708 lines
58 KiB
Plaintext
708 lines
58 KiB
Plaintext
|
|
rule _#PUA_Block_2345Cn{
|
|
meta:
|
|
description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,06 00 06 00 06 00 00 01 00 "
|
|
|
|
strings :
|
|
$a_80_0 = {32 33 34 35 4d 69 6e 69 50 61 67 65 } //2345MiniPage 01 00
|
|
$a_80_1 = {32 33 34 35 50 69 6e 79 69 6e } //2345Pinyin 01 00
|
|
$a_80_2 = {53 4f 46 54 57 41 52 45 5c 32 33 34 35 2e 63 6f 6d } //SOFTWARE\2345.com 01 00
|
|
$a_80_3 = {32 33 34 35 4d 69 6e 69 50 61 67 65 2e 70 64 62 } //2345MiniPage.pdb 01 00
|
|
$a_80_4 = {75 70 64 61 74 65 72 5f 61 75 74 6f } //updater_auto 01 00
|
|
$a_80_5 = {32 33 34 35 50 43 53 61 66 65 42 6f 6f 74 41 73 73 69 73 74 61 6e 74 2e 65 78 65 } //2345PCSafeBootAssistant.exe 00 00
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
}
|
|
rule _#PUA_Block_2345Cn_2{
|
|
meta:
|
|
description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,05 00 05 00 04 00 00 02 00 "
|
|
|
|
strings :
|
|
$a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } //Execute 2345Pinyin MiniPage Task 02 00
|
|
$a_00_1 = {5c 62 69 6e 5c 57 69 6e 33 32 5c 52 65 6c 65 61 73 65 5c 70 64 62 5c 32 33 34 35 50 69 63 54 6f 6f 6c 2e 70 64 62 } //01 00 \bin\Win32\Release\pdb\2345PicTool.pdb
|
|
$a_00_2 = {52 00 43 00 50 00 69 00 63 00 5f 00 50 00 6f 00 70 00 75 00 70 00 5f 00 54 00 6f 00 6f 00 6c 00 } //01 00 RCPic_Popup_Tool
|
|
$a_00_3 = {2f 00 70 00 69 00 63 00 5f 00 72 00 65 00 61 00 6c 00 74 00 69 00 6d 00 65 00 2f 00 69 00 6e 00 64 00 65 00 78 00 2e 00 70 00 68 00 70 00 } //00 00 /pic_realtime/index.php
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
}
|
|
rule _#PUA_Block_2345Cn_3{
|
|
meta:
|
|
description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,06 00 06 00 07 00 00 01 00 "
|
|
|
|
strings :
|
|
$a_80_0 = {32 33 34 35 4d 69 6e 69 50 61 67 65 } //2345MiniPage 01 00
|
|
$a_80_1 = {4d 69 6e 69 44 75 6d 70 57 72 69 74 65 44 75 6d 70 } //MiniDumpWriteDump 01 00
|
|
$a_80_2 = {4d 69 6e 69 50 61 67 65 4d 61 69 6e } //MiniPageMain 01 00
|
|
$a_80_3 = {75 70 64 61 74 65 2e 6d 69 6e 69 70 61 67 65 2e 32 33 34 35 2e 63 63 } //update.minipage.2345.cc 01 00
|
|
$a_80_4 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } //Execute 2345Pinyin MiniPage Task 01 00
|
|
$a_80_5 = {2f 6d 69 6e 69 70 61 67 65 2f 69 6e 64 65 78 2e 70 68 70 } ///minipage/index.php 01 00
|
|
$a_80_6 = {5c 32 33 34 35 4d 69 6e 69 50 61 67 65 2e 70 64 62 } //\2345MiniPage.pdb 00 00
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
}
|
|
rule _#PUA_Block_2345Cn_4{
|
|
meta:
|
|
description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 04 00 00 03 00 "
|
|
|
|
strings :
|
|
$a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } //Execute 2345Pinyin MiniPage Task 02 00
|
|
$a_00_1 = {49 00 6e 00 74 00 65 00 72 00 6e 00 61 00 6c 00 4e 00 61 00 6d 00 65 00 00 00 32 00 33 00 34 00 35 00 50 00 69 00 63 00 53 00 76 00 63 00 } //02 00
|
|
$a_00_2 = {2d 00 2d 00 66 00 72 00 6f 00 6d 00 3d 00 70 00 69 00 63 00 5f 00 73 00 65 00 72 00 76 00 69 00 63 00 65 00 } //02 00 --from=pic_service
|
|
$a_00_3 = {5c 62 69 6e 5c 57 69 6e 33 32 5c 52 65 6c 65 61 73 65 5c 70 64 62 5c 32 33 34 35 50 69 63 53 76 63 2e 70 64 62 } //00 00 \bin\Win32\Release\pdb\2345PicSvc.pdb
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
}
|
|
rule _#PUA_Block_2345Cn_5{
|
|
meta:
|
|
description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 04 00 00 02 00 "
|
|
|
|
strings :
|
|
$a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } //Execute 2345Pinyin MiniPage Task 01 00
|
|
$a_00_1 = {49 00 6e 00 74 00 65 00 72 00 6e 00 61 00 6c 00 4e 00 61 00 6d 00 65 00 00 00 32 00 33 00 34 00 35 00 50 00 69 00 63 00 4c 00 6f 00 61 00 64 00 65 00 72 00 } //01 00
|
|
$a_00_2 = {6d 69 6e 69 70 61 67 65 5f 77 69 6e 64 6f 77 5f 70 75 73 68 } //01 00 minipage_window_push
|
|
$a_00_3 = {3a 5c 7a 68 61 6e 6c 75 65 5c 72 63 69 6d 61 67 65 5c 62 69 6e 5c 57 69 6e 33 32 5c 52 65 6c 65 61 73 65 5c 70 64 62 5c 32 33 34 35 50 69 63 4c 6f 61 64 65 72 2e 70 64 62 } //00 00 :\zhanlue\rcimage\bin\Win32\Release\pdb\2345PicLoader.pdb
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
}
|
|
rule _#PUA_Block_2345Cn_6{
|
|
meta:
|
|
description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 04 00 00 02 00 "
|
|
|
|
strings :
|
|
$a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } //Execute 2345Pinyin MiniPage Task 01 00
|
|
$a_00_1 = {49 00 6e 00 74 00 65 00 72 00 6e 00 61 00 6c 00 4e 00 61 00 6d 00 65 00 00 00 32 00 33 00 34 00 35 00 50 00 69 00 63 00 55 00 70 00 64 00 61 00 74 00 65 00 } //01 00
|
|
$a_00_2 = {6d 69 6e 69 70 61 67 65 5f 77 69 6e 64 6f 77 5f 70 75 73 68 } //01 00 minipage_window_push
|
|
$a_00_3 = {3a 5c 7a 68 61 6e 6c 75 65 5c 72 63 69 6d 61 67 65 5c 62 69 6e 5c 57 69 6e 33 32 5c 52 65 6c 65 61 73 65 5c 70 64 62 5c 32 33 34 35 50 69 63 55 70 64 61 74 65 2e 70 64 62 } //00 00 :\zhanlue\rcimage\bin\Win32\Release\pdb\2345PicUpdate.pdb
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
}
|
|
rule _#PUA_Block_2345Cn_7{
|
|
meta:
|
|
description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 04 00 00 03 00 "
|
|
|
|
strings :
|
|
$a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } //Execute 2345Pinyin MiniPage Task 02 00
|
|
$a_00_1 = {49 00 6e 00 74 00 65 00 72 00 6e 00 61 00 6c 00 4e 00 61 00 6d 00 65 00 00 00 32 00 33 00 34 00 35 00 53 00 68 00 65 00 6c 00 6c 00 50 00 72 00 6f 00 } //02 00
|
|
$a_00_2 = {2d 00 2d 00 69 00 73 00 49 00 6e 00 73 00 61 00 6c 00 6c 00 53 00 6f 00 66 00 74 00 4d 00 67 00 72 00 } //02 00 --isInsallSoftMgr
|
|
$a_00_3 = {5c 52 68 69 6e 6f 5c 53 61 66 65 5c 42 69 6e 5c 57 69 6e 33 32 5c 72 65 6c 65 61 73 65 5c 70 64 62 5c 32 33 34 35 53 68 65 6c 6c 50 72 6f 2e 70 64 62 } //00 00 \Rhino\Safe\Bin\Win32\release\pdb\2345ShellPro.pdb
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
}
|
|
rule _#PUA_Block_2345Cn_8{
|
|
meta:
|
|
description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 04 00 00 03 00 "
|
|
|
|
strings :
|
|
$a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } //Execute 2345Pinyin MiniPage Task 02 00
|
|
$a_00_1 = {49 00 6e 00 74 00 65 00 72 00 6e 00 61 00 6c 00 4e 00 61 00 6d 00 65 00 00 00 32 00 33 00 34 00 35 00 53 00 75 00 69 00 74 00 65 00 } //02 00
|
|
$a_00_2 = {32 00 33 00 34 00 35 00 63 00 6f 00 6d 00 2e 00 32 00 33 00 34 00 35 00 53 00 75 00 69 00 74 00 65 00 2e 00 4d 00 75 00 74 00 65 00 78 00 } //02 00 2345com.2345Suite.Mutex
|
|
$a_00_3 = {3a 5c 64 6c 6c 70 6c 75 67 69 6e 5c 53 6f 66 74 77 61 72 65 43 6f 6c 6c 65 63 74 69 6f 6e 5c 62 69 6e 5c 72 65 6c 65 61 73 65 5f 73 74 61 74 69 63 5c 32 33 34 35 53 75 69 74 65 2e 70 64 62 } //00 00 :\dllplugin\SoftwareCollection\bin\release_static\2345Suite.pdb
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
}
|
|
rule _#PUA_Block_2345Cn_9{
|
|
meta:
|
|
description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 04 00 00 02 00 "
|
|
|
|
strings :
|
|
$a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } //Execute 2345Pinyin MiniPage Task 01 00
|
|
$a_00_1 = {49 00 6e 00 74 00 65 00 72 00 6e 00 61 00 6c 00 4e 00 61 00 6d 00 65 00 00 00 32 00 33 00 34 00 35 00 50 00 64 00 66 00 54 00 6f 00 6f 00 6c 00 } //01 00
|
|
$a_00_2 = {70 00 64 00 66 00 32 00 77 00 6f 00 72 00 64 00 5f 00 70 00 6c 00 75 00 67 00 5f 00 63 00 6f 00 6e 00 66 00 69 00 67 00 } //01 00 pdf2word_plug_config
|
|
