Telsy's Awesome Donut Shellcode YARA Rule
rule donut_shellcode_fixed
{
    meta:
        description = "Tested against shellcodes x86/x64 generated by Donut v0.9.3"
        author = "Telsy CTI team"
        date = "18/11/2021"
    condition:
        uint8(0) == 0xe8 and // shellcode starts with a call
        uint32(1) == uint32(5) and
        // the XOR generator key and the XOR initial key (32 bytes in total) cannot be null
        uint32(9) != 0 and uint32(13) != 0 and uint32(17) != 0 and uint32(21) != 0 and
        uint32(25) != 0 and uint32(29) != 0 and uint32(33) != 0 and uint32(37) != 0 and
        // a null uint32 follows the two keys
        uint32(41) == 0 and
        // config space
        uint32(469) == 0 and uint32(473) == 0 and uint32(477) == 0 and uint32(481) == 0 and
        uint32(485) == 0 and uint32(489) == 0 and uint32(493) == 0 and uint32(497) == 0 and
        uint32(501) == 0 and uint32(505) == 0 and uint32(509) == 0 and uint32(513) == 0 and
        uint32(517) == 0 and uint32(521) == 0 and uint32(525) == 0 and uint32(529) == 0 and
        uint32(533) == 0 and uint32(537) == 0 and uint32(541) == 0 and uint32(545) == 0 and
        uint32(549) == 0 and uint32(553) == 0 and uint32(557) == 0 and uint32(561) == 0 and
        // process exit option -> [1-2]
        (uint32(565) == 1 or uint32(565) == 2) and
        // entropy level chosen at config -> [1-3]
        (uint32(569) == 1 or uint32(569) == 2 or uint32(569) == 3) and
        uint32(571) == 0 and
        uint32(575) == 0
}
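The following is an added example, not part of the gist and not Telsy's code: a stand-alone Python re-implementation of the byte-offset checks in the rule above, so the rule's logic can be exercised and unit-tested against a buffer without a YARA install. Every offset and expected value is copied from the rule; `failed_checks` reports which condition a buffer misses, which is handy when tuning the rule against a sample corpus. The sample buffer produced by `build_constructed_sample` is constructed here purely as a test vector that satisfies the conditions; it is not Donut output and carries no loader code.

```python
import struct
import sys

# Offsets and values below are copied from Telsy's donut_shellcode_fixed rule.
# uint32(575) reads bytes 575..578, so shorter buffers can never match.
MIN_LEN = 579


def u8(buf, off):
    return buf[off]


def u32(buf, off):
    # YARA's uint32() reads a little-endian dword, like struct "<I"
    return struct.unpack_from("<I", buf, off)[0]


def failed_checks(buf):
    """Return the names of the rule conditions that `buf` does NOT satisfy."""
    if len(buf) < MIN_LEN:
        return ["buffer shorter than %d bytes" % MIN_LEN]
    fails = []
    if u8(buf, 0) != 0xE8:
        fails.append("first byte is not a CALL (0xE8)")
    if u32(buf, 1) != u32(buf, 5):
        fails.append("uint32(1) != uint32(5)")
    # eight dwords of key material at 9, 13, ..., 37 must all be non-null
    if any(u32(buf, off) == 0 for off in range(9, 41, 4)):
        fails.append("null dword inside the 32-byte key area (9..40)")
    if u32(buf, 41) != 0:
        fails.append("uint32(41) != 0")
    # 24 dwords of config space at 469, 473, ..., 561 must all be null
    if any(u32(buf, off) != 0 for off in range(469, 565, 4)):
        fails.append("non-null dword in config space (469..564)")
    if u32(buf, 565) not in (1, 2):
        fails.append("exit option (565) not in [1-2]")
    if u32(buf, 569) not in (1, 2, 3):
        fails.append("entropy level (569) not in [1-3]")
    if u32(buf, 571) != 0 or u32(buf, 575) != 0:
        fails.append("uint32(571) or uint32(575) not null")
    return fails


def donut_shellcode_fixed(buf):
    """True exactly when the YARA rule's condition would evaluate true."""
    return not failed_checks(buf)


def build_constructed_sample(exit_opt=1, entropy=3):
    """Constructed test vector that satisfies every condition (NOT real Donut output)."""
    b = bytearray(600)
    b[0] = 0xE8
    struct.pack_into("<I", b, 1, 0x1234)   # call displacement ...
    struct.pack_into("<I", b, 5, 0x1234)   # ... repeated at offset 5
    for off in range(9, 41, 4):            # non-null key material
        struct.pack_into("<I", b, off, 0x11223344)
    # bytes 45..468 are unconstrained by the rule; fill them with visible filler
    b[45:469] = b"\xcc" * (469 - 45)
    struct.pack_into("<I", b, 565, exit_opt)
    struct.pack_into("<I", b, 569, entropy)
    return bytes(b)


if __name__ == "__main__":
    # With no arguments, check the constructed vector; otherwise scan the given files.
    targets = sys.argv[1:] or [None]
    for path in targets:
        data = open(path, "rb").read() if path else build_constructed_sample()
        misses = failed_checks(data)
        print(path or "<constructed sample>", "MATCH" if not misses else "no match: " + "; ".join(misses))
```

Run it with a file path to check a suspected blob, or without arguments to confirm the checker accepts the constructed vector. Because the entropy check at 569 and the null check at 571 overlap by two bytes, a match additionally requires the high bytes of the entropy dword to be zero, which the integer comparison already guarantees; the overlap is harmless but worth knowing when the offsets are adjusted for another Donut version.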