Make a file called Rsa.yar.
Remember to add it to the index file.
Code:
rule Rsa
{
    strings:
        $a = {30 82 ?? ?? 30 82 ?? ??} // x509 OpenSSL 1024 Cert public key
        $b = {30 82 ?? ?? 02 01 00}    // pkcs OpenSSL 1024 bit RSA Private Key
    condition:
        $a or $b
}
It is fully possible to find RSA signatures from memory:
http://www.trapkit.de/research/sslke...0_20060205.pdf
Bridge found the public RSA key that way in post 16:
http://forum.exetools.com/showpost.p...7&postcount=16
But of course it could be obfuscated and embedded in other files these days, and very hard to find.
https://b161268c3bf5a87bc67309e7c870...ARA-Manual.pdf
Yara is almost its own script language by itself.
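An added example, not part of the original post: the two hex patterns in the rule are short, so they also hit random data, and a hit is worth triaging by checking that the DER length fields are consistent. The function names (`der_len`, `triage`) and the sample buffer are constructed for illustration.

```python
import re

# The rule's two hex strings as byte regexes (?? -> any byte). The lookahead
# reports overlapping hits too, as a YARA scan would.
PAT_A = re.compile(rb"(?=\x30\x82..\x30\x82..)", re.DOTALL)   # $a
PAT_B = re.compile(rb"(?=\x30\x82..\x02\x01\x00)", re.DOTALL)  # $b


def der_len(buf, off):
    """Two-byte length from a DER header 'tag 82 hi lo' starting at off."""
    return int.from_bytes(buf[off + 2:off + 4], "big")


def triage(buf):
    """Return sorted (offset, pattern, plausible) for every hit in buf."""
    hits = []
    for label, pat in (("a", PAT_A), ("b", PAT_B)):
        for m in pat.finditer(buf):
            off = m.start()
            outer = der_len(buf, off)
            # The outer SEQUENCE must fit inside the scanned buffer.
            ok = off + 4 + outer <= len(buf)
            if label == "a":
                # The inner SEQUENCE (header + body) must fit in the outer one.
                ok = ok and der_len(buf, off + 4) + 4 <= outer
            else:
                # After the version INTEGER 0, the next field must be another
                # INTEGER (tag 02), which is the modulus in an RSA private key.
                ok = ok and buf[off + 7:off + 8] == b"\x02"
            hits.append((off, label, ok))
    return sorted(hits)


# Constructed sample buffer (not real key material):
GOOD_B = bytes.fromhex("3082000a020100020500aabbccdd")  # lengths consistent
BAD_B = bytes.fromhex("3082ffff02010041")               # length overruns buffer
GOOD_A = bytes.fromhex("3082000830820004deadbeef")      # nested lengths consistent
SAMPLE = b"\x00" * 5 + GOOD_B + b"JUNK" + BAD_B + GOOD_A + b"\x00" * 4

if __name__ == "__main__":
    for off, label, ok in triage(SAMPLE):
        print(f"0x{off:04x} ${label} {'plausible DER' if ok else 'likely false positive'}")
```

A hit marked plausible is only a candidate; confirming it still means parsing the full structure with a real ASN.1 parser.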