I haven't looked at the code, but there is precedent to use pe.overlay.offset 
and pe.overlay.size.

-- WXS

> On Aug 15, 2016, at 12:02 AM, Fernando Mercês <nand...@gmail.com> wrote:
> 
> Sorry to reply to an old thread, but I had the same need and decided to create 
> a patch (discussion at https://github.com/VirusTotal/yara/issues/432) that 
> is on my Yara fork at https://github.com/merces/yara/
> 
> This commit adds pe.overlay location: 
> https://github.com/merces/yara/commit/39447516d82454f46988fac7313aebe8ce356f88
> This one adds the pe.overlay_size integer: 
> https://github.com/merces/yara/commit/089e8915c1cde8274ab729789a1edc9cc2235b0c
> 
> So rules like these would work:
> 
> rule overlay_bytes {
>       strings:
>               $bytes = { 41 42 43 44 45 }
>       condition:
>               $bytes at pe.overlay
> }
> 
> rule has_overlay {
>       condition:
>               pe.overlay
> }
> 
> rule big_overlay {
>       condition:
>               pe.overlay_size > 10
> }
> 
> 
> @Victor, do you believe the patch is good enough for a pull request?
> 
> Regards,
> 
> @MercesFernando
> mentebinaria.com.br
> ---------------------------
> 
> On Wed, Dec 2, 2015 at 7:46 AM, Víctor Manuel Álvarez García 
> <plus...@gmail.com> wrote:
> Sure, I think this makes a lot of sense. Thank you for the suggestion.
> 
> On Tue, Dec 1, 2015 at 10:05 PM, Glenn J <sir.pus...@gmail.com> wrote:
> import "pe"
> 
> // borland_delphi is a separate rule (not shown here) that must be defined before this one
> rule SkDUndetectabler : SkDrat {
>     meta:
>         author = "me"
>     condition:
>         (
>             borland_delphi or //check All FSG or
>             ((pe.linker_version.major == 6) and (pe.linker_version.minor == 0))
>         )
>         and
>         // overlay present: section data ends before the end of the file
>         (pe.sections[pe.number_of_sections-1].raw_data_offset + pe.sections[pe.number_of_sections-1].raw_data_size < filesize)
>         and
>         //is overlay at offset 2A00,1A00,C00,745,739
>         //pe.overlay & pe.overlay_size would have been prettier
>         (
>             (pe.sections[pe.number_of_sections-1].raw_data_offset + pe.sections[pe.number_of_sections-1].raw_data_size == 0x00000739) or
>             (pe.sections[pe.number_of_sections-1].raw_data_offset + pe.sections[pe.number_of_sections-1].raw_data_size == 0x00000745) or
>             //Uncompressed
>             (pe.sections[pe.number_of_sections-1].raw_data_offset + pe.sections[pe.number_of_sections-1].raw_data_size == 0x00000C00) or
>             (pe.sections[pe.number_of_sections-1].raw_data_offset + pe.sections[pe.number_of_sections-1].raw_data_size == 0x00002A00) or
>             (pe.sections[pe.number_of_sections-1].raw_data_offset + pe.sections[pe.number_of_sections-1].raw_data_size == 0x00001A00)
>         )
>         and
>         //is xored MZ ?
>         (
>             uint16(pe.sections[pe.number_of_sections-1].raw_data_offset + pe.sections[pe.number_of_sections-1].raw_data_size) == 0x6275 or
>             uint16(pe.sections[pe.number_of_sections-1].raw_data_offset + pe.sections[pe.number_of_sections-1].raw_data_size) == 0x4057
>         )
> }
> 
> -- 
> You received this message because you are subscribed to the Google Groups 
> "YARA" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to yara-project+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

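As an added illustration (not code from this thread, from YARA, or from Fernando's patch), here is the overlay computation that Glenn's rule spells out by hand, written as a small PE section-table parser in Python and run on a constructed minimal PE. It also shows why reading only sections[number_of_sections-1] can misfire when the section table is not in file order, one reason a module-computed overlay offset and size is preferable to repeating the expression in every rule. The parser and the sample file are my own assumptions; the sample's optional header is left zeroed.

```python
import struct

def _section_ends(data: bytes):
    """Yield PointerToRawData + SizeOfRawData for every section in the table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4                      # 20-byte COFF header follows the signature
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size             # section table follows the optional header
    for i in range(nsections):               # 40-byte entries; raw size/offset at +16/+20
        raw_size, raw_off = struct.unpack_from("<II", data, table + i * 40 + 16)
        yield raw_off + raw_size

def last_section_end(data: bytes) -> int:
    """What the rule computes: raw_data_offset + raw_data_size of the LAST table entry."""
    ends = list(_section_ends(data))
    return ends[-1] if ends else 0

def pe_overlay(data: bytes):
    """(offset, size) of the overlay, or None if there is none. Takes the highest
    section end, since the section table is not guaranteed to be in file order."""
    end = max(_section_ends(data), default=0)
    if end == 0 or end >= len(data):
        return None
    return end, len(data) - end

def build_sample(overlay: bytes) -> bytes:
    """Constructed minimal PE: two sections listed out of file order, then `overlay`."""
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)          # e_lfanew
    hdr[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x84 + 2, 2)         # NumberOfSections
    struct.pack_into("<H", hdr, 0x84 + 16, 0xE0)     # SizeOfOptionalHeader (contents zeroed)
    table = 0x84 + 20 + 0xE0
    for i, (name, size, off) in enumerate([(b".data", 0x100, 0x300), (b".text", 0x100, 0x200)]):
        hdr[table + i * 40:table + i * 40 + len(name)] = name
        struct.pack_into("<II", hdr, table + i * 40 + 16, size, off)
    return bytes(hdr) + bytes(0x200) + overlay       # section data, then the overlay

if __name__ == "__main__":
    sample = build_sample(b"ABCDE")                  # 41 42 43 44 45, as in the thread
    print("rule-style end:", hex(last_section_end(sample)))   # 0x300: points at .data, not the overlay
    print("overlay:", pe_overlay(sample))            # (1024, 5), i.e. offset 0x400
```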