DefenderYara/VirTool/WinNT/Wspipe/VirTool_WinNT_Wspipe_A.yar


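/*
 * VirTool:WinNT/Wspipe.A -- mechanical conversion of a Defender
 * SIGNATURE_TYPE_PEHSTR_EXT signature into YARA.
 *
 * What this rule fixes relative to the raw dump:
 *   The `_02_` strings still carried Defender's pattern escapes as literal
 *   bytes.  Every `ff 15 90 01 02 01 00` sits where a `call dword ptr [imm32]`
 *   needs a 4-byte address, and every other absolute address in these
 *   patterns has the form `xx xx 01 00` (14 1f 01 00, 10 1f 01 00,
 *   dc 13 01 00, ...), so `90 01 02` reads as "skip 2 bytes" (the low half of
 *   the address) rather than as code.  Likewise `$a_02_3` ended in
 *   `c2 08 00 90 00` -- a `ret 8` followed by two bytes that cannot be part of
 *   the function -- so `90 00` reads as the pattern terminator.  The `_00_`
 *   strings (plain UTF-16 GUIDs) contain neither escape.  As literals these
 *   bytes would never occur in a real image, so the original YARA could not
 *   match; below, `90 01 02` is written as `?? ??` and the trailing `90 00`
 *   is dropped.  Everything else is byte-for-byte the Defender pattern.
 *
 * Caveat on the condition: the Defender header kept in meta.description
 * (`1b 00 15 00 06 00 00 06 00`) encodes the string count (06) and what
 * appear to be per-string weights with a score threshold (the `//NN 00`
 * comments on each string are the weights from the dump; the exact header
 * layout is not documented here).  `any of ($a_*)` does not reproduce that
 * scoring: a single hit on one of the lowercase GUID strings is enough to
 * fire.  Treat hits as hunting leads and confirm with the code patterns.
 */
rule VirTool_WinNT_Wspipe_A
{
    meta:
        description = "VirTool:WinNT/Wspipe.A,SIGNATURE_TYPE_PEHSTR_EXT,1b 00 15 00 06 00 00 06 00 "

    strings:
        // Three variants of the same 32-bit routine.  Each opens with
        //   68 44 64 6b 20   push 206B6444h   ; ASCII "Ddk " (read little-endian)
        //   68 00 08 00 00   push 800h
        //   6a 01            push 1
        //   ff 15 ?? ?? 01 00 call dword ptr [0001xxxxh]
        // which looks like a tagged kernel pool allocation (tag "Ddk ",
        // 0x800 bytes) -- API identity inferred from the argument shape, not
        // visible here.  It then walks a list anchored at 0x00011F10 via
        //   8b 35 14 1f 01 00 / 3b f7 / ... / 8b 76 04 / eb e7
        // (load head, compare, advance through [esi+4], loop) -- presumably a
        // LIST_ENTRY traversal; confirm against a sample.
        $a_02_0 = {68 44 64 6b 20 68 00 08 00 00 6a 01 ff 15 ?? ?? 01 00 8b d8 85 db 74 5d 56 57 53 ff 75 0c ff 75 08 e8 85 fc ff ff 53 ff 15 ?? ?? 01 00 8b 35 14 1f 01 00 59 bf 10 1f 01 00 3b f7 74 19 ff 76 fc 53 ff 15 ?? ?? 01 00 59 85 c0 59 75 05 8b 76 04 eb e7 c6 45 ff 01 53 } //06 00
        // Variant: result kept in edi (8b f8 / 85 ff), flag in bl (32 db ... b3 01),
        // one argument pushed as a literal zero (6a 00).
        $a_02_1 = {68 44 64 6b 20 68 00 08 00 00 6a 01 32 db ff 15 ?? ?? 01 00 8b f8 85 ff 74 59 55 56 57 6a 00 ff 74 24 1c e8 98 fd ff ff 57 ff 15 ?? ?? 01 00 8b 35 14 1f 01 00 59 bd 10 1f 01 00 3b f5 74 17 ff 76 fc 57 ff 15 ?? ?? 01 00 59 85 c0 59 75 05 8b 76 04 eb e7 b3 01 57 } //06 00
        // Variant: both arguments forwarded from the stack (ff 74 24 1c twice).
        $a_02_2 = {68 44 64 6b 20 68 00 08 00 00 6a 01 32 db ff 15 ?? ?? 01 00 8b f8 85 ff 74 5b 55 56 57 ff 74 24 1c ff 74 24 1c e8 12 fd ff ff 57 ff 15 ?? ?? 01 00 8b 35 14 1f 01 00 59 bd 10 1f 01 00 3b f5 74 17 ff 76 fc 57 ff 15 ?? ?? 01 00 59 85 c0 59 75 05 8b 76 04 eb e7 b3 01 57 } //06 00
        // Tail of a second routine: calls through ebx (ff d3) loaded from
        // 0x000113DC, walks a second list anchored at 0x00011F20, tests a byte
        // flag at 0x00011480 (80 3d 80 14 01 00 00), and returns with
        // `leave; ret 8` (c9 c2 08 00) -- i.e. a two-argument stdcall-style
        // function.  The absolute data addresses tie this to one specific
        // build; a relinked sample will not match these strings.
        $a_02_3 = {50 ff 75 08 e8 f6 fe ff ff 8d 45 80 50 e8 6b ff ff ff 8b 1d dc 13 01 00 8d 45 80 50 8d 45 c0 50 ff d3 59 85 c0 59 74 30 8b 35 24 1f 01 00 bf 20 1f 01 00 3b f7 74 21 ff 76 fc 8d 45 c0 50 ff d3 59 85 c0 59 74 05 8b 76 04 eb e8 80 3d 80 14 01 00 00 74 04 33 c0 eb 0c ff 75 0c ff 75 08 ff 15 ?? ?? 01 00 5f 5e 5b c9 c2 08 00 } //03 00
        // UTF-16LE GUID strings, identical to the original hex dumps
        // (7b 00 62 00 36 00 ... / 7b 00 30 00 39 00 ...).  Matched
        // case-sensitively, exactly as the hex form was; an uppercase
        // rendering of the same GUID would not hit.  Their meaning (interface,
        // device or registry key) is not established by this file.
        $a_00_4 = "{b63bff8c-2e25-4ccc-9a01-68807f567aa7}" wide //03 00
        $a_00_5 = "{09e76a33-92ea-407e-a05a-fbf3833bc492}" wide //00 00

    condition:
        // Kept as in the dump; see the header comment for why this is weaker
        // than the Defender scoring it was converted from.
        any of ($a_*)
}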