Sneed-Reactivity/yara-mikesxrs/unknown/undocumentedFPUAtEntryPoint.yar
Sam Sneed 08e8d462fe OMG ISTG PLS WORK
RED PILL 🔴 💊
2024-07-25 12:43:35 -05:00


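// Flags files whose code at the entry point begins with one of the two-byte
// x87 FPU opcode encodings below, which the rule name describes as undocumented.
rule undocumentedFPUAtEntryPoint {
    strings:
        $fpu1 = {D9 D8}
        $fpu2 = {DF DF}
        $fpu3 = {DF D8}
        $fpu4 = {DC D9}
        $fpu5 = {DF DA}
        $fpu6 = {DF CB}
    condition:
        // Any pattern exactly at the entry point, or $fpu2 starting at an
        // offset from entrypoint through entrypoint + 10.
        // The bare `entrypoint` variable is deprecated in YARA; the PE
        // module's pe.entrypoint is its replacement.
        (for any of ($fpu*) : ($ at entrypoint)) or $fpu2 in (entrypoint..entrypoint + 10)
}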