Sure, I think this makes a lot of sense. Thank you for the suggestion.

On Tue, Dec 1, 2015 at 10:05 PM, Glenn J <sir.pus...@gmail.com> wrote:

> import "pe"
>
> // assumes a rule named borland_delphi is defined earlier in the same ruleset
> rule SkDUndetectabler : SkDrat {
>     meta:
>         author = "me"
>     condition:
>         (
>             borland_delphi or //check All FSG or
>             ((pe.linker_version.major == 6) and (pe.linker_version.minor == 0))
>         )
>         and
>         (pe.sections[pe.number_of_sections-1].raw_data_offset + pe.sections[pe.number_of_sections-1].raw_data_size < filesize) and
>         //is overlay at offset 2A00,1A00,C00,745,739
>         //pe.overlay & pe.overlay_size would have been prettier
>         (
>             (pe.sections[pe.number_of_sections-1].raw_data_offset + pe.sections[pe.number_of_sections-1].raw_data_size == 0x00000739) or
>             (pe.sections[pe.number_of_sections-1].raw_data_offset + pe.sections[pe.number_of_sections-1].raw_data_size == 0x00000745) or
>             //Uncompressed
>             (pe.sections[pe.number_of_sections-1].raw_data_offset + pe.sections[pe.number_of_sections-1].raw_data_size == 0x00000C00) or
>             (pe.sections[pe.number_of_sections-1].raw_data_offset + pe.sections[pe.number_of_sections-1].raw_data_size == 0x00002A00) or
>             (pe.sections[pe.number_of_sections-1].raw_data_offset + pe.sections[pe.number_of_sections-1].raw_data_size == 0x00001A00)
>         )
>         and
>         //is xored MZ ?
>         (
>             uint16(pe.sections[pe.number_of_sections-1].raw_data_offset + pe.sections[pe.number_of_sections-1].raw_data_size) == 0x6275 or
>             uint16(pe.sections[pe.number_of_sections-1].raw_data_offset + pe.sections[pe.number_of_sections-1].raw_data_size) == 0x4057
>         )
> }
>
> --
> You received this message because you are subscribed to the Google Groups
> "YARA" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to yara-project+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>
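The quoted rule computes the overlay start as the raw end of the last entry in the PE section table and then compares the uint16 at that offset against the two XORed "MZ" values. The following is an added example, not code from the thread or from the YARA project: a small Python re-implementation of those two clauses (the Delphi / linker-version clause is left out) on a constructed two-section PE, plus a second offset function that takes the highest raw end over all sections, which shows why the rule's `pe.sections[pe.number_of_sections-1]` approach depends on section-table order.

```python
import struct

# Added example mirroring the quoted rule's overlay checks (the Delphi / linker
# version clause is left out). The constants below come straight from the rule.
XORED_MZ = {0x6275, 0x4057}                             # "is xored MZ ?" candidates
OVERLAY_ENDS = {0x739, 0x745, 0xC00, 0x2A00, 0x1A00}    # overlay offsets the rule lists

def section_ranges(data):
    """(PointerToRawData, SizeOfRawData) for each entry, in section-table order."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, opt_size = struct.unpack_from("<2xH12xH", data, e_lfanew + 4)
    first = e_lfanew + 24 + opt_size                     # first IMAGE_SECTION_HEADER
    out = []
    for i in range(nsec):
        f = struct.unpack_from("<8sIIIIIIHHI", data, first + 40 * i)
        out.append((f[4], f[3]))                         # PointerToRawData, SizeOfRawData
    return out

def overlay_offset_rule(data):
    """What the rule uses: raw end of the LAST section-table entry."""
    ptr, size = section_ranges(data)[-1]
    return ptr + size

def overlay_offset_robust(data):
    """Highest raw end over all sections, independent of section-table order."""
    return max(ptr + size for ptr, size in section_ranges(data))

def matches_rule(data):
    """True when the rule's overlay-offset and xored-MZ clauses would both hold."""
    end = overlay_offset_rule(data)
    if not (end < len(data) and end in OVERLAY_ENDS):
        return False
    return struct.unpack_from("<H", data, end)[0] in XORED_MZ

def build_sample(swap_sections=False):
    """Constructed two-section PE whose sections end at 0xC00, followed by a
    16-byte overlay starting with uint16 0x6275. Synthetic test data only."""
    secs = [(b".text", 0x200, 0x200), (b".data", 0x800, 0x400)]  # name, raw size, raw ptr
    if swap_sections:                  # same bytes on disk, table entries reversed
        secs.reverse()
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 0xDE                 # PE32 magic, rest zeroed
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, sz, ptr, sz, ptr, 0, 0, 0, 0, 0x60000020)
                     for n, sz, ptr in secs)
    image = (dos + b"PE\0\0" + coff + opt + table).ljust(0xC00, b"\0")
    return image + struct.pack("<H", 0x6275) + b"\0" * 14
```

With the section table reversed, `overlay_offset_rule` returns 0x400 and the rule no longer matches, while `overlay_offset_robust` still returns 0xC00.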