$a_00_3 = {3a 5c 7a 68 61 6e 6c 75 65 5c 70 64 66 63 6f 6e 76 65 72 74 65 72 5c 62 69 6e 5c 57 69 6e 33 32 5c 72 65 6c 65 61 73 65 5f 73 74 61 74 69 63 5c 70 64 62 5c 32 33 34 35 50 64 66 54 6f 6f 6c 2e 70 64 62 } //00 00 :\zhanlue\pdfconverter\bin\Win32\release_static\pdb\2345PdfTool.pdb
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
}
|
|
rule _#PUA_Block_2345Cn_10{
|
|
meta:
|
|
description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 04 00 00 02 00 "
|
|
|
|
strings :
|
|
$a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } //Execute 2345Pinyin MiniPage Task 01 00
|
|
$a_00_1 = {49 00 6e 00 74 00 65 00 72 00 6e 00 61 00 6c 00 4e 00 61 00 6d 00 65 00 00 00 32 00 33 00 34 00 35 00 50 00 69 00 63 00 54 00 6f 00 6f 00 6c 00 } //01 00
|
|
$a_00_2 = {67 00 52 00 43 00 50 00 69 00 63 00 5f 00 55 00 70 00 64 00 61 00 74 00 65 00 5f 00 43 00 6c 00 6f 00 75 00 64 00 5f 00 43 00 6f 00 6e 00 66 00 69 00 67 00 } //01 00 gRCPic_Update_Cloud_Config
|
|
$a_00_3 = {3a 5c 7a 68 61 6e 6c 75 65 5c 72 63 69 6d 61 67 65 5c 62 69 6e 5c 57 69 6e 33 32 5c 52 65 6c 65 61 73 65 5c 70 64 62 5c 32 33 34 35 50 69 63 54 6f 6f 6c 2e 70 64 62 } //00 00 :\zhanlue\rcimage\bin\Win32\Release\pdb\2345PicTool.pdb
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
}
|
|
rule _#PUA_Block_2345Cn_11{
|
|
meta:
|
|
description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 04 00 00 02 00 "
|
|
|
|
strings :
|
|
$a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } //Execute 2345Pinyin MiniPage Task 01 00
|
|
$a_00_1 = {49 00 6e 00 74 00 65 00 72 00 6e 00 61 00 6c 00 4e 00 61 00 6d 00 65 00 00 00 32 00 33 00 34 00 35 00 43 00 61 00 70 00 74 00 75 00 72 00 65 00 } //01 00
|
|
$a_00_2 = {52 00 43 00 43 00 61 00 70 00 74 00 75 00 72 00 65 00 5f 00 55 00 70 00 64 00 61 00 74 00 65 00 5f 00 43 00 6f 00 6e 00 66 00 69 00 67 00 5f 00 49 00 6e 00 69 00 } //01 00 RCCapture_Update_Config_Ini
|
|
$a_00_3 = {3a 5c 7a 68 61 6e 6c 75 65 5c 32 33 34 35 63 61 70 74 75 72 65 5c 62 69 6e 5c 57 69 6e 33 32 5c 52 65 6c 65 61 73 65 5c 70 64 62 5c 32 33 34 35 43 61 70 74 75 72 65 2e 70 64 62 } //00 00 :\zhanlue\2345capture\bin\Win32\Release\pdb\2345Capture.pdb
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
}
|
|
rule _#PUA_Block_2345Cn_12{
|
|
meta:
|
|
description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 04 00 00 02 00 "
|
|
|
|
strings :
|
|
$a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } //Execute 2345Pinyin MiniPage Task 01 00
|
|
$a_00_1 = {49 00 6e 00 74 00 65 00 72 00 6e 00 61 00 6c 00 4e 00 61 00 6d 00 65 00 00 00 32 00 33 00 34 00 35 00 49 00 6e 00 73 00 74 00 44 00 6c 00 6c 00 } //01 00
|
|
$a_00_2 = {52 00 43 00 3a 00 3a 00 52 00 43 00 49 00 6e 00 73 00 74 00 44 00 6c 00 6c 00 53 00 74 00 61 00 74 00 3a 00 3a 00 49 00 6e 00 69 00 74 00 } //01 00 RC::RCInstDllStat::Init
|
|
$a_00_3 = {3a 5c 52 68 69 6e 6f 50 72 6f 74 65 63 74 5c 50 75 62 6c 69 73 68 5c 4f 75 74 50 75 74 5c 42 69 6e 5c 57 69 6e 33 32 5c 72 65 6c 65 61 73 65 5c 70 64 62 5c 32 33 34 35 49 6e 73 74 44 6c 6c 2e 70 64 62 } //00 00 :\RhinoProtect\Publish\OutPut\Bin\Win32\release\pdb\2345InstDll.pdb
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
}
|
|
rule _#PUA_Block_2345Cn_13{
|
|
meta:
|
|
description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 04 00 00 02 00 "
|
|
|
|
strings :
|
|
$a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } //Execute 2345Pinyin MiniPage Task 01 00
|
|
$a_00_1 = {49 00 6e 00 74 00 65 00 72 00 6e 00 61 00 6c 00 4e 00 61 00 6d 00 65 00 00 00 32 00 33 00 34 00 35 00 50 00 64 00 66 00 44 00 75 00 6d 00 70 00 65 00 72 00 } //01 00
|
|
$a_00_2 = {32 00 33 00 34 00 35 00 50 00 64 00 66 00 43 00 6f 00 6e 00 76 00 65 00 72 00 74 00 65 00 72 00 2e 00 68 00 7a 00 76 00 } //01 00 2345PdfConverter.hzv
|
|
$a_00_3 = {3a 5c 7a 68 61 6e 6c 75 65 5c 70 64 66 63 6f 6e 76 65 72 74 65 72 5c 62 69 6e 5c 57 69 6e 33 32 5c 72 65 6c 65 61 73 65 5f 73 74 61 74 69 63 5c 70 64 62 5c 32 33 34 35 50 64 66 44 75 6d 70 65 72 2e 70 64 62 } //00 00 :\zhanlue\pdfconverter\bin\Win32\release_static\pdb\2345PdfDumper.pdb
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
}
|
|
rule _#PUA_Block_2345Cn_14{
|
|
meta:
|
|
description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 04 00 00 02 00 "
|
|
|
|
strings :
|
|
$a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } //Execute 2345Pinyin MiniPage Task 01 00
|
|
$a_00_1 = {49 00 6e 00 74 00 65 00 72 00 6e 00 61 00 6c 00 4e 00 61 00 6d 00 65 00 00 00 32 00 33 00 34 00 35 00 47 00 61 00 6d 00 65 00 48 00 61 00 6c 00 6c 00 } //01 00
|
|
$a_00_2 = {32 00 33 00 34 00 35 00 47 00 61 00 6d 00 65 00 48 00 61 00 6c 00 6c 00 5f 00 72 00 65 00 61 00 6c 00 74 00 69 00 6d 00 65 00 5f 00 73 00 74 00 61 00 74 00 69 00 73 00 74 00 69 00 63 00 73 00 } //01 00 2345GameHall_realtime_statistics
|
|
$a_00_3 = {3a 5c 67 61 6d 65 68 61 6c 6c 5c 47 61 6d 65 48 61 6c 6c 5c 6f 75 74 5c 52 65 6c 65 61 73 65 5c 32 33 34 35 47 61 6d 65 48 61 6c 6c 2e 70 64 62 } //00 00 :\gamehall\GameHall\out\Release\2345GameHall.pdb
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
}
|
|
rule _#PUA_Block_2345Cn_15{
|
|
meta:
|
|
description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 04 00 00 03 00 "
|
|
|
|
strings :
|
|
$a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } //Execute 2345Pinyin MiniPage Task 02 00
|
|
$a_00_1 = {49 00 6e 00 74 00 65 00 72 00 6e 00 61 00 6c 00 4e 00 61 00 6d 00 65 00 00 00 32 00 33 00 34 00 35 00 53 00 61 00 66 00 65 00 54 00 72 00 61 00 79 00 } //02 00
|
|
$a_00_2 = {5c 00 5c 00 2e 00 5c 00 70 00 69 00 70 00 65 00 5c 00 32 00 33 00 34 00 35 00 53 00 61 00 66 00 65 00 43 00 65 00 6e 00 74 00 65 00 72 00 5c 00 42 00 72 00 65 00 61 00 6b 00 70 00 61 00 64 00 } //02 00 \\.\pipe\2345SafeCenter\Breakpad
|
|
$a_00_3 = {5c 52 68 69 6e 6f 5c 53 61 66 65 5c 42 69 6e 5c 57 69 6e 33 32 5c 72 65 6c 65 61 73 65 5c 70 64 62 5c 32 33 34 35 53 61 66 65 54 72 61 79 2e 70 64 62 } //00 00 \Rhino\Safe\Bin\Win32\release\pdb\2345SafeTray.pdb
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
}
|
|
rule _#PUA_Block_2345Cn_16{
|
|
meta:
|
|
description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 04 00 00 03 00 "
|
|
|
|
strings :
|
|
$a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } //Execute 2345Pinyin MiniPage Task 02 00
|
|
$a_00_1 = {49 00 6e 00 74 00 65 00 72 00 6e 00 61 00 6c 00 4e 00 61 00 6d 00 65 00 00 00 32 00 33 00 34 00 35 00 53 00 61 00 66 00 65 00 55 00 70 00 64 00 61 00 74 00 65 00 } //02 00
|
|
$a_00_2 = {5c 00 5c 00 2e 00 5c 00 70 00 69 00 70 00 65 00 5c 00 32 00 33 00 34 00 35 00 53 00 61 00 66 00 65 00 43 00 65 00 6e 00 74 00 65 00 72 00 5c 00 42 00 72 00 65 00 61 00 6b 00 70 00 61 00 64 00 } //02 00 \\.\pipe\2345SafeCenter\Breakpad
|
|
$a_00_3 = {5c 52 68 69 6e 6f 5c 53 61 66 65 5c 42 69 6e 5c 57 69 6e 33 32 5c 72 65 6c 65 61 73 65 5c 70 64 62 5c 32 33 34 35 53 61 66 65 55 70 64 61 74 65 2e 70 64 62 } //00 00 \Rhino\Safe\Bin\Win32\release\pdb\2345SafeUpdate.pdb
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
}
|
|
rule _#PUA_Block_2345Cn_17{
|
|
meta:
|
|
description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 04 00 00 02 00 "
|
|
|
|
strings :
|
|
$a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } //Execute 2345Pinyin MiniPage Task 01 00
|
|
$a_00_1 = {64 00 6f 00 63 00 74 00 6f 00 72 00 5f 00 32 00 33 00 34 00 35 00 65 00 78 00 70 00 6c 00 6f 00 72 00 65 00 72 00 2e 00 6e 00 61 00 6d 00 65 00 64 00 5f 00 6d 00 75 00 74 00 65 00 78 00 2e 00 72 00 65 00 70 00 61 00 69 00 72 00 69 00 6e 00 67 00 } //01 00 doctor_2345explorer.named_mutex.repairing
