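// Flags PE files whose header region carries both the ".vmp0" and ".vmp1"
// section names, which VMProtect uses by default for the sections it adds.
// A match identifies the packer only; legitimate software ships VMProtect-packed
// too, so treat a hit as triage context rather than a verdict.
// Limits: samples whose sections were renamed, or whose section table extends
// past offset 0x300, will not match.
rule vmprotect {
    meta:
        description = "VMProtect packed file"

        // NOTE(review): custom keys, presumably read by the consuming scanner as
        // "report only, take no action" -- confirm against that engine.
        block = false
        quarantine = false

    strings:
        // ".vmp0" and ".vmp1", each NUL-padded to the 8-byte width of a PE
        // section-name field so that longer names sharing the prefix do not match.
        $vmp0 = {2E766D7030000000}
        $vmp1 = {2E766D7031000000}

    condition:
        // "MZ" magic at offset 0, tested as a little-endian 16-bit read instead of
        // a 2-byte string: same result as `$mz at 0`, without adding a two-byte
        // pattern that occurs throughout most files to the string search.
        uint16(0) == 0x5A4D and
        // Both names must sit in the window where the section table normally is.
        $vmp0 in (0x100..0x300) and
        $vmp1 in (0x100..0x300)
}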