x64dbg/yarasigs

Windows WarBird signature

Nukem9 opened this issue · 1 comments

Thought this was interesting: https://thisissecurity.net/2014/10/15/warbird-operation/

This is for license checks in certain Windows exes/dlls:

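/* Match the PEB.Ldr assembly for warbird function resolution */
rule WarBird
{
    strings:
        // mov eax, fs:[0x30]   ; PEB pointer (32-bit code)
        // sub ecx, edx
        // sar ecx, 1
        // mov eax, [eax+0x0C]  ; PEB.Ldr
        // add eax, 0x0C        ; InLoadOrderModuleList
        $a = {64 A1 30 00 00 00 2B CA D1 F9 8B 40 0C 83 C0 0C}
    condition:
        $a
}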

added it in packer.yara 👍