-
Notifications
You must be signed in to change notification settings - Fork 1
/
UniformAlfa.yara
27 lines (23 loc) · 1.04 KB
/
UniformAlfa.yara
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
import "pe"
rule UniformAlfa
{
meta:
copyright = "2015 Novetta Solutions"
author = "Novetta Threat Research & Interdiction Group - [email protected]"
Source = "a24377681cf56c712e544af01ac8a5dbaa81d16851a17a147bbf5132890d7437"
strings:
/*
8D 44 24 10 lea eax, [esp+2Ch+ServiceStatus]
50 push eax ; lpServiceStatus
6A 01 push 1 ; dwControl
56 push esi ; hService
FF D3 call ebx ; ControlService
83 7C 24 14 01 cmp [esp+2Ch+ServiceStatus.dwCurrentState], 1
75 EF jnz short loc_4010A5
56 push esi ; hService
FF 15 08 70 40 00 call ds:DeleteService
*/
$stopDeleteService = {8D [3] 5? 6A 01 5? FF D? 83 [3] 01 75 ?? 5? FF 15}
condition:
$stopDeleteService in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}