DefenderYara/Exploit/Win64/Ropero/Exploit_Win64_Ropero_A.yar


// Detection rule transcribed from the Microsoft Defender signature
// Exploit:Win64/Ropero.A (PEHSTR_EXT type, per the meta description below).
// It keys on a Win64 sample that stages a ROP chain in the registry and then
// loads a vulnerable driver; the weighted condition at the bottom needs all
// three strings to fire.
rule Exploit_Win64_Ropero_A{
meta:
description = "Exploit:Win64/Ropero.A,SIGNATURE_TYPE_PEHSTR_EXT,0c 00 0c 00 03 00 00 "
strings :
// x64 code fragment (weight 10): two `48 b8` (mov rax, imm64) instructions whose
// immediates spell "INTELSEC" and "URITYGRP" ("INTELSECURITYGRP" split across
// two loads), with the start of a `48 89` (mov r/m64, r64) store between them.
// NOTE(review): the `90 01 05` and trailing `90 00` look like Defender's own
// pattern markers (a 5-byte skip and an end-of-pattern marker) rather than
// literal bytes to match; a native YARA port would express the skip as a jump
// such as [5] — confirm against the repo's encoding notes before relying on
// this string as written.
$a_03_0 = {48 b8 49 4e 54 45 4c 53 45 43 48 89 90 01 05 48 b8 55 52 49 54 59 47 52 50 90 00 } //10
// Plain ASCII status message (weight 1). The misspelling "reigsty" is what the
// sample's bytes contain and must not be "corrected".
$a_00_1 = {52 4f 50 20 77 61 73 20 77 72 69 74 74 65 6e 20 74 6f 20 72 65 69 67 73 74 79 20 6e 6f 77 20 6c 6f 61 64 20 76 75 6c 6e 65 72 61 62 6c 65 20 64 72 69 76 65 72 } //1 ROP was written to reigsty now load vulnerable driver
// Plain ASCII error message (weight 1), written when the registry staging fails.
$a_00_2 = {75 6e 61 62 6c 65 20 74 6f 20 77 72 69 74 65 20 52 4f 50 20 74 6f 20 72 65 67 69 73 74 72 79 2c 20 65 72 72 6f 72 3a 20 } //1 unable to write ROP to registry, error:
condition:
// Weighted score: 10 + 1 + 1 = 12 against a threshold of 12, so every string
// must contribute. Note that `#x & 1` is the low bit of the match count — it
// is 1 only for an odd number of occurrences, not a plain presence flag — so a
// string that occurs an even number of times contributes 0; presumably the
// transcription intends "present at least once" (`$x`), verify if porting.
((#a_03_0 & 1)*10+(#a_00_1 & 1)*1+(#a_00_2 & 1)*1) >=12
}