RED PILL 🔴 💊
import "pe"
rule RomeoJuliettMikeTwo
{
    // Novetta Threat Research rule (2015) for the sample(s) listed in `Source`.
    // Three hex signatures each carry the disassembly they were lifted from in
    // the block above them. The wildcards (`??`, `[n]`, `[a-b]`) blank out the
    // bytes that vary between builds -- stack/branch displacements, register
    // choice, absolute import addresses -- so the rule keys on the instruction
    // skeleton rather than on one exact build.
    meta:
        copyright = "2015 Novetta Solutions"
        author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
        // Two 64-hex-digit values joined by "_" (SHA-256 length); presumably the
        // sample hashes the signatures were derived from -- confirm with the source.
        Source = "819722ba1c5b9d0b360c54cbdd3811d0cac1a9230720b3ed4815f78bcacb3653_d1ba9ba2987f59d99ce4bf09393c0521c4d1f2961c5aeed4e0bf86e78303d27c"

    strings:
        /*
        81 7C 24 24 33 27 00 00 cmp [esp+1Ch+dwBytesToRead], 2733h
        75 7F jnz short loc_10002B74
        8D 54 24 14 lea edx, [esp+1Ch+var_8]
        52 push edx ; Time
        FF 15 5C 11 02 10 call ds:time
        8B 44 24 14 mov eax, [esp+20h+var_C]
        83 C4 04 add esp, 4
        8B C8 mov ecx, eax
        40 inc eax
        83 F9 64 cmp ecx, 64h
        */
        // Receive routine: a stack dword is compared against 0x2733, then time()
        // is called and a counter compared against 0x64. `[3]` after 81 / 8D / 8B
        // skips the ModRM+SIB+disp8 bytes, `75 ??` the jnz displacement, and
        // `FF 15 [4]` the 4-byte absolute import address (relocation-dependent).
        // Note that `5?` spans 0x50-0x5F (push AND pop r32) and `4?` spans
        // 0x40-0x4F (inc AND dec r32), so the match is slightly wider than the
        // listed instructions.
        $recvFunc = { 81 [3] 33 27 00 00 75 ?? 8D [3] 5? FF 15 [4] 8B [3] 83 ?? 04 8B ?? 4? 83 ?? 64 }

        /*
        E8 74 31 00 00 call GetStringByIndex
        8B 7C 24 14 mov edi, [esp+0Ch+dwFuncIndex]
        8B F0 mov esi, eax
        57 push edi ; index
        E8 68 31 00 00 call GetStringByIndex
        83 C4 08 add esp, 8
        85 F6 test esi, esi
        74 21 jz short loc_10001040
        85 C0 test eax, eax
        74 1D jz short loc_10001040
        56 push esi ; lpLibFileName
        FF 15 2C 10 02 10 call ds:LoadLibraryA
        57 push edi ; index
        8B F0 mov esi, eax
        E8 4E 31 00 00 call GetStringByIndex
        83 C4 04 add esp, 4
        50 push eax ; lpProcName
        56 push esi ; hModule
        FF 15 5C 10 02 10 call ds:GetProcAddress
        */
        // Dynamic API resolution: a library name and a procedure name are both
        // obtained through GetStringByIndex (index-addressed string lookup per the
        // disassembly labels -- whether the table is encoded is not shown here),
        // then passed to LoadLibraryA and GetProcAddress. `E8 [4]` wildcards the
        // rel32 call targets; the stack adjustments `83 C4 08` / `83 C4 04` and
        // `85 C0` / `74 ??` (test eax; jz) are kept as the fixed skeleton.
        $apiLoader = { E8 [4] 8B [3] 8B ?? 5? E8 [4] 83 C4 08 85 ?? 74 ?? 85 C0 74 ?? 5? FF 15 [4] 5? 8B ?? E8 [4] 83 C4 04 5? 5? FF 15 }

        /*
        68 B8 0B 00 00 push 0BB8h ; dwMilliseconds
        FF 15 18 10 02 10 call ds:Sleep
        6A 01 push 1 ; dwTimeout
        8D 4C 24 10 lea ecx, [esp+4C0h+peerEntries]
        68 B0 04 00 00 push 4B0h ; dwBytesToRead
        51 push ecx ; pvRecvBuffer
        8B CE mov ecx, esi ; this
        C7 44 24 14 B0 04 00 00 mov [esp+4C8h+Memory], 4B0h
        E8 25 F4 FF FF call CClientConnection__RecvData
        83 F8 FF cmp eax, 0FFFFFFFFh
        */
        // Peer-list receive (name taken from the `peerEntries` local in the
        // listing): Sleep(0xBB8 = 3000 ms), then CClientConnection__RecvData with
        // a 0x4B0 (1200) byte buffer, result compared against -1. `[0-4]` after
        // `6A 01` lets the 4-byte lea move or disappear; `8B ?? [1-4] B0 04 00 00`
        // is `mov ecx, <reg>` followed by the opcode/ModRM/disp prefix of the
        // `mov [esp+...], 4B0h`, with only the immediate pinned.
        $recvPeers = { 68 B8 0B 00 00 FF 15 [4] 6A 01 [0-4] 68 B0 04 00 00 51 8B ?? [1-4] B0 04 00 00 E8 [4] 83 F8 FF }

        // Log-file name format. YARA text strings are case-sensitive by default
        // and have no `%` escape, so `%%` matches two consecutive percent
        // characters; if the binary stores single-`%` printf specifiers this
        // string will not fire -- confirm against the sample.
        $logFileName = "KBD_%%s_%%02d%%02d%%02d%%02d%%02d.CAT"

    condition:
        // Any one code signature must start inside the raw (file-offset) extent
        // of the `.text` section; the file-name literal may appear anywhere.
        // YARA ranges are inclusive, so a match starting at offset+size (the byte
        // just past the section) is also accepted. If there is no `.text`
        // section, pe.section_index is undefined, the three range terms evaluate
        // as false, and only $logFileName can fire. There is no PE or filesize
        // guard, so $logFileName alone will also match non-PE data (dumps, logs)
        // that contains the literal.
        $recvFunc in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
        or $apiLoader in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
        or $recvPeers in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
        or $logFileName
}