Sneed-Reactivity/yara-mikesxrs/nex/shellcode.yar

import "pe"

rule shellcode
{
    meta:
        author = "nex"
        description = "Matched shellcode byte patterns"
        modified = "Glenn Edwards (@hiddenillusion)"
    strings:
        $s0 = { 64 8b 64 }
        $s1 = { 64 a1 30 }
        $s2 = { 64 8b 15 30 }
        $s3 = { 64 8b 35 30 }
        $s4 = { 55 8b ec 83 c4 }
        $s5 = { 55 8b ec 81 ec }
        $s6 = { 55 8b ec e8 }
        $s7 = { 55 8b ec e9 }
    condition:
        for any of ($s*) : ($ at pe.entry_point)    
}
OMG ISTG PLS WORK RED PILL :red_circle: :pill: 2024-07-25 12:43:35 -05:00			`import "pe"`

			`rule shellcode`
			`{`
			`meta:`
			`author = "nex"`
			`description = "Matched shellcode byte patterns"`
			`modified = "Glenn Edwards (@hiddenillusion)"`
			`strings:`
			`$s0 = { 64 8b 64 }`
			`$s1 = { 64 a1 30 }`
			`$s2 = { 64 8b 15 30 }`
			`$s3 = { 64 8b 35 30 }`
			`$s4 = { 55 8b ec 83 c4 }`
			`$s5 = { 55 8b ec 81 ec }`
			`$s6 = { 55 8b ec e8 }`
			`$s7 = { 55 8b ec e9 }`
			`condition:`
			`for any of ($s*) : ($ at pe.entry_point)`
			`}`