The best way of checking for a DLL is the one proposed by Wesley, but in case you want to know what's wrong with your rule, the issue is the *not* in red:

((uint16(uint32(0x3C)+0x16) & 0x2000) not 0x0)==1

Your condition is basically something like this: (<int_expression> not <int_expression>) == 1. The *not* operator is unary and must be followed by a boolean expression; that's why YARA complains. This would suffice:

(uint16(uint32(0x3C)+0x16) & 0x2000) == 0x2000

Or this:

(uint16(uint32(0x3C)+0x16) & 0x2000) != 0

But of course this is more legible:

pe.characteristics & pe.IMAGE_FILE_DLL

And this is even more legible and compact:

pe.is_dll()

On Wed, Jan 20, 2016 at 6:56 PM, Wesley Shields <[email protected]> wrote:
> The next release of YARA will have pe.is_dll() which you can use. In the
> meantime you can always use this (untested):
>
> pe.characteristics & pe.IMAGE_FILE_DLL
>
> -- WXS
>
> > On Jan 20, 2016, at 9:28 AM, Glenn J <[email protected]> wrote:
> >
> > This works:
> >
> > rule IsDLL : PECheck
> > {
> >   condition:
> >     // MZ signature at offset 0 and ...
> >     uint16(0) == 0x5A4D and
> >     // ... PE signature at offset stored in MZ header at 0x3C
> >     (uint8(uint32(0x3C)+0x17) == 0x21)
> > }
> >
> > but I'd like to use another code:
> > it complains about unexpected _NOT_ ... what to do?
> >
> > rule IsDLL : PECheck
> > {
> >   condition:
> >     // MZ signature at offset 0 and ...
> >     uint16(0) == 0x5A4D and
> >     //Result := ((PEHeader.Flags And IMAGE_FILE_DLL) <> 0)
> >     ((uint16(uint32(0x3C)+0x16) & 0x2000) not 0x0)==1
> > }
--
You received this message because you are subscribed to the Google Groups "YARA" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
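The header arithmetic these rules rely on, as an added Python illustration that is not part of the thread: it reads the IMAGE_FILE_HEADER Characteristics field at e_lfanew+0x16 exactly as the YARA expressions above do, and also shows why the first rule's `uint8(uint32(0x3C)+0x17) == 0x21` test is narrower than testing the 0x2000 bit. The sample headers are constructed inline; the function names are my own.

```python
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D     # "MZ" read as a little-endian uint16
IMAGE_NT_SIGNATURE = 0x00004550  # "PE\0\0" read as a little-endian uint32
IMAGE_FILE_DLL = 0x2000          # Characteristics bit behind pe.is_dll()


def characteristics(data: bytes):
    """Return IMAGE_FILE_HEADER.Characteristics, or None if data is not a PE image.

    Mirrors `uint16(0) == 0x5A4D` and `uint16(uint32(0x3C)+0x16)` from the rule,
    with explicit bounds checks (YARA treats an out-of-range uintN() read as undefined).
    """
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Need the 4-byte PE signature plus the 20-byte IMAGE_FILE_HEADER after it.
    if e_lfanew + 0x18 > len(data):
        return None
    if struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        return None
    return struct.unpack_from("<H", data, e_lfanew + 0x16)[0]


def is_dll(data: bytes) -> bool:
    """Equivalent of `(uint16(uint32(0x3C)+0x16) & 0x2000) != 0`, i.e. pe.is_dll()."""
    flags = characteristics(data)
    return flags is not None and (flags & IMAGE_FILE_DLL) != 0


def high_byte_is_0x21(data: bytes) -> bool:
    """Equivalent of the first rule's `uint8(uint32(0x3C)+0x17) == 0x21`: true only
    when the high byte of Characteristics is exactly 0x21, so a DLL whose other
    high-byte flags differ (e.g. 0x2022) is missed."""
    flags = characteristics(data)
    return flags is not None and (flags >> 8) == 0x21


def build_header(flags: int, e_lfanew: int = 0x40) -> bytes:
    """Constructed sample: zeroed DOS stub, PE signature, IMAGE_FILE_HEADER, no sections."""
    stub = bytearray(e_lfanew)
    struct.pack_into("<H", stub, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", stub, 0x3C, e_lfanew)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (lands at +0x16)
    file_header = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 0, flags)
    return bytes(stub) + struct.pack("<I", IMAGE_NT_SIGNATURE) + file_header


DLL_SAMPLE = build_header(0x2022)   # DLL bit set alongside other flags
EXE_SAMPLE = build_header(0x0022)   # same flags without the DLL bit
NOT_PE = b"#!/bin/sh\necho not a PE file\n"
```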
