From cf3fee1f2086993900a8a687d830c3c1f734cf5e Mon Sep 17 00:00:00 2001
From: blackorbird <137812951@qq.com>
Date: Wed, 3 Apr 2019 22:35:59 +0800
Subject: [PATCH] Create oceanlotus_png_loader.yar

---
 Oceanlotus/oceanlotus_png_loader.yar | 29 ++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 Oceanlotus/oceanlotus_png_loader.yar

diff --git a/Oceanlotus/oceanlotus_png_loader.yar b/Oceanlotus/oceanlotus_png_loader.yar
new file mode 100644
index 0000000..53c5ed2
--- /dev/null
+++ b/Oceanlotus/oceanlotus_png_loader.yar
@@ -0,0 +1,29 @@
+import “pe”
+rule OceanLotus_Steganography_Loader
+{
+ meta:
+ description = “OceanLotus Steganography Loader”
+ strings:
+ $data1 = “.?AVCBC_ModeBase@CryptoPP@@” ascii
+ condition:\
+ // Must be MZ file
+ uint16(0) == 0x5A4D and
+ // Must be smaller than 2MB
+ filesize < 2MB and
+ // Must be a DLL
+ pe.characteristics & pe.DLL and
+ // Must contain the following imports
+ pe.imports(“gdiplus.dll”, “GdipGetImageWidth”) and
+ pe.imports(“gdiplus.dll”, “GdipCreateBitmapFromFile”) and
+ pe.imports(“kernel32.dll”, “WriteProcessMemory”) and
+ // Check for strings in .data
+ for all of ($data*) :
+ (
+ $ in
+ (
+ pe.sections[pe.section_index(“.data”)].raw_data_offset
+ ..
+ pe.sections[pe.section_index(“.data”)].raw_data_offset + pe.sections[pe.section_index(“.data”)].raw_data_size
+ )
+ )
+}
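Review bot: The rule as committed will not compile: every string literal in the hunk, from `import “pe”` through the three `pe.imports(…)` calls and the `pe.section_index(“.data”)` lookups, uses typographic quotes (U+201C/U+201D) rather than ASCII `"`, and the `condition:\` line carries a stray trailing backslash. The fix is mechanical — ASCII-quote each literal and drop the backslash, e.g. `import "pe"` and `condition:` — but until it is applied the file fails to load and silently contributes nothing to a scan set. The `meta` block also lacks the usual `author`, `reference` and `date` fields; since `$data1` is a Crypto++ RTTI type name that plausibly appears in any DLL statically linking that library, the specificity of this rule rests on the gdiplus/WriteProcessMemory import combination, and a `reference` pointing at the analysis that motivated it would help reviewers judge the false-positive risk.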