Change the logic of detection #446
Conversation
Looks good to me, but let's wait for @kevoreilly's review too.

I may be being a n00b here, but are these 'double datas' intended?

Yes, if no r prefix is used.

Why is Data duplicated? I mean

Hello, sorry for the delay. You are right, it's my mistake.

OK, cool, thanks. I'm doing some fixes to general sigs before I leave for PTO, as I just got too many deprecation errors on my server :D

Ah, and I have reintroduced some logic, so we can properly cover it.

Check it now please; if it looks fine to you, then I'm merging it.

I have modified some regex, I don't remember why I use

Thanks, looks fine to me, sorry for the delay.
The signature is only triggered by the NtReadFile API, which requires the file to exist; however, if the browser is not installed on the guest VM, the signature won't be triggered. Most info stealers first check for the file's existence using the PathFileExists API, which internally calls the NtQueryAttributesFile API.

Also, I have added a counter to make the signature fire only if it hits a defined threshold, not in general, to avoid false positives.
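The two points in the description above (hooking the existence check as well as the read, and firing only past a threshold) can be shown end to end on a constructed API log. This is an added example, not the project's signature code: the credential-store path patterns, the call-record layout (`pid`, `api`, `status`, `args["FileName"]`) and the threshold of 3 are assumptions made for the example, and the sample logs are constructed.

```python
import re
from collections import defaultdict

# Path patterns for browser credential stores (assumed for this example;
# the project's own signature keeps its own list of patterns).
CREDENTIAL_FILE_PATTERNS = [
    re.compile(r"\\User Data\\[^\\]+\\Login Data$", re.IGNORECASE),
    re.compile(r"\\User Data\\[^\\]+\\Cookies$", re.IGNORECASE),
    re.compile(r"\\User Data\\[^\\]+\\Web Data$", re.IGNORECASE),
    re.compile(r"\\Profiles\\[^\\]+\\logins\.json$", re.IGNORECASE),
    re.compile(r"\\Profiles\\[^\\]+\\key4\.db$", re.IGNORECASE),
]


def is_credential_store(path):
    """True if the path looks like a browser credential/cookie store."""
    return any(p.search(path) for p in CREDENTIAL_FILE_PATTERNS)


class CredentialStoreProbe:
    """Threshold-based detector over a stream of hooked API calls.

    apinames selects which calls count as a probe. Watching only NtReadFile
    never fires when the file does not exist; adding NtQueryAttributesFile
    (what PathFileExists calls internally) also catches the existence check
    that precedes the read, so the signature works on a guest without browsers.
    """

    def __init__(self, apinames, threshold=3):
        self.apinames = set(apinames)
        self.threshold = threshold
        self.hits = defaultdict(set)  # pid -> distinct credential paths probed

    def on_call(self, call):
        if call["api"] not in self.apinames:
            return
        # "FileName" argument name is an assumption for this example's log layout.
        path = call["args"].get("FileName", "")
        if is_credential_store(path):
            self.hits[call["pid"]].add(path.lower())

    def on_complete(self):
        """Return (matched, details). Fires only when one process has probed at
        least `threshold` distinct credential stores, not on a single touch."""
        details = {pid: sorted(paths) for pid, paths in self.hits.items()
                   if len(paths) >= self.threshold}
        return bool(details), details


def run_detector(calls, apinames, threshold=3):
    det = CredentialStoreProbe(apinames, threshold)
    for c in calls:
        det.on_call(c)
    return det.on_complete()


# Constructed API log: the guest VM has no browsers installed, so every
# existence check fails (status False) and no NtReadFile ever happens.
STEALER_NO_BROWSER = [
    {"pid": 1234, "api": "NtQueryAttributesFile", "status": False,
     "args": {"FileName": r"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Login Data"}},
    {"pid": 1234, "api": "NtQueryAttributesFile", "status": False,
     "args": {"FileName": r"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Cookies"}},
    {"pid": 1234, "api": "NtQueryAttributesFile", "status": False,
     "args": {"FileName": r"C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\abcd.default\logins.json"}},
    {"pid": 1234, "api": "NtQueryAttributesFile", "status": False,
     "args": {"FileName": r"C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\abcd.default\key4.db"}},
]

# Constructed API log: a benign program touches a single profile file; one
# distinct path stays below the threshold, so nothing fires.
BENIGN_ONE_FILE = [
    {"pid": 777, "api": "NtQueryAttributesFile", "status": True,
     "args": {"FileName": r"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Cookies"}},
    {"pid": 777, "api": "NtReadFile", "status": True,
     "args": {"FileName": r"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Cookies"}},
]

OLD_APIS = ("NtReadFile",)                            # previous logic
NEW_APIS = ("NtQueryAttributesFile", "NtReadFile")    # logic from this PR

if __name__ == "__main__":
    print("old logic, no browser installed:", run_detector(STEALER_NO_BROWSER, OLD_APIS)[0])
    print("new logic, no browser installed:", run_detector(STEALER_NO_BROWSER, NEW_APIS)[0])
    print("new logic, benign single file:  ", run_detector(BENIGN_ONE_FILE, NEW_APIS)[0])
```

Keying the counter on distinct paths per process rather than raw call count keeps a program that re-reads the same file in a loop from crossing the threshold, which is the false-positive case the counter is meant to avoid.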