Merge pull request #20 from Gurummang/develop

buubb · web-flow · commit 0194264354ce · 2024-10-18T16:35:53.000+09:00
fix: custom exe yara rule
diff --git a/rules/exe/executable/grum_custom_rule/suspicious_pe.yar b/rules/exe/executable/grum_custom_rule/suspicious_pe.yar
@@ -24,36 +24,6 @@ rule EntryPointZero
         pe.entry_point == 0x0
 }
 
-rule SectionSizeGreaterThanImageSize
-{
-    meta:
-        atk_type= "suspicious_section"
-        description = "Detects if any section size is greater than image size"
-
-    condition:
-        uint16(0) == 0x5A4D and
-        pe.is_pe and
-        for any i in (0..pe.number_of_sections - 1) : (
-            pe.sections[i].raw_data_size > pe.size_of_image
-        )
-}
-
-rule TextSectionLargerThanHalfImageSize
-{
-    meta:
-        atk_type= "suspicious_section"
-        description = "Detects if .text section is larger than half of the image size"
-
-    condition:
-        uint16(0) == 0x5A4D and
-        pe.is_pe and
-        (pe.characteristics & 0x2000 == 0) and // .dll 파일이 아닌지 확인
-        (pe.characteristics & 0x0002 != 0) and // .exe 파일인지 확인
-        for any i in (0..pe.number_of_sections - 1) : (
-                pe.sections[i].name == ".text" and pe.sections[i].raw_data_size > pe.size_of_image * 0.5
-        )
-}
-
 rule MissingDigitalSignature
 {
     meta:
