Common Information
Type | Value |
---|---|
Value |
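import "hash"

// AM0NEye "syscallsdump.x64.o": a 64-bit COFF object file. The imported
// symbols (__imp_BeaconDataInt, __imp_DBGHELP$MiniDumpWriteDump,
// __imp_ADVAPI32$LookupPrivilegeValueW) and the status strings suggest a
// Beacon Object File that enables SeDebugPrivilege, unhooks
// NtReadVirtualMemory and writes a minidump of a target PID; the SW2_
// prefix resembles SysWhispers2-style direct syscall stubs (inferred from
// names only — confirm against the sample).
rule AM0NEye_SyscallsdumpX64
{
    meta:
        description = "AM0NEye - syscallsdump.x64.o"
        sha256 = "b33dc013e2168ebb37d8ac80dbcd778c6bda2ede4927b47ec95f32c87ad125fd"

    strings:
        // Operator-facing status / error messages (printf-style).
        $s1 = "Dumping PID %d to file: %s" ascii fullword
        $s2 = "Failed to retrieve PID %d process handle." ascii fullword
        $s3 = "Failed to create dump file at %s" ascii fullword
        $s4 = "Failed to set debug privilege." ascii fullword
        $s5 = "Failed to create minidump." ascii fullword
        $s6 = "Unhooking - Initial ZwProtectVirtualMemory failed." ascii fullword
        $s7 = "Unhooking - ZwWriteVirtualMemory failed." ascii fullword
        $s8 = "Unhooking - Final ZwProtectVirtualMemory failed." ascii fullword
        // Import thunks and symbol names left in the COFF symbol table.
        $s9 = "__imp_DBGHELP$MiniDumpWriteDump" ascii fullword
        $s10 = "__imp_ADVAPI32$LookupPrivilegeValueW" ascii fullword
        $s11 = "Failed to unhook NtReadVirtualMemory." ascii fullword
        $s12 = " [!] OS Version not supported." ascii fullword
        $s13 = "SW2_GetSyscallNumber" ascii fullword
        // Privilege name is passed to LookupPrivilegeValueW as UTF-16.
        $s14 = "SeDebugPrivilege" wide fullword
        $s15 = "__imp_BeaconDataInt" ascii fullword
        $s16 = "entry.c" ascii fullword
        $s17 = "__imp_MSVCRT$_wcsicmp" ascii fullword
        $s18 = "__imp_MSVCRT$memset" ascii fullword
        $s19 = "UnhookFunction" ascii fullword
        $s20 = "__imp_MSVCRT$swprintf_s" ascii fullword

    condition:
        // Cheap structural checks first so YARA short-circuits before the
        // whole-file hash has to be computed: the COFF header's Machine field
        // at offset 0 is IMAGE_FILE_MACHINE_AMD64 (0x8664), the object is
        // small, and most of the strings are present. The parentheses make
        // the and-before-or grouping explicit; the set of matching files is
        // the same as the unparenthesised form.
        (
            uint16(0) == 0x8664 and
            filesize < 30KB and
            8 of them
        )
        or
        // Exact-sample fallback: matches the known hash even if the strings
        // or size checks above do not hold.
        hash.sha256(0, filesize) == "b33dc013e2168ebb37d8ac80dbcd778c6bda2ede4927b47ec95f32c87ad125fd"
}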
Category | |
Type | Yara Rule |
Misp Type | |
Description |