A NOP sled is a sequence of no-operation (NOP) instructions commonly used when exploiting buffer overflow vulnerabilities. These rules hunt for runs of 8, 16, and 32 consecutive NOP (0x90) bytes; I have no idea if this is actually an effective method of identifying exploit binaries!
// Hunt rule: fires on any file smaller than 5 MB that contains a run of
// eight consecutive 0x90 bytes (the single-byte x86 NOP).
//
// This is the shortest of the three NOP-sled lengths in this set, so every
// file matched by the 16- and 32-byte variants also matches here.
// NOTE(review): 0x90 is also used as alignment padding in compiled x86 code,
// so expect benign hits; treat matches as hunting leads, not detections.
rule HUNT_nopsled_8 {
    meta:
        description = "Matches 8 repeated no-operation hex bytes - 0x90"
        last_modified = "2024-02-18"
        author = "@petermstewart"
        DaysofYara = "49/100"
    strings:
        // eight consecutive NOP bytes, expressed as a byte regex with a
        // fixed repetition count instead of a spelled-out hex string
        $nops = /\x90{8}/
    condition:
        $nops and filesize < 5MB
}
// Hunt rule: fires on any file smaller than 5 MB that contains a run of
// sixteen consecutive 0x90 bytes (the single-byte x86 NOP).
//
// Any file matched here is also matched by the 8-byte variant, so the two
// rules alert together; only the 32-byte variant is strictly narrower.
// NOTE(review): long 0x90 runs also occur as padding in legitimate x86
// binaries; review matches rather than treating them as verdicts.
rule HUNT_nopsled_16 {
    meta:
        description = "Matches 16 repeated no-operation hex bytes - 0x90"
        last_modified = "2024-02-18"
        author = "@petermstewart"
        DaysofYara = "49/100"
    strings:
        // sixteen consecutive NOP bytes as a byte regex with a fixed count
        $nops = /\x90{16}/
    condition:
        $nops and filesize < 5MB
}
// Hunt rule: fires on any file smaller than 5 MB that contains a run of
// thirty-two consecutive 0x90 bytes (the single-byte x86 NOP).
//
// This is the narrowest of the three NOP-sled rules; any file it matches
// is also matched by the 8- and 16-byte variants.
// NOTE(review): 0x90 runs are not exclusive to exploit payloads (padding in
// compiled x86 code is a known source of benign hits), so triage matches.
rule HUNT_nopsled_32 {
    meta:
        description = "Matches 32 repeated no-operation hex bytes - 0x90"
        last_modified = "2024-02-18"
        author = "@petermstewart"
        DaysofYara = "49/100"
    strings:
        // thirty-two consecutive NOP bytes as a byte regex with a fixed count
        $nops = /\x90{32}/
    condition:
        $nops and filesize < 5MB
}
Find the rest of my 100DaysofYARA posts here, and the rules themselves on my Github repository.