-
Notifications
You must be signed in to change notification settings - Fork 167
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
* Add use-bigint-function Add new `data-manipulation/encryption/use-bigint-function.yml` rule to identify bigint functions as these functions may help reverse engineers identifying crypto. Example of bigint functions identified by this rule: - `bi_copi` - `bi_permanent` - `bi_depermant` - `bi_free` Reference: - https://github.com/ezhangle/krypton/blob/147d69429bfb03cce7113dca6dba36e77f8a9325/src/bigint.c - https://github.com/bnoordhuis/mongrel2/blob/3e9b57d82aeb627be0aebfb346199bfdfd67e530/src/crypto/bigint.c * Add rsa-encrypt Add new rule `data-manipulation/encryption/rsa/rsa-encrypt.yml` that identifies the RSA encryption implementation from: - https://github.com/ezhangle/krypton/blob/147d69429bfb03cce7113dca6dba36e77f8a9325/src/rsa.c#L232 - https://github.com/bnoordhuis/mongrel2/blob/3e9b57d82aeb627be0aebfb346199bfdfd67e530/src/crypto/rsa.c#L233 Rename current RSA encryption/decryption rules in the nursery to add `via WinAPI` to prevent name conflict.
- Loading branch information
Showing
4 changed files
with
79 additions
and
2 deletions.
There are no files selected for viewing
46 changes: 46 additions & 0 deletions
46
data-manipulation/encryption/rsa/encrypt-data-using-rsa-via-embedded-library.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,46 @@ | ||
| rule: | ||
| meta: | ||
| name: encrypt data using RSA via embedded library | ||
| namespace: data-manipulation/encryption/rsa | ||
| authors: | ||
| - "Ana06" | ||
| description: encrypt data using krypton RSA implementation or similar | ||
| scopes: | ||
| static: function | ||
| dynamic: unsupported # requires mnemonic, offset features | ||
| att&ck: | ||
| - Defense Evasion::Obfuscated Files or Information [T1027] | ||
| mbc: | ||
| - Defense Evasion::Obfuscated Files or Information::Encryption-Standard Algorithm [E1027.m05] | ||
| - Cryptography::Encrypt Data::RSA [C0027.011] | ||
| references: | ||
| - https://github.com/ezhangle/krypton/blob/147d69429bfb03cce7113dca6dba36e77f8a9325/src/rsa.c#L232 | ||
| - https://github.com/bnoordhuis/mongrel2/blob/3e9b57d82aeb627be0aebfb346199bfdfd67e530/src/crypto/rsa.c#L233 | ||
| examples: | ||
| - 009c2377b67997b0da1579f4bbc822c1:0x405CF0 | ||
| features: | ||
| - and: | ||
| # `sub eax, 3` Subtract 3 to calculate pads needed | ||
| - instruction: | ||
| - mnemonic: sub | ||
| - number: 3 | ||
| # `mov byte ptr [ecx], 0` Ensure encryption block is < modulus | ||
| - instruction: | ||
| - mnemonic: mov | ||
| - offset: 0 | ||
| - number: 0 | ||
| # `mov byte ptr [edx+1], 2` Set encryption flag | ||
| - instruction: | ||
| - mnemonic: mov | ||
| - offset: 1 | ||
| - number: 2 | ||
| # `mov byte ptr [edx+2], 0` Terminate with zero | ||
| - instruction: | ||
| - mnemonic: mov | ||
| - offset: 2 | ||
| - number: 0 | ||
| # call `get_random_nonzero`, `memcpy`, `bi_import`, `RSA_public`, `bi_export`, and `bi_clear_cache` | ||
| # if the signing code is included, also call `memcpy` and `RSA_private` | ||
| - count(mnemonic(call)): (6,8) | ||
| - optional: # likely in a subfunction | ||
| - match: use bigint function |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,31 @@ | ||
| rule: | ||
| meta: | ||
| name: use bigint function | ||
| namespace: data-manipulation/encryption | ||
| authors: | ||
| - "Ana06" | ||
| description: use bigint function such as bi_copy and bi_permanent. Useful to identify crypto. | ||
| scopes: | ||
| static: instruction | ||
| dynamic: unsupported # requires mnemonic, offset features | ||
| references: | ||
| # bi_copy | ||
| - https://github.com/ezhangle/krypton/blob/147d69429bfb03cce7113dca6dba36e77f8a9325/src/bigint.c#L149 | ||
| - https://github.com/bnoordhuis/mongrel2/blob/3e9b57d82aeb627be0aebfb346199bfdfd67e530/src/crypto/bigint.c#L162 | ||
| # bi_permanent | ||
| - https://github.com/ezhangle/krypton/blob/147d69429bfb03cce7113dca6dba36e77f8a9325/src/bigint.c#L161 | ||
| - https://github.com/bnoordhuis/mongrel2/blob/3e9b57d82aeb627be0aebfb346199bfdfd67e530/src/crypto/bigint.c#L176 | ||
| examples: | ||
| - 009c2377b67997b0da1579f4bbc822c1:0x404096 # bi_copy | ||
| - 009c2377b67997b0da1579f4bbc822c1:0x4040D4 # bi_permanent | ||
| - 009c2377b67997b0da1579f4bbc822c1:0x4040E6 # bi_depermanent | ||
| - 009c2377b67997b0da1579f4bbc822c1:0x404109 # bi_free | ||
| - 8333822ed41d9f2b302cf8e21b126efc:0x407933 # bi_permanent | ||
| - 8333822ed41d9f2b302cf8e21b126efc:0x407933 # bi_depermanent | ||
| features: | ||
| - and: | ||
| - or: | ||
| - mnemonic: mov | ||
| - mnemonic: cmp | ||
| - number: 0x7FFF55AA = PERMANENT | ||
| - offset: 8 = bi->refs |
2 changes: 1 addition & 1 deletion
2
nursery/decrypt-data-using-rsa.yml → ...ery/decrypt-data-using-rsa-via-winapi.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
2 changes: 1 addition & 1 deletion
2
nursery/encrypt-data-using-rsa.yml → ...ery/encrypt-data-using-rsa-via-winapi.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters