data/yara/shellcodes.yar
// Copyright (C) 2010-2012 Cuckoo Sandbox Developers.
// This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
// See the file 'docs/LICENSE' for copying permission.
rule shellcode
{
meta:
description = "Matched shellcode byte patterns"
strings:
$a = { 64 8b 64 }
$b = { 64 a1 30 }
$c = { 64 8b 15 30 }
$d = { 64 8b 35 30 }
$e = { 55 8b ec 83 c4 }
$f = { 55 8b ec 81 ec }
$g = { 55 8b ec e8 }
$h = { 55 8b ec e9 }
condition:
any of them
}