windows-exe-decompiler-mcp-server 0.1.0

package/workers/yara_rules/default.yar

@@ -0,0 +1,33 @@
+/*
+    Default YARA Rule Set
+    
+    This is a basic rule set for testing purposes.
+    Contains simple rules to detect common patterns.
+*/
+
+rule Test_Rule
+{
+    meta:
+        description = "Test rule for YARA scanning"
+        author = "MCP Server"
+        date = "2024-01-01"
+        
+    strings:
+        $test_string = "This program cannot be run in DOS mode" ascii
+        
+    condition:
+        $test_string
+}
+
+rule PE_File
+{
+    meta:
+        description = "Detects PE files"
+        author = "MCP Server"
+        
+    strings:
+        $mz = "MZ"
+        
+    condition:
+        $mz at 0
+}

package/workers/yara_rules/malware_families.yar

@@ -0,0 +1,93 @@
+/*
+    Malware Families YARA Rule Set
+    
+    Rules to detect common malware families.
+    Note: These are simplified examples for testing purposes.
+*/
+
+rule Generic_Trojan
+{
+    meta:
+        description = "Generic trojan detection based on suspicious API calls"
+        author = "MCP Server"
+        severity = "high"
+        
+    strings:
+        $api1 = "CreateRemoteThread" ascii
+        $api2 = "VirtualAllocEx" ascii
+        $api3 = "WriteProcessMemory" ascii
+        $api4 = "OpenProcess" ascii
+        
+    condition:
+        uint16(0) == 0x5A4D and 3 of ($api*)
+}
+
+rule Suspicious_Network_Activity
+{
+    meta:
+        description = "Detects suspicious network-related strings"
+        author = "MCP Server"
+        severity = "medium"
+        
+    strings:
+        $url1 = /https?:\/\/[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/ ascii
+        $net1 = "InternetOpenA" ascii
+        $net2 = "InternetConnectA" ascii
+        $net3 = "HttpSendRequestA" ascii
+        
+    condition:
+        uint16(0) == 0x5A4D and ($url1 or 2 of ($net*))
+}
+
+rule Keylogger_Indicators
+{
+    meta:
+        description = "Detects potential keylogger behavior"
+        author = "MCP Server"
+        severity = "high"
+        
+    strings:
+        $key1 = "GetAsyncKeyState" ascii
+        $key2 = "GetKeyState" ascii
+        $key3 = "SetWindowsHookEx" ascii
+        $key4 = "WH_KEYBOARD" ascii
+        
+    condition:
+        uint16(0) == 0x5A4D and 2 of ($key*)
+}
+
+rule Ransomware_Indicators
+{
+    meta:
+        description = "Detects potential ransomware indicators"
+        author = "MCP Server"
+        severity = "critical"
+        
+    strings:
+        $ransom1 = "encrypted" nocase ascii
+        $ransom2 = "bitcoin" nocase ascii
+        $ransom3 = "decrypt" nocase ascii
+        $ransom4 = "ransom" nocase ascii
+        $crypto1 = "CryptEncrypt" ascii
+        $crypto2 = "CryptAcquireContext" ascii
+        
+    condition:
+        uint16(0) == 0x5A4D and (2 of ($ransom*) and 1 of ($crypto*))
+}
+
+rule Persistence_Mechanism
+{
+    meta:
+        description = "Detects persistence mechanisms"
+        author = "MCP Server"
+        severity = "medium"
+        
+    strings:
+        $reg1 = "Software\\Microsoft\\Windows\\CurrentVersion\\Run" ascii
+        $reg2 = "HKEY_LOCAL_MACHINE" ascii
+        $svc1 = "CreateServiceA" ascii
+        $svc2 = "OpenSCManagerA" ascii
+        
+    condition:
+        uint16(0) == 0x5A4D and (any of ($reg*) or any of ($svc*))
+}

package/workers/yara_rules/packers.yar

@@ -0,0 +1,80 @@
+/*
+    Packers YARA Rule Set
+    
+    Rules to detect common packers and protectors.
+*/
+
+rule UPX_Packer
+{
+    meta:
+        description = "Detects UPX packer"
+        author = "MCP Server"
+        reference = "https://upx.github.io/"
+        
+    strings:
+        $upx1 = "UPX0" ascii
+        $upx2 = "UPX1" ascii
+        $upx3 = "UPX!" ascii
+        
+    condition:
+        uint16(0) == 0x5A4D and any of ($upx*)
+}
+
+rule Themida_Packer
+{
+    meta:
+        description = "Detects Themida/WinLicense packer"
+        author = "MCP Server"
+        
+    strings:
+        $themida1 = "Themida" ascii
+        $themida2 = "WinLicense" ascii
+        $themida3 = { 8B 45 ?? 8B 4D ?? 51 50 E8 }
+        
+    condition:
+        uint16(0) == 0x5A4D and any of ($themida*)
+}
+
+rule VMProtect_Packer
+{
+    meta:
+        description = "Detects VMProtect packer"
+        author = "MCP Server"
+        
+    strings:
+        $vmp1 = ".vmp0" ascii
+        $vmp2 = ".vmp1" ascii
+        $vmp3 = "VMProtect" ascii
+        
+    condition:
+        uint16(0) == 0x5A4D and any of ($vmp*)
+}
+
+rule ASPack_Packer
+{
+    meta:
+        description = "Detects ASPack packer"
+        author = "MCP Server"
+        
+    strings:
+        $aspack1 = "ASPack" ascii
+        $aspack2 = ".aspack" ascii
+        $aspack3 = { 60 E8 00 00 00 00 5D }
+        
+    condition:
+        uint16(0) == 0x5A4D and any of ($aspack*)
+}
+
+rule PECompact_Packer
+{
+    meta:
+        description = "Detects PECompact packer"
+        author = "MCP Server"
+        
+    strings:
+        $pec1 = "PECompact2" ascii
+        $pec2 = "PEC2" ascii
+        
+    condition:
+        uint16(0) == 0x5A4D and any of ($pec*)
+}