|
|
$a_00_2 = {64 6f 63 74 6f 72 5f 6e 6f 74 69 63 65 5f 62 6f 61 72 64 5f 64 61 74 61 73 } //01 00 doctor_notice_board_datas
|
|
$a_00_3 = {3a 5c 64 6c 6c 70 6c 75 67 69 6e 5c 44 6f 63 74 6f 72 5c 62 69 6e 5c 57 69 6e 33 32 5c 52 65 6c 65 61 73 65 5c 70 64 62 5c 44 6f 63 74 6f 72 5f 32 33 34 35 45 78 70 6c 6f 72 65 72 2e 70 64 62 } //00 00 :\dllplugin\Doctor\bin\Win32\Release\pdb\Doctor_2345Explorer.pdb
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
}
|
|
rule _#PUA_Block_2345Cn_18{
|
|
meta:
|
|
description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 04 00 00 02 00 "
|
|
|
|
strings :
|
|
$a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } //Execute 2345Pinyin MiniPage Task 01 00
|
|
$a_00_1 = {49 00 6e 00 74 00 65 00 72 00 6e 00 61 00 6c 00 4e 00 61 00 6d 00 65 00 00 00 32 00 33 00 34 00 35 00 4f 00 43 00 52 00 4d 00 61 00 69 00 6e 00 } //01 00
|
|
$a_00_2 = {52 00 43 00 4f 00 43 00 52 00 43 00 6f 00 6e 00 76 00 65 00 72 00 74 00 65 00 72 00 5f 00 55 00 70 00 64 00 61 00 74 00 65 00 5f 00 43 00 6f 00 6e 00 66 00 69 00 67 00 5f 00 49 00 6e 00 69 00 } //01 00 RCOCRConverter_Update_Config_Ini
|
|
$a_00_3 = {3a 5c 7a 68 61 6e 6c 75 65 5c 6f 63 72 63 6f 6e 76 65 72 74 65 72 5c 62 69 6e 5c 57 69 6e 33 32 5c 52 65 6c 65 61 73 65 5c 70 64 62 5c 32 33 34 35 4f 43 52 4d 61 69 6e 2e 70 64 62 } //00 00 :\zhanlue\ocrconverter\bin\Win32\Release\pdb\2345OCRMain.pdb
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
}
|
|
rule _#PUA_Block_2345Cn_19{
|
|
meta:
|
|
description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 04 00 00 02 00 "
|
|
|
|
strings :
|
|
$a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } //Execute 2345Pinyin MiniPage Task 01 00
|
|
$a_00_1 = {49 00 6e 00 74 00 65 00 72 00 6e 00 61 00 6c 00 4e 00 61 00 6d 00 65 00 00 00 32 00 33 00 34 00 35 00 4f 00 43 00 52 00 4c 00 6f 00 61 00 64 00 65 00 72 00 } //01 00
|
|
$a_00_2 = {73 00 74 00 61 00 72 00 74 00 5f 00 75 00 70 00 5f 00 74 00 69 00 6d 00 65 00 73 00 5f 00 73 00 69 00 6e 00 63 00 65 00 5f 00 6c 00 61 00 73 00 74 00 5f 00 75 00 70 00 64 00 61 00 74 00 65 00 } //01 00 start_up_times_since_last_update
|
|
$a_00_3 = {3a 5c 7a 68 61 6e 6c 75 65 5c 6f 63 72 63 6f 6e 76 65 72 74 65 72 5c 62 69 6e 5c 57 69 6e 33 32 5c 72 65 6c 65 61 73 65 5f 73 74 61 74 69 63 5c 70 64 62 5c 32 33 34 35 4f 43 52 4c 6f 61 64 65 72 2e 70 64 62 } //00 00 :\zhanlue\ocrconverter\bin\Win32\release_static\pdb\2345OCRLoader.pdb
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
}
|
|
rule _#PUA_Block_2345Cn_20{
|
|
meta:
|
|
description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 04 00 00 02 00 "
|
|
|
|
strings :
|
|
$a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } //Execute 2345Pinyin MiniPage Task 01 00
|
|
$a_00_1 = {49 00 6e 00 74 00 65 00 72 00 6e 00 61 00 6c 00 4e 00 61 00 6d 00 65 00 00 00 32 00 33 00 34 00 35 00 4f 00 43 00 52 00 44 00 75 00 6d 00 70 00 65 00 72 00 } //01 00
|
|
$a_00_2 = {46 00 69 00 6c 00 65 00 44 00 65 00 73 00 63 00 72 00 69 00 70 00 74 00 69 00 6f 00 6e 00 00 00 00 00 32 00 33 00 34 00 35 00 4f 00 43 00 52 00 87 65 57 5b c6 8b 2b 52 2d 00 44 00 75 00 6d 00 70 00 0b 7a 8f 5e } //01 00
|
|
$a_00_3 = {3a 5c 7a 68 61 6e 6c 75 65 5c 6f 63 72 63 6f 6e 76 65 72 74 65 72 5c 62 69 6e 5c 57 69 6e 33 32 5c 72 65 6c 65 61 73 65 5f 73 74 61 74 69 63 5c 70 64 62 5c 32 33 34 35 4f 43 52 44 75 6d 70 65 72 2e 70 64 62 } //00 00 :\zhanlue\ocrconverter\bin\Win32\release_static\pdb\2345OCRDumper.pdb
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
}
|
|
rule _#PUA_Block_2345Cn_21{
|
|
meta:
|
|
description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 04 00 00 02 00 "
|
|
|
|
strings :
|
|
$a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } //Execute 2345Pinyin MiniPage Task 01 00
|
|
$a_00_1 = {49 00 6e 00 74 00 65 00 72 00 6e 00 61 00 6c 00 4e 00 61 00 6d 00 65 00 00 00 55 00 70 00 64 00 61 00 74 00 65 00 5f 00 32 00 33 00 34 00 35 00 50 00 69 00 6e 00 79 00 69 00 6e 00 } //01 00
|
|
$a_00_2 = {70 00 69 00 6e 00 79 00 69 00 6e 00 2e 00 75 00 70 00 64 00 61 00 74 00 65 00 5f 00 74 00 6f 00 6f 00 6c 00 2e 00 70 00 72 00 6f 00 63 00 65 00 73 00 73 00 5f 00 65 00 78 00 69 00 74 00 2e 00 65 00 76 00 65 00 6e 00 74 00 } //01 00 pinyin.update_tool.process_exit.event
|
|
$a_00_3 = {5c 55 70 64 61 74 65 50 72 6f 67 72 61 6d 5c 62 69 6e 5c 57 69 6e 33 32 5c 52 65 6c 65 61 73 65 5c 70 64 62 5c 55 70 64 61 74 65 5f 32 33 34 35 50 69 6e 79 69 6e 2e 70 64 62 } //00 00 \UpdateProgram\bin\Win32\Release\pdb\Update_2345Pinyin.pdb
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
}
|
|
rule _#PUA_Block_2345Cn_22{
|
|
meta:
|
|
description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 04 00 00 02 00 "
|
|
|
|
strings :
|
|
$a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } //Execute 2345Pinyin MiniPage Task 01 00
|
|
$a_00_1 = {4f 00 72 00 69 00 67 00 69 00 6e 00 61 00 6c 00 46 00 69 00 6c 00 65 00 6e 00 61 00 6d 00 65 00 00 00 32 00 33 00 34 00 35 00 50 00 64 00 66 00 4d 00 61 00 69 00 6e 00 2e 00 65 00 78 00 65 00 } //01 00
|
|
$a_00_2 = {52 00 43 00 50 00 64 00 66 00 43 00 6f 00 6e 00 76 00 65 00 72 00 74 00 65 00 72 00 5f 00 55 00 70 00 64 00 61 00 74 00 65 00 5f 00 43 00 6f 00 6e 00 66 00 69 00 67 00 5f 00 49 00 6e 00 69 00 } //01 00 RCPdfConverter_Update_Config_Ini
|
|
$a_02_3 = {3a 5c 7a 68 61 6e 6c 75 65 5c 70 64 66 63 6f 6e 76 65 72 74 65 72 5c 62 69 6e 5c 90 03 03 05 78 36 34 57 69 6e 33 32 5c 52 65 6c 65 61 73 65 5c 70 64 62 5c 32 33 34 35 50 64 66 4d 61 69 6e 2e 70 64 62 90 00 } //00 00
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
}
|
|
rule _#PUA_Block_2345Cn_23{
|
|
meta:
|
|
description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 04 00 00 02 00 "
|
|
|
|
strings :
|
|
$a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } //Execute 2345Pinyin MiniPage Task 01 00
|
|
$a_00_1 = {49 00 6e 00 74 00 65 00 72 00 6e 00 61 00 6c 00 4e 00 61 00 6d 00 65 00 00 00 55 00 70 00 64 00 61 00 74 00 65 00 5f 00 32 00 33 00 34 00 35 00 50 00 69 00 63 00 2e 00 65 00 78 00 65 00 } //01 00
|
|
$a_00_2 = {75 00 70 00 64 00 61 00 74 00 65 00 5f 00 32 00 33 00 34 00 35 00 2e 00 6e 00 61 00 6d 00 65 00 64 00 5f 00 6d 00 75 00 74 00 65 00 78 00 2e 00 73 00 69 00 67 00 6e 00 61 00 6c 00 } //01 00 update_2345.named_mutex.signal
|
|
$a_00_3 = {3a 5c 74 72 75 6e 6b 5c 43 6f 6d 6d 6f 6e 50 6c 61 74 66 6f 72 6d 5c 55 70 64 61 74 65 50 72 6f 67 72 61 6d 5c 62 69 6e 5c 57 69 6e 33 32 5c 52 65 6c 65 61 73 65 5c 70 64 62 5c 55 70 64 61 74 65 5f 32 33 34 35 50 69 63 2e 70 64 62 } //00 00 :\trunk\CommonPlatform\UpdateProgram\bin\Win32\Release\pdb\Update_2345Pic.pdb
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
}
|
|
rule _#PUA_Block_2345Cn_24{
|
|
meta:
|
|
description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 04 00 00 02 00 "
|
|
|
|
strings :
|
|
$a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } //Execute 2345Pinyin MiniPage Task 01 00
|
|
$a_00_1 = {49 00 6e 00 74 00 65 00 72 00 6e 00 61 00 6c 00 4e 00 61 00 6d 00 65 00 00 00 32 00 33 00 34 00 35 00 53 00 46 00 52 00 65 00 70 00 61 00 69 00 72 00 46 00 63 00 } //01 00
|
|
$a_00_2 = {5c 52 68 69 6e 6f 50 72 6f 74 65 63 74 5c 50 75 62 6c 69 73 68 5c 4f 75 74 50 75 74 5c 62 69 6e 5c 57 69 6e 33 32 5c 52 65 6c 65 61 73 65 5c 70 64 62 5c 32 33 34 35 53 61 66 65 43 65 6e 74 65 72 44 69 66 66 2e 70 64 62 } //01 00 \RhinoProtect\Publish\OutPut\bin\Win32\Release\pdb\2345SafeCenterDiff.pdb
