
// Microsoft Defender signature Exploit:Win32/Ceilscour.B!dha, expressed as a YARA rule.
// The meta description carries the original PEHSTR_EXT header bytes: the 0e (14) matches
// the 14 strings below, and the two 05 values appear to correspond to the >=5 score
// threshold in the condition (assumption from the header layout — confirm against the
// converter).
//
// Each $a_01_N string is a literal ASCII byte sequence (type 01); the trailing "//N" on
// each line is its score weight, followed by the decoded text. The indicators are log /
// error messages, function-style names and a PDB path left in the binary, so the rule
// keys on the sample's own diagnostics rather than on code bytes: a rebuilt or
// string-stripped variant will not match, and because the condition has no PE header or
// filesize guard, any file type that contains enough of these messages (e.g. a report
// or log quoting them) can match in YARA even though the Defender engine scopes PEHSTR
// signatures to PE files.
//
// Condition: each string's hit count is clamped to 0/1 with (#x & 1), multiplied by its
// weight, and the rule fires when the weighted sum reaches 5.
rule Exploit_Win32_Ceilscour_B_dha{
meta:
description = "Exploit:Win32/Ceilscour.B!dha,SIGNATURE_TYPE_PEHSTR_EXT,05 00 05 00 0e 00 00 "
strings :
$a_01_0 = {66 61 69 6c 65 64 20 74 6f 20 67 65 74 20 62 69 67 20 70 6f 6f 6c 20 69 6e 66 6f 20 2d 20 25 78 } //1 failed to get big pool info - %x
$a_01_1 = {6c 65 61 6b 5f 62 69 67 70 6f 6f 6c } //1 leak_bigpool
$a_01_2 = {65 72 72 6f 72 3a 20 64 75 70 6c 69 63 61 74 65 20 69 6e 20 62 69 67 20 70 6f 6f 6c } //1 error: duplicate in big pool
$a_01_3 = {66 61 69 6c 65 64 20 74 6f 20 67 65 74 20 6d 6f 64 75 6c 65 73 20 69 6e 66 6f 20 2d 20 25 78 } //1 failed to get modules info - %x
$a_01_4 = {6c 65 61 6b 5f 6b 65 72 6e 65 6c 5f 6d 6f 64 75 6c 65 73 } //1 leak_kernel_modules
$a_01_5 = {66 61 69 6c 65 64 20 74 6f 20 67 65 74 20 69 6e 66 6f 20 66 6f 72 20 64 65 73 69 72 65 64 20 6d 6f 64 75 6c 65 20 2d 20 25 73 2c 20 6c 69 73 74 20 61 6c 6c 3a } //1 failed to get info for desired module - %s, list all:
$a_01_6 = {46 6f 75 6e 64 20 63 6f 64 65 20 28 25 73 29 20 66 6f 72 20 70 61 74 74 65 72 6e } //1 Found code (%s) for pattern
$a_01_7 = {70 61 74 74 65 72 6e 3a 3a 73 65 61 72 63 68 5f 70 61 74 74 65 72 6e 5f 69 6e 5f 73 65 63 74 69 6f 6e } //1 pattern::search_pattern_in_section
$a_01_8 = {66 61 69 6c 65 64 20 74 6f 20 67 65 74 20 73 79 73 74 65 6d 20 64 69 72 } //1 failed to get system dir
// The two strings below carry weight 2; every other string carries weight 1.
$a_01_9 = {62 6c 66 3a 3a 63 72 65 61 74 65 5f 63 6f 6e 74 61 69 6e 65 72 } //2 blf::create_container
$a_01_10 = {66 61 69 6c 65 64 20 74 6f 20 63 72 65 61 74 65 20 62 61 73 65 6c 6f 67 20 72 65 63 6f 72 64 } //2 failed to create baselog record
$a_01_11 = {70 61 74 63 68 5f 64 73 74 20 76 61 6c 75 65 20 2d 20 25 70 } //1 patch_dst value - %p
$a_01_12 = {70 61 74 63 68 5f 73 72 63 20 76 61 6c 75 65 20 2d 20 25 70 } //1 patch_src value - %p
// Build-artifact path (PDB) embedded in the sample; the most fragile indicator here,
// since it changes with any rebuild from a different path.
$a_01_13 = {5c 31 32 33 5c 78 36 34 5c 52 65 6c 65 61 73 65 5c 65 78 70 6c 6f 69 74 2e 70 64 62 } //1 \123\x64\Release\exploit.pdb
condition:
// Weighted sum of clamped hit counts: 12 strings x1 + 2 strings x2 = 16 maximum; fires at >= 5.
((#a_01_0 & 1)*1+(#a_01_1 & 1)*1+(#a_01_2 & 1)*1+(#a_01_3 & 1)*1+(#a_01_4 & 1)*1+(#a_01_5 & 1)*1+(#a_01_6 & 1)*1+(#a_01_7 & 1)*1+(#a_01_8 & 1)*1+(#a_01_9 & 1)*2+(#a_01_10 & 1)*2+(#a_01_11 & 1)*1+(#a_01_12 & 1)*1+(#a_01_13 & 1)*1) >=5
}