14 lines
630 B
Plaintext
14 lines
630 B
Plaintext
|
|
rule VirTool_WinNT_Rootkitdrv_OM_bit{
|
|
meta:
|
|
description = "VirTool:WinNT/Rootkitdrv.OM!bit,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 04 00 00 01 00 "
|
|
|
|
strings :
|
|
$a_01_0 = {83 f8 48 75 7a 48 8b 44 24 28 0f b6 40 01 3d 8d 00 00 00 75 6a 48 8b 44 24 28 0f b6 40 02 83 f8 0d 75 5c 48 8b 44 24 28 0f b6 40 07 83 f8 48 75 4e 48 8b 44 24 28 0f b6 40 08 3d 8b 00 00 00 75 3e 48 8b 44 24 28 0f b6 40 09 3d d7 00 00 00 } //01 00
|
|
$a_01_1 = {6d 73 76 63 64 6c 78 33 32 2e 64 61 74 } //01 00
|
|
$a_01_2 = {62 63 74 6c 69 73 74 2e 64 61 74 } //01 00
|
|
$a_01_3 = {66 6b 5f 64 72 76 2e 70 64 62 } //00 00
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
} |