|
|
$a_00_3 = {52 00 43 00 3a 00 3a 00 52 00 43 00 53 00 61 00 66 00 65 00 52 00 65 00 70 00 61 00 69 00 72 00 53 00 74 00 61 00 74 00 3a 00 3a 00 53 00 65 00 6e 00 64 00 52 00 65 00 61 00 6c 00 54 00 69 00 6d 00 65 00 53 00 74 00 61 00 74 00 } //00 00 RC::RCSafeRepairStat::SendRealTimeStat
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
}
|
|
rule _#PUA_Block_2345Cn_25{
|
|
meta:
|
|
description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,07 00 07 00 05 00 00 04 00 "
|
|
|
|
strings :
|
|
$a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } //Execute 2345Pinyin MiniPage Task 02 00
|
|
$a_00_1 = {49 00 6e 00 74 00 65 00 72 00 6e 00 61 00 6c 00 4e 00 61 00 6d 00 65 00 00 00 32 00 33 00 34 00 35 00 50 00 69 00 6e 00 79 00 69 00 6e 00 57 00 69 00 7a 00 61 00 72 00 64 00 } //02 00
|
|
$a_00_2 = {5c 62 69 6e 5c 57 69 6e 33 32 5c 52 65 6c 65 61 73 65 5c 70 64 62 5c 32 33 34 35 50 69 6e 79 69 6e 57 69 7a 61 72 64 2e 70 64 62 } //01 00 \bin\Win32\Release\pdb\2345PinyinWizard.pdb
|
|
$a_00_3 = {32 00 33 00 34 00 35 00 70 00 69 00 6e 00 79 00 69 00 6e 00 5f 00 72 00 65 00 67 00 69 00 73 00 74 00 5f 00 70 00 69 00 70 00 65 00 5f 00 } //01 00 2345pinyin_regist_pipe_
|
|
$a_00_4 = {52 00 43 00 50 00 69 00 6e 00 79 00 69 00 6e 00 5f 00 45 00 72 00 72 00 6f 00 72 00 5f 00 53 00 74 00 61 00 74 00 5f 00 53 00 65 00 6e 00 64 00 65 00 72 00 } //00 00 RCPinyin_Error_Stat_Sender
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
}
|
|
rule _#PUA_Block_2345Cn_26{
|
|
meta:
|
|
description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 04 00 00 02 00 "
|
|
|
|
strings :
|
|
$a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } //Execute 2345Pinyin MiniPage Task 01 00
|
|
$a_00_1 = {70 00 64 00 66 00 63 00 76 00 74 00 2e 00 32 00 33 00 34 00 35 00 2e 00 63 00 63 00 2f 00 68 00 65 00 6c 00 70 00 2e 00 68 00 74 00 6d 00 6c 00 } //01 00 pdfcvt.2345.cc/help.html
|
|
$a_00_2 = {64 00 6f 00 77 00 6e 00 6c 00 6f 00 61 00 64 00 2e 00 32 00 33 00 34 00 35 00 2e 00 63 00 6e 00 2f 00 70 00 64 00 66 00 63 00 76 00 74 00 2f 00 32 00 33 00 34 00 35 00 50 00 64 00 66 00 43 00 6f 00 6e 00 76 00 65 00 72 00 74 00 65 00 72 00 5f 00 } //01 00 download.2345.cn/pdfcvt/2345PdfConverter_
|
|
$a_00_3 = {5c 70 64 66 63 6f 6e 76 65 72 74 65 72 5c 62 69 6e 5c 74 6f 6f 6c 5c 46 69 6c 65 44 6f 77 6e 5c 62 69 6e 5c 72 65 6c 65 61 73 65 5f 73 74 61 74 69 63 5c 32 33 34 35 50 44 46 43 76 74 49 6e 73 74 61 6c 6c 65 72 2e 70 64 62 } //00 00 \pdfconverter\bin\tool\FileDown\bin\release_static\2345PDFCvtInstaller.pdb
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
}
|
|
rule _#PUA_Block_2345Cn_27{
|
|
meta:
|
|
description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 04 00 00 02 00 "
|
|
|
|
strings :
|
|
$a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } //Execute 2345Pinyin MiniPage Task 01 00
|
|
$a_00_1 = {32 00 33 00 34 00 35 00 70 00 69 00 6e 00 79 00 69 00 6e 00 5f 00 72 00 65 00 67 00 69 00 73 00 74 00 5f 00 70 00 69 00 70 00 65 00 5f 00 } //01 00 2345pinyin_regist_pipe_
|
|
$a_00_2 = {32 00 33 00 34 00 35 00 50 00 69 00 6e 00 79 00 69 00 6e 00 5f 00 47 00 75 00 69 00 64 00 65 00 5f 00 4c 00 6f 00 67 00 69 00 6e 00 5f 00 4d 00 75 00 74 00 65 00 78 00 } //01 00 2345Pinyin_Guide_Login_Mutex
|
|
$a_00_3 = {3a 00 5c 00 7a 00 68 00 61 00 6e 00 6c 00 75 00 65 00 5c 00 32 00 33 00 34 00 35 00 69 00 6e 00 70 00 75 00 74 00 5c 00 70 00 72 00 6f 00 6a 00 65 00 63 00 74 00 5c 00 70 00 69 00 6e 00 79 00 69 00 6e 00 63 00 6f 00 6e 00 66 00 69 00 67 00 5c 00 73 00 72 00 63 00 5c 00 71 00 71 00 5f 00 64 00 65 00 74 00 65 00 63 00 74 00 } //00 00 :\zhanlue\2345input\project\pinyinconfig\src\qq_detect
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
}
|
|
rule _#PUA_Block_2345Cn_28{
|
|
meta:
|
|
description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,07 00 07 00 05 00 00 04 00 "
|
|
|
|
strings :
|
|
$a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } //Execute 2345Pinyin MiniPage Task 02 00
|
|
$a_00_1 = {49 00 6e 00 74 00 65 00 72 00 6e 00 61 00 6c 00 4e 00 61 00 6d 00 65 00 00 00 32 00 33 00 34 00 35 00 50 00 69 00 6e 00 79 00 69 00 6e 00 53 00 79 00 6d 00 62 00 6f 00 6c 00 } //02 00
|
|
$a_00_2 = {5c 62 69 6e 5c 57 69 6e 33 32 5c 52 65 6c 65 61 73 65 5c 70 64 62 5c 32 33 34 35 50 69 6e 79 69 6e 53 79 6d 62 6f 6c 2e 70 64 62 } //01 00 \bin\Win32\Release\pdb\2345PinyinSymbol.pdb
|
|
$a_00_3 = {47 00 6c 00 6f 00 62 00 61 00 6c 00 5c 00 32 00 33 00 34 00 35 00 50 00 69 00 6e 00 79 00 69 00 6e 00 53 00 65 00 72 00 76 00 69 00 63 00 65 00 4e 00 6f 00 74 00 69 00 66 00 79 00 4d 00 6f 00 6e 00 69 00 74 00 6f 00 72 00 45 00 76 00 65 00 6e 00 74 00 } //01 00 Global\2345PinyinServiceNotifyMonitorEvent
|
|
$a_00_4 = {75 00 69 00 2f 00 53 00 65 00 74 00 74 00 69 00 6e 00 67 00 55 00 49 00 2e 00 64 00 75 00 69 00 } //00 00 ui/SettingUI.dui
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
}
|
|
rule _#PUA_Block_2345Cn_29{
|
|
meta:
|
|
description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 04 00 00 02 00 "
|
|
|
|
strings :
|
|
$a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } //Execute 2345Pinyin MiniPage Task 01 00
|
|
$a_00_1 = {49 00 6e 00 74 00 65 00 72 00 6e 00 61 00 6c 00 4e 00 61 00 6d 00 65 00 00 00 32 00 33 00 34 00 35 00 50 00 69 00 6e 00 79 00 69 00 6e 00 55 00 70 00 64 00 61 00 74 00 65 00 } //01 00
|
|
$a_00_2 = {52 00 43 00 50 00 69 00 6e 00 79 00 69 00 6e 00 5f 00 55 00 70 00 64 00 61 00 74 00 65 00 5f 00 53 00 6b 00 69 00 6e 00 5f 00 50 00 75 00 73 00 68 00 5f 00 49 00 6d 00 6d 00 65 00 64 00 69 00 61 00 74 00 65 00 6c 00 79 00 } //01 00 RCPinyin_Update_Skin_Push_Immediately
|
|
$a_00_3 = {3a 00 5c 00 7a 00 68 00 61 00 6e 00 6c 00 75 00 65 00 5c 00 32 00 33 00 34 00 35 00 69 00 6e 00 70 00 75 00 74 00 5c 00 70 00 72 00 6f 00 6a 00 65 00 63 00 74 00 5c 00 70 00 69 00 6e 00 79 00 69 00 6e 00 75 00 70 00 64 00 61 00 74 00 65 00 5c 00 73 00 72 00 63 00 5c 00 } //00 00 :\zhanlue\2345input\project\pinyinupdate\src\
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
}
|
|
rule _#PUA_Block_2345Cn_30{
|
|
meta:
|
|
description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 05 00 00 03 00 "
|
|
|
|
strings :
|
|
$a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } //Execute 2345Pinyin MiniPage Task 03 00
|
|
$a_00_1 = {49 00 6e 00 74 00 65 00 72 00 6e 00 61 00 6c 00 4e 00 61 00 6d 00 65 00 00 00 32 00 33 00 34 00 35 00 50 00 69 00 6e 00 79 00 69 00 6e 00 53 00 76 00 63 00 } //02 00
|
|
$a_00_2 = {52 00 43 00 50 00 69 00 6e 00 79 00 69 00 6e 00 5f 00 45 00 72 00 72 00 6f 00 72 00 5f 00 53 00 74 00 61 00 74 00 5f 00 53 00 65 00 6e 00 64 00 65 00 72 00 } //01 00 RCPinyin_Error_Stat_Sender
|
|
$a_02_3 = {5c 32 33 34 35 49 6e 70 75 74 90 03 04 00 44 75 6d 70 5c 62 69 6e 5c 57 69 6e 33 32 5c 52 65 6c 65 61 73 65 5c 70 64 62 5c 32 33 34 35 50 69 6e 79 69 6e 53 76 63 2e 70 64 62 90 00 } //01 00
|
|
$a_00_4 = {5c 32 33 34 35 50 69 6e 79 69 6e 5c 6e 65 77 5c 62 69 6e 5c 57 69 6e 33 32 5c 52 65 6c 65 61 73 65 5c 70 64 62 5c 32 33 34 35 50 69 6e 79 69 6e 53 76 63 2e 70 64 62 } //00 00 \2345Pinyin\new\bin\Win32\Release\pdb\2345PinyinSvc.pdb
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
}
|
|
rule _#PUA_Block_2345Cn_31{
|
|
meta:
|
|
description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 04 00 00 03 00 "
|
|
|
|
strings :
|
|
