(YARA) Detect Disassembly Obfuscation Rogue Byte
```yara
rule RogueByte
{
    meta:
        description = "Detect disassembly obfuscation with a rogue byte"
        author = "Joakim (Gelven) Pettersen"
        date = "2024-11-08"
    strings:
        /* rax..rdi */
        $s1 = { 48 8D ?? 00 00 00 00 [0-10] 48 83 ?? 07 [0-10] ( FF E? | 5? C3 ) }
        /* r8..r15 */
        $s2 = { 4C 8D ?? 00 00 00 00 [0-10] 49 83 ?? 08 [0-10] ( 41 FF E? | 41 5? C3 ) }
    condition:
        any of them
}
```
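As an added example (my code, not the rule author's), the scanner below applies the same two byte patterns as `$s1`/`$s2` over raw code, replays the `lea r,[rip+0]` / `add r,imm8` / `jmp r` arithmetic to report where execution actually lands and which bytes a linear disassembler consumes but the CPU never runs, and checks that the transfer uses the same register as the `add` (a cheap false-positive filter the YARA rule itself cannot express). The sample byte strings are constructed for the demonstration.

```python
import re

REG64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi",
         "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"]

# My regex translation of the page's two YARA hex strings (not the rule author's code):
# `??` -> any byte, `[0-10]` -> 0..10 arbitrary bytes, `E?` / `5?` -> E0..EF / 50..5F.
_S1 = re.compile(  # rax..rdi
    rb"(?P<lea>\x48\x8D[\x00-\xFF]\x00\x00\x00\x00)[\x00-\xFF]{0,10}"
    rb"(?P<add>\x48\x83[\x00-\xFF]\x07)[\x00-\xFF]{0,10}"
    rb"(?P<xfer>\xFF[\xE0-\xEF]|[\x50-\x5F]\xC3)")
_S2 = re.compile(  # r8..r15
    rb"(?P<lea>\x4C\x8D[\x00-\xFF]\x00\x00\x00\x00)[\x00-\xFF]{0,10}"
    rb"(?P<add>\x49\x83[\x00-\xFF]\x08)[\x00-\xFF]{0,10}"
    rb"(?P<xfer>\x41\xFF[\xE0-\xEF]|\x41[\x50-\x5F]\xC3)")


def find_rogue_bytes(code: bytes) -> list:
    """Locate lea/add/jmp rogue-byte sequences and report the bytes they skip.

    lea r,[rip+0] loads the address of the next instruction (lea start + 7),
    add r,imm8 moves it forward, and jmp r / push r;ret lands there. Bytes between
    the end of the transfer and that landing address never execute but are still
    decoded by a linear-sweep disassembler, which is what desynchronises it.
    """
    hits = []
    for pat in (_S1, _S2):
        for m in pat.finditer(code):
            add, xfer = m.group("add"), m.group("xfer")
            dst = REG64[(add[2] & 7) | ((add[0] & 1) << 3)]   # ModRM.rm + REX.B
            # jmp encodes the register in ModRM.rm, push in the opcode low bits
            xop = xfer[-2] if xfer[-1] == 0xC3 else xfer[-1]
            xdst = REG64[(xop & 7) | (int(xfer[0] == 0x41) << 3)]
            landing = m.start("lea") + 7 + add[3]             # where execution resumes
            hits.append({"offset": m.start(), "reg": dst, "same_reg": dst == xdst,
                         "landing": landing, "rogue": code[m.end("xfer"):landing]})
    return hits


# Constructed samples (not taken from any real binary):
#   lea rax,[rip+0] ; add rax,7 ; jmp rax ; E8 (rogue) ; xor eax,eax ; ret
SAMPLE_RAX = bytes.fromhex("488D0500000000" "4883C007" "FFE0" "E8" "31C0" "C3")
#   lea r8,[rip+0] ; add r8,8 ; push r8 ; ret ; E8 (rogue) ; xor eax,eax ; ret
SAMPLE_R8 = bytes.fromhex("4C8D0500000000" "4983C008" "4150C3" "E8" "31C0" "C3")

if __name__ == "__main__":
    for sample in (SAMPLE_RAX, SAMPLE_R8):
        for h in find_rogue_bytes(sample):
            print(f"offset {h['offset']}: {h['reg']} lands at {h['landing']}, "
                  f"skips {h['rogue'].hex()} (registers agree: {h['same_reg']})")
```

A stray `E8` (the first byte of a 5-byte `call`) is enough to swallow the following real instructions in a linear disassembly, which is why the landing offset and the skipped bytes are the values worth surfacing from a hit.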
Associated Techniques
| Technique Name | Technique IDs | Snippet(s) | OS |
|---|---|---|---|
| Impossible Disassembly | U0211 | | |
Created: November 21, 2024
Last Revised: November 21, 2024