This works:
rule IsDLL : PECheck
{
    condition:
        // MZ signature at offset 0 and ...
        uint16(0) == 0x5A4D and
        // ... high byte of the COFF Characteristics field (e_lfanew + 0x17,
        // where e_lfanew is the PE header offset stored at 0x3C) equals 0x21
        (uint8(uint32(0x3C)+0x17) == 0x21)
}
But I'd like to use another code:
It complains about unexpected _NOT_ ... what to do?
rule IsDLL : PECheck
{
    condition:
        // MZ signature at offset 0 and ...
        uint16(0) == 0x5A4D and
        //Result := ((PEHeader.Flags And IMAGE_FILE_DLL) <> 0)
        ((uint16(uint32(0x3C)+0x16) & 0x2000) not 0x0)==1
}
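An added example, not part of the original post: in YARA `not` only negates a whole boolean expression, and inequality between integers is written `!=`, so the IMAGE_FILE_DLL test from the second rule can be expressed as below. The rule names are hypothetical; the first rule also checks the `PE\0\0` signature, and the second uses the `pe` module instead of raw offsets.

```yara
import "pe"

rule IsDLL_RawOffsets : PECheck
{
    condition:
        // MZ signature at offset 0
        uint16(0) == 0x5A4D and
        // "PE\0\0" signature at the offset stored in the MZ header at 0x3C
        uint32(uint32(0x3C)) == 0x00004550 and
        // COFF Characteristics (e_lfanew + 0x16) has IMAGE_FILE_DLL (0x2000) set
        (uint16(uint32(0x3C) + 0x16) & 0x2000) != 0
}

rule IsDLL_PEModule : PECheck
{
    condition:
        // Same flag test; the pe module parses the headers and the
        // expression is undefined (rule does not match) on non-PE input
        (pe.characteristics & pe.DLL) != 0
}
```

Unlike the `== 0x21` byte comparison in the working rule, both conditions match any file with the DLL bit set, whatever other Characteristics flags are present.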