$a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } //Execute 2345Pinyin MiniPage Task 02 00
|
|
$a_00_1 = {49 00 6e 00 74 00 65 00 72 00 6e 00 61 00 6c 00 4e 00 61 00 6d 00 65 00 00 00 32 00 33 00 34 00 35 00 53 00 6f 00 66 00 74 00 4d 00 67 00 72 00 } //02 00
|
|
$a_00_2 = {52 00 43 00 49 00 6e 00 73 00 74 00 61 00 6c 00 6c 00 53 00 6f 00 66 00 74 00 4d 00 67 00 72 00 3a 00 3a 00 49 00 6e 00 73 00 74 00 61 00 6c 00 6c 00 53 00 74 00 61 00 74 00 3a 00 6f 00 6c 00 64 00 56 00 65 00 72 00 73 00 69 00 6f 00 6e 00 3d 00 25 00 73 00 2c 00 20 00 6e 00 65 00 77 00 56 00 65 00 72 00 73 00 69 00 6f 00 6e 00 3d 00 25 00 73 00 } //02 00 RCInstallSoftMgr::InstallStat:oldVersion=%s, newVersion=%s
|
|
$a_02_3 = {5c 73 6f 66 74 6d 67 72 5c 6d 61 69 6e 5c 62 69 6e 5c 57 69 6e 33 32 5c 72 65 6c 65 61 73 65 90 03 00 07 5f 73 74 61 74 69 63 5c 70 64 62 5c 32 33 34 35 53 6f 66 74 4d 67 72 2e 70 64 62 90 00 } //00 00
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
}
|
|
rule _#PUA_Block_2345Cn_32{
|
|
meta:
|
|
description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 04 00 00 02 00 "
|
|
|
|
strings :
|
|
$a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } //Execute 2345Pinyin MiniPage Task 01 00
|
|
$a_00_1 = {49 00 6e 00 74 00 65 00 72 00 6e 00 61 00 6c 00 4e 00 61 00 6d 00 65 00 00 00 32 00 33 00 34 00 35 00 50 00 69 00 6e 00 79 00 69 00 6e 00 43 00 6c 00 6f 00 75 00 64 00 } //01 00
|
|
$a_00_2 = {32 00 33 00 34 00 35 00 50 00 69 00 6e 00 79 00 69 00 6e 00 5f 00 50 00 69 00 63 00 5f 00 46 00 61 00 63 00 65 00 5f 00 45 00 6d 00 6f 00 6a 00 5f 00 4d 00 75 00 74 00 65 00 78 00 } //01 00 2345Pinyin_Pic_Face_Emoj_Mutex
|
|
$a_00_3 = {3a 00 5c 00 7a 00 68 00 61 00 6e 00 6c 00 75 00 65 00 5c 00 32 00 33 00 34 00 35 00 69 00 6e 00 70 00 75 00 74 00 5c 00 70 00 72 00 6f 00 6a 00 65 00 63 00 74 00 5c 00 70 00 69 00 6e 00 79 00 69 00 6e 00 63 00 6c 00 6f 00 75 00 64 00 5c 00 73 00 72 00 63 00 5c 00 77 00 65 00 62 00 5f 00 62 00 75 00 73 00 69 00 6e 00 65 00 73 00 73 00 5c 00 } //00 00 :\zhanlue\2345input\project\pinyincloud\src\web_business\
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
}
|
|
rule _#PUA_Block_2345Cn_33{
|
|
meta:
|
|
description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 04 00 00 02 00 "
|
|
|
|
strings :
|
|
$a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } //Execute 2345Pinyin MiniPage Task 01 00
|
|
$a_00_1 = {47 00 6c 00 6f 00 62 00 61 00 6c 00 5c 00 32 00 33 00 34 00 35 00 50 00 43 00 53 00 61 00 66 00 65 00 53 00 65 00 72 00 76 00 69 00 63 00 65 00 4e 00 6f 00 74 00 69 00 66 00 79 00 4d 00 6f 00 6e 00 69 00 74 00 6f 00 72 00 45 00 76 00 65 00 6e 00 74 00 } //01 00 Global\2345PCSafeServiceNotifyMonitorEvent
|
|
$a_00_2 = {52 00 43 00 3a 00 3a 00 52 00 43 00 46 00 69 00 6c 00 65 00 41 00 73 00 73 00 6f 00 63 00 44 00 6f 00 77 00 6e 00 6c 00 6f 00 61 00 64 00 65 00 72 00 3a 00 3a 00 44 00 6f 00 77 00 6e 00 6c 00 6f 00 61 00 64 00 53 00 6f 00 66 00 74 00 } //01 00 RC::RCFileAssocDownloader::DownloadSoft
|
|
$a_00_3 = {5c 52 68 69 6e 6f 50 72 6f 74 65 63 74 5c 50 75 62 6c 69 73 68 5c 4f 75 74 50 75 74 5c 62 69 6e 5c 57 69 6e 33 32 5c 52 65 6c 65 61 73 65 5c 70 64 62 5c 32 33 34 35 41 73 73 6f 63 69 61 74 65 2e 70 64 62 } //00 00 \RhinoProtect\Publish\OutPut\bin\Win32\Release\pdb\2345Associate.pdb
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
}
|
|
rule _#PUA_Block_2345Cn_34{
|
|
meta:
|
|
description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 04 00 00 03 00 "
|
|
|
|
strings :
|
|
$a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } //Execute 2345Pinyin MiniPage Task 02 00
|
|
$a_00_1 = {49 00 6e 00 74 00 65 00 72 00 6e 00 61 00 6c 00 4e 00 61 00 6d 00 65 00 00 00 32 00 33 00 34 00 35 00 41 00 64 00 52 00 74 00 50 00 72 00 6f 00 74 00 65 00 63 00 74 00 } //02 00
|
|
$a_00_2 = {3a 00 5c 00 72 00 68 00 69 00 6e 00 6f 00 5c 00 73 00 61 00 66 00 65 00 5c 00 73 00 72 00 63 00 5c 00 61 00 64 00 72 00 74 00 70 00 72 00 6f 00 74 00 65 00 63 00 74 00 5c 00 61 00 64 00 72 00 74 00 70 00 72 00 6f 00 74 00 65 00 63 00 74 00 5c 00 72 00 63 00 6d 00 61 00 69 00 6e 00 61 00 70 00 70 00 6c 00 69 00 63 00 61 00 74 00 69 00 6f 00 6e 00 2e 00 63 00 70 00 70 00 } //02 00 :\rhino\safe\src\adrtprotect\adrtprotect\rcmainapplication.cpp
|
|
$a_00_3 = {5c 52 68 69 6e 6f 5c 53 61 66 65 5c 42 69 6e 5c 57 69 6e 33 32 5c 72 65 6c 65 61 73 65 5c 70 64 62 5c 32 33 34 35 41 64 52 74 50 72 6f 74 65 63 74 2e 70 64 62 } //00 00 \Rhino\Safe\Bin\Win32\release\pdb\2345AdRtProtect.pdb
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
}
|
|
rule _#PUA_Block_2345Cn_35{
|
|
meta:
|
|
description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 04 00 00 02 00 "
|
|
|
|
strings :
|
|
$a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } //Execute 2345Pinyin MiniPage Task 01 00
|
|
$a_00_1 = {49 00 6e 00 74 00 65 00 72 00 6e 00 61 00 6c 00 4e 00 61 00 6d 00 65 00 00 00 32 00 33 00 34 00 35 00 53 00 61 00 66 00 65 00 43 00 65 00 6e 00 74 00 65 00 72 00 49 00 6e 00 73 00 74 00 61 00 6c 00 6c 00 65 00 72 00 } //01 00
|
|
$a_00_2 = {32 00 33 00 34 00 35 00 53 00 61 00 66 00 65 00 43 00 65 00 6e 00 74 00 65 00 72 00 49 00 6e 00 73 00 74 00 61 00 6c 00 6c 00 65 00 72 00 20 00 53 00 74 00 61 00 72 00 74 00 2e 00 20 00 43 00 6d 00 64 00 4c 00 69 00 6e 00 65 00 3a 00 20 00 25 00 73 00 } //01 00 2345SafeCenterInstaller Start. CmdLine: %s
|
|
$a_00_3 = {3a 5c 52 68 69 6e 6f 50 72 6f 74 65 63 74 5c 50 75 62 6c 69 73 68 5c 4f 75 74 50 75 74 5c 62 69 6e 5c 57 69 6e 33 32 5c 52 65 6c 65 61 73 65 5c 70 64 62 5c 32 33 34 35 53 61 66 65 43 65 6e 74 65 72 49 6e 73 74 61 6c 6c 65 72 2e 70 64 62 } //00 00 :\RhinoProtect\Publish\OutPut\bin\Win32\Release\pdb\2345SafeCenterInstaller.pdb
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
}
|
|
rule _#PUA_Block_2345Cn_36{
|
|
meta:
|
|
description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 04 00 00 02 00 "
|
|
|
|
strings :
|
|
$a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } //Execute 2345Pinyin MiniPage Task 01 00
|
|
$a_00_1 = {49 00 6e 00 74 00 65 00 72 00 6e 00 61 00 6c 00 4e 00 61 00 6d 00 65 00 00 00 32 00 33 00 34 00 35 00 50 00 69 00 63 00 44 00 75 00 6d 00 70 00 65 00 72 00 } //01 00
|
|
$a_00_2 = {52 00 43 00 50 00 69 00 63 00 5f 00 6d 00 69 00 6e 00 69 00 64 00 75 00 6d 00 70 00 5f 00 73 00 65 00 6e 00 64 00 5f 00 68 00 69 00 73 00 74 00 6f 00 72 00 79 00 5f 00 6d 00 75 00 74 00 65 00 78 00 5f 00 7b 00 38 00 35 00 46 00 38 00 42 00 41 00 42 00 41 00 2d 00 41 00 31 00 44 00 43 00 2d 00 34 00 46 00 37 00 41 00 2d 00 41 00 46 00 37 00 38 00 2d 00 45 00 42 00 35 00 45 00 32 00 46 00 37 00 31 00 39 00 41 00 42 00 46 00 7d 00 } //01 00 RCPic_minidump_send_history_mutex_{85F8BABA-A1DC-4F7A-AF78-EB5E2F719ABF}
|
|
$a_00_3 = {5c 62 69 6e 5c 57 69 6e 33 32 5c 52 65 6c 65 61 73 65 5c 70 64 62 5c 32 33 34 35 50 69 63 44 75 6d 70 65 72 2e 70 64 62 } //00 00 \bin\Win32\Release\pdb\2345PicDumper.pdb
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
}
|
|
rule _#PUA_Block_2345Cn_37{
|
|
meta:
|
|
description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 04 00 00 02 00 "
|
|
|
|
strings :
|
|
$a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } //Execute 2345Pinyin MiniPage Task 01 00
|
|
$a_00_1 = {49 00 6e 00 74 00 65 00 72 00 6e 00 61 00 6c 00 4e 00 61 00 6d 00 65 00 00 00 46 00 61 00 63 00 65 00 54 00 6f 00 6f 00 6c 00 5f 00 32 00 33 00 34 00 35 00 50 00 69 00 6e 00 79 00 69 00 6e 00 } //01 00
|
|
