Changeset 731

Timestamp:

01/05/07 22:09:10 (2 years ago)

Author:

oxff

Message:

nepenthes.shellcode-signatures: added xor::marburganderlahn (thanks to tillmann werner for providing sample)

Files:

• nepenthes/trunk/modules/shellcode-signatures/shellcode-signatures.sc (modified) (2 diffs)

nepenthes/trunk/modules/shellcode-signatures/shellcode-signatures.sc

@@ -177 +177 @@
-        "\\xED\\xFF\\xFF\\xFF)(.*)$";
-        mapping (none,pre,decoder,size,key,post); 
+};
+
+xor::marburganderlahn
+{
+        pattern
+        "(.*)(\\xEB.\\x5A\\x4A\\x31\\xC9\\xB1(.)\\x80..(.)\\xE2.\\xEB.\\xE8.)(.*)$";
+        mapping (none,pre,decoder,size,key,post);
-};
-
@@ -1052 +1059 @@
-
-// taken from shellcode-generic/sch_generic_url.cpp
-
+/*
-{
-        pattern
-        ".*((http|https|ftp):\/\/[@a-zA-Z0-9\-\/\\\.\+:]+).*";
-        mapping (none,uri);
-
+*
-
-