DefenderYara/Exploit/Win32/Spectre/Exploit_Win32_Spectre_A.yar


// Detection for PE binaries that look like Spectre/Meltdown proof-of-concept
// builds. The rule is a mechanical conversion of a Microsoft Defender
// PEHSTR_EXT signature: every string carries a weight (the number after "//"),
// the condition adds the weights of the strings that are present (each counted
// at most once through "& 1") and fires at a total of 1110 or more. Any single
// 1111-weight string is therefore sufficient by itself; the 1000/100/10-weight
// code patterns have to combine to reach the threshold.
//
// The trailing bytes in meta.description appear to be the signature header:
// 0x0456 = 1110 matches the threshold used in the condition and 0x13 = 19
// matches the number of strings ($a_*_0 .. $a_*_18) — presumably, confirm
// against the converter.
// NOTE(review): the meta block has no author/date/reference fields; add them
// when the provenance of the converted signature is known.
rule Exploit_Win32_Spectre_A{
meta:
description = "Exploit:Win32/Spectre.A,SIGNATURE_TYPE_PEHSTR_EXT,56 04 56 04 13 00 00 "
strings :
// $a_00_*: literal byte strings (text shown decoded after the weight).
// $a_01_*: fixed code byte patterns.
// $a_03_*: code patterns with wildcards (??) and jumps ([n-m]).
// NOTE(review): YARA jump bounds are decimal; "[0-2d]" and "[0-20]" below look
// like hex bounds carried over from the Defender signature (0x2d = 45,
// 0x20 = 32) and may not compile as written — confirm the converter's intent
// before deploying this rule.
$a_00_0 = {6d 61 6c 69 63 69 6f 75 73 5f 78 20 3d 20 25 70 } //1111 "malicious_x = %p" (printf-style format string)
$a_00_1 = {53 71 75 65 61 6d 69 73 68 20 4f 73 73 69 66 72 61 67 65 } //1 "Squeamish Ossifrage" (weight 1: practically no contribution to the score)
$a_00_2 = {49 6e 2d 53 70 65 63 74 72 65 5f 6d 65 6c 74 64 6f 77 6e 00 } //1111 "In-Spectre_meltdown" + NUL (the original comment was this text mis-decoded as UTF-16)
$a_00_3 = {6d 65 6c 74 64 6f 77 6e 2d 70 6f 63 2e 70 64 62 } //1111 "meltdown-poc.pdb" (debug-symbol file name)
$a_00_4 = {5c 4d 65 6c 74 64 6f 77 6e 2e 70 64 62 00 } //10 "\Meltdown.pdb" + NUL (PDB path fragment)
$a_00_5 = {5c 4d 65 6c 74 64 6f 77 6e 2d 50 6f 43 2d 57 69 } //1111 "\Meltdown-PoC-Wi" (PDB/project path fragment, truncated)
$a_00_6 = {5c 6d 5c 6d 32 5c 78 36 34 5c 44 65 62 75 67 5c 68 65 6c 6c 6f 2e 70 64 62 00 } //1111 "\m\m2\x64\Debug\hello.pdb" + NUL (full PDB path of one known build)
$a_00_7 = {30 78 25 30 32 78 3a 20 67 75 65 73 73 3a 20 30 78 25 30 32 78 2c 20 72 65 61 6c 3a 30 78 25 30 32 78 } //1000 "0x%02x: guess: 0x%02x, real:0x%02x" (output format string comparing a leaked byte with the true value)
$a_03_8 = {ab aa aa 2a [0-02] f7 ?? ?? ?? c1 ?? 1f } //100 imm32 0x2aaaaaab, then f7 (mul/imul) and c1 ..,1f (shift by 31): looks like compiler magic-constant division, typically by 3 or 6 — low-value on its own
$a_03_9 = {48 33 c0 0f [0-20] 0f ae 3f 49 81 fa 19 04 00 00 } //1000 xor rax,rax ... clflush [rdi]; cmp r10, 0x419 (x64 cache-flush loop with a fixed bound)
$a_03_10 = {0f 01 f9 4c [0-2d] 0f 01 f9 } //100 rdtscp ... rdtscp (paired timestamp reads; x64 REX-prefixed code in between)
$a_03_11 = {0f 01 f9 8b [0-2d] 0f 01 f9 } //100 rdtscp ... rdtscp (paired timestamp reads; mov in between)
$a_03_12 = {0f 01 f9 89 [0-2d] 0f 01 f9 } //100 rdtscp ... rdtscp (paired timestamp reads; mov in between)
$a_03_13 = {0f ae f0 0f 31 [0-2d] 0f ae f0 0f 31 } //100 mfence; rdtsc ... mfence; rdtsc (serialised timing of the code in between)
$a_03_14 = {0f ae 38 83 45 ?? 01 } //10 clflush [eax]; add dword [ebp+disp8], 1 (32-bit flush loop)
$a_01_15 = {48 0f ae 39 48 8d } //10 clflush [rcx] with REX.W; lea (x64 flush loop)
$a_01_16 = {0f ae 38 05 00 } //10 clflush [eax]; add eax, imm32 (32-bit flush loop)
$a_01_17 = {66 66 66 0f 1f 84 00 00 00 00 00 } //10 multi-byte NOP (compiler alignment padding; weak indicator)
$a_03_18 = {81 7d e8 ff 00 00 00 7e ?? 8b 45 ?? 8b 14 85 ?? ?? 40 00 8b 45 ?? 8b 04 85 ?? ?? 40 00 01 c0 83 c0 05 39 c2 7d } //10 cmp dword [ebp-0x18], 0xff; jle ...; two dword table loads from 0x0040xxxx indexed by eax*4; add eax,eax; add eax,5; cmp edx,eax; jge — looks like a 32-bit loop over 256 candidate values comparing two timing/score tables (unrelocated image base 0x00400000)
condition:
// Weighted sum over the strings above; see the header comment for how the
// 1110 threshold relates to the weights.
((#a_00_0 & 1)*1111+(#a_00_1 & 1)*1+(#a_00_2 & 1)*1111+(#a_00_3 & 1)*1111+(#a_00_4 & 1)*10+(#a_00_5 & 1)*1111+(#a_00_6 & 1)*1111+(#a_00_7 & 1)*1000+(#a_03_8 & 1)*100+(#a_03_9 & 1)*1000+(#a_03_10 & 1)*100+(#a_03_11 & 1)*100+(#a_03_12 & 1)*100+(#a_03_13 & 1)*100+(#a_03_14 & 1)*10+(#a_01_15 & 1)*10+(#a_01_16 & 1)*10+(#a_01_17 & 1)*10+(#a_03_18 & 1)*10) >=1110
}