a hit.
meta("shellcode", "Donut");
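// Entry point invoked by Detect It Easy for every scanned file.
//
// Matches the Donut loader prologue at file offset 0:
//   offset 0      E8 <rel32>   call that jumps over the embedded instance
//   offset 5      instance     its first field carries the instance length,
//                              so its low word must equal the call's rel32
//   call target   59           pop ecx (ecx = address of the instance)
// The three bytes following the pop ecx select the architecture variant;
// see the donut.c references inline.
//
// Communicates through the DIE globals: bDetected is set to true on a
// match and sOptions receives the architecture label; result() is
// returned on every path, as DIE expects.
//
// Changes from the first version: strict comparisons, the missing
// semicolon on the readDword line, and a bounds check on the call target
// so an out-of-range (or effectively negative) rel32 is rejected instead
// of being dereferenced past the end of the file.
function detect() {
    bDetected = false;

    // https://github.com/TheWover/donut/blob/dafea1702ce2e71d5139c4d583627f7ee740f3ae/donut.c#L1235
    if (Binary.readByte(0) !== 0xE8) {
        return result();
    }

    // The instance starts right after the 5-byte call and begins with its
    // own length, which is the same value the call's rel32 skips over.
    if (Binary.readWord(1) !== Binary.readWord(5)) {
        return result();
    }

    // rel32 is relative to the end of the call instruction:
    // 1 byte for E8 (call opcode) and 4 bytes for the displacement.
    var callDest = Binary.readDword(1);
    var popECXOffset = callDest + 5;

    // readDword is unsigned, so a negative rel32 becomes a huge offset;
    // either way the pop ecx must lie inside the file.
    if (popECXOffset >= Binary.getSize()) {
        return result();
    }

    // https://github.com/TheWover/donut/blob/dafea1702ce2e71d5139c4d583627f7ee740f3ae/donut.c#L1239
    if (Binary.readByte(popECXOffset) !== 0x59) {
        return result();
    }

    bDetected = true;

    // Only the three bytes after pop ecx matter; the fourth is masked off.
    var archDetectionOffset = popECXOffset + 1;
    var archDetectBytes = Binary.readDword(archDetectionOffset) & 0x00ffffff;

    switch (archDetectBytes) {
        // https://github.com/TheWover/donut/blob/dafea1702ce2e71d5139c4d583627f7ee740f3ae/donut.c#L1242-L1248
        case 0x52515a: // bytes 5A 51 52: pop edx / push ecx / push edx
            sOptions = "x86";
            break;

        // https://github.com/TheWover/donut/blob/dafea1702ce2e71d5139c4d583627f7ee740f3ae/donut.c#L1270-L1273
        case 0x48c031: // bytes 31 C0 48: xor eax, eax then dec eax (x86) / REX.W (x64)
            sOptions = "x86 + AMD64";
            break;

        default:
            sOptions = "AMD64";
    }

    return result();
}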