$a_00_2 = {32 00 33 00 34 00 35 00 50 00 69 00 6e 00 79 00 69 00 6e 00 5f 00 50 00 69 00 63 00 5f 00 46 00 61 00 63 00 65 00 5f 00 42 00 75 00 62 00 62 00 6c 00 65 00 5f 00 4d 00 75 00 74 00 65 00 78 00 } //01 00 2345Pinyin_Pic_Face_Bubble_Mutex
|
|
$a_00_3 = {3a 00 5c 00 7a 00 68 00 61 00 6e 00 6c 00 75 00 65 00 5c 00 32 00 33 00 34 00 35 00 69 00 6e 00 70 00 75 00 74 00 5c 00 70 00 72 00 6f 00 6a 00 65 00 63 00 74 00 5c 00 70 00 69 00 6e 00 79 00 69 00 6e 00 70 00 69 00 63 00 66 00 61 00 63 00 65 00 74 00 6f 00 6f 00 6c 00 5c 00 73 00 72 00 63 00 5c 00 64 00 61 00 74 00 61 00 5c 00 } //00 00 :\zhanlue\2345input\project\pinyinpicfacetool\src\data\
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
}
|
|
rule _#PUA_Block_2345Cn_38{
|
|
meta:
|
|
description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,06 00 06 00 05 00 00 05 00 "
|
|
|
|
strings :
|
|
$a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } //Execute 2345Pinyin MiniPage Task 03 00
|
|
$a_00_1 = {49 00 6e 00 74 00 65 00 72 00 6e 00 61 00 6c 00 4e 00 61 00 6d 00 65 00 00 00 32 00 33 00 34 00 35 00 50 00 69 00 6e 00 79 00 69 00 6e 00 54 00 6f 00 6f 00 6c 00 } //03 00
|
|
$a_02_2 = {5c 32 33 34 35 69 6e 70 75 74 90 03 00 04 44 75 6d 70 5c 62 69 6e 5c 57 69 6e 33 32 5c 52 65 6c 65 61 73 65 5c 70 64 62 5c 32 33 34 35 50 69 6e 79 69 6e 54 6f 6f 6c 2e 70 64 62 90 00 } //01 00
|
|
$a_00_3 = {47 00 6c 00 6f 00 62 00 61 00 6c 00 5c 00 32 00 33 00 34 00 35 00 50 00 69 00 6e 00 79 00 69 00 6e 00 53 00 65 00 72 00 76 00 69 00 63 00 65 00 4e 00 6f 00 74 00 69 00 66 00 79 00 4d 00 6f 00 6e 00 69 00 74 00 6f 00 72 00 45 00 76 00 65 00 6e 00 74 00 } //01 00 Global\2345PinyinServiceNotifyMonitorEvent
|
|
$a_00_4 = {32 00 33 00 34 00 35 00 50 00 69 00 6e 00 79 00 69 00 6e 00 54 00 6f 00 6f 00 6c 00 2e 00 75 00 73 00 74 00 } //00 00 2345PinyinTool.ust
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
}
|
|
rule _#PUA_Block_2345Cn_39{
|
|
meta:
|
|
description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,02 00 02 00 05 00 00 02 00 "
|
|
|
|
strings :
|
|
$a_00_0 = {45 00 78 00 65 00 63 00 75 00 74 00 65 00 20 00 32 00 33 00 34 00 35 00 50 00 69 00 6e 00 79 00 69 00 6e 00 20 00 4d 00 69 00 6e 00 69 00 50 00 61 00 67 00 65 00 20 00 54 00 61 00 73 00 6b 00 } //02 00 Execute 2345Pinyin MiniPage Task
|
|
$a_00_1 = {4f 00 72 00 69 00 67 00 69 00 6e 00 61 00 6c 00 46 00 69 00 6c 00 65 00 6e 00 61 00 6d 00 65 00 00 00 32 00 33 00 34 00 35 00 4d 00 69 00 6e 00 69 00 50 00 61 00 67 00 65 00 41 00 70 00 70 00 2e 00 64 00 6c 00 6c 00 } //02 00
|
|
$a_02_2 = {5c 52 43 4d 69 6e 69 50 61 67 65 90 02 08 5c 62 69 6e 5c 57 69 6e 33 32 5c 52 65 6c 65 61 73 65 5c 70 64 62 5c 4d 69 6e 69 70 61 67 65 4d 61 69 6e 2e 70 64 62 90 00 } //01 00
|
|
$a_00_3 = {32 00 33 00 34 00 35 00 6d 00 69 00 6e 00 69 00 70 00 61 00 67 00 65 00 2d 00 68 00 77 00 6e 00 64 00 2d 00 70 00 72 00 6f 00 70 00 2d 00 6e 00 61 00 6d 00 65 00 } //01 00 2345minipage-hwnd-prop-name
|
|
$a_00_4 = {6d 00 69 00 6e 00 69 00 70 00 61 00 67 00 65 00 2e 00 73 00 74 00 61 00 74 00 } //00 00 minipage.stat
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
}
|
|
rule _#PUA_Block_2345Cn_40{
|
|
meta:
|
|
description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,02 00 02 00 05 00 00 02 00 "
|
|
|
|
strings :
|
|
$a_00_0 = {45 00 78 00 65 00 63 00 75 00 74 00 65 00 20 00 32 00 33 00 34 00 35 00 50 00 69 00 6e 00 79 00 69 00 6e 00 20 00 4d 00 69 00 6e 00 69 00 50 00 61 00 67 00 65 00 20 00 54 00 61 00 73 00 6b 00 } //02 00 Execute 2345Pinyin MiniPage Task
|
|
$a_00_1 = {4f 00 72 00 69 00 67 00 69 00 6e 00 61 00 6c 00 46 00 69 00 6c 00 65 00 6e 00 61 00 6d 00 65 00 00 00 48 00 65 00 6c 00 70 00 65 00 72 00 4d 00 61 00 69 00 6e 00 2e 00 64 00 6c 00 6c 00 } //02 00
|
|
$a_02_2 = {5c 48 65 6c 70 65 72 32 33 34 35 90 02 08 5c 62 69 6e 5c 57 69 6e 33 32 5c 52 65 6c 65 61 73 65 5c 70 64 62 5c 48 65 6c 70 65 72 4d 61 69 6e 2e 70 64 62 90 00 } //01 00
|
|
$a_00_3 = {68 00 65 00 6c 00 70 00 65 00 72 00 5f 00 74 00 72 00 61 00 79 00 5f 00 73 00 74 00 61 00 74 00 69 00 73 00 74 00 69 00 63 00 } //01 00 helper_tray_statistic
|
|
$a_00_4 = {32 00 33 00 34 00 35 00 6d 00 69 00 6e 00 69 00 70 00 61 00 67 00 65 00 2d 00 68 00 77 00 6e 00 64 00 2d 00 70 00 72 00 6f 00 70 00 2d 00 6e 00 61 00 6d 00 65 00 } //00 00 2345minipage-hwnd-prop-name
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
}
|
|
rule _#PUA_Block_2345Cn_41{
|
|
meta:
|
|
description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 04 00 00 03 00 "
|
|
|
|
strings :
|
|
$a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } //Execute 2345Pinyin MiniPage Task 02 00
|
|
$a_00_1 = {49 00 6e 00 74 00 65 00 72 00 6e 00 61 00 6c 00 4e 00 61 00 6d 00 65 00 00 00 32 00 33 00 34 00 35 00 52 00 54 00 50 00 72 00 6f 00 74 00 65 00 63 00 74 00 } //02 00
|
|
$a_00_2 = {47 00 6c 00 6f 00 62 00 61 00 6c 00 5c 00 52 00 43 00 41 00 56 00 37 00 45 00 34 00 37 00 44 00 41 00 39 00 33 00 2d 00 41 00 46 00 34 00 31 00 2d 00 34 00 34 00 35 00 30 00 2d 00 39 00 30 00 43 00 44 00 2d 00 33 00 31 00 43 00 37 00 38 00 31 00 32 00 35 00 32 00 38 00 37 00 44 00 5f 00 52 00 54 00 50 00 52 00 4f 00 54 00 45 00 43 00 54 00 5f 00 4d 00 55 00 54 00 45 00 58 00 } //02 00 Global\RCAV7E47DA93-AF41-4450-90CD-31C78125287D_RTPROTECT_MUTEX
|
|
$a_00_3 = {5c 52 68 69 6e 6f 50 72 6f 74 65 63 74 5c 50 75 62 6c 69 73 68 5c 4f 75 74 50 75 74 5c 62 69 6e 5c 57 69 6e 33 32 5c 52 65 6c 65 61 73 65 5c 70 64 62 5c 32 33 34 35 52 54 50 72 6f 74 65 63 74 2e 70 64 62 } //00 00 \RhinoProtect\Publish\OutPut\bin\Win32\Release\pdb\2345RTProtect.pdb
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
}
|
|
rule _#PUA_Block_2345Cn_42{
|
|
meta:
|
|
description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 04 00 00 02 00 "
|
|
|
|
strings :
|
|
$a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } //Execute 2345Pinyin MiniPage Task 01 00
|
|
$a_00_1 = {49 00 6e 00 74 00 65 00 72 00 6e 00 61 00 6c 00 4e 00 61 00 6d 00 65 00 00 00 32 00 33 00 34 00 35 00 4f 00 43 00 52 00 55 00 70 00 64 00 61 00 74 00 65 00 } //01 00
|
|
$a_00_2 = {7b 00 34 00 37 00 46 00 46 00 30 00 44 00 32 00 34 00 2d 00 45 00 30 00 41 00 35 00 2d 00 34 00 31 00 36 00 33 00 2d 00 38 00 35 00 34 00 36 00 2d 00 44 00 45 00 37 00 32 00 31 00 37 00 44 00 32 00 46 00 31 00 34 00 31 00 7d 00 2e 00 32 00 33 00 34 00 35 00 6f 00 63 00 72 00 2e 00 63 00 68 00 65 00 63 00 6b 00 76 00 65 00 72 00 73 00 69 00 6f 00 6e 00 2e 00 64 00 61 00 74 00 61 00 } //01 00 {47FF0D24-E0A5-4163-8546-DE7217D2F141}.2345ocr.checkversion.data
|
|
$a_00_3 = {3a 5c 7a 68 61 6e 6c 75 65 5c 6f 63 72 63 6f 6e 76 65 72 74 65 72 5c 62 69 6e 5c 57 69 6e 33 32 5c 72 65 6c 65 61 73 65 5f 73 74 61 74 69 63 5c 70 64 62 5c 32 33 34 35 4f 43 52 55 70 64 61 74 65 2e 70 64 62 } //00 00 :\zhanlue\ocrconverter\bin\Win32\release_static\pdb\2345OCRUpdate.pdb
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
}
|
|
rule _#PUA_Block_2345Cn_43{
|
|
meta:
|
|
description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 04 00 00 02 00 "
|
|
|
|
strings :
|
|
$a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } //Execute 2345Pinyin MiniPage Task 01 00
|
|
$a_00_1 = {49 00 6e 00 74 00 65 00 72 00 6e 00 61 00 6c 00 4e 00 61 00 6d 00 65 00 00 00 32 00 33 00 34 00 35 00 50 00 64 00 66 00 4c 00 6f 00 61 00 64 00 65 00 72 00 } //01 00
|
|
