Correct disassembly comment
0xThiebaut committed May 26, 2023
1 parent 760cbba commit 67d491a
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions YARA/sus_xll.yar
@@ -24,7 +24,7 @@ rule sus_xll_xlAutoOpen_empty: TESTING SUSPICIOUS TA0003 T1137 T1137_006 {
uint8(pe.export_details[pe.exports_index("xlAutoOpen")].offset) == 0xC3 // ret
or (
uint16(pe.export_details[pe.exports_index("xlAutoOpen")].offset) == 0xC033 // xor eax eax
and uint8(pe.export_details[pe.exports_index("xlAutoOpen")].offset+2) == 0xC3 // xor eax eax
and uint8(pe.export_details[pe.exports_index("xlAutoOpen")].offset+2) == 0xC3 // ret
)
)
}
@@ -52,7 +52,7 @@ rule sus_xll_xlAutoClose_empty: TESTING SUSPICIOUS TA0003 T1137 T1137_006 {
uint8(pe.export_details[pe.exports_index("xlAutoClose")].offset) == 0xC3 // ret
or (
uint16(pe.export_details[pe.exports_index("xlAutoClose")].offset) == 0xC033 // xor eax eax
and uint8(pe.export_details[pe.exports_index("xlAutoClose")].offset+2) == 0xC3 // xor eax eax
and uint8(pe.export_details[pe.exports_index("xlAutoClose")].offset+2) == 0xC3 // ret
)
)
}
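Review bot: The `xor eax, eax` test in `sus_xll_xlAutoOpen_empty` compares only against `0xC033` (bytes `33 C0`), so an empty export whose compiler emitted the equivalent `31 C0` encoding of the same instruction is not matched; the parallel condition in `sus_xll_xlAutoClose_empty` has the same gap. Consider widening that line to `(uint16(pe.export_details[pe.exports_index("xlAutoOpen")].offset) == 0xC033 or uint16(pe.export_details[pe.exports_index("xlAutoOpen")].offset) == 0xC031) // xor eax, eax (33 C0 or 31 C0)`, and likewise for `xlAutoClose`. While touching the comments, `// xor eax, eax` with the comma would read as standard disassembly. Both rules start above their hunks, so the remainder of each condition is not visible here.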
