@xorhex
Created January 6, 2022 14:52
rule CallOverString
{
    strings:
        $imp_1 = "LoadLibraryA"
        $imp_2 = "WinHttpOpen"

    condition:
        for any of ($imp_*) : (
            // Byte 5 before the string match == 0xE8, the opcode of CALL rel32.
            // Inside this loop @ and ! are the offset and length of the string's
            // first occurrence.
            (uint8(@ - 5) == 0xe8)
            and
            // The rel32 operand (the 4 bytes just before the match) == length of the
            // matched string: the CALL jumps over exactly the string bytes, so the
            // "return address" it pushes is the address of the string itself.
            // Note: ! is the matched length only, so a NUL-terminated string will
            // not satisfy this unless the terminator is part of the string definition.
            (uint32(@ - 4) == !)
            and
            // The byte right after the string, i.e. the CALL target, must be a
            // one-byte POP r32 (0x58..0x5F, pop eax .. pop edi), which moves the
            // pushed string address into a register. PUSH r32 is 0x50..0x57 and is
            // not part of this idiom.
            (uint8(@ + !) >= 0x58 and uint8(@ + !) <= 0x5f)
        )
}
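To check the offsets the rule relies on without yara-python, the following added example (not part of xorhex's gist) builds constructed 32-bit "call-over-string" fragments (CALL rel32 over the string, then POP r32) and re-implements the rule's condition in plain Python. The `tolerate_nul` option is an assumed extension, not in the gist, showing how the rule behaves when the string carries a NUL terminator; the samples are constructed and taken from no real binary.

```python
import struct

# The strings from the gist's rule.
STRINGS = [b"LoadLibraryA", b"WinHttpOpen"]

# One-byte POP r32 opcodes: 0x58..0x5F (pop eax .. pop edi). PUSH r32 is 0x50..0x57.
POP_R32 = range(0x58, 0x60)


def call_over_string(s: bytes, nul_terminated: bool = True, pop_opcode: int = 0x58) -> bytes:
    """Constructed 32-bit fragment: CALL rel32 over the string, then POP r32.

    Layout: E8 <rel32> <string>[00] <pop>. rel32 equals the number of bytes
    skipped, so the CALL lands on the POP with the string's address on the
    stack as its "return address"; the POP moves that address into a register.
    """
    body = s + (b"\x00" if nul_terminated else b"")
    return b"\xe8" + struct.pack("<I", len(body)) + body + bytes([pop_opcode])


def rule_matches(blob: bytes, tolerate_nul: bool = False) -> list:
    """Python re-implementation of the gist's condition.

    For a match at offset off (YARA's @) with length n (YARA's !):
      blob[off - 5] == 0xE8            CALL rel32 opcode
      uint32le(blob, off - 4) == n     rel32 skips exactly the string
      blob[off + n] in POP r32         the CALL target pops the address
    tolerate_nul=True is an assumed extension: it also accepts rel32 == n + 1
    (string followed by a NUL terminator) and then looks for the POP at
    off + rel32, i.e. directly after the terminator.
    Unlike YARA's bare @ and !, which refer to a string's first occurrence,
    this checks every occurrence.
    """
    hits = []
    for s in STRINGS:
        n = len(s)
        off = blob.find(s)
        while off != -1:
            if off >= 5:  # need room for E8 + rel32 before the match
                rel32 = struct.unpack_from("<I", blob, off - 4)[0]
                ok_len = rel32 == n or (tolerate_nul and rel32 == n + 1)
                nxt = off + rel32  # CALL target: first byte after the skipped bytes
                if blob[off - 5] == 0xE8 and ok_len and nxt < len(blob) and blob[nxt] in POP_R32:
                    hits.append((s.decode(), off))
            off = blob.find(s, off + 1)
    return hits


# Constructed samples (not from any real malware). Three NOPs precede each fragment,
# so the CALL is at offset 3 and the string at offset 8.
SAMPLE_NO_NUL = b"\x90" * 3 + call_over_string(b"LoadLibraryA", nul_terminated=False)
SAMPLE_NUL = b"\x90" * 3 + call_over_string(b"WinHttpOpen", nul_terminated=True, pop_opcode=0x5E)
# A plain string with no CALL/POP around it must not match.
SAMPLE_PLAIN = b"\x00" * 8 + b"LoadLibraryA\x00"

if __name__ == "__main__":
    print(rule_matches(SAMPLE_NO_NUL))                  # [('LoadLibraryA', 8)]
    print(rule_matches(SAMPLE_NUL))                     # [] : ! excludes the NUL, rel32 == ! + 1
    print(rule_matches(SAMPLE_NUL, tolerate_nul=True))  # [('WinHttpOpen', 8)]
    print(rule_matches(SAMPLE_PLAIN))                   # []
```

The second sample is the practical caveat: shellcode that writes the API name with a terminating NUL produces rel32 == ! + 1, which the rule as written does not match; either define the string with the terminator (`"WinHttpOpen\x00"`) or accept both lengths in the condition.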