(YARA) YARA_ModifyDLLExportName

Created the . Updated 1 year, 4 months ago.

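rule ModifyDLLExportName {
  strings:
    // PE image mapping and parsing APIs (ImageHlp/DbgHelp)
    $map_and_load = "MapAndLoad"
    $entry_to_data = "ImageDirectoryEntryToData"
    $rva_to_va = "ImageRvaToVa"
    // Function name string tied to this technique
    $modify = "ModifyDLLExportName"
    // Memory protection and allocation APIs
    $virtual_protect = "VirtualProtect"
    $virtual_alloc = "VirtualAlloc"
  condition:
    // Match only when every string above is present
    all of them
}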
        

Associated Techniques

Technique Name | Technique IDs | Has Snippet(s)
Tamper DLL Export Names & GetProcAddress Spoofing | U1241 |