16 lines
1.5 KiB
Plaintext
16 lines
1.5 KiB
Plaintext
|
|
rule VirTool_WinNT_Rootkitdrv_BW{
|
|
meta:
|
|
description = "VirTool:WinNT/Rootkitdrv.BW,SIGNATURE_TYPE_PEHSTR_EXT,1f 00 1f 00 06 00 00 0a 00 "
|
|
|
|
strings :
|
|
$a_00_0 = {4b 65 54 69 63 6b 43 6f 75 6e 74 } //0a 00
|
|
$a_00_1 = {5c 63 72 61 7a 79 5c 73 6f 75 72 63 65 73 5c 63 68 6d 6f 64 5c 6f 62 6a 63 68 6b 5f 77 78 70 5f 78 38 36 5c 69 33 38 36 5c 77 } //0a 00
|
|
$a_02_2 = {c1 e8 08 33 02 25 ff ff 00 00 a3 04 1e 01 00 75 90 01 01 8b c1 a3 90 01 04 f7 d0 90 00 } //01 00
|
|
$a_00_3 = {5c 00 44 00 65 00 76 00 69 00 63 00 65 00 5c 00 48 00 61 00 72 00 64 00 64 00 69 00 73 00 6b 00 56 00 6f 00 6c 00 75 00 6d 00 65 00 31 00 5c 00 50 00 72 00 6f 00 67 00 72 00 61 00 6d 00 20 00 46 00 69 00 6c 00 65 00 73 00 5c 00 53 00 63 00 70 00 61 00 64 00 5c 00 2e 00 64 00 6c 00 6c 00 } //01 00
|
|
$a_00_4 = {5c 00 44 00 65 00 76 00 69 00 63 00 65 00 5c 00 48 00 61 00 72 00 64 00 64 00 69 00 73 00 6b 00 56 00 6f 00 6c 00 75 00 6d 00 65 00 31 00 5c 00 41 00 72 00 71 00 75 00 69 00 76 00 6f 00 73 00 20 00 64 00 65 00 20 00 50 00 72 00 6f 00 67 00 72 00 61 00 6d 00 61 00 73 00 5c 00 53 00 63 00 70 00 61 00 64 00 5c 00 2e 00 64 00 6c 00 6c 00 } //01 00
|
|
$a_00_5 = {5c 00 44 00 65 00 76 00 69 00 63 00 65 00 5c 00 48 00 61 00 72 00 64 00 64 00 69 00 73 00 6b 00 56 00 6f 00 6c 00 75 00 6d 00 65 00 31 00 5c 00 41 00 72 00 71 00 75 00 69 00 76 00 6f 00 73 00 20 00 64 00 65 00 20 00 50 00 72 00 6f 00 67 00 72 00 61 00 6d 00 61 00 73 00 5c 00 47 00 62 00 50 00 6c 00 75 00 67 00 69 00 6e 00 5c 00 2e 00 67 00 70 00 63 00 } //00 00
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
} |