update Metasploit 6.3.42-dev

thewhiteninja · Nov 7, 2023 · 1616a73 · 1616a73
1 parent 76c8039
commit 1616a73
Show file tree

Hide file tree

Showing 7 changed files with 1,227 additions and 36 deletions.
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1 @@
+.idea
diff --git a/README.md b/README.md
@@ -7,5 +7,7 @@
 
 YaraSploit is a collection of [Yara][1] rules generated from [Metasploit][2] framework shellcodes.
 
+Build from Metasploit 6.3.42 on Windows 10 19045.
+
 [1]: https://github.com/VirusTotal/yara
 [2]: https://www.metasploit.com/
diff --git a/api/advapi32.yar b/api/advapi32.yar
@@ -8297,6 +8297,24 @@ rule advapi32_LsaICLookupSidsWithCreds
 }
 
 
+rule advapi32_LsaInvokeTrustScanner
+{
+    meta:
+        desc = "Metasploit::API::advapi32::LsaInvokeTrustScanner"
+
+    /*
+        68E50FFA4D           | push 0x4dfa0fe5
+        FFD5                 | call ebp
+    */
+
+    strings:
+        $a   = { 68 e5 0f fa 4d ff d5 }
+
+    condition:
+        any of them
+}
+
+
 rule advapi32_LsaLookupNames
 {
     meta:
@@ -8621,6 +8639,24 @@ rule advapi32_LsaQueryForestTrustInformation
 }
 
 
+rule advapi32_LsaQueryForestTrustInformation2
+{
+    meta:
+        desc = "Metasploit::API::advapi32::LsaQueryForestTrustInformation2"
+
+    /*
+        6816542C68           | push 0x682c5416
+        FFD5                 | call ebp
+    */
+
+    strings:
+        $a   = { 68 16 54 2c 68 ff d5 }
+
+    condition:
+        any of them
+}
+
+
 rule advapi32_LsaQueryInfoTrustedDomain
 {
     meta:
@@ -8837,6 +8873,24 @@ rule advapi32_LsaSetForestTrustInformation
 }
 
 
+rule advapi32_LsaSetForestTrustInformation2
+{
+    meta:
+        desc = "Metasploit::API::advapi32::LsaSetForestTrustInformation2"
+
+    /*
+        686C443E36           | push 0x363e446c
+        FFD5                 | call ebp
+    */
+
+    strings:
+        $a   = { 68 6c 44 3e 36 ff d5 }
+
+    condition:
+        any of them
+}
+
+
 rule advapi32_LsaSetInformationPolicy
 {
     meta:

diff --git a/api/kernel32.yar b/api/kernel32.yar
@@ -1511,6 +1511,24 @@ rule kernel32_BasepCopyEncryption
 }
 
 
+rule kernel32_BasepFinishPackageActivationForSxS
+{
+    meta:
+        desc = "Metasploit::API::kernel32::BasepFinishPackageActivationForSxS"
+
+    /*
+        68E345A0F6           | push 0xf6a045e3
+        FFD5                 | call ebp
+    */
+
+    strings:
+        $a   = { 68 e3 45 a0 f6 ff d5 }
+
+    condition:
+        any of them
+}
+
+
 rule kernel32_BasepFreeActivationContextActivationBlock
 {
     meta:
@@ -1601,6 +1619,24 @@ rule kernel32_BasepGetExeArchType
 }
 
 
+rule kernel32_BasepGetPackageActivationTokenForSxS
+{
+    meta:
+        desc = "Metasploit::API::kernel32::BasepGetPackageActivationTokenForSxS"
+
+    /*
+        681F4C84A7           | push 0xa7844c1f
+        FFD5                 | call ebp
+    */
+
+    strings:
+        $a   = { 68 1f 4c 84 a7 ff d5 }
+
+    condition:
+        any of them
+}
+
+
 rule kernel32_BasepInitAppCompatData
 {
     meta:
@@ -2267,6 +2303,24 @@ rule kernel32_CheckForReadOnlyResourceFilter
 }
 
