
Commit

Update self-delete-using-alternate-data-streams.yml
dstepanic authored Apr 26, 2024
1 parent 9151fed commit e851c56
Showing 1 changed file with 20 additions and 9 deletions.
Expand Up @@ -19,16 +19,27 @@ rule:
features:
- and:
- count(api(kernel32.SetFileInformationByHandle)): 2
- basic block:
- and:
- api: kernel32.SetFileInformationByHandle
- optional:
- or:
- basic block:
- and:
- api: kernel32.SetFileInformationByHandle
- optional:
- number: 3 = FileRenameInfo
- call:
- and:
- api: SetFileInformationByHandle
- number: 3 = FileRenameInfo
- basic block:
- and:
- api: kernel32.SetFileInformationByHandle
- number: 4 = FileDispositionInfo
- number: 1 = TRUE // fDelete.DeleteFile = TRUE;
- or:
- basic block:
- and:
- api: kernel32.SetFileInformationByHandle
- number: 4 = FileDispositionInfo
- number: 1 = TRUE // fDelete.DeleteFile = TRUE;
- call:
- and:
- api: SetFileInformationByHandle
- number: 4 = FileDispositionInfo
- number: 1 = TRUE // fDelete.DeleteFile = TRUE;
- and:
- count(api(kernel32.CreateFile)): 2
- number: 0x10000 = DELETE
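
Review bot: In the new `call:` alternative for FileDispositionInfo, `number: 1 = TRUE` is a required feature, but the line's own comment (`fDelete.DeleteFile = TRUE`) says the value is a structure field rather than a parameter of SetFileInformationByHandle. Please confirm against a sample that a call-scoped match actually sees this constant, or wrap it in `optional:` in the `call:` branch so the branch can match on `number: 4 = FileDispositionInfo` alone. A smaller style point: the `basic block:` branches and the `count(...)` line use `kernel32.SetFileInformationByHandle`, while both `call:` branches use the bare `SetFileInformationByHandle`. Using one form throughout would make the rule easier to read, and if the difference is intentional a short comment saying why would help. Also worth a line in the rule's description noting that each step can now match at either basic block or call scope, since `count(api(kernel32.SetFileInformationByHandle)): 2` still gates both.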
