feat: Added more yara detection rules for languages, compilers and envs

plugins/yara_rules/romfs/rules/compiler.yar

@@ -0,0 +1,40 @@
+rule CompilerMSVC {
+    meta:
+        category = "Compiler"
+        name = "MSVC"
+
+    strings:
+        $iostreams_mangled_name = "$basic_iostream@DU" ascii
+        $std_namespace = "@@std@@" ascii
+
+    condition:
+        any of them
+}
+
+rule CompilerGCC {
+    meta:
+        category = "Compiler"
+        name = "GCC"
+
+    strings:
+        $iostreams_mangled_name = "_ZSt4cout" ascii
+        $std_namespace = "_ZSt" ascii
+        $gcc_version = "GCC: (GNU) " ascii
+
+    condition:
+        2 of them
+}
+
+rule CompilerClang {
+    meta:
+        category = "Compiler"
+        name = "Clang"
+
+    strings:
+        $iostreams_mangled_name = "_ZSt4cout" ascii
+        $std_namespace = "_ZSt" ascii
+        $clang_version = "clang version " ascii
+
+    condition:
+        2 of them
+}

plugins/yara_rules/romfs/rules/environment.yar

@@ -0,0 +1,36 @@
+rule EnvironmentMingw {
+    meta:
+        category = "Environment"
+        name = "MinGW"
+
+    strings:
+        $mingw_runtime = "Mingw runtime failure" ascii
+        $mingw64_runtime = "Mingw-w64 runtime failure:" ascii fullword
+        $msys2 = "Built by MSYS2 project" ascii
+
+    condition:
+        2 of them
+}
+
+rule EnvironmentWin32 {
+    meta:
+        category = "Environment"
+        name = "Win32"
+
+    strings:
+        $kernel32 = "KERNEL32.dll" ascii
+        $user32 = "USER32.dll" ascii
+        $advapi32 = "ADVAPI32.dll" ascii
+        $ole32 = "OLE32.dll" ascii
+        $oleaut32 = "OLEAUT32.dll" ascii
+        $shell32 = "SHELL32.dll" ascii
+        $shlwapi = "SHLWAPI.dll" ascii
+        $comctl32 = "COMCTL32.dll" ascii
+        $comdlg32 = "COMDLG32.dll" ascii
+        $gdi32 = "GDI32.dll" ascii
+        $imm32 = "IMM32.dll" ascii
+        $msvcrt = "MSVCRT.dll" ascii
+
+    condition:
+        4 of them
+}

plugins/yara_rules/romfs/rules/language.yar

@@ -1,4 +1,4 @@
-rule CppExecutable {
+rule LanguageCpp {
     meta:
         category = "Programming Language"
         name = "C++"
@@ -11,15 +11,51 @@ rule CppExecutable {
         any of them
 }
 
-rule CppMSVC {
+rule LanguageC {
     meta:
-        category = "Compiler"
-        name = "MSVC"
+        category = "Programming Language"
+        name = "C++"
 
     strings:
-        $iostreams_mangled_name = "$basic_iostream@DU" ascii
-        $std_namespace = "@@std@@" ascii
+        $printf = "printf" ascii
+        $scanf = "scanf" ascii
+        $malloc = "malloc" ascii
+        $calloc = "calloc" ascii
+        $realloc = "realloc" ascii
+        $free = "free" ascii
 
     condition:
-        any of them and CppExecutable
+        any of them and not LanguageCpp
+}
+
+rule LanguageRust {
+    meta:
+        category = "Programming Language"
+        name = "Rust"
+
+    strings:
+        $option_unwrap = "called `Option::unwrap()` on a `None`" ascii
+        $result_unwrap = "called `Result::unwrap()` on an `Err`" ascii
+        $panic_1 = "panicked at" ascii
+        $panic_2 = "thread '' panicked at" ascii
+        $panic_3 = "thread panicked while processing panic. aborting." ascii
+        $panicking_file = "panicking.rs" ascii fullword
+
+    condition:
+        any of them
+}
+
+rule LanguageGo {
+    meta:
+        category = "Programming Language"
+        name = "Go"
+
+    strings:
+        $max_procs = "runtime.GOMAXPROCS" ascii fullword
+        $panic = "runtime.gopanic" ascii fullword
+        $go_root = "runtime.GOROOT" ascii fullword
+
+    condition:
+        any of them
+
 }