Skip to content

Instantly share code, notes, and snippets.

@secrary

secrary/drsemu_detection.lua Secret

Created Aug 14, 2019
Embed
What would you like to do?
-- json = require "json"
utils = require "utils"
-- detection logic
function check(report_directory)
local status = "CLEAN"
-- open the first JSON file and read content
local first_dynamic = utils.get_first_process_json(report_directory)
local first_static = utils.get_first_static(report_directory)
--
-- your code starts from here
--
-- static information
local is_x86 = false
if first_static ~= nil then
is_x86 = first_static.generic.is_x86
end
-- dynamic information
if first_dynamic ~= nil then
-- enumerate json
for index, win_func in pairs(first_dynamic) do
-- Get information from a syscall, e.g. NtCreateUserProcess
if win_func.NtCreateUserProcess then
if win_func.NtCreateUserProcess.before.image_path ~= nil then
if win_func.NtCreateUserProcess.before.image_path:find("drsemu_eicar%.exe") then
return "WIN32.EICAR.DR"
end
end
end
end
end
return status
end
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment