Commit

PrivateLoader direct syscall capture
kevoreilly committed Oct 4, 2024
1 parent 141b653 commit acb0261
Showing 2 changed files with 13 additions and 0 deletions.
12 changes: 12 additions & 0 deletions analyzer/windows/data/yara/PrivateLoader.yar
@@ -0,0 +1,12 @@
rule PrivateLoader
{
meta:
author = "kevoreilly"
description = "PrivateLoader indirect syscall capture"
cape_options = "clear,sysbp=$syscall*-2"
packed = "075d0dafd7b794fbabaf53d38895cfd7cffed4a3fe093b0fc7853f3b3ce642a4"
strings:
$syscall = {48 31 C0 4C 8B 19 8B 41 10 48 8B 49 08 49 89 CA 41 FF E3}
condition:
any of them
}
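Review bot: The `description` meta says "indirect syscall capture" while the commit title and the changelog entry added in this same commit say "direct syscall capture"; pick one term and use it in both places so the rule and the changelog describe the same thing. Since the matched stub ends in `41 FF E3` (`jmp r11`, transferring control to an address loaded from memory rather than executing `syscall` inline), "indirect" looks like the more accurate of the two, but either way the wording should agree.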
1 change: 1 addition & 0 deletions changelog.md
@@ -1,5 +1,6 @@
### [04.10.2024]
* Monitor update: Add GetClassObject hook to handle UAC bypass technique using CMSTPLUA COM object
* PrivateLoader direct syscall capture

### [01.10.2024]
* Monitor update: Improve fix for size bug with unpacking embedded PEs
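Review bot: The new entry "PrivateLoader direct syscall capture" is the only line in this section without a component prefix; the neighbouring entries all start with "Monitor update:", so consider prefixing it the same way so readers can tell at a glance that this change is a YARA rule in `analyzer/windows/data/yara/PrivateLoader.yar` rather than a monitor change. It also uses "direct" where the rule's own `description` meta uses "indirect"; align the two.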