$a_00_2 = {52 00 43 00 50 00 64 00 66 00 5f 00 4c 00 6f 00 61 00 64 00 65 00 72 00 5f 00 70 00 6c 00 75 00 67 00 69 00 6e 00 5f 00 70 00 64 00 66 00 32 00 78 00 5f 00 7b 00 42 00 32 00 39 00 30 00 45 00 44 00 32 00 34 00 2d 00 31 00 32 00 39 00 35 00 2d 00 34 00 42 00 35 00 35 00 2d 00 41 00 36 00 41 00 37 00 2d 00 35 00 45 00 42 00 44 00 33 00 32 00 31 00 46 00 34 00 37 00 33 00 42 00 7d 00 } //01 00 RCPdf_Loader_plugin_pdf2x_{B290ED24-1295-4B55-A6A7-5EBD321F473B}
|
|
$a_00_3 = {3a 5c 7a 68 61 6e 6c 75 65 5c 70 64 66 63 6f 6e 76 65 72 74 65 72 5c 62 69 6e 5c 57 69 6e 33 32 5c 72 65 6c 65 61 73 65 5f 73 74 61 74 69 63 5c 70 64 62 5c 32 33 34 35 50 64 66 4c 6f 61 64 65 72 2e 70 64 62 } //00 00 :\zhanlue\pdfconverter\bin\Win32\release_static\pdb\2345PdfLoader.pdb
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
}
|
|
rule _#PUA_Block_2345Cn_44{
|
|
meta:
|
|
description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 04 00 00 02 00 "
|
|
|
|
strings :
|
|
$a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } //Execute 2345Pinyin MiniPage Task 01 00
|
|
$a_00_1 = {49 00 6e 00 74 00 65 00 72 00 6e 00 61 00 6c 00 4e 00 61 00 6d 00 65 00 00 00 32 00 33 00 34 00 35 00 50 00 64 00 66 00 55 00 70 00 64 00 61 00 74 00 65 00 } //01 00
|
|
$a_00_2 = {7b 00 34 00 37 00 46 00 46 00 30 00 44 00 32 00 34 00 2d 00 45 00 30 00 41 00 35 00 2d 00 34 00 31 00 36 00 33 00 2d 00 38 00 35 00 34 00 36 00 2d 00 44 00 45 00 37 00 32 00 31 00 37 00 44 00 32 00 46 00 31 00 34 00 31 00 7d 00 2e 00 32 00 33 00 34 00 35 00 70 00 64 00 66 00 63 00 6f 00 6e 00 76 00 65 00 72 00 74 00 65 00 72 00 2e 00 6e 00 65 00 77 00 76 00 65 00 72 00 73 00 69 00 6f 00 6e 00 2e 00 64 00 61 00 74 00 61 00 } //01 00 {47FF0D24-E0A5-4163-8546-DE7217D2F141}.2345pdfconverter.newversion.data
|
|
$a_00_3 = {3a 5c 7a 68 61 6e 6c 75 65 5c 70 64 66 63 6f 6e 76 65 72 74 65 72 5c 62 69 6e 5c 57 69 6e 33 32 5c 72 65 6c 65 61 73 65 5f 73 74 61 74 69 63 5c 70 64 62 5c 32 33 34 35 50 64 66 55 70 64 61 74 65 2e 70 64 62 } //00 00 :\zhanlue\pdfconverter\bin\Win32\release_static\pdb\2345PdfUpdate.pdb
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
}
|
|
rule _#PUA_Block_2345Cn_45{
|
|
meta:
|
|
description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 04 00 00 03 00 "
|
|
|
|
strings :
|
|
$a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } //Execute 2345Pinyin MiniPage Task 02 00
|
|
$a_00_1 = {49 00 6e 00 74 00 65 00 72 00 6e 00 61 00 6c 00 4e 00 61 00 6d 00 65 00 00 00 32 00 33 00 34 00 35 00 52 00 74 00 50 00 72 00 6f 00 74 00 65 00 63 00 74 00 43 00 65 00 6e 00 74 00 65 00 72 00 } //02 00
|
|
$a_00_2 = {5c 00 72 00 68 00 69 00 6e 00 6f 00 5c 00 73 00 61 00 66 00 65 00 5c 00 73 00 72 00 63 00 5c 00 66 00 72 00 61 00 6d 00 65 00 77 00 6f 00 72 00 6b 00 5c 00 73 00 72 00 63 00 5c 00 66 00 72 00 61 00 6d 00 65 00 77 00 6f 00 72 00 6b 00 5c 00 73 00 72 00 63 00 5c 00 75 00 74 00 69 00 6c 00 73 00 5c 00 72 00 63 00 6d 00 6f 00 64 00 75 00 6c 00 65 00 74 00 68 00 72 00 65 00 61 00 64 00 73 00 79 00 6e 00 63 00 2e 00 63 00 70 00 70 00 } //02 00 \rhino\safe\src\framework\src\framework\src\utils\rcmodulethreadsync.cpp
|
|
$a_00_3 = {5c 52 68 69 6e 6f 5c 53 61 66 65 5c 42 69 6e 5c 57 69 6e 33 32 5c 72 65 6c 65 61 73 65 5c 70 64 62 5c 32 33 34 35 52 74 50 72 6f 74 65 63 74 43 65 6e 74 65 72 2e 70 64 62 } //00 00 \Rhino\Safe\Bin\Win32\release\pdb\2345RtProtectCenter.pdb
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
}
|
|
rule _#PUA_Block_2345Cn_46{
|
|
meta:
|
|
description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 04 00 00 03 00 "
|
|
|
|
strings :
|
|
$a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } //Execute 2345Pinyin MiniPage Task 02 00
|
|
$a_00_1 = {49 00 6e 00 74 00 65 00 72 00 6e 00 61 00 6c 00 4e 00 61 00 6d 00 65 00 00 00 32 00 33 00 34 00 35 00 41 00 75 00 74 00 68 00 6f 00 72 00 69 00 74 00 79 00 50 00 72 00 6f 00 74 00 65 00 63 00 74 00 } //02 00
|
|
$a_00_2 = {3a 00 5c 00 72 00 68 00 69 00 6e 00 6f 00 5c 00 73 00 61 00 66 00 65 00 5c 00 73 00 72 00 63 00 5c 00 61 00 75 00 74 00 68 00 6f 00 72 00 69 00 74 00 79 00 70 00 72 00 6f 00 74 00 65 00 63 00 74 00 5c 00 61 00 75 00 74 00 68 00 6f 00 72 00 69 00 74 00 79 00 70 00 72 00 6f 00 74 00 65 00 63 00 74 00 5c 00 72 00 63 00 6d 00 61 00 69 00 6e 00 61 00 70 00 70 00 6c 00 69 00 63 00 61 00 74 00 69 00 6f 00 6e 00 2e 00 63 00 70 00 70 00 } //02 00 :\rhino\safe\src\authorityprotect\authorityprotect\rcmainapplication.cpp
|
|
$a_00_3 = {5c 52 68 69 6e 6f 5c 53 61 66 65 5c 42 69 6e 5c 57 69 6e 33 32 5c 72 65 6c 65 61 73 65 5c 70 64 62 5c 32 33 34 35 41 75 74 68 6f 72 69 74 79 50 72 6f 74 65 63 74 2e 70 64 62 } //00 00 \Rhino\Safe\Bin\Win32\release\pdb\2345AuthorityProtect.pdb
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
}
|
|
rule _#PUA_Block_2345Cn_47{
|
|
meta:
|
|
description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,0d 00 0d 00 05 00 00 08 00 "
|
|
|
|
strings :
|
|
$a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } //Execute 2345Pinyin MiniPage Task 04 00
|
|
$a_02_1 = {50 00 72 00 6f 00 64 00 75 00 63 00 74 00 4e 00 61 00 6d 00 65 00 00 00 00 00 32 00 33 00 34 00 35 00 89 5b 68 51 6b 53 eb 58 90 03 06 0c 0b 4e 7d 8f 68 56 28 57 bf 7e 89 5b c5 88 0b 7a 8f 5e 90 00 } //04 00
|
|
$a_00_2 = {5c 52 68 69 6e 6f 5c 53 61 66 65 5c 49 6e 73 74 61 6c 6c 5c 46 69 6c 65 44 6f 77 6e 5c 62 69 6e 5c 72 65 6c 65 61 73 65 5f 73 74 61 74 69 63 5c 32 33 34 35 53 61 66 65 44 6f 77 6e 6c 6f 61 64 65 72 2e 70 64 62 } //01 00 \Rhino\Safe\Install\FileDown\bin\release_static\2345SafeDownloader.pdb
|
|
$a_00_3 = {52 00 43 00 3a 00 3a 00 52 00 43 00 53 00 61 00 66 00 65 00 44 00 6f 00 77 00 6e 00 6c 00 6f 00 61 00 64 00 3a 00 3a 00 50 00 72 00 65 00 70 00 61 00 72 00 65 00 50 00 6f 00 73 00 74 00 44 00 61 00 74 00 61 00 } //01 00 RC::RCSafeDownload::PreparePostData
|
|
$a_00_4 = {52 00 43 00 3a 00 3a 00 52 00 43 00 53 00 61 00 66 00 65 00 44 00 6f 00 77 00 6e 00 6c 00 6f 00 61 00 64 00 3a 00 3a 00 52 00 65 00 71 00 75 00 69 00 72 00 65 00 57 00 65 00 62 00 44 00 61 00 74 00 61 00 } //00 00 RC::RCSafeDownload::RequireWebData
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
}
|
|
rule _#PUA_Block_2345Cn_48{
|
|
meta:
|
|
description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 04 00 00 02 00 "
|
|
|
|
strings :
|
|
$a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } //Execute 2345Pinyin MiniPage Task 01 00
|
|
$a_00_1 = {49 00 6e 00 74 00 65 00 72 00 6e 00 61 00 6c 00 4e 00 61 00 6d 00 65 00 00 00 32 00 33 00 34 00 35 00 50 00 64 00 66 00 46 00 65 00 65 00 64 00 62 00 61 00 63 00 6b 00 } //01 00
|
|
$a_00_2 = {52 00 43 00 50 00 44 00 46 00 43 00 6f 00 6e 00 76 00 65 00 72 00 74 00 65 00 72 00 5f 00 6d 00 69 00 6e 00 69 00 64 00 75 00 6d 00 70 00 5f 00 67 00 65 00 6e 00 65 00 72 00 61 00 74 00 65 00 5f 00 6d 00 75 00 74 00 65 00 78 00 5f 00 7b 00 33 00 35 00 34 00 44 00 42 00 34 00 33 00 38 00 2d 00 41 00 45 00 32 00 38 00 2d 00 34 00 39 00 33 00 43 00 2d 00 42 00 35 00 45 00 45 00 2d 00 30 00 43 00 30 00 36 00 39 00 32 00 33 00 39 00 33 00 30 00 45 00 36 00 7d 00 } //01 00 RCPDFConverter_minidump_generate_mutex_{354DB438-AE28-493C-B5EE-0C06923930E6}
|
|
$a_00_3 = {3a 5c 7a 68 61 6e 6c 75 65 5c 70 64 66 63 6f 6e 76 65 72 74 65 72 5c 62 69 6e 5c 57 69 6e 33 32 5c 72 65 6c 65 61 73 65 5f 73 74 61 74 69 63 5c 70 64 62 5c 32 33 34 35 50 64 66 46 65 65 64 62 61 63 6b 2e 70 64 62 } //00 00 :\zhanlue\pdfconverter\bin\Win32\release_static\pdb\2345PdfFeedback.pdb
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
}
|
|
rule _#PUA_Block_2345Cn_49{
