/// YARA rule source `primes` (author metadata: "Frondorf, Niklas").
///
/// Three hex strings, each ending in a `e8 ?? ?? ?? ??` (call rel32) that
/// the inline annotations label `halve_until_smaller_24`:
/// - `$sequence_eax`: either `mov eax, imm32; mul edi` or
///   `lea eax, [edi + edi*4]`, then a store to `[ebp + disp8]`, `push eax`, call;
/// - `$sequence_edi`: `push edi`, call;
/// - `$sequence_shift`: `shl esi,1; push esi` or `shl edi,1; push edi`, then call.
///
/// Condition is `any of them`, so a single matching sequence is enough.
/// The rule text begins with a newline (raw string opens on the next line);
/// the opcode annotations (`//`) are YARA hex-string comments, not matched bytes.
pub static RULE_PRIMES: &str = r#"
rule primes {
meta:
author = "Frondorf, Niklas"
strings:
$sequence_eax = {
(
b8 ?? ?? ?? ?? // mov eax, prime
f7 e7 // mul edi
|
8d 04 bf // lea eax, [edi + edi * 0x4]
)
89 45 ?? // mov dword ptr [ebp + local], eax
50 // push eax
e8 ?? ?? ?? ?? // call halve_until_smaller_24
}
$sequence_edi = {
57 // push edi
e8 ?? ?? ?? ?? // call halve_until_smaller_24
}
$sequence_shift = {
(
d1 e6 // shl esi, 0x1
56 // push esi
|
d1 e7 // shl edi, 0x1
57 // push edi
)
e8 ?? ?? ?? ?? // call halve_until_smaller_24
}
condition:
any of them
}"#;
/// YARA rule source `prefix` (author metadata: "Frondorf, Niklas").
///
/// Single hex string `$prefix`: `c6 05` followed by five wildcard bytes,
/// annotated as `mov byte ptr [DAT], char` (a byte store to an absolute
/// address with an immediate operand). Condition `all of them` with one
/// string means: present anywhere in the scanned data.
///
/// NOTE(review): only two fixed bytes are matched; on its own this pattern
/// is likely to fire on unrelated code — presumably meant to be combined
/// with the other rules in this file. Confirm against the intended use.
pub static RULE_PREFIX: &str = r#"
rule prefix {
meta:
author = "Frondorf, Niklas"
strings:
$prefix = {
c6 05 ?? ?? ?? ?? ?? // mov byte ptr [DAT], char
}
condition:
all of them
}"#;
/// YARA rule source `counter` (author metadata: "Frondorf, Niklas").
///
/// Single hex string `$counter`: one of two compare-and-branch forms
/// (`mov eax, imm32; cmp eax, [ebp + disp32]; jnc rel32` or
/// `cmp dword ptr [ebp + disp32], imm8; jbe rel32`), followed by
/// `c7 85 ?? ?? ?? ?? 01 00 00 00` (annotated `mov dword ptr [ebp + counter], 0x1`)
/// and `e9 ?? ?? ?? ??` (jmp rel32). Condition `all of them`.
///
/// NOTE(review): the annotation on the second `cmp` reads `0x32`, but the
/// immediate byte that follows is a wildcard (`??`), so the rule does not
/// actually pin that value — confirm whether `32` was intended there.
pub static RULE_COUNTER: &str = r#"
rule counter {
meta:
author = "Frondorf, Niklas"
strings:
$counter = {
(
b8 ?? ?? ?? ?? // mov eax, counter_max
3b 85 ?? ?? ?? ?? // cmp eax, dword ptr [ebp + counter]
0f 83 ?? ?? ?? ?? // jnc lab
|
83 bd ?? ?? ?? ?? // cmp dword ptr [ebp + counter], 0x32
??
0f 86 ?? ?? ?? ?? // jbe
)
c7 85 // mov dword ptr [ebp + counter], 0x1
?? ?? ?? ??
01 00 00 00
e9 ?? ?? ?? ?? // jmp lab
}
condition:
all of them
}"#;
/// YARA rule source `tlds` (author metadata: "Frondorf, Niklas").
///
/// Single hex string `$tds`: one of three short jumps (`73`/`76`/`eb` + rel8,
/// annotated jnc/jbe/jmp), then `68 ?? ?? ?? ??` (push imm32, annotated
/// `push encrypted_tld`) and `e8 ?? ?? ?? ??` (call rel32, annotated
/// `call decrypt_string`). Condition `all of them`.
///
/// NOTE(review): the string is named `$tds` while the rule is `tlds`;
/// harmless to YARA, but looks like a typo worth aligning.
pub static RULE_TLDS: &str = r#"
rule tlds {
meta:
author = "Frondorf, Niklas"
strings:
$tds = {
(
73 ?? // jnc label
|
76 ?? // jbe label
|
eb ?? // jmp label
)
68 ?? ?? ?? ?? // push encrypted_tld
e8 ?? ?? ?? ?? // call decrypt_string
}
condition:
all of them
}"#;
/// YARA rule source `keys` (author metadata: "Frondorf, Niklas").
///
/// Single hex string `$keys`: either `83 e2 ??` (annotated `and edx, key1`)
/// or `b9 imm32; 31 d2; f7 f1` (annotated `mov ecx, key1; xor edx, edx; div ecx`),
/// followed by `0f b6` and six wildcard bytes (annotated `movzx`).
/// Condition `all of them`.
///
/// NOTE(review): the `and edx, imm8` branch is three bytes with the immediate
/// wildcarded, so that alternative carries little fixed content; the trailing
/// `0f b6` + wildcards is what anchors it — presumably acceptable when used
/// alongside the other rules here, verify against the intended target.
pub static RULE_KEYS: &str = r#"
rule keys {
meta:
author = "Frondorf, Niklas"
strings:
$keys = {
(
83 e2 ?? // and edx, key1
|
b9 ?? ?? ?? ?? // mov ecx, key1
31 d2 // xor edx, edx
f7 f1 // div ecx
)
0f b6 ?? ?? // movzx
?? ?? ?? ??
}
condition:
all of them
}"#;