Hi everybody,
I have the custom detection for RAR; I created a RAR.fgi using the Analyzer utility, but I don't know how to import (use) it in DLP.
Can someone help me, please? :(
Thank you so much!
Title
Scripts for custom file type detection of password-protected WinRAR and 7-Zip files
Issue
Scripts for custom file type detection of password-protected WinRAR and 7-Zip files
Solution
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
WinRAR, password protected (file names not encrypted)
$First4rarTag=getHexStringValue('52617221');
$First4rarBytes=getBinaryValueAt($data, 0x0, 4);
assertTrue($First4rarTag == $First4rarBytes);
$Second3rarTag=getHexStringValue('1A0700');
$Second3rarBytes=getBinaryValueAt($data, 0x4, 3);
assertTrue($Second3rarTag == $Second3rarBytes);
$EncryptedrarTag=getHexStringValue('80');
$EncryptedrarBytes=getBinaryValueAt($data, 0xA, 1);
$FileHeaderFlags = getBinaryValueAt($data, 0x18, 1);
$modedValue = mod($FileHeaderFlags, 8);
if ($modedValue >=4)
{
assertTrue($modedValue >= 4);
}
else
{
assertTrue($EncryptedrarBytes == $EncryptedrarTag);
}
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
7-Zip, password protected
$First7zipTag=getHexStringValue('377ABCAF');
$First7zipBytes=getBinaryValueAt($data, 0x0, 4);
assertTrue($First7zipTag == $First7zipBytes);
$Second7zipTag=getHexStringValue('271C0003');
$Second7zipBytes=getBinaryValueAt($data, 0x4, 4);
assertTrue($Second7zipTag == $Second7zipBytes);
$Encrypted7zipTag=getHexStringValue('00000000');
$Encrypted7zipBytes=getBinaryValueAt($data, 0x10, 4);
assertTrue($Encrypted7zipTag == $Encrypted7zipBytes);
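The two scripts above test fixed byte offsets, so it helps to know what lives at those offsets and to classify a sample archive locally before deploying the .fgi. The Python below is an added example, not the DLP scripting language and not Forcepoint's code; the function names and the sample byte strings are mine, and the sample headers are constructed minimal fragments rather than real archives. The layout it follows is the published one. In a RAR 4.x file the 7-byte marker is followed by the 13-byte MAIN_HEAD, whose 16-bit little-endian flags sit at 0x0A (0x0080 = MHD_PASSWORD, headers and therefore file names encrypted), then the first FILE_HEAD at 0x14 with its flags at 0x17-0x18 (0x0004 = LHD_PASSWORD in the low byte; the KB script reads the high byte at 0x18, where bit 0x04 is LHD_SALT, which RAR 3.x sets alongside the password flag). In a 7z file the 6-byte signature is followed by the major.minor version (the KB pins 0.03; current 7-Zip writes 0.04), a CRC, and at 0x0C the NextHeaderOffset/NextHeaderSize/NextHeaderCRC start header. Bytes 0x10-0x13, which the KB compares against 00000000, are the upper half of NextHeaderOffset, so they are zero for any archive under 4 GiB whether or not it is encrypted; the signal that is visible without decoding the header is the 7zAES coder id 06F10701 in the descriptor of a kEncodedHeader (0x17), which is what an archive created with header encryption exposes. The block also ports both KB scripts literally so the two results can be compared side by side.

```python
"""Byte-level checks for password-protected RAR 4.x and 7z archives.

Added example, not the DLP script language of the KB above: it reads the
header fields the two scripts probe, following the published RAR 4.x and 7z
layouts, so a sample file can be classified locally before the .fgi goes live.
"""
import struct

RAR4_SIG = b"Rar!\x1a\x07\x00"       # 52 61 72 21 1A 07 00
SEVENZ_SIG = b"7z\xbc\xaf\x27\x1c"    # 37 7A BC AF 27 1C
MHD_PASSWORD = 0x0080  # RAR MAIN_HEAD flag: headers, hence file names, encrypted
MHD_SOLID = 0x0008     # RAR MAIN_HEAD flag: solid archive
LHD_PASSWORD = 0x0004  # RAR FILE_HEAD flag: file data encrypted
LHD_SALT = 0x0400      # RAR FILE_HEAD flag: salt present (accompanies a password)
SEVENZ_AES_ID = b"\x06\xf1\x07\x01"   # 7zAES coder id as it appears in a 7z header


def rar4_protection(data: bytes) -> str:
    """Classify a RAR 4.x archive as 'headers', 'data' or 'none'."""
    if data[:7] != RAR4_SIG:
        raise ValueError("not a RAR 4.x archive")
    # MAIN_HEAD follows the marker at 0x07: CRC(2) TYPE(1) FLAGS(2) SIZE(2) ...
    if data[9] != 0x73:
        raise ValueError("block after the marker is not MAIN_HEAD")
    main_flags, main_size = struct.unpack_from("<HH", data, 0x0A)
    if main_flags & MHD_PASSWORD:
        return "headers"  # every later block is encrypted; do not parse further
    # First file block starts at 7 + main_size (0x14 for the usual 13-byte
    # MAIN_HEAD, which is the fixed offset the KB script relies on).
    off = 7 + main_size
    block_flags = struct.unpack_from("<H", data, off + 3)[0]
    if data[off + 2] == 0x74 and block_flags & LHD_PASSWORD:
        return "data"
    return "none"


def sevenz_protection(data: bytes) -> str:
    """Classify a 7z archive as 'headers', 'data', 'none' or 'unknown'."""
    if data[:6] != SEVENZ_SIG or data[6] != 0:
        raise ValueError("not a 7z archive with major version 0")
    # Start header at 0x0C: NextHeaderOffset(8) NextHeaderSize(8) NextHeaderCRC(4);
    # the offset counts from the end of this 32-byte signature header.
    next_off, next_size, _crc = struct.unpack_from("<QQI", data, 0x0C)
    header = data[32 + next_off : 32 + next_off + next_size]
    if len(header) != next_size:
        raise ValueError("truncated archive")
    if header[:1] == b"\x17":  # kEncodedHeader: the real header is packed
        # Only a header encrypted with 7zAES names the coder in the clear;
        # a merely compressed header hides whether the entries are encrypted.
        return "headers" if SEVENZ_AES_ID in header else "unknown"
    if header[:1] == b"\x01":  # kHeader: plain header, coder ids readable
        return "data" if SEVENZ_AES_ID in header else "none"
    raise ValueError("unrecognised header id")


def kb_rar_script(data: bytes) -> bool:
    """Literal port of the KB RAR script, same fixed offsets and comparisons."""
    if data[0:4] != b"\x52\x61\x72\x21" or data[4:7] != b"\x1a\x07\x00":
        return False
    if data[0x18] % 8 >= 4:   # bit 0x04 of the high FILE_HEAD flag byte (LHD_SALT)
        return True
    return data[0x0A] == 0x80  # whole-byte equality, so MHD_SOLID | MHD_PASSWORD fails


def kb_7z_script(data: bytes) -> bool:
    """Literal port of the KB 7-Zip script; bytes 0x10-0x13 are the upper half
    of NextHeaderOffset, which is zero for every archive under 4 GiB."""
    return (data[0:4] == b"\x37\x7a\xbc\xaf" and data[4:8] == b"\x27\x1c\x00\x03"
            and data[0x10:0x14] == b"\x00\x00\x00\x00")


def make_rar4(main_flags: int, file_flags: int) -> bytes:
    """Constructed RAR 4.x prefix: marker, 13-byte MAIN_HEAD, start of a FILE_HEAD."""
    main_head = b"\x00\x00\x73" + struct.pack("<HH", main_flags, 13) + b"\x00" * 6
    file_head = b"\x00\x00\x74" + struct.pack("<H", file_flags) + b"\x00" * 10
    return RAR4_SIG + main_head + file_head


def make_7z(header: bytes, minor: int = 4) -> bytes:
    """Constructed 7z file: signature header, 16 bytes of packed data, then header."""
    packed = b"\x00" * 16
    start = struct.pack("<QQI", len(packed), len(header), 0)  # CRCs left at 0
    return SEVENZ_SIG + bytes([0, minor]) + b"\x00" * 4 + start + packed + header


# Constructed headers: only the leading id byte and the coder id are consulted.
PLAIN_7Z_HEADER = b"\x01\x04\x06\x00\x01\x0b\x01\x00\x01\x03\x01\x01\x00\x00"
DATA_ENC_7Z_HEADER = b"\x01\x04\x06\x00\x01\x0b\x01\x00\x01\x04" + SEVENZ_AES_ID + b"\x00"
PACKED_7Z_HEADER = b"\x17\x06\x00\x01\x0b\x01\x00\x01\x03\x01\x01\x00"
ENC_7Z_HEADER = b"\x17\x06\x00\x01\x0b\x01\x00\x01\x04" + SEVENZ_AES_ID + b"\x00"

if __name__ == "__main__":
    for name, blob in [("rar plain", make_rar4(0, 0)),
                       ("rar data encrypted", make_rar4(0, LHD_PASSWORD | LHD_SALT)),
                       ("rar headers encrypted", make_rar4(MHD_PASSWORD, 0))]:
        print(name, rar4_protection(blob), kb_rar_script(blob))
    for name, blob in [("7z plain", make_7z(PLAIN_7Z_HEADER)),
                       ("7z headers encrypted", make_7z(ENC_7Z_HEADER))]:
        print(name, sevenz_protection(blob), kb_7z_script(blob))
```

To check a real file, pass `open(path, "rb").read()` to `rar4_protection` or `sevenz_protection` and compare with the `kb_*` port. Two differences worth knowing before relying on the KB offsets: the RAR script compares the byte at 0x0A for equality with 0x80, so a solid archive with encrypted names (0x88 there) is not matched, and the 7-Zip script matches any 0.03 archive under 4 GiB regardless of encryption while rejecting 0.04 archives on the version bytes alone.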