65 lines
1.8 KiB
Text
65 lines
1.8 KiB
Text
|
import "pe"
|
||
|
|
||
|
rule LimaCharlie
|
||
|
{
|
||
|
meta:
|
||
|
copyright = "2015 Novetta Solutions"
|
||
|
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
|
||
|
Source_x86 = "6ee6ae79ee1502a11ece81e971a54f189a271be9ec700101a2bd7a21198b94c7"
|
||
|
Source_x64 = "90ace24eb132c776a6d5bb0451437db21e84601495a2165d75f520af637e71e8"
|
||
|
|
||
|
strings:
|
||
|
$misspelling = "Defualt Sleep = %d" wide
|
||
|
|
||
|
/*
|
||
|
FF 76 74 push dword ptr [esi+74h]
|
||
|
59 pop ecx
|
||
|
50 push eax
|
||
|
8F 86 48 01 00 00 pop dword ptr [esi+148h]
|
||
|
85 C0 test eax, eax
|
||
|
51 push ecx
|
||
|
8F 86 44 01 00 00 pop dword ptr [esi+144h]
|
||
|
75 3D jnz short loc_100035F3
|
||
|
F6 46 56 01 test byte ptr [esi+56h], 1
|
||
|
74 0A jz short loc_100035C6
|
||
|
*/
|
||
|
|
||
|
$x86 = {
|
||
|
FF ?? 74
|
||
|
5?
|
||
|
5?
|
||
|
8F ?? 48 01 00 00
|
||
|
85 C0
|
||
|
5?
|
||
|
8F ?? 44 01 00 00
|
||
|
75 ??
|
||
|
F6 [2] 01
|
||
|
74
|
||
|
}
|
||
|
|
||
|
/*
|
||
|
48 8B 4B 70 mov rcx, [rbx+70h]
|
||
|
48 89 8B 60 01 00 00 mov [rbx+160h], rcx
|
||
|
48 89 83 68 01 00 00 mov [rbx+168h], rax
|
||
|
48 85 C0 test rax, rax
|
||
|
75 35 jnz short loc_180002372
|
||
|
F6 43 56 01 test byte ptr [rbx+56h], 1
|
||
|
74 07 jz short loc_18000234A
|
||
|
*/
|
||
|
|
||
|
$x64 = {
|
||
|
48 [2] 70
|
||
|
48 [2] 60 01 00 00
|
||
|
48 [2] 68 01 00 00
|
||
|
48 85 C0
|
||
|
75 ??
|
||
|
F6 [2] 01
|
||
|
74
|
||
|
}
|
||
|
|
||
|
condition:
|
||
|
$x86 in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
|
||
|
or $x64 in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
|
||
|
or $misspelling
|
||
|
|
||
|
}
|