
YARA - FOLLOWING FALLCHILL'S E8 CALL

2022-07-31, Xorhex
https://blog.xorhex.com/blog/yarafollowingfallchills_e8_call/
#FALLCHILL

YARA - Following FALLCHILL's E8 Call
Following a near relative call address
Summary
This article covers how to follow a near relative call instruction (opcode 0xE8) in YARA.
TL;DR
Calculation:
    Address of the instruction following the call instruction + the int32 value passed to the 0xE8 opcode == Function Start Address
Near Relative Call - Explained
The 0xE8 instruction is defined on c9x as "Call near, relative, displacement relative to next instruction". This means that the displacement passed to the call instruction is added to the address of the instruction following the call in order to calculate the location of the function being called.
Let’s demonstrate how this call is resolved using the following code snippet from this x86 FALLCHILL sample:
d8af45210bf931bc5b03215ed30fb731e067e91f25eda02a404bd55169e3e3c3
.text:1000107D E8 DE 0C 00 00    call sub_10001D60
.text:10001082 83 C4 0C          add esp, 0Ch
The value 0xCDE is passed to the call instruction, so to find the location of this function we just add 0xCDE to 0x10001082, which resolves to 0x10001D60.
YARA
Now let’s translate these steps to YARA. First create …

IoC

d8af45210bf931bc5b03215ed30fb731e067e91f25eda02a404bd55169e3e3c3
import "console"

rule follow_the_fallchill_call
{
    /*
    0x10001030 C645EC78       mov byte ptr [ebp - 0x14], 0x78
    0x10001034 C645ED29       mov byte ptr [ebp - 0x13], 0x29
    0x10001038 C645EE2E       mov byte ptr [ebp - 0x12], 0x2e
    0x1000103c C645EF4C       mov byte ptr [ebp - 0x11], 0x4c
    0x10001040 C645F05D       mov byte ptr [ebp - 0x10], 0x5d
    0x10001044 C645F1A3       mov byte ptr [ebp - 0xf], 0xa3
    0x10001048 C645F2B5       mov byte ptr [ebp - 0xe], 0xb5
    0x1000104c C645F3D0       mov byte ptr [ebp - 0xd], 0xd0
    0x10001050 C645F467       mov byte ptr [ebp - 0xc], 0x67
    0x10001054 C645F5F0       mov byte ptr [ebp - 0xb], 0xf0
    0x10001058 C645F681       mov byte ptr [ebp - 0xa], 0x81
    0x1000105c C645F7B7       mov byte ptr [ebp - 9], 0xb7
    0x10001060 C645F836       mov byte ptr [ebp - 8], 0x36
    0x10001064 C645F9E5       mov byte ptr [ebp - 7], 0xe5
    0x10001068 C645FAD5       mov byte ptr [ebp - 6], 0xd5
    0x1000106c C645FB93       mov byte ptr [ebp - 5], 0x93
    0x10001070 6A10           push 0x10
    0x10001072 8D4DEC         lea ecx, [ebp - 0x14]
    0x10001075 51             push ecx
    0x10001076 8D95E8FEFFFF   lea edx, [ebp - 0x118]
    0x1000107c 52             push edx
    0x1000107d E8DE0C0000     call 0x10001d60
    */
    strings:
        // the 16 "mov byte ptr [ebp - x], imm8" stack writes, the three pushes and the E8 call
        $call_instr = {
            C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ??
            C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ??
            C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ??
            C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ??
            6A ??
            8D 4D ??
            51
            8D 95 ?? ?? ?? ??
            52
            E8 ?? ?? ?? ??
        }
        // cmp dword ptr [ebp - x], 0x100, expected near the start of the called function
        $cmp = { 81 7D ?? 00 01 00 00 }
    condition:
        // @call_instr + !call_instr is the offset of the instruction following the call;
        // the signed int32 read from the four bytes before it is the E8 displacement
        console.hex("Relative offset to function address: ", int32(@call_instr + !call_instr - 4)) and
        console.hex("Next Instruction Address: ", @call_instr + !call_instr) and
        console.hex("Start of Function: ", @call_instr + !call_instr + int32(@call_instr + !call_instr - 4)) and
        $cmp in (@call_instr + !call_instr + int32(@call_instr + !call_instr - 4)..@call_instr + !call_instr + int32(@call_instr + !call_instr - 4) + 32)
}
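The same resolution carried out in Python, as an added example that is not part of the post or of the YARA rule above: it translates the rule's two hex strings into byte regexes, reads the signed 32-bit displacement after the E8 and adds it to the next-instruction offset, then applies the rule's `$cmp in (start..start+32)` check. The input bytes are constructed from the listing in the rule's comment, and a second constructed buffer shows a backward call (negative displacement), which works because int32() is signed; the function and constant names are my own.

```python
import re
import struct

# Constructed from the disassembly in the rule's comment block: the 82 bytes at
# VA 0x10001030 up to and including the E8 call (x86 FALLCHILL sample).
LISTING_BASE = 0x10001030
LISTING = bytes.fromhex(
    "C645EC78 C645ED29 C645EE2E C645EF4C C645F05D C645F1A3 C645F2B5 C645F3D0 "
    "C645F467 C645F5F0 C645F681 C645F7B7 C645F836 C645F9E5 C645FAD5 C645FB93 "
    "6A10 8D4DEC 51 8D95E8FEFFFF 52 E8DE0C0000"
)

CALL_INSTR = re.compile(          # $call_instr from the rule; ?? becomes . (DOTALL)
    rb"(?:\xC6\x45..){16}"        # 16 x mov byte ptr [ebp - imm8], imm8
    rb"\x6A."                     # push imm8
    rb"\x8D\x4D."                 # lea ecx, [ebp - imm8]
    rb"\x51"                      # push ecx
    rb"\x8D\x95...."              # lea edx, [ebp - imm32]
    rb"\x52"                      # push edx
    rb"\xE8....",                 # call rel32 (E8 + signed 32-bit displacement)
    re.DOTALL,
)
CMP_INSTR = re.compile(rb"\x81\x7D.\x00\x01\x00\x00", re.DOTALL)  # $cmp: cmp [ebp-x], 0x100

def resolve_near_call(data, base=0):
    """(next_instr, displacement, target) per match, mirroring the condition:
    target = (@call_instr + !call_instr) + int32(@call_instr + !call_instr - 4).
    base is the address of data[0]; 0 gives file offsets, as YARA's @ does."""
    hits = []
    for m in CALL_INSTR.finditer(data):
        nxt = m.end()                                     # @ + !
        disp = struct.unpack("<i", data[nxt - 4:nxt])[0]  # int32(): signed, little-endian
        hits.append((base + nxt, disp, base + nxt + disp))
    return hits

def call_targets_checked_function(data):
    """The rule's `$cmp in (target..target+32)`: the cmp must start within
    32 bytes of the resolved function start (endpos covers a 7-byte match)."""
    for _, _, target in resolve_near_call(data):
        if 0 <= target < len(data) and CMP_INSTR.search(data, target, target + 39):
            return True
    return False

# Constructed backward-call layout: the callee (cmp ...; ret) sits at offset 0 and
# the prologue plus call follow it, so the E8 displacement is negative.
CALLEE = bytes.fromhex("817DF800010000 C3")

def constructed_backward_sample():
    next_instr = len(CALLEE) + len(LISTING[:-5]) + 5      # LISTING[:-5] drops the E8
    return CALLEE + LISTING[:-5] + b"\xE8" + struct.pack("<i", -next_instr)
```

Both the rule and this script work on file offsets (YARA's `@` is a file offset, not a virtual address), which yields the right target as long as the call and the called function lie in the same PE section, since the difference between file offset and VA is constant within a section.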