DefenderYara/Backdoor/WinNT/PcClient/Backdoor_WinNT_PcClient.yar


// Backdoor:WinNT/PcClient -- kernel-mode component of the PcClient backdoor.
// Machine-converted from a Microsoft Defender SIGNATURE_TYPE_PEHSTR_EXT
// signature (see meta.description). The hex header copied into the
// description is the original signature's parameter block: 0x18 = 24 is the
// number of strings ($a_..0 through $a_..23 below); the leading 0e 00 / 0c 00
// fields presumably encode the weighted-score thresholds -- TODO confirm
// against the converter's documentation. The trailing "//NN NN" comment on
// each string carries that string's per-match weight from the original
// signature (little-endian 16-bit); "ce ff" presumably reads as a negative
// weight (-50), i.e. those strings lowered the score in the original -- verify.
rule Backdoor_WinNT_PcClient{
meta:
description = "Backdoor:WinNT/PcClient,SIGNATURE_TYPE_PEHSTR_EXT,0e 00 0c 00 18 00 00 03 00 "
strings :
// x86 sequence: cli / mov eax,cr0 / and eax,0FFFEFFFFh / mov cr0,eax.
// Clears the CR0.WP (write-protect, bit 16) flag -- the classic prelude to
// patching read-only kernel structures such as the SSDT.
$a_00_0 = {fa 0f 20 c0 25 ff ff fe ff 0f 22 c0 } //03 00
// NOTE(review): the $a_02_* and $a_03_* strings contain 90 01 NN / 90 02 NN /
// 90 00 byte runs. In Defender's signature encoding these are presumably
// wildcard markers (fixed-length / up-to-length gap / end of pattern), not
// literal bytes. As written, YARA matches them literally, so these strings
// are unlikely to ever fire on real code; they would need to be rewritten
// with YARA jumps ([n], [0-n]) to recover the original intent -- confirm
// the encoding against the converter before doing so.
$a_02_1 = {68 44 64 6b 20 68 90 01 02 00 00 6a 01 ff 15 90 00 } //02 00
$a_02_2 = {81 ea 18 00 61 25 74 90 01 01 83 ea 08 74 90 01 01 83 ea 04 90 00 } //04 00
// Variants of the CR0.WP clear followed by loads through a table pointer
// (8b 41 01 / 8b 42 01 / 8b 48 01 = mov reg,[reg+1]) -- consistent with the
// SSDT-patching pattern, though the exact target is not visible here.
$a_02_3 = {25 ff ff fe ff 0f 22 c0 8b 41 01 8b 90 01 03 01 00 8b 90 01 01 c7 04 81 90 01 02 01 00 8b 90 00 } //05 00
$a_02_4 = {25 ff ff fe ff 0f 22 c0 8b 15 90 01 02 01 00 8b 42 01 8b 0d 90 01 02 01 00 8b 11 c7 04 90 00 } //05 00
$a_02_5 = {25 ff ff fe ff 0f 22 c0 a1 90 01 02 01 00 8b 48 01 8b 15 90 01 02 01 00 8b 02 8b 15 90 00 } //05 00
$a_02_6 = {fa 0f 20 c0 25 ff ff fe ff 0f 22 c0 90 02 08 01 00 8b 90 01 01 01 8b 90 02 10 c7 90 01 04 01 00 90 00 } //04 00
$a_02_7 = {01 00 8b 40 01 8b 0d 90 01 02 01 00 8b 09 8b 04 81 a3 90 01 02 01 00 a1 90 01 02 01 00 8b 40 01 8b 0d 90 01 02 01 00 8b 09 8b 04 81 a3 90 01 02 01 00 fa 90 00 } //02 00
// Epilogue of the same routine: mov [eax+ecx*4],edx (89 14 88 / 81 / 82,
// i.e. a table slot write), then mov eax,cr0 / or eax,10000h / mov cr0,eax /
// sti -- restores CR0.WP and re-enables interrupts after the patch.