 
+rule kernel32_CheckIsMSIXPackage
+{
+    meta:
+        desc = "Metasploit::API::kernel32::CheckIsMSIXPackage"
+
+    /*
+        685DE9A487           | push 0x87a4e95d
+        FFD5                 | call ebp
+    */
+
+    strings:
+        $a   = { 68 5d e9 a4 87 ff d5 }
+
+    condition:
+        any of them
+}
+
+
 rule kernel32_CheckNameLegalDOS8Dot3A
 {
     meta:
@@ -16361,6 +16415,24 @@ rule kernel32_IsThreadpoolTimerSet
 }
 
 
+rule kernel32_IsUserCetAvailableInEnvironment
+{
+    meta:
+        desc = "Metasploit::API::kernel32::IsUserCetAvailableInEnvironment"
+
+    /*
+        683B629515           | push 0x1595623b
+        FFD5                 | call ebp
+    */
+
+    strings:
+        $a   = { 68 3b 62 95 15 ff d5 }
+
+    condition:
+        any of them
+}
+
+
 rule kernel32_IsValidCalDateTime
 {
     meta:
@@ -18251,24 +18323,6 @@ rule kernel32_NlsCheckPolicy
 }
 
 
-rule kernel32_NlsEventDataDescCreate
-{
-    meta:
-        desc = "Metasploit::API::kernel32::NlsEventDataDescCreate"
-
-    /*
-        683B5E54CB           | push 0xcb545e3b
-        FFD5                 | call ebp
-    */
-
-    strings:
-        $a   = { 68 3b 5e 54 cb ff d5 }
-
-    condition:
-        any of them
-}
-
-
 rule kernel32_NlsGetCacheUpdateCount
 {
     meta:
@@ -18323,24 +18377,6 @@ rule kernel32_NlsUpdateSystemLocale
 }
 
 
-rule kernel32_NlsWriteEtwEvent
-{
-    meta:
-        desc = "Metasploit::API::kernel32::NlsWriteEtwEvent"
-
-    /*
-        68489CD7D3           | push 0xd3d79c48
-        FFD5                 | call ebp
-    */
-
-    strings:
-        $a   = { 68 48 9c d7 d3 ff d5 }
-
-    condition:
-        any of them
-}
-
-
 rule kernel32_NormalizeString
 {
     meta:
@@ -20069,6 +20105,24 @@ rule kernel32_QueueUserAPC
 }
 
 
+rule kernel32_QueueUserAPC2
+{
+    meta:
+        desc = "Metasploit::API::kernel32::QueueUserAPC2"
+
+    /*
+        68A17524F4           | push 0xf42475a1
+        FFD5                 | call ebp
+    */
+
+    strings:
+        $a   = { 68 a1 75 24 f4 ff d5 }
+
+    condition:
+        any of them
+}
+
+
 rule kernel32_QueueUserWorkItem
 {
     meta:
@@ -24443,6 +24497,42 @@ rule kernel32_SetProcessDefaultCpuSets
 }
 
 
+rule kernel32_SetProcessDynamicEHContinuationTargets
+{
+    meta:
+        desc = "Metasploit::API::kernel32::SetProcessDynamicEHContinuationTargets"
+
+    /*
+        685914EA11           | push 0x11ea1459
+        FFD5                 | call ebp
+    */
+
+    strings:
+        $a   = { 68 59 14 ea 11 ff d5 }
+
+    condition:
+        any of them
+}
+
+
+rule kernel32_SetProcessDynamicEnforcedCetCompatibleRanges
+{
+    meta:
+        desc = "Metasploit::API::kernel32::SetProcessDynamicEnforcedCetCompatibleRanges"
+
+    /*
+        68340BF9DA           | push 0xdaf90b34
+        FFD5                 | call ebp
+    */
+
+    strings:
+        $a   = { 68 34 0b f9 da ff d5 }
+
+    condition:
+        any of them
+}
+
+
 rule kernel32_SetProcessInformation
 {
     meta: