16 lines
541 B
Text
16 lines
541 B
Text
|
rule obfuscation_singlebyte_mov : feature obfuscation
|
||
|
{
|
||
|
meta:
|
||
|
author = "Andreas Schuster"
|
||
|
description = "Detects strings obfuscated by single-byte mov ex: mov [ebp+String+1], A"
|
||
|
//Check also:
|
||
|
//https://insights.sei.cmu.edu/sei_blog/2012/11/writing-effective-yara-signatures-to-identify-malware.html
|
||
|
|
||
|
strings:
|
||
|
$singleb_mov = { c6 45 [2] c6 45 [2] c6 45 [2] c6 45}
|
||
|
|
||
|
condition:
|
||
|
//Contains all of the strings
|
||
|
all of them
|
||
|
}
|