private rule RSharedStrings : Surtr Family {
    meta:
        description = "identifiers for remote and gmremote"
        author = "Katie Kleemola"
        last_updated = "07-21-2014"

    strings:
        // UTF-16 tokens that, per the description, are common to both stage-2
        // variants (remote.dll and GmRemote).
        $shared1 = "nView_DiskLoydb" wide
        $shared2 = "nView_KeyLoydb" wide
        $shared3 = "nView_skins" wide
        $shared4 = "UsbLoydb" wide
        // Format-string fragment; GmRemoteStrings carries a more specific
        // form of it ("%sBurn\\workdll.tmp").
        $shared5 = "%sBurn%s" wide
        // NOTE(review): only four characters and unanchored, so this token is
        // generic on its own. It is acceptable here only because this rule is
        // private and the public rules AND it with a variant-specific string set.
        $shared6 = "soul" wide

    condition:
        // A single shared token is enough; specificity comes from the variant rules.
        1 of ($shared*)
}
private rule RemoteStrings : Remote Variant Surtr Family {
    meta:
        description = "indicators for remote.dll - surtr stage 2"
        author = "Katie Kleemola"
        last_updated = "07-21-2014"

    strings:
        // ASCII names bracketed by NUL bytes, so e.g. "Remote.dll" is matched as a
        // whole NUL-terminated string rather than as a substring of a longer name.
        $r1 = "\x00Remote.dll\x00"
        $r2 = "\x00CGm_PlugBase::"
        $r3 = "\x00ServiceMain\x00_K_H_K_UH\x00"
        // UTF-16 marker; the \x00 bytes are widened along with the rest of the text.
        $r4 = "\x00_Remote_\x00" wide

    condition:
        // Any one remote.dll-specific indicator qualifies this variant.
        1 of ($r*)
}
private rule GmRemoteStrings : GmRemote Variant Family Surtr {
    meta:
        description = "identifiers for gmremote: surtr stage 2"
        author = "Katie Kleemola"
        last_updated = "07-21-2014"

    strings:
        // Module name, NUL-bracketed so it must appear as a complete string.
        $g1 = "\x00x86_GmRemote.dll\x00"
        // Looks like a source path left in the binary by the build -- a strong
        // indicator if present, but trivially stripped by the author.
        $g2 = "\x00D:\\Project\\GTProject\\Public\\List\\ListManager.cpp\x00"
        // Gm*Point names, each NUL-bracketed.
        $g3 = "\x00GmShutPoint\x00"
        $g4 = "\x00GmRecvPoint\x00"
        $g5 = "\x00GmInitPoint\x00"
        $g6 = "\x00GmVerPoint\x00"
        $g7 = "\x00GmNumPoint\x00"
        // UTF-16 markers; the second is the variant-specific form of the
        // "%sBurn%s" fragment used in RSharedStrings.
        $g8 = "_Gt_Remote_" wide
        $g9 = "%sBurn\\workdll.tmp" wide

    condition:
        // Any one GmRemote-specific indicator qualifies this variant.
        1 of ($g*)
}
/*
 * A file matches one of the public rules below only if it carries an
 * identifier shared across Surtr stage-2 payloads (RSharedStrings) AND an
 * identifier unique to one variant (RemoteStrings or GmRemoteStrings).
 */
rule GmRemote : Family Surtr Variant GmRemote {
    meta:
        description = "identifier for gmremote"
        author = "Katie Kleemola"
        last_updated = "07-25-2014"

    condition:
        // Both private rules use "any of", so one hit on each side suffices.
        // The shared side includes short tokens (e.g. "soul"), so most of the
        // specificity of this rule comes from the GmRemote-only strings.
        GmRemoteStrings and RSharedStrings
}
rule Remote : Family Surtr Variant Remote {
    meta:
        description = "identifier for remote"
        author = "Katie Kleemola"
        last_updated = "07-25-2014"

    condition:
        // Both private rules use "any of", so one hit on each side suffices.
        // The shared side includes short tokens (e.g. "soul"), so most of the
        // specificity of this rule comes from the remote.dll-only strings.
        RemoteStrings and RSharedStrings
}