[pull] master from kevoreilly:master

analyzer/windows/data/yara/Rhadamanthys.yar

@@ -11,3 +11,14 @@ rule Rhadamanthys
     condition:
         2 of them
 }
+
+rule RhadaAnti
+{
+    meta:
+        author = "kevoreilly"
+        cape_options = "bp0=$anti,action0=jmp,count=0,ntdll-protect=0,dump-limit=0"
+    strings:
+        $anti = {74 0E FF 75 ?? 8D 45 ?? 50 E8 [4] 59 59 8D 45 ?? 50 56 68 04 01 00 00}
+    condition:
+        all of them
+}

changelog.md

@@ -1,11 +1,16 @@
+### [03.11.2025]
+* Rhadamanthys:
+    * static config extraction - thanks @YungBinary
+    * anti-anti detonation bypass
+
 ### [22.10.2025]
+* Add monitor injection to previously unused RESUME: monitor message handler _handle_resume()
 * Remove obsolete 'suspended' parameter from PROCESS monitor message
 * Monitor updates:
     * WriteMemoryHandler: prevent analysis log spam for small PE writes
     * Cap per-process messages to prevent detonation slow-down & failure in e.g. 9f8333d81c13ea426953b758140836cff2cf7e7f32e36738f118c6257c6efd34
     * Experimental debugger action 'guard' to trap on guard violation
-    * (origin/capemon, origin/HEAD) YaraHarness: write rules canary detection to analysis log
-    * YaraHarness: simplify 'dump' option
+    * YaraHarness: write rules canary detection to analysis log & simplify 'dump' option
     * Deprecate Win7 wow64 breakpoint workaround
     * Implement Gemini suggestions from #111
     * Merge pull request #111 from StephanTLavavej/unordered_map

data/yara/CAPE/Rhadamanthys.yar

@@ -2,15 +2,31 @@ rule Rhadamanthys
 {
     meta:
         author = "kevoreilly, YungBinary"
-        description = "Rhadamanthys Loader"
-        cape_type = "Rhadamanthys Loader"
+        description = "Rhadamanthys Payload"
+        cape_type = "Rhadamanthys Payload"
     strings:
         $rc4 = {88 4C 01 08 41 81 F9 00 01 00 00 7C F3 89 75 08 33 FF 8B 4D 08 3B 4D 10 72 04 83 65 08 00}
         $code = {8B 4D FC 3B CF 8B C1 74 0D 83 78 04 02 74 1C 8B 40 1C 3B C7 75 F3 3B CF 8B C1 74 57 83 78 04 17 74 09 8B 40 1C 3B C7 75 F3 EB}
-        $conf = {46 BB FF 00 00 00 23 F3 0F B6 44 31 08 03 F8 23 FB 0F B6 5C 39 08 88 5C 31 08 88 44 39 08 02 C3 8B 5D 08 0F B6 C0 8A 44 08 08}
+        $conf_1 = {46 BB FF 00 00 00 23 F3 0F B6 44 31 08 03 F8 23 FB 0F B6 5C 39 08 88 5C 31 08 88 44 39 08 02 C3 8B 5D 08 0F B6 C0 8A 44 08 08}
+        $conf_2 = {0F B6 4F 2A 8D 77 2A 33 C0 6A 03 89 45 F8 89 45 FC 89 45 08 8B C1}
         $beef = {57 8D 44 33 FC 53 83 C6 FC 50 56 E8 [4] 83 C4 10 66 81 3F EF BE 0F 85}
-        $config_2 = {0F B6 4F 2A 8D 77 2A 33 C0 6A 03 89 45 F8 89 45 FC 89 45 08 8B C1}
-        $cape_string = "cape_options"
+        $anti = {50 68 [4] 68 [4] E8 [4] 83 C4 0C A3 [4] 85 C0 74}
+        $dnr = {99 52 50 8D 45 ?? 99 52 50 8B C7 99 52 50 8B C3 99 52 50}
+        $sys = {83 E4 F0 6A 33 E8 00 00 00 00 83 04 24 05 CB}
+    condition:
+        2 of them
+}
+
+rule RhadamanthysLoader
+{
+    meta:
+        author = "kevoreilly"
+        description = "Rhadamanthys Loader"
+        cape_type = "Rhadamanthys Loader"
+    strings:
+        $ref = {33 D2 B9 0B 00 00 00 F7 F1 B8 01 00 00 00 6B C8 00 8D 84 0D [4] 0F BE 0C 10 8B 95 [4] 03 95 [4] 0F B6 02 33 C1 8B 8D [4] 03 8D [4] 88 01}
+        $ntdll = {B9 6E 00 00 00 66 89 8D [4] BA 74 00 00 00 66 89 95 [4] B8 64 00 00 00 66 89 85 [4] B9 6C 00 00 00 66 89 8D [4] BA 6C 00 00 00 66 89 95}
+        $exit = {6A 00 6A 00 6A 00 6A 00 6A 00 6A 00 8B 95 [4] 52 8B 85 [4] 50 6A 00 68 FF FF 1F 00}
     condition:
-        2 of them and not $cape_string
+        2 of them
 }