From 07b35de84450c68e59ee726fb529204d9853e795 Mon Sep 17 00:00:00 2001
From: Still Hsu
Date: Sat, 9 Nov 2024 12:03:39 +0800
Subject: [PATCH 1/4] Add krpt.dll
Signed-off-by: Still Hsu
---
yml/3rd_party/kingsoft/krpt.yml | 23 +++++++++++++++++++++++
1 file changed, 23 insertions(+)
create mode 100644 yml/3rd_party/kingsoft/krpt.yml
diff --git a/yml/3rd_party/kingsoft/krpt.yml b/yml/3rd_party/kingsoft/krpt.yml
new file mode 100644
index 0000000..3c50e17
--- /dev/null
+++ b/yml/3rd_party/kingsoft/krpt.yml
@@ -0,0 +1,23 @@
+---
+Name: krpt.dll
+Author: Still Hsu
+Created: 2024-11-09
+Vendor: Kingsoft
+ExpectedLocations:
+- '%ProgramFiles(x86)%\Kingsoft\WPS Office\%VERSION%\office6'
+VulnerableExecutables:
+- Path: '%ProgramFiles(x86)%\Kingsoft\WPS Office\%VERSION%\office6\wpp.exe'
+ Type: Sideloading
+ ExpectedVersionInformation:
+ - FileDescription: WPS Presentation
+ OriginalFilename: wpp.exe
+ ProductName: WPS Office
+ ExpectedSignatureInformation:
+ - Subject: CN="Zhuhai Kingsoft Office Software Co., Ltd.", O="Zhuhai Kingsoft Office Software Co., Ltd.", L=Zhuhai, S=Guangdong, C=CN
+ Issuer: CN=DigiCert Assured ID Code Signing CA-1, OU=www.digicert.com, O=DigiCert Inc, C=US
+ Type: Authenticode
+Resources:
+ - https://www.virustotal.com/gui/file/4957a62e019c30c0a79e4d2d4dd854f6e8f6e0aadb606e157525d98ee0ac5096
+Acknowledgements:
+ - Name: Still Hsu
+ Twitter: '@AzakaSekai_'
From cd4b497611f7bd627281c27de681c7b469d75f89 Mon Sep 17 00:00:00 2001
From: Wietze
Date: Sun, 10 Nov 2024 16:17:14 +0000
Subject: [PATCH 2/4] Update krpt.yml
---
yml/3rd_party/kingsoft/krpt.yml | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/yml/3rd_party/kingsoft/krpt.yml b/yml/3rd_party/kingsoft/krpt.yml
index 3c50e17..6462fc9 100644
--- a/yml/3rd_party/kingsoft/krpt.yml
+++ b/yml/3rd_party/kingsoft/krpt.yml
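Review bot: The new entry in patch 1/4 records signer and version details only for the host executable `wpp.exe`; nothing in it says what a genuine `krpt.dll` looks like. A defender matching a `krpt.dll` load against this entry can check the path but cannot tell a vendor-signed copy from a planted one. If the project's schema accepts expected signature or version details for the DLL itself, I would record them here; otherwise add a comment above `VulnerableExecutables:` such as `# signer/version of the genuine krpt.dll not recorded`. The `Resources` link would also benefit from a comment saying which file the VirusTotal hash refers to.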
@@ -4,20 +4,21 @@ Author: Still Hsu Created: 2024-11-09 Vendor: Kingsoft ExpectedLocations: -- '%ProgramFiles(x86)%\Kingsoft\WPS Office\%VERSION%\office6' +- '%PROGRAMFILES%\Kingsoft\WPS Office\%VERSION%\office6' VulnerableExecutables: -- Path: '%ProgramFiles(x86)%\Kingsoft\WPS Office\%VERSION%\office6\wpp.exe' +- Path: '%PROGRAMFILES%\Kingsoft\WPS Office\%VERSION%\office6\wpp.exe' Type: Sideloading ExpectedVersionInformation: - FileDescription: WPS Presentation OriginalFilename: wpp.exe ProductName: WPS Office ExpectedSignatureInformation: - - Subject: CN="Zhuhai Kingsoft Office Software Co., Ltd.", O="Zhuhai Kingsoft Office Software Co., Ltd.", L=Zhuhai, S=Guangdong, C=CN - Issuer: CN=DigiCert Assured ID Code Signing CA-1, OU=www.digicert.com, O=DigiCert Inc, C=US + - Subject: 'CN="Zhuhai Kingsoft Office Software Co., Ltd.", O="Zhuhai Kingsoft Office Software Co., Ltd.", L=Zhuhai, S=Guangdong, C=CN' + Issuer: 'CN=DigiCert Assured ID Code Signing CA-1, OU=www.digicert.com, O=DigiCert Inc, C=US' Type: Authenticode Resources: - https://www.virustotal.com/gui/file/4957a62e019c30c0a79e4d2d4dd854f6e8f6e0aadb606e157525d98ee0ac5096 + - https://www.virustotal.com/gui/file/57acd8566e6cc0526e99d0ba450c662b11a5f70b08bcfe0f326654d9f630a1f1 Acknowledgements: - Name: Still Hsu Twitter: '@AzakaSekai_' From 87f9e38d580636cc5d4f21534d07d9455140f8df Mon Sep 17 00:00:00 2001 From: Wietze Date: Sun, 10 Nov 2024 16:19:38 +0000 Subject: [PATCH 3/4] Making indents consistent --- yml/3rd_party/kingsoft/krpt.yml | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/yml/3rd_party/kingsoft/krpt.yml b/yml/3rd_party/kingsoft/krpt.yml index 6462fc9..608714c 100644 --- a/yml/3rd_party/kingsoft/krpt.yml +++ b/yml/3rd_party/kingsoft/krpt.yml 
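Review bot: `ExpectedLocations` in patch 2/4 still lists only the machine-wide `%PROGRAMFILES%\Kingsoft\WPS Office\%VERSION%\office6` directory. WPS Office can, as far as I know, also be installed per user under the local application-data directory; if that is confirmed, a detection built from this list would flag every legitimate load of `krpt.dll` from such an install as a hijack. Please verify, and if it holds add a second entry such as `- '%LOCALAPPDATA%\Kingsoft\WPS Office\%VERSION%\office6'`, so the list covers every place where the genuine DLL is expected.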
@@ -4,18 +4,18 @@ Author: Still Hsu Created: 2024-11-09 Vendor: Kingsoft ExpectedLocations: -- '%PROGRAMFILES%\Kingsoft\WPS Office\%VERSION%\office6' + - '%PROGRAMFILES%\Kingsoft\WPS Office\%VERSION%\office6' VulnerableExecutables: -- Path: '%PROGRAMFILES%\Kingsoft\WPS Office\%VERSION%\office6\wpp.exe' - Type: Sideloading - ExpectedVersionInformation: - - FileDescription: WPS Presentation - OriginalFilename: wpp.exe - ProductName: WPS Office - ExpectedSignatureInformation: - - Subject: 'CN="Zhuhai Kingsoft Office Software Co., Ltd.", O="Zhuhai Kingsoft Office Software Co., Ltd.", L=Zhuhai, S=Guangdong, C=CN' - Issuer: 'CN=DigiCert Assured ID Code Signing CA-1, OU=www.digicert.com, O=DigiCert Inc, C=US' - Type: Authenticode + - Path: '%PROGRAMFILES%\Kingsoft\WPS Office\%VERSION%\office6\wpp.exe' + Type: Sideloading + ExpectedVersionInformation: + - FileDescription: WPS Presentation + OriginalFilename: wpp.exe + ProductName: WPS Office + ExpectedSignatureInformation: + - Subject: 'CN="Zhuhai Kingsoft Office Software Co., Ltd.", O="Zhuhai Kingsoft Office Software Co., Ltd.", L=Zhuhai, S=Guangdong, C=CN' + Issuer: 'CN=DigiCert Assured ID Code Signing CA-1, OU=www.digicert.com, O=DigiCert Inc, C=US' + Type: Authenticode Resources: - https://www.virustotal.com/gui/file/4957a62e019c30c0a79e4d2d4dd854f6e8f6e0aadb606e157525d98ee0ac5096 - https://www.virustotal.com/gui/file/57acd8566e6cc0526e99d0ba450c662b11a5f70b08bcfe0f326654d9f630a1f1 From a4bb2a04a3b8f0fb760d9f0f09f5ddd2a7d8f312 Mon Sep 17 00:00:00 2001 From: Wietze Date: Sun, 10 Nov 2024 16:20:57 +0000 Subject: [PATCH 4/4] Update krpt.yml --- yml/3rd_party/kingsoft/krpt.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/yml/3rd_party/kingsoft/krpt.yml b/yml/3rd_party/kingsoft/krpt.yml index 608714c..e6f367c 100644 --- a/yml/3rd_party/kingsoft/krpt.yml +++ b/yml/3rd_party/kingsoft/krpt.yml 
@@ -13,7 +13,7 @@ VulnerableExecutables: OriginalFilename: wpp.exe ProductName: WPS Office ExpectedSignatureInformation: - - Subject: 'CN="Zhuhai Kingsoft Office Software Co., Ltd.", O="Zhuhai Kingsoft Office Software Co., Ltd.", L=Zhuhai, S=Guangdong, C=CN' + - Subject: 'CN="Zhuhai Kingsoft Office Software Co., Ltd.", O="Zhuhai Kingsoft Office Software Co., Ltd.", L=Zhuhai, S=Guangdong, C=CN' Issuer: 'CN=DigiCert Assured ID Code Signing CA-1, OU=www.digicert.com, O=DigiCert Inc, C=US' Type: Authenticode Resources: