/*
 * VmInstructions
 *
 * Eighteen byte-pattern signatures ($i0-$i17) for 32-bit x86 code stubs.
 * The rule name suggests these are the instruction handlers of a VM-based
 * obfuscator; nothing in the rule itself establishes the VM's dispatch or
 * operand layout, so the per-stub meaning should be confirmed against the
 * analysis the patterns were taken from.
 *
 * Literal decode of the lead-in bytes most patterns share:
 *   8B 47 03      mov   eax, [edi+3]
 *   0F B6 47 03   movzx eax, byte [edi+3]
 *   0F B7 57 03   movzx edx, word [edi+3]
 * i.e. most stubs begin by reading an operand at edi+3; $i4, $i9, $i10, $i14
 * and $i16 start differently.
 *
 * The five-byte `?? ?? ?? ?? ??` runs sit where a rel32 call or a push imm32
 * would be; presumably they mask addresses that vary per sample - verify.
 *
 * Matching: every string is tested `at 0`, so the rule fires only when a stub
 * starts at the very first byte of the data handed to YARA. Scan carved
 * handler bodies one at a time; a whole-file scan would miss every stub that
 * is not at file offset 0. Several patterns are short (8-9 bytes: $i5, $i9,
 * $i11), and the offset anchor is what keeps them from being noisy.
 */
rule VmInstructions
{
    meta:
        description = "32-bit x86 code stubs (presumably VM instruction handlers), each anchored at offset 0"

    strings:
        // Operand fetch at [edi+3] (8A 47 03 / 8A 67 04 = mov al,[edi+3] / mov ah,[edi+4]).
        $i0 = {8A 47 03 8A 67 04 C0 E4 03 80 CC 05 66 89 07 FF 74 24 2C 8F 47 02 B8 06 00 00 00 51 C6 04 38 68 ?? ?? ?? ?? ?? 59 81 C1 B0 FA FF FF 89 4C ?? 01 C6 44 38 05 C3 59 5A 58}
        $i1 = {8B 57 03 52 ?? ?? ?? ?? ?? 5A 8B 92 12 FD FF FF 01 14 24 ?? ?? ?? ?? ?? 6A 00 6A 00 60 9C 9C 58 50 ?? ?? ?? ?? ?? 58 8B 80 ED FC FF FF 8D 40 50 89 20 83 00 04 58 ?? ?? ?? ?? ?? 5C 8B A4 24 D8 FC FF FF 89 44 24 28 61}
        $i2 = {0F B6 47 04 50 8D 57 05 52 0F B6 57 03 57 E8 52 00 00 00 50 ?? ?? ?? ?? ?? ?? ?? 5A 8B 92 2D F9 FF FF ?? ?? ?? 58 EB}
        $i3 = {0F B6 47 03 8B 54 24 30 C1 E0 02 83 E8 20 F7 D8 8B 14 10 83 F8 10 75 03 83 C2 08 01 54 24 2C E9}
        $i4 = {5A 58 8B 44 24 28 0F B7 57 03 50 ?? ?? ?? ?? ?? 58 89 ?? 31}
        // Short pattern (8 bytes); relies on the `at 0` anchor in the condition.
        $i5 = {8B 47 03 01 44 24 2C E9}
        $i6 = {8B C1 0F B6 4F 03 D3 64 24 2C ?? ?? E9}
        $i7 = {0F B6 57 03 FF 74 24 08 9D E8 ?? ?? ?? ?? ?? ?? 74 ?? 5A}
        $i8 = {8B 47 03 8B 54 24 2C 9C FF 77 FC 9D 39 02 9C 8F 47 FC 9D E9}
        // Short pattern (9 bytes); relies on the `at 0` anchor in the condition.
        $i9 = {5A 03 57 03 03 4F 03 58 E9}
        $i10 = {8B 54 24 2C C6 07 68 8B 12 89 57 01 B8 05 00 00 00 EB}
        // Short pattern (8 bytes); relies on the `at 0` anchor in the condition.
        $i11 = {8B 47 03 89 44 24 2C E9}
        $i12 = {8B 47 03 8B 54 24 2C 9C FF 77 FC 9D 89 02 9C 8F 47 FC 9D E9}
        $i13 = {8B 57 03 C6 07 68 ?? ?? ?? ?? ?? 58 8B 80 6E F9 FF FF ?? ?? 89 57 01 B8 05 00 00 00 EB}
        $i14 = {8B 54 24 2C 66 C7 07 8F 05 89 57 02 B8 06 00 00 00 EB}
        $i15 = {8B 47 03 8B 54 24 2C 9C FF 77 FC 9D 29 02 9C 8F 47 FC 9D E9}
        $i16 = {5A 58 8B 44 24 28 C9 50 ?? ?? ?? ?? ?? 58 89 A0 4D FC FF FF 83 80 4D FC FF FF 04 58 ?? ?? 89 5C 24 24 9D 61 C2 04 00}
        $i17 = {0F B6 47 03 8B 54 24 30 C1 E0 02 83 E8 20 F7 D8 ?? ?? ?? 83 F8 10 75 03 83 C2 08 89 54 24 2C E9}

    condition:
        // Same as the explicit chain "$i0 at 0 or $i1 at 0 or ... or $i17 at 0":
        // true when any one of the $i* strings occurs at offset 0 of the scanned data.
        for any of ($i*) : ( $ at 0 )
}