12 lines
519 B
Plaintext
12 lines
519 B
Plaintext
|
|
rule VirTool_WinNT_Rootkitdrv_gen_FS{
|
|
meta:
|
|
description = "VirTool:WinNT/Rootkitdrv.gen!FS,SIGNATURE_TYPE_PEHSTR_EXT,14 00 14 00 02 00 00 0a 00 "
|
|
|
|
strings :
|
|
$a_02_0 = {89 45 fc 83 7d fc 00 0f 8c 90 01 04 83 7d 08 05 0f 85 90 01 04 8b 4d 0c 89 4d f4 c7 45 f8 00 00 00 00 90 00 } //0a 00
|
|
$a_02_1 = {83 7d f4 00 0f 84 90 01 04 8b 55 f4 83 7a 3c 00 0f 84 90 01 04 b9 0c 00 00 00 bf 80 04 01 00 8b 45 f4 8b 70 3c 33 d2 89 55 ec f3 a6 74 08 1b c0 83 d8 ff 89 45 ec 90 00 } //00 00
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
} |