15 lines
1.0 KiB
Plaintext
15 lines
1.0 KiB
Plaintext
|
|
rule Backdoor_Win32_PcClient_ZP{
|
|
meta:
|
|
description = "Backdoor:Win32/PcClient.ZP,SIGNATURE_TYPE_PEHSTR_EXT,0e 00 0d 00 05 00 00 "
|
|
|
|
strings :
|
|
$a_03_0 = {b2 25 b1 30 b0 64 b3 32 c6 ?? 24 1c 5b 88 ?? 24 1d 88 ?? 24 1e c6 ?? 24 1f 34 88 ?? 24 20 c6 ?? 24 21 2d 88 ?? 24 22 88 ?? 24 23 88 ?? 24 24 88 ?? 24 25 c6 ?? 24 26 2d 88 ?? 24 27 88 ?? 24 28 88 ?? 24 29 88 ?? 24 2a c6 ?? 24 2b 20 88 ?? 24 2c 88 ?? 24 2d 88 ?? 24 2e 88 ?? 24 2f c6 ?? 24 30 3a 88 ?? 24 31 88 ?? 24 32 88 ?? 24 33 88 ?? 24 34 c6 ?? 24 35 3a 88 ?? 24 36 88 ?? 24 37 88 ?? 24 38 88 ?? 24 39 c6 ?? 24 3a 5d ff d6 } //10
|
|
$a_00_1 = {47 65 74 4b 65 79 62 6f 61 72 64 53 74 61 74 65 } //1 GetKeyboardState
|
|
$a_00_2 = {43 61 6c 6c 4e 65 78 74 48 6f 6f 6b 45 78 } //1 CallNextHookEx
|
|
$a_00_3 = {53 65 74 50 72 6f 63 65 73 73 57 69 6e 64 6f 77 53 74 61 74 69 6f 6e } //1 SetProcessWindowStation
|
|
$a_00_4 = {47 65 74 57 69 6e 64 6f 77 54 65 78 74 41 } //1 GetWindowTextA
|
|
condition:
|
|
((#a_03_0 & 1)*10+(#a_00_1 & 1)*1+(#a_00_2 & 1)*1+(#a_00_3 & 1)*1+(#a_00_4 & 1)*1) >=13
|
|
|
|
} |