Move MicrosoftVisualCV80 rule from packer.yar to packer_complier_signatures.yar…

Move MicrosoftVisualCV80 rule from packer.yar to packer_complier_signatures.yar replacing the commented out rule. Signed-off-by: Ryan B <randomrhythm@rhythmengineering.com>

Move MicrosoftVisualCV80 rule from packer.yar to packer_complier_signatures.yar…
Move MicrosoftVisualCV80 rule from packer.yar to packer_complier_signatures.yar replacing the commented out rule. Signed-off-by: Ryan B <randomrhythm@rhythmengineering.com>
0de1aee4 · Ryan B · be978081 · 0de1aee4 · 0de1aee4
Commit 0de1aee4 authored Jun 27, 2020 by Ryan B
Hide whitespace changes
Inline Side-by-side

Showing with 1 additions and 15 deletions

packer.yar packers/packer.yar +0 -12

packer_compiler_signatures.yar packers/packer_compiler_signatures.yar +1 -3

No files found.
--- a/packers/packer.yar
+++ b/packers/packer.yar
@@ -14842,18 +14842,6 @@ condition:
 }
-rule MicrosoftVisualCV80
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 6A 14 68 [4] E8 [4] BB 94 00 00 00 53 6A 00 8B [5] FF D7 50 FF [5] 8B F0 85 F6 75 0A 6A 12 E8 [4] 59 EB 18 89 1E 56 FF [5] 56 85 C0 75 14 50 FF D7 50 FF [5] B8 }
-condition:
-		$a0 at pe.entry_point
-}
 rule MZ_Crypt10byBrainSt0rm
 {
      meta:

--- a/packers/packer_compiler_signatures.yar
+++ b/packers/packer_compiler_signatures.yar
@@ -463,18 +463,16 @@ rule SkDUndetectabler : SkDrat {
 		)
 }
-/* usefull ? 18:53 2016-08-12
 rule MicrosoftVisualCV80
 {
      meta:
 		author="malware-lu"
 strings:
-		$a0 = { 6A 14 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? BB 94 00 00 00 53 6A 00 8B ?? ?? ?? ?? ?? FF D7 50 FF ?? ?? ?? ?? ?? 8B F0 85 F6 75 0A 6A 12 E8 ?? ?? ?? ?? 59 EB 18 89 1E 56 FF ?? ?? ?? ?? ?? 56 85 C0 75 14 50 FF D7 50 FF ?? ?? ?? ?? ?? B8 }
+		$a0 = { 6A 14 68 [4] E8 [4] BB 94 00 00 00 53 6A 00 8B [5] FF D7 50 FF [5] 8B F0 85 F6 75 0A 6A 12 E8 [4] 59 EB 18 89 1E 56 FF [5] 56 85 C0 75 14 50 FF D7 50 FF [5] B8 }
 condition:
 		$a0 at pe.entry_point
 }
-*/
 rule Cygwin : Red Hat
 {