Is this RSA algorithm?

[Storm Shadow]

if you do a yara scan
you will quickly see if the scanner is set proberly.

you will see the yara rules load after push button peform yara scan

Code:

loading rules from file: C:\yara\cve.yar (3)
loading rules from file: C:\yara\index.yar (0)
loading rules from file: C:\yara\xplug.yar (2)
loading rules from file: C:\yara\AlienVault\apt.yar (72)
loading rules from file: C:\yara\AlienVault\avdetect.yar (1)
loading rules from file: C:\yara\AlienVault\dbgdetect.yar (3)
loading rules from file: C:\yara\AlienVault\hangover.yar (16)
loading rules from file: C:\yara\AlienVault\sandboxdetect.yar (1)
loading rules from file: C:\yara\AlienVault\vmdetect.yar (1)
loading rules from file: C:\yara\AlienVault\APT_NGO_wuaclt\yara\APT_NGO_wuaclt.yar (1)
loading rules from file: C:\yara\AlienVault\APT_NGO_wuaclt\yara\APT_NGO_wuaclt_PDF.yar (1)
loading rules from file: C:\yara\AlienVault\Georbot\GeorBotBinary.yara (1)
loading rules from file: C:\yara\AlienVault\Georbot\GeorBotMemory.yara (1)
[!] Performing YARA scan...

Also you can add you own sigs to yara
read this post https://hacking.ventures/rsa-keys-in-heartbleed-memory/


he adds the RSA headers to the scanner

Code:

rules = yara.compile(sources = {  
  'x509' : 'rule x509 {strings: $a = {30 82 ?? ?? 30 82 ?? ??} condition: $a}',
  'pkcs' : 'rule pkcs {strings: $a = {30 82 ?? ?? 02 01 00} condition: $a}',
  })

[bridgeic]

Quote:

Originally Posted by Storm Shadow

if you do a yara scan
you will quickly see if the scanner is set proberly.

you will see the yara rules load after push button peform yara scan
RL]

I'm sorry I didn't notice there is a push button, yes, I see the yara rules loaded when push the button, thank you so much.

Quote:

Originally Posted by Storm Shadow

he adds the RSA headers to the scanner

Code:

rules = yara.compile(sources = {  
  'x509' : 'rule x509 {strings: $a = {30 82 ?? ?? 30 82 ?? ??} condition: $a}',
  'pkcs' : 'rule pkcs {strings: $a = {30 82 ?? ?? 02 01 00} condition: $a}',
  })

Which file I should put this rule into? I try name a new rule file as rsa.yar, but seems failed to load.

[Kerlingen]

A RSA modulus has no special format and cannot be found by looking for some signature, since there is none. It is just a block of random looking bytes and the only way to know it is a modulus would be either finding a reference to it as an RSA parameter or by trying to factorize it (including all possible memory encodings) and not finding any factors after some minutes.

Did you yet find out if RSA is even used in your software and not just included as part of the library? It's a bit pointless to search for something which is not there, isn't it?