$a_00_8 = {01 00 89 14 88 0f 20 c0 0d 00 00 01 00 0f 22 c0 fb } //02 00
$a_00_9 = {01 00 89 14 81 0f 20 c0 0d 00 00 01 00 0f 22 c0 fb } //02 00
$a_00_10 = {01 00 89 14 82 0f 20 c0 0d 00 00 01 00 0f 22 c0 fb } //03 00
// Stack-built strings assembled byte by byte (6a 5c = push '\', 6a 53 =
// push 'S'; c6 45 xx NN = mov byte ptr [ebp+xx],NN writing '\','R','E').
// Likely the start of an object/registry path -- inferred, not visible.
$a_00_11 = {f3 ab 6a 5c 66 ab 5f 6a 53 5e 66 89 } //03 00
$a_00_12 = {cb c6 45 9c 5c c6 45 9d 52 c6 45 9e 45 } //03 00
$a_00_13 = {66 ab aa c6 45 4c 5c c6 45 4d 52 c6 45 4e 45 } //01 00
// Build-environment path fragments (likely leftover debug/PDB paths).
$a_00_14 = {44 3a 5c 53 6f 66 74 5c 53 6d 72 5c } //01 00 D:\Soft\Smr\
$a_00_15 = {5c 70 63 68 69 64 65 5c } //01 00 \pchide\
// Three "%s%s%s" format strings, NUL-padded -- used to compose paths/keys.
$a_00_16 = {25 73 25 73 25 73 00 00 25 73 25 73 25 73 00 00 25 73 25 73 25 73 } //03 00
// "ENUM\ROOT" and "SERVICES" followed (after a wildcard gap, see note on
// 90 02 above) by the "%s%s%s" formats -- registry key fragments that
// presumably target the service/enum hives used to hide a driver entry.
$a_03_17 = {45 4e 55 4d 5c 52 4f 4f 54 00 00 00 53 45 52 56 49 43 45 53 90 02 05 25 73 25 73 25 73 00 00 25 73 25 73 25 73 90 00 } //01 00
// Imported kernel symbols. KeServiceDescriptorTable is the SSDT base and
// ties the CR0.WP sequences above to syscall-table hooking.
$a_01_18 = {4b 65 53 65 72 76 69 63 65 44 65 73 63 72 69 70 74 6f 72 54 61 62 6c 65 } //01 00 KeServiceDescriptorTable
// PsGetCurrentProcessId is imported by a large share of benign drivers; on
// its own it carries no signal (weight 01 00 in the original).
$a_01_19 = {50 73 47 65 74 43 75 72 72 65 6e 74 50 72 6f 63 65 73 73 49 64 } //01 00 PsGetCurrentProcessId
// The following three strings carry weight "ce ff" -- presumably negative.
// If so, in the original signature their presence reduced the score (an
// exclusion for a look-alike driver); under "any of" below they instead
// trigger the rule, which is the opposite of the intent -- confirm.
$a_01_20 = {5a 77 51 75 65 72 79 44 69 72 65 63 74 6f 72 79 46 69 6c 65 } //ce ff ZwQueryDirectoryFile
$a_01_21 = {6b 64 65 66 65 6e 73 65 } //ce ff kdefense
$a_00_22 = {5c 70 72 75 65 62 61 5c 6d 69 70 72 75 65 62 61 5c 42 69 6e 5c } //ce ff \prueba\miprueba\Bin\
// UTF-16LE driver display name; the "Portector" misspelling is in the
// sample itself. Weight 00 00 -- contributed nothing to the original score.
$a_00_23 = {41 00 63 00 74 00 69 00 76 00 65 00 58 00 20 00 50 00 6f 00 72 00 74 00 65 00 63 00 74 00 6f 00 72 00 20 00 44 00 72 00 69 00 76 00 65 00 72 00 } //00 00 ActiveX Portector Driver
condition:
// NOTE(review): "any of" is much looser than the weighted threshold the
// original signature used. A single hit on $a_01_19 (PsGetCurrentProcessId)
// or on one of the "ce ff" strings is enough to fire, so expect false
// positives on ordinary drivers if this is used for blocking. Treat it as a
// hunting/triage rule, or tighten it -- e.g. require one of the CR0.WP
// sequences ($a_00_0, $a_00_8..10) together with $a_01_18 or $a_03_17 --
// once the threshold fields in meta.description have been decoded.
any of ($a_*)
}