valitydev/signature-base
14
0
Fork 0
mirror of https://github.com/valitydev/signature-base.git synced 2024-11-06 18:15:20 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Process Injector Generic

Browse Source
This commit is contained in:
Florian Roth 2018-04-26 23:19:35 +02:00
parent abdc494d13
commit b396038d14
1 changed files with 21 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
yara/thor-hacktools.yar
View File

@ -4022,3 +4022,24 @@ rule MAL_Unknown_PWDumper_Apr18_3 {
condition:
uint16(0) == 0x5a4d and filesize < 3000KB and all of them
}
rule ProcessInjector_Gen {
meta:
description = "Detects a process injection utility that can be used ofr good and bad purposes"
author = "Florian Roth"
reference = "https://github.com/cuckoosandbox/monitor/blob/master/bin/inject.c"
date = "2018-04-23"
score = 60
hash1 = "456c1c25313ce2e2eedf24fdcd4d37048bcfff193f6848053cbb3b5e82cd527d"
strings:
$x1 = "Error injecting remote thread in process:" fullword ascii
$s5 = "[-] Error getting access to process: %ld!" fullword ascii
$s6 = "--process-name <name> Process name to inject" fullword ascii
$s12 = "No injection target has been provided!" fullword ascii
$s17 = "[-] An app path is required when not injecting!" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 50KB and (
pe.imphash() == "d27e0fa013d7ae41be12aaf221e41f9b" or
1 of them
) or 3 of them
}