diff --git a/analyzer/windows/data/yara/Al-khaser.yar b/analyzer/windows/data/yara/Al-khaser.yar
deleted file mode 100644
index 0eab395fa8a..00000000000
--- a/analyzer/windows/data/yara/Al-khaser.yar
+++ /dev/null
@@ -1,12 +0,0 @@
-rule Al_khaser
-{
- meta:
- author = "kevoreilly"
- description = "Al-khaser bypass"
- cape_options = "bp0=$print_check_result_x86,bp0=$print_check_result_x64,action0=setecx:0,count=1,no-logs=2"
- strings:
- $print_check_result_x86 = {89 45 FC 53 56 8B C1 89 95 C4 FD FF FF 89 85 C8 FD FF FF 57 6A F5 83 F8 01 75 47 FF 15 [4] 8B D8 8D 8D E4 FD FF FF BA 16 00 00 00 66 90}
- $print_check_result_x64 = {48 89 84 24 50 02 00 00 8B F1 83 F9 01 B9 F5 FF FF FF 48 8B EA 75 41 FF 15 [4] 48 8D 7C 24 30 B9 16 00 00 00 48 8B D8}
- condition:
- uint16(0) == 0x5A4D and any of ($print_check_result*)
-}
diff --git a/analyzer/windows/data/yara/Pafish.yar b/analyzer/windows/data/yara/Pafish.yar
deleted file mode 100644
index 5da94455018..00000000000
--- a/analyzer/windows/data/yara/Pafish.yar
+++ /dev/null
@@ -1,14 +0,0 @@
-rule Pafish
-{
- meta:
- author = "kevoreilly"
- description = "Pafish bypass"
- cape_options = "bp0=$rdtsc_vmexit_32-2,bp1=$rdtsc_vmexit_32-2,bp0=$rdtsc_vmexit_64+36,bp1=$rdtsc_vmexit_64+36,action0=skip,action1=skip,count=1"
- hash = "9e7d694ed87ae95f9c25af5f3a5cea76188cd7c1c91ce49c92e25585f232d98e"
- hash = "ff24b9da6cddd77f8c19169134eb054130567825eee1008b5a32244e1028e76f"
- strings:
- $rdtsc_vmexit_32 = {8B 45 E8 80 F4 00 89 C? 8B 45 EC 80 F4 00 89 C? 89 F? 09 ?? 85 C0 75 07}
- $rdtsc_vmexit_64 = {48 8B 45 F0 48 BA CD CC CC CC CC CC CC CC 48 F7 E2 48 89 D0 48 C1 E8 03 48 89 45 F0 48 81 7D F0 ?? 0? 00 00 77 07}
- condition:
- uint16(0) == 0x5A4D and any of them
-}