12 lines
354 B
Plaintext
12 lines
354 B
Plaintext
|
|
rule Exploit_Win64_Revsell_A{
|
|
meta:
|
|
description = "Exploit:Win64/Revsell.A,SIGNATURE_TYPE_PEHSTR_EXT,02 00 02 00 02 00 00 "
|
|
|
|
strings :
|
|
$a_01_0 = {63 6d 00 00 64 2e 65 00 78 00 00 00 65 00 00 00 25 73 25 73 } //1
|
|
$a_01_1 = {48 8d 05 8e 9e 01 00 48 89 44 24 70 0f b6 05 86 a8 01 00 } //1
|
|
condition:
|
|
((#a_01_0 & 1)*1+(#a_01_1 & 1)*1) >=2
|
|
|
|
} |