14 lines
597 B
Plaintext
14 lines
597 B
Plaintext
|
|
rule Exploit_Win32_SquirlFinish_B_dha{
|
|
meta:
|
|
description = "Exploit:Win32/SquirlFinish.B!dha,SIGNATURE_TYPE_PEHSTR_EXT,03 00 03 00 04 00 00 "
|
|
|
|
strings :
|
|
$a_01_0 = {75 3f 3f 48 8b 5c 24 30 48 8b 6c 24 38 48 8b 74 24 40 48 8b 7c 24 48 48 83 c4 20 41 3f 3f c3 } //1
|
|
$a_01_1 = {48 63 43 28 48 03 f8 48 63 43 2c 48 03 f0 83 c5 ff } //1
|
|
$a_01_2 = {48 63 43 28 48 03 f8 48 63 43 2c 48 03 f0 ff cd } //1
|
|
$a_01_3 = {48 8b c4 48 89 58 08 48 89 68 10 48 89 70 18 48 89 78 20 41 3f 3f 48 83 ec 20 } //1
|
|
condition:
|
|
((#a_01_0 & 1)*1+(#a_01_1 & 1)*1+(#a_01_2 & 1)*1+(#a_01_3 & 1)*1) >=3
|
|
|
|
} |