DefenderYara/Exploit/Win32/ShellCode/Exploit_Win32_ShellCode_AD.yar


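rule Exploit_Win32_ShellCode_AD
{
    // Converted Microsoft Defender signature. PEHSTR_EXT = byte-pattern set
    // scanned over PE files; the trailing numbers in the description carry the
    // original threshold (03) and pattern count (03), so every pattern must hit.
    meta:
        description = "Exploit:Win32/ShellCode.AD,SIGNATURE_TYPE_PEHSTR_EXT,03 00 03 00 03 00 00 "
    strings:
        // "wini" / "net." / "dll\0" as consecutive 32-bit immediates, each
        // preceded by c7 (mov r/m32, imm32) and a 0-3 byte gap for the operand
        // encoding: "wininet.dll" assembled on the stack rather than stored as
        // a literal, so a plain string search would miss it.
        $a_03_0 = {77 69 6e 69 c7 [0-03] 6e 65 74 2e c7 [0-03] 64 6c 6c 00 } //1
        // Little-endian constant 0x0726774C shortly before a call (e8). This is
        // the widely published ROR13 API hash for kernel32!LoadLibraryA used by
        // position-independent shellcode resolvers.
        $a_03_1 = {4c 77 26 07 [0-04] e8 } //1
        // mov ecx, 0xE553A458 (published hash commonly used for VirtualAlloc),
        // mov ebx, eax, resolver call, then push 0x40 / 0x1000 / 0x100000 / 0
        // and call eax, i.e. VirtualAlloc(NULL, 0x100000, MEM_COMMIT,
        // PAGE_EXECUTE_READWRITE): an RWX staging buffer.
        $a_03_2 = {b9 58 a4 53 e5 8b d8 e8 ?? ?? ?? ?? 6a 40 68 00 10 00 00 68 00 00 10 00 33 f6 56 ff d0 } //1
    condition:
        // Threshold 3 of 3. The generated form "(#a & 1)*1" tests whether the
        // occurrence count is odd, so a pattern present an even number of times
        // was silently dropped from the sum; the weight denotes presence.
        all of them
}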
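rule Exploit_Win32_ShellCode_AD_2
{
    // Converted Microsoft Defender signature (PEHSTR_EXT, PE files). The
    // description encodes threshold 04 out of 05 patterns.
    meta:
        description = "Exploit:Win32/ShellCode.AD,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 05 00 00 "
    strings:
        // Fixed call sequence: mov [esp+24h],ebp; call [esp+48h];
        // mov eax,[esp+14h]; push 40h; push 3000h; inc eax; push eax; push edi;
        // push -1; call [esp+34h]. The pushed arguments are consistent with
        // VirtualAllocEx(-1 /* current process */, edi, size,
        // MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE) via a stack-held
        // function pointer.
        $a_01_0 = {89 6c 24 24 ff 54 24 48 8b 44 24 14 6a 40 68 00 30 00 00 40 50 57 6a ff ff 54 24 34 } //1
        // "wini" / "net." / "dll\0" built with successive mov imm32 (c7):
        // stack-constructed "wininet.dll".
        $a_03_1 = {77 69 6e 69 c7 [0-03] 6e 65 74 2e c7 [0-03] 64 6c 6c 00 } //1
        // "powe" / "rshe" / "ll -" built the same way: stack-constructed
        // "powershell -" command-line prefix.
        $a_03_2 = {70 6f 77 65 c7 [0-03] 72 73 68 65 c7 [0-03] 6c 6c 20 2d } //1
        // Constant 0xA779563A followed within 12 bytes by a call; matches the
        // published ROR13 hash used for wininet!InternetOpenA.
        $a_03_3 = {3a 56 79 a7 [0-0c] e8 } //1
        // Constant 0x0726774C before a call: published hash for
        // kernel32!LoadLibraryA.
        $a_03_4 = {4c 77 26 07 [0-04] e8 } //1
    condition:
        // Threshold 4 of 5. Replaces the generated "(#a & 1)*1" sum, which
        // counted a pattern only when its occurrence count was odd.
        4 of them
}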
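rule Exploit_Win32_ShellCode_AD_3
{
    // Converted Microsoft Defender signature (PEHSTR_EXT, PE files). The
    // description encodes threshold 04 out of 05 patterns. Unlike the sibling
    // rules this variant keys on [esp+disp8] stack-string stores and on a
    // XAML class name, so it targets a specific dropper rather than the bare
    // API-hash stub.
    meta:
        description = "Exploit:Win32/ShellCode.AD,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 05 00 00 "
    strings:
        // ".dll" then mov [esp+X],al; mov dword [esp+Y],"wini": start of a
        // stack-built "wininet.dll" (store order differs from the c7 [0-03]
        // form in the sibling rules).
        $a_03_0 = {2e 64 6c 6c 88 44 24 ?? c7 44 24 ?? 77 69 6e 69 } //1
        // "l.dl" then mov word [esp+X],"l\0", a further mov, then "http":
        // tail of "…l.dll" followed by the start of an "http" string.
        $a_03_1 = {6c 2e 64 6c 66 c7 44 24 ?? 6c 00 c7 [0-06] 68 74 74 70 c7 } //1
        // "net." then mov [esp+X],"dll\0"; mov [esp+Y],"http": the middle of
        // the same stack-string sequence.
        $a_03_2 = {6e 65 74 2e c7 44 24 ?? 64 6c 6c 00 c7 44 24 ?? 68 74 74 70 } //1
        // mov ecx, 0xA779563A (published hash used for wininet!InternetOpenA),
        // call, then mov ecx, 0xF07A8777 (next hash in the resolver chain).
        $a_03_3 = {b9 3a 56 79 a7 e8 ?? ?? ?? ?? b9 77 87 7a f0 } //1
        // ASCII XAML attribute naming the WPF application class.
        $a_01_4 = {78 3a 43 6c 61 73 73 3d 22 65 73 69 6c 76 65 72 2e 41 70 70 22 } //1 x:Class="esilver.App"
    condition:
        // Threshold 4 of 5. Replaces the generated "(#a & 1)*1" sum, which
        // counted a pattern only when its occurrence count was odd.
        4 of them
}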
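rule Exploit_Win32_ShellCode_AD_4
{
    // Converted Microsoft Defender signature. ARHSTR_EXT = the same pattern
    // type as PEHSTR_EXT but applied to archive contents, so this rule
    // duplicates the patterns of Exploit_Win32_ShellCode_AD_2 minus the
    // LoadLibraryA hash. The description encodes threshold 04 of 04.
    meta:
        description = "Exploit:Win32/ShellCode.AD,SIGNATURE_TYPE_ARHSTR_EXT,04 00 04 00 04 00 00 "
    strings:
        // mov [esp+24h],ebp; call [esp+48h]; mov eax,[esp+14h]; push 40h;
        // push 3000h; inc eax; push eax; push edi; push -1; call [esp+34h].
        // Argument order is consistent with VirtualAllocEx(-1, edi, size,
        // MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE).
        $a_01_0 = {89 6c 24 24 ff 54 24 48 8b 44 24 14 6a 40 68 00 30 00 00 40 50 57 6a ff ff 54 24 34 } //1
        // Stack-constructed "wininet.dll" via successive mov imm32 (c7).
        $a_03_1 = {77 69 6e 69 c7 [0-03] 6e 65 74 2e c7 [0-03] 64 6c 6c 00 } //1
        // Stack-constructed "powershell -" via successive mov imm32 (c7).
        $a_03_2 = {70 6f 77 65 c7 [0-03] 72 73 68 65 c7 [0-03] 6c 6c 20 2d } //1
        // Constant 0xA779563A within 12 bytes of a call: published ROR13 hash
        // used for wininet!InternetOpenA.
        $a_03_3 = {3a 56 79 a7 [0-0c] e8 } //1
    condition:
        // Threshold 4 of 4. Replaces the generated "(#a & 1)*1" sum, which
        // counted a pattern only when its occurrence count was odd.
        all of them
}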