|
|
meta:
|
|
description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,05 00 05 00 06 00 00 02 00 "
|
|
|
|
strings :
|
|
$a_00_0 = {45 00 78 00 65 00 63 00 75 00 74 00 65 00 20 00 32 00 33 00 34 00 35 00 50 00 69 00 6e 00 79 00 69 00 6e 00 20 00 4d 00 69 00 6e 00 69 00 50 00 61 00 67 00 65 00 20 00 54 00 61 00 73 00 6b 00 } //02 00 Execute 2345Pinyin MiniPage Task
|
|
$a_00_1 = {4f 00 72 00 69 00 67 00 69 00 6e 00 61 00 6c 00 46 00 69 00 6c 00 65 00 6e 00 61 00 6d 00 65 00 00 00 32 00 33 00 34 00 35 00 4d 00 69 00 6e 00 69 00 50 00 61 00 67 00 65 00 2e 00 65 00 78 00 65 00 } //02 00
|
|
$a_00_2 = {4f 00 72 00 69 00 67 00 69 00 6e 00 61 00 6c 00 46 00 69 00 6c 00 65 00 6e 00 61 00 6d 00 65 00 00 00 32 00 33 00 34 00 35 00 42 00 6f 00 6f 00 74 00 41 00 73 00 73 00 69 00 73 00 74 00 61 00 6e 00 74 00 2e 00 65 00 78 00 65 00 } //01 00
|
|
$a_02_3 = {75 00 70 00 64 00 61 00 74 00 65 00 90 02 02 6d 00 69 00 6e 00 69 00 70 00 61 00 67 00 65 00 2e 00 32 00 33 00 34 00 35 00 2e 00 63 00 90 00 } //01 00
|
|
$a_00_4 = {6d 00 69 00 6e 00 69 00 70 00 61 00 67 00 65 00 2e 00 73 00 74 00 61 00 74 00 } //01 00 minipage.stat
|
|
$a_00_5 = {5c 00 32 00 33 00 34 00 35 00 4d 00 69 00 6e 00 69 00 50 00 61 00 67 00 65 00 2e 00 4e 00 65 00 77 00 56 00 65 00 72 00 73 00 69 00 6f 00 6e 00 2e 00 64 00 61 00 74 00 61 00 } //00 00 \2345MiniPage.NewVersion.data
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
}
|
|
rule _#PUA_Block_2345Cn_50{
|
|
meta:
|
|
description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,07 00 07 00 05 00 00 04 00 "
|
|
|
|
strings :
|
|
$a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } //Execute 2345Pinyin MiniPage Task 02 00
|
|
$a_00_1 = {49 00 6e 00 74 00 65 00 72 00 6e 00 61 00 6c 00 4e 00 61 00 6d 00 65 00 00 00 32 00 33 00 34 00 35 00 53 00 46 00 47 00 75 00 61 00 72 00 64 00 } //02 00
|
|
$a_02_2 = {3a 5c 52 68 69 6e 6f 50 72 6f 74 65 63 74 5c 50 75 62 6c 69 73 68 5c 4f 75 74 50 75 74 5c 62 69 6e 5c 57 69 6e 33 32 5c 52 65 6c 65 61 73 65 5c 70 64 62 5c 32 33 34 35 53 46 47 75 61 72 64 90 03 02 00 36 34 2e 70 64 62 90 00 } //01 00
|
|
$a_00_3 = {7b 00 22 00 43 00 72 00 61 00 73 00 68 00 50 00 72 00 6f 00 63 00 65 00 73 00 73 00 43 00 6d 00 64 00 4c 00 69 00 6e 00 65 00 22 00 3a 00 22 00 2f 00 6e 00 6f 00 74 00 69 00 66 00 79 00 5f 00 67 00 75 00 61 00 72 00 64 00 22 00 2c 00 22 00 43 00 72 00 61 00 73 00 68 00 50 00 72 00 6f 00 63 00 65 00 73 00 73 00 50 00 61 00 74 00 68 00 22 00 3a 00 22 00 43 00 3a 00 5c 00 5c 00 32 00 33 00 34 00 35 00 53 00 46 00 47 00 75 00 61 00 72 00 64 00 2e 00 65 00 78 00 65 00 } //01 00 {"CrashProcessCmdLine":"/notify_guard","CrashProcessPath":"C:\\2345SFGuard.exe
|
|
$a_00_4 = {2f 00 6e 00 6f 00 74 00 69 00 66 00 79 00 5f 00 64 00 65 00 73 00 6b 00 5f 00 67 00 75 00 61 00 72 00 64 00 } //00 00 /notify_desk_guard
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
}
|
|
rule _#PUA_Block_2345Cn_51{
|
|
meta:
|
|
description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,07 00 07 00 05 00 00 04 00 "
|
|
|
|
strings :
|
|
$a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } //Execute 2345Pinyin MiniPage Task 02 00
|
|
$a_00_1 = {49 00 6e 00 74 00 65 00 72 00 6e 00 61 00 6c 00 4e 00 61 00 6d 00 65 00 00 00 32 00 33 00 34 00 35 00 50 00 69 00 6e 00 79 00 69 00 6e 00 49 00 6e 00 73 00 74 00 61 00 6c 00 6c 00 } //02 00
|
|
$a_00_2 = {5c 62 69 6e 5c 78 36 34 5c 52 65 6c 65 61 73 65 5c 70 64 62 5c 32 33 34 35 50 69 6e 79 69 6e 49 6e 73 74 61 6c 6c 2e 70 64 62 } //01 00 \bin\x64\Release\pdb\2345PinyinInstall.pdb
|
|
$a_00_3 = {47 00 6c 00 6f 00 62 00 61 00 6c 00 5c 00 32 00 33 00 34 00 35 00 50 00 69 00 6e 00 79 00 69 00 6e 00 53 00 65 00 72 00 76 00 69 00 63 00 65 00 4e 00 6f 00 74 00 69 00 66 00 79 00 4d 00 6f 00 6e 00 69 00 74 00 6f 00 72 00 45 00 76 00 65 00 6e 00 74 00 } //01 00 Global\2345PinyinServiceNotifyMonitorEvent
|
|
$a_00_4 = {7b 00 45 00 34 00 30 00 41 00 37 00 31 00 45 00 36 00 2d 00 35 00 45 00 34 00 38 00 2d 00 34 00 41 00 36 00 36 00 2d 00 38 00 42 00 41 00 31 00 2d 00 35 00 44 00 38 00 43 00 45 00 44 00 37 00 38 00 35 00 35 00 32 00 44 00 7d 00 5f 00 52 00 43 00 49 00 4d 00 5f 00 47 00 4c 00 4f 00 42 00 4c 00 45 00 5f 00 43 00 4f 00 4d 00 4d 00 4f 00 4d 00 5f 00 53 00 45 00 47 00 4d 00 45 00 4e 00 54 00 5f 00 53 00 48 00 41 00 52 00 45 00 44 00 } //00 00 {E40A71E6-5E48-4A66-8BA1-5D8CED78552D}_RCIM_GLOBLE_COMMOM_SEGMENT_SHARED
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
}
|
|
rule _#PUA_Block_2345Cn_52{
|
|
meta:
|
|
description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,07 00 07 00 05 00 00 04 00 "
|
|
|
|
strings :
|
|
$a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } //Execute 2345Pinyin MiniPage Task 02 00
|
|
$a_00_1 = {49 00 6e 00 74 00 65 00 72 00 6e 00 61 00 6c 00 4e 00 61 00 6d 00 65 00 00 00 32 00 33 00 34 00 35 00 50 00 69 00 6e 00 79 00 69 00 6e 00 53 00 6b 00 69 00 6e 00 55 00 74 00 69 00 6c 00 } //02 00
|
|
$a_00_2 = {5c 62 69 6e 5c 57 69 6e 33 32 5c 52 65 6c 65 61 73 65 5c 70 64 62 5c 32 33 34 35 50 69 6e 79 69 6e 53 6b 69 6e 55 74 69 6c 2e 70 64 62 } //01 00 \bin\Win32\Release\pdb\2345PinyinSkinUtil.pdb
|
|
$a_00_3 = {47 00 6c 00 6f 00 62 00 61 00 6c 00 5c 00 32 00 33 00 34 00 35 00 50 00 69 00 6e 00 79 00 69 00 6e 00 53 00 65 00 72 00 76 00 69 00 63 00 65 00 4e 00 6f 00 74 00 69 00 66 00 79 00 4d 00 6f 00 6e 00 69 00 74 00 6f 00 72 00 45 00 76 00 65 00 6e 00 74 00 } //01 00 Global\2345PinyinServiceNotifyMonitorEvent
|
|
$a_00_4 = {7b 00 45 00 34 00 30 00 41 00 37 00 31 00 45 00 36 00 2d 00 35 00 45 00 34 00 38 00 2d 00 34 00 41 00 36 00 36 00 2d 00 38 00 42 00 41 00 31 00 2d 00 35 00 44 00 38 00 43 00 45 00 44 00 37 00 38 00 35 00 35 00 32 00 44 00 7d 00 5f 00 52 00 43 00 49 00 4d 00 5f 00 47 00 4c 00 4f 00 42 00 4c 00 45 00 5f 00 43 00 4f 00 4d 00 4d 00 4f 00 4d 00 5f 00 53 00 45 00 47 00 4d 00 45 00 4e 00 54 00 5f 00 53 00 48 00 41 00 52 00 45 00 44 00 } //00 00 {E40A71E6-5E48-4A66-8BA1-5D8CED78552D}_RCIM_GLOBLE_COMMOM_SEGMENT_SHARED
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
}
|
|
rule _#PUA_Block_2345Cn_53{
|
|
meta:
|
|
description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR,05 00 05 00 05 00 00 02 00 "
|
|
|
|
strings :
|
|
$a_01_0 = {45 00 78 00 65 00 63 00 75 00 74 00 65 00 20 00 32 00 33 00 34 00 35 00 50 00 69 00 6e 00 79 00 69 00 6e 00 20 00 4d 00 69 00 6e 00 69 00 50 00 61 00 67 00 65 00 20 00 54 00 61 00 73 00 6b 00 } //02 00 Execute 2345Pinyin MiniPage Task
|
|
$a_01_1 = {4f 00 72 00 69 00 67 00 69 00 6e 00 61 00 6c 00 46 00 69 00 6c 00 65 00 6e 00 61 00 6d 00 65 00 00 00 48 00 65 00 6c 00 70 00 65 00 72 00 5f 00 32 00 33 00 34 00 35 00 2e 00 65 00 78 00 65 00 } //01 00
|
|
$a_01_2 = {43 6f 6d 6d 6f 6e 50 6c 61 74 66 6f 72 6d 5c 48 65 6c 70 65 72 32 33 34 35 5c 62 69 6e 5c 57 69 6e 33 32 5c 52 65 6c 65 61 73 65 5c 70 64 62 5c 48 65 6c 70 65 72 5f 32 33 34 35 2e 70 64 62 } //01 00 CommonPlatform\Helper2345\bin\Win32\Release\pdb\Helper_2345.pdb
|
|
$a_01_3 = {68 00 65 00 6c 00 70 00 65 00 72 00 5f 00 74 00 72 00 61 00 79 00 5f 00 73 00 74 00 61 00 74 00 69 00 73 00 74 00 69 00 63 00 } //01 00 helper_tray_statistic
|
|
$a_01_4 = {68 00 65 00 6c 00 70 00 65 00 72 00 5f 00 32 00 33 00 34 00 35 00 2e 00 63 00 68 00 69 00 6c 00 64 00 5f 00 70 00 72 00 6f 00 63 00 65 00 73 00 73 00 2e 00 63 00 6f 00 6d 00 6d 00 6f 00 6e 00 } //00 00 helper_2345.child_process.common
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
} |