Update NikiHTTP.yar
bartblaze authored Aug 14, 2024
1 parent 18a7387 commit 273ea23
Showing 1 changed file with 4 additions and 4 deletions.
8 changes: 4 additions & 4 deletions rules/APT/NikiHTTP.yar
Expand Up @@ -16,14 +16,14 @@ strings:
$str_3 = "%s:info" ascii wide
//D:\02.data\03.atk-tools\engine\niki\httpSpy\..\bin\httpSpy.pdb
$pdb_full = "\\02.data\\03.atk-tools\\" ascii wide
$pdb_httpspy = "\\bin\\httpSpy.pdb" ascii wide
$pdb_full = "\\02.data\\03.atk-tools\\" ascii
$pdb_httpspy = "\\bin\\httpSpy.pdb" ascii
$code = { 0f 57 c0 4? 89 7? ?? 33 c0 c7 4? ?? 68 00 00 00 0f 11 4? ?? c7 4? ?? 01 00 00 00 66 4? 89 7? 00 0f 11 4? ?? 4? 89 4? ?? 0f 11 4? ?? c7 44 ?? ?? 53 71 80 60 0f 11 4? ?? c7 44 ?? ?? 71 79 7c 5c 0f 11 4? ?? c7 44 ?? ?? 6d 80 74 63 0f 11 4? ?? 88 44 ?? ?? 0f 11 4? ?? 0f 1f 44 00 00 }
$code = {0f 57 c0 4? 89 7? ?? 33 c0 c7 4? ?? 68 00 00 00 0f 11 4? ?? c7 4? ?? 01 00 00 00 66 4? 89 7? 00 0f 11 4? ?? 4? 89 4? ?? 0f 11 4? ?? c7 44 ?? ?? 53 71 80 60 0f 11 4? ?? c7 44 ?? ?? 71 79 7c 5c 0f 11 4? ?? c7 44 ?? ?? 6d 80 74 63 0f 11 4? ?? 88 44 ?? ?? 0f 11 4? ?? 0f 1f 44 00 00}
condition:
uint16(0) == 0x5A4D and (
$cmd or (2 of ($str_*)) or
any of ($pdb_*) or $code
)
}
}
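Review bot: dropping `wide` from `$pdb_full` and `$pdb_httpspy` is consistent with how a PDB path is embedded in a PE (the CodeView debug record stores it as a narrow, null-terminated string), but note that the condition on the lines below still lets either fragment fire on its own through `any of ($pdb_*)`; `"\\bin\\httpSpy.pdb"` is short and generic enough to collide with unrelated builds that happen to use that project name, so consider requiring `all of ($pdb_*)` (the commented full path shows both fragments occur together in the sample) or at least pairing `$pdb_httpspy` with `$pdb_full` or `$code`. The edit to `$code` only removes the spaces inside the braces and does not alter the byte pattern, so it is a pure formatting change; if that is the intent, a one-line note in the commit message would make it obvious to the next reader that no detection logic moved.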
