import "pe"
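rule UniformAlfa
{
    meta:
        copyright = "2015 Novetta Solutions"
        author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
        Source = "a24377681cf56c712e544af01ac8a5dbaa81d16851a17a147bbf5132890d7437"
        description = "x86 code idiom that stops a service via ControlService(..., 1 /* SERVICE_CONTROL_STOP */, ...), checks dwCurrentState == 1 (SERVICE_STOPPED) and then calls DeleteService; matched only inside the .text section"

    strings:
        /*
        Reference disassembly from the sample named in meta.Source.
        Left column: raw bytes; right column: what the pattern keeps.

        8D 44 24 10        lea eax, [esp+2Ch+ServiceStatus]             -> 8D [3]        (lea r32, [esp+disp8]; any register)
        50                 push eax          ; lpServiceStatus           -> push r32      (50-53, 55-57)
        6A 01              push 1            ; dwControl = STOP          -> 6A 01         (kept literal: the control code is the signal)
        56                 push esi          ; hService                  -> push r32
        FF D3              call ebx          ; ControlService            -> FF D0-D3/D5-D7 (call r32 through a cached import)
        83 7C 24 14 01     cmp [esp+2Ch+ServiceStatus.dwCurrentState], 1 -> 83 [3] 01     (SERVICE_STOPPED)
        75 EF              jnz short loc_4010A5                          -> 75 ??         (loop back until stopped)
        56                 push esi          ; hService                  -> push r32
        FF 15 08 70 40 00  call ds:DeleteService                         -> FF 15         (call [imm32]; IAT address not kept)

        The previous form used bare nibble wildcards (5? and FF D?) for the
        register-dependent bytes. Those also accept POP r32 (58-5F) and the
        far-call encoding FF D8-DF, which are not part of this idiom, so the
        alternatives below enumerate only the PUSH r32 / CALL r32 encodings.
        PUSH ESP (54) and CALL ESP (FF D4) are excluded because neither is a
        plausible handle/pointer operand here.
        */
        $stopDeleteService = {
            8D [3]
            ( 50 | 51 | 52 | 53 | 55 | 56 | 57 )
            6A 01
            ( 50 | 51 | 52 | 53 | 55 | 56 | 57 )
            FF ( D0 | D1 | D2 | D3 | D5 | D6 | D7 )
            83 [3] 01
            75 ??
            ( 50 | 51 | 52 | 53 | 55 | 56 | 57 )
            FF 15
        }

    condition:
        // Explicit PE guard so the pe module lookups below are never evaluated on
        // non-PE input (they would be undefined and therefore false anyway, but the
        // cheap magic check short-circuits first).
        uint16(0) == 0x5A4D and
        // A PE without a ".text" section cannot satisfy the range below; guarding
        // makes that explicit rather than relying on an undefined/negative index
        // silently evaluating to false.
        pe.section_index(".text") >= 0 and
        $stopDeleteService in (
            pe.sections[pe.section_index(".text")].raw_data_offset ..
            pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size
        )
}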