@secrary secrary/drsemu_detection.lua Secret

Created Aug 14, 2019
-- json = require "json"  -- commented out: nothing in this script uses it
-- DrSemu helper module. Assigned as a (non-local) global so that `check`
-- below resolves it at call time — NOTE(review): this is the host's
-- convention, not a typo; confirm before changing it to `local`.
utils = require "utils"
-- detection logic
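--- Classify a DrSemu report directory.
-- Reads the first per-process JSON (dynamic trace) and the first static
-- report through the `utils` module and returns a verdict string.
-- @tparam string report_directory directory handed over by DrSemu
-- @treturn string "CLEAN" when nothing matches, otherwise a detection name
function check(report_directory)
  local status = "CLEAN"

  -- open the first JSON file and read content
  local first_dynamic = utils.get_first_process_json(report_directory)
  local first_static = utils.get_first_static(report_directory)

  --
  -- your code starts from here
  --

  -- static information (not used by the verdict below; kept as a template
  -- example of reading static fields). Guard every level of the lookup so a
  -- report without a "generic" section does not raise an index error.
  local is_x86 = false
  if first_static ~= nil and first_static.generic ~= nil then
    is_x86 = first_static.generic.is_x86
  end

  -- dynamic information
  if first_dynamic ~= nil then
    -- enumerate json: each entry is a table keyed by the hooked API name
    for _, win_func in pairs(first_dynamic) do
      -- Get information from a syscall, e.g. NtCreateUserProcess
      local call = win_func.NtCreateUserProcess
      -- "before" holds the pre-call argument snapshot; tolerate its absence
      local image_path = call and call.before and call.before.image_path
      if type(image_path) == "string" then
        -- Windows paths are case-insensitive, so match on a lowered copy;
        -- otherwise "DRSEMU_EICAR.EXE" would slip past a case-sensitive
        -- find. Plain find (4th arg true) treats the name as a literal.
        if image_path:lower():find("drsemu_eicar.exe", 1, true) then
          return "WIN32.EICAR.DR"
        end
      end
    end
  end

  return status
end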