// Detection for the CRASHOVERRIDE v1 config-file parsing routine.
// Matching is driven by four short x86 code fragments that must ALL be present
// in a file starting with an MZ header; the meta block records the reference
// sample and the public write-up the rule was derived from.
rule crashoverride_configReader
{
    meta:
        description = "CRASHOVERRIDE v1 Config File Parsing"
        author = "Dragos Inc"
        sha256 = "7907dd95c1d36cf3dc842a1bd804f0db511a0f68f4b3d382c23a3c974a383cad"
        reference = "https://troopers.de/downloads/troopers18/TR18_DM_Mind-The-Gap.pdf"

    strings:
        // Read as 32-bit x86: push imm32 / push 0 / call rel32 / mov edi, eax / add esp, imm8.
        // Only the low bytes of the immediate and of the call displacement are pinned;
        // the nibble wildcard in "?8" tolerates different stack-cleanup sizes (0x08, 0x18, ...).
        $s0 = { 68 e8 ?? ?? ?? 6a 00 e8 a3 ?? ?? ?? 8b f8 83 c4 ?8 }

        // mov dl, [eax] / cmp dl, [ecx] / jne / test dl, dl / je +0x12.
        // Looks like an inlined byte-by-byte string comparison loop; this shape is a
        // common compiler idiom, so on its own it is not specific to this malware.
        $s1 = { 8a 10 3a 11 75 ?? 84 d2 74 12 }

        // xor eax, eax / jmp short / sbb eax, eax / or eax, imm8.
        // Typical compiler epilogue producing a signed three-way compare result;
        // like $s1, generic by itself and relied on only in combination.
        $s2 = { 33 c0 eb ?? 1b c0 83 c8 ?? }

        // test eax, eax / jne / lea edx, [ebp + disp32] / mov ecx, edi / ?? ??.
        // The stack-frame displacement and the two trailing bytes are wildcarded.
        $s3 = { 85 c0 75 ?? 8d 95 ?? ?? ?? ?? 8b cf ?? ?? }

    condition:
        // MZ magic at offset 0 is the only file-type gate (no full PE validation and
        // no filesize bound). The specificity of the rule comes from requiring every
        // fragment together, since $s1 and $s2 are ordinary compiler-generated code.
        uint16(0) == 0x5a4d and
        $s0 and $s1 and $s2 and $s3
}