import "pe"
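// IndiaEcho: matches the config-record copy sequence seen in the referenced
// sample. From the listing below, each record is 0x128 bytes and the records
// are copied from offset 0x108 of an allocated buffer (memset + memcpy, then
// edi is advanced by count * 0x128 + 0x108). Registers, ebp displacements and
// relative call targets are wildcarded so the pattern survives relinking and
// minor register-allocation differences between builds.
rule IndiaEcho
{
    meta:
        copyright = "2015 Novetta Solutions"
        author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
        description = "IndiaEcho config record copy routine (memset/memcpy with 0x128-byte records) in .text"
        // 64 hex digits; presumably the SHA-256 of the sample the bytes below were lifted from.
        // Key name kept as-is so existing consumers that read "Source" keep working.
        Source = "66a21f8c72bb4f314604526e9bf1736f75b06cf37dd3077eb292941b476c3235"

    strings:
        /*
        69 C0 28 01 00 00       imul    eax, 128h
        50                      push    eax             ; size_t
        53                      push    ebx             ; int
        FF B5 AC FD FF FF       push    [ebp+configRecords]; void *
        E8 6E 08 00 00          call    _memset
        8B 85 A4 FC FF FF       mov     eax, [ebp+var_35C.dwRecordCnt]
        69 C0 28 01 00 00       imul    eax, 128h
        50                      push    eax             ; size_t
        8B 85 C4 FE FF FF       mov     eax, [ebp+hMem]
        05 08 01 00 00          add     eax, 108h
        50                      push    eax             ; void *
        FF B5 AC FD FF FF       push    [ebp+configRecords]; void *
        E8 0A 05 00 00          call    _memcpy
        83 C4 18                add     esp, 18h
        8B BD A4 FC FF FF       mov     edi, [ebp+var_35C.dwRecordCnt]
        69 FF 28 01 00 00       imul    edi, 128h
        81 C7 08 01 00 00       add     edi, 108h
        */

        // Wildcard notes (outside the hex string for compatibility with older YARA):
        //  - "69 ?? 28 01 00 00": imul r32, 128h with any ModRM (register choice varies).
        //  - "5?": YARA cannot express 50-57 alone, so this also admits pop r32 (58-5F);
        //    the listing shows push eax / push ebx. The surrounding bytes keep this tight.
        //  - "FF B5 [4]" / "8B [5]" / "FF [5]": ebp-relative operands with any disp32.
        //  - "E8 [4]": relative call to memset / memcpy, target differs per build.
        //  - "(05 08 01 00 00 | 03 ??)" and "(81 C7 08 01 00 00 | 03 ??)": the compiler
        //    may emit add r32, imm32 or add r32, r/m32 for the +108h adjustment.
        //  - "83 C4 ??": add esp, imm8 — stack cleanup size is not pinned.
        $a = {
            69 ?? 28 01 00 00
            5?
            5?
            FF B5 [4]
            E8 [4]
            8B [5]
            69 ?? 28 01 00 00
            50
            8B [5]
            (05 08 01 00 00 | 03 ??)
            50
            FF [5]
            E8 [4]
            83 C4 ??
            8B [5]
            69 ?? 28 01 00 00
            (81 C7 08 01 00 00 | 03 ??)
        }

    condition:
        // Restrict the match to the raw bytes of the .text section so that the
        // pattern cannot fire on data, resources or overlay content. The explicit
        // section check makes a non-PE file, or a PE with no .text section, fail
        // closed instead of relying on an undefined section index propagating
        // through the range expression.
        pe.section_index(".text") >= 0 and
        $a in (
            pe.sections[pe.section_index(".text")].raw_data_offset ..
            pe.sections[pe.section_index(".text")].raw_data_offset +
            pe.sections[pe.section_index(".text")].raw_data_size
        )
}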