Sure, I think this makes a lot of sense. Thank you for the suggestion.
On Tue, Dec 1, 2015 at 10:05 PM, Glenn J <[email protected]> wrote:
> import "pe"   // needed for the pe.* fields used in the condition
>
> // borland_delphi is a rule defined elsewhere in the same ruleset
> rule SkDUndetectabler : SkDrat {
>     meta:
>         author = "me"
>     condition:
>         (
>             borland_delphi or //check All FSG or
>             ((pe.linker_version.major == 6) and (pe.linker_version.minor == 0))
>         )
>         and
>         // last section ends before EOF, i.e. the file carries an overlay
>         (pe.sections[pe.number_of_sections-1].raw_data_offset +
>          pe.sections[pe.number_of_sections-1].raw_data_size < filesize)
>         and
>         //is overlay at offset 2A00,1A00,C00,745,739
>         //pe.overlay & pe.overlay_size would have been prettier
>         (
>             (pe.sections[pe.number_of_sections-1].raw_data_offset +
>              pe.sections[pe.number_of_sections-1].raw_data_size == 0x00000739) or
>             (pe.sections[pe.number_of_sections-1].raw_data_offset +
>              pe.sections[pe.number_of_sections-1].raw_data_size == 0x00000745) or
>             //Uncompressed
>             (pe.sections[pe.number_of_sections-1].raw_data_offset +
>              pe.sections[pe.number_of_sections-1].raw_data_size == 0x00000C00) or
>             (pe.sections[pe.number_of_sections-1].raw_data_offset +
>              pe.sections[pe.number_of_sections-1].raw_data_size == 0x00002A00) or
>             (pe.sections[pe.number_of_sections-1].raw_data_offset +
>              pe.sections[pe.number_of_sections-1].raw_data_size == 0x00001A00)
>         )
>         and
>         //is xored MZ ?  (first two bytes of the overlay, read little-endian)
>         (
>             uint16(pe.sections[pe.number_of_sections-1].raw_data_offset +
>                    pe.sections[pe.number_of_sections-1].raw_data_size) == 0x6275 or
>             uint16(pe.sections[pe.number_of_sections-1].raw_data_offset +
>                    pe.sections[pe.number_of_sections-1].raw_data_size) == 0x4057
>         )
> }
>
> --
> You received this message because you are subscribed to the Google Groups
> "YARA" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
>
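The overlay test the quoted rule performs (end of the last section table entry compared with filesize, then the uint16 at the overlay start), redone as a standalone Python parser so the arithmetic can be checked outside YARA. This is an added example, not Glenn's rule or YARA's pe module; the PE image is constructed inline for the demonstration, and xor_key_for_mz generalises the rule's two constants to any single-byte XOR of "MZ" (0x6275 is key 0x38, 0x4057 is key 0x1A).

```python
import struct
from typing import Optional, Tuple

SECTION_HEADER_SIZE = 40                   # sizeof(IMAGE_SECTION_HEADER)
SECTION_FIELDS = struct.Struct("<8sIIII")  # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData

def last_section_end(data: bytes) -> int:
    """raw_data_offset + raw_data_size of the LAST section-table entry, which is
    what the rule's pe.sections[pe.number_of_sections-1] expression yields.
    Table order is used, not the highest file offset, exactly as in the rule."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]   # COFF.NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]      # COFF.SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                                  # first IMAGE_SECTION_HEADER
    last = table + (num_sections - 1) * SECTION_HEADER_SIZE
    _, _, _, raw_size, raw_ptr = SECTION_FIELDS.unpack_from(data, last)
    return raw_ptr + raw_size

def overlay_info(data: bytes) -> Optional[Tuple[int, int, Optional[int]]]:
    """(offset, size, first little-endian uint16) of the overlay, or None when the
    last section runs to EOF (the rule's '... < filesize' test fails)."""
    end = last_section_end(data)
    if end >= len(data):
        return None
    word = struct.unpack_from("<H", data, end)[0] if len(data) - end >= 2 else None
    return end, len(data) - end, word

def xor_key_for_mz(word: int) -> Optional[int]:
    """If `word` is 'MZ' XORed with one repeating key byte, return that key, else None.
    This is the general form of the rule's two hard-coded uint16 constants."""
    key = (word & 0xFF) ^ ord("M")
    return key if (word >> 8) ^ ord("Z") == key else None

def build_sample_pe(section_data: bytes, overlay: bytes) -> bytes:
    """Constructed minimal PE for testing (not a real sample): DOS header, PE
    signature, COFF header with an empty optional header, one section, then overlay."""
    e_lfanew = 0x40
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)  # i386, 1 section, opt header size 0
    raw_ptr = e_lfanew + 4 + len(coff) + SECTION_HEADER_SIZE      # section data follows the table
    sect = SECTION_FIELDS.pack(b".text", len(section_data), 0x1000, len(section_data), raw_ptr)
    return dos + b"PE\0\0" + coff + sect.ljust(SECTION_HEADER_SIZE, b"\0") + section_data + overlay
```

An overlay whose first two bytes are "ub" yields 0x6275 and key 0x38; a file whose last section ends at EOF yields None, so the rule's overlay clause would not fire.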