
libyara in C#, Part 9

Posted at 2022-07-17

Overview

I tried libyara in C#.
I tried a practice exercise.

Exercise

Find a YARA rule for Sality.

Sample code

rule win_sality_auto {
	strings:
		$sequence_0 = { 02040a 8845fc 8b4dfc 81e1ff000000 }
		$sequence_1 = { 0311 52 6878563412 e8???????? }
		$sequence_2 = { 0302 50 6878563412 e8???????? }
		$sequence_3 = { 0302 8945fc 8b4d10 8b55fc }
		$sequence_4 = { 837d1400 741c 8b4d10 51 8b550c }
		$sequence_5 = { 0302 50 6a00 e8???????? }
		$sequence_6 = { 02c8 884dec 8b55f0 83c201 }
		$sequence_7 = { 0255fc 8855ec 8b45ec 25ff000000 }
		$sequence_8 = { 50 e8???????? 8d9547164000 52 }
		$sequence_9 = { 6a00 6a00 ff9585144000 50 }
		$sequence_10 = { 3b4218 75e2 3b4218 7502 eb35 8b7224 }
		$sequence_11 = { 8d9533164000 52 50 ff953a144000 }
		$sequence_12 = { 2f 8803 43 80e904 73ec }
		$sequence_13 = { 83c404 eb0a 59 83c304 }
		$sequence_14 = { 0f858c000000 8d8578274000 68fe010000 50 6a00 }
		$sequence_15 = { 56 52 ff953a144000 e8???????? 8907 5a 83c704 }
		$sequence_16 = { 014304 c3 53 56 }
		$sequence_17 = { 00fb fb 804880bc 280d???????? }
		$sequence_18 = { 0306 50 8d5604 e8???????? }
		$sequence_19 = { 0306 50 8b4e04 8d5608 }
		$sequence_20 = { 0007 7307 c607ff 8ac1 }
		$sequence_21 = { 0202 7466 0fb77202 8b7a04 }
		$sequence_22 = { 010d???????? 83c004 5f 5e }
		$sequence_23 = { 031e ff7608 ff7604 e8???????? }
	condition:
		7 of them and filesize < 1523712
}
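
The following Python is an added example (not the author's code, and it does not call libyara) showing how the rule's `??` byte wildcards and its condition `7 of them and filesize < 1523712` are evaluated. It uses only the first eight of the rule's strings, so "7 of them" is counted over eight strings rather than twenty-four; the helper names and the synthetic test buffer are assumptions constructed for illustration.

```python
import re

# Subset of the hex strings from the win_sality_auto rule on this page.
STRINGS = {
    "$sequence_0": "02040a 8845fc 8b4dfc 81e1ff000000",
    "$sequence_1": "0311 52 6878563412 e8????????",
    "$sequence_2": "0302 50 6878563412 e8????????",
    "$sequence_3": "0302 8945fc 8b4d10 8b55fc",
    "$sequence_4": "837d1400 741c 8b4d10 51 8b550c",
    "$sequence_5": "0302 50 6a00 e8????????",
    "$sequence_6": "02c8 884dec 8b55f0 83c201",
    "$sequence_7": "0255fc 8855ec 8b45ec 25ff000000",
}
MIN_HITS = 7            # "7 of them"
MAX_FILESIZE = 1523712  # "filesize < 1523712"


def hex_to_regex(hex_string):
    """Compile a YARA hex string (full bytes and ?? wildcards only)."""
    digits = hex_string.replace(" ", "")
    if len(digits) % 2:
        raise ValueError("odd number of hex digits")
    parts = []
    for i in range(0, len(digits), 2):
        pair = digits[i:i + 2]
        # ?? matches any byte, including 0x0a, hence DOTALL below
        parts.append(b"." if pair == "??" else re.escape(bytes.fromhex(pair)))
    return re.compile(b"".join(parts), re.DOTALL)


def matched_strings(data, strings=STRINGS):
    """Return the identifiers whose pattern occurs anywhere in data."""
    return sorted(n for n, h in strings.items() if hex_to_regex(h).search(data))


def rule_matches(data, strings=STRINGS):
    """Evaluate '7 of them and filesize < 1523712' against a byte buffer."""
    return len(matched_strings(data, strings)) >= MIN_HITS and len(data) < MAX_FILESIZE


def synthetic_buffer(names, fill=0x0A):
    """Constructed test input: listed patterns, wildcards filled with `fill`."""
    out = b""
    for n in names:
        digits = STRINGS[n].replace(" ", "").replace("??", "%02x" % fill)
        out += b"\x90" * 4 + bytes.fromhex(digits)
    return out
```

Nibble wildcards, jumps and alternations, which YARA hex strings also allow, are not handled here because the rule above uses none of them.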


That's all.
