Sorry to reply to an old thread, but I had the same need and decided to create a patch (discussion at https://github.com/VirusTotal/yara/issues/432), which is on my Yara fork at https://github.com/merces/yara/
This commit adds the pe.overlay location: https://github.com/merces/yara/commit/39447516d82454f46988fac7313aebe8ce356f88

This one adds the pe.overlay_size integer: https://github.com/merces/yara/commit/089e8915c1cde8274ab729789a1edc9cc2235b0c

So rules like these would work:

    import "pe"

    rule overlay_bytes {
        strings:
            $bytes = { 41 42 43 44 45 }
        condition:
            $bytes at pe.overlay
    }

    rule has_overlay {
        condition:
            pe.overlay
    }

    rule big_overlay {
        condition:
            pe.overlay_size > 10
    }

@Victor, do you believe the patch is good enough for a pull request?

Att,
@MercesFernando
mentebinaria.com.br <http://www.mentebinaria.com.br>

---------------------------

On Wed, Dec 2, 2015 at 7:46 AM, Víctor Manuel Álvarez García <[email protected]> wrote:

> Sure, I think this makes a lot of sense. Thank you for the suggestion.
>
> On Tue, Dec 1, 2015 at 10:05 PM, Glenn J <[email protected]> wrote:
>
>>     import "pe"
>>
>>     rule SkDUndetectabler : SkDrat {
>>         meta:
>>             author = "me"
>>         condition:
>>             (
>>                 borland_delphi or //check All FSG or
>>                 ((pe.linker_version.major == 6) and (pe.linker_version.minor == 0))
>>             )
>>             and
>>             (pe.sections[pe.number_of_sections-1].raw_data_offset +
>>              pe.sections[pe.number_of_sections-1].raw_data_size < filesize) and
>>             //is overlay at offset 2A00,1A00,C00,745,739
>>             //pe.overlay & pe.overlay_size would have been prettier
>>             (
>>                 (pe.sections[pe.number_of_sections-1].raw_data_offset +
>>                  pe.sections[pe.number_of_sections-1].raw_data_size == 0x00000739) or
>>                 (pe.sections[pe.number_of_sections-1].raw_data_offset +
>>                  pe.sections[pe.number_of_sections-1].raw_data_size == 0x00000745) or
>>                 //Uncompressed
>>                 (pe.sections[pe.number_of_sections-1].raw_data_offset +
>>                  pe.sections[pe.number_of_sections-1].raw_data_size == 0x00000C00) or
>>                 (pe.sections[pe.number_of_sections-1].raw_data_offset +
>>                  pe.sections[pe.number_of_sections-1].raw_data_size == 0x00002A00) or
>>                 (pe.sections[pe.number_of_sections-1].raw_data_offset +
>>                  pe.sections[pe.number_of_sections-1].raw_data_size == 0x00001A00)
>>             )
>>             and
>>             //is xored MZ ?
>>             (
>>                 uint16(pe.sections[pe.number_of_sections-1].raw_data_offset +
>>                        pe.sections[pe.number_of_sections-1].raw_data_size) == 0x6275 or
>>                 uint16(pe.sections[pe.number_of_sections-1].raw_data_offset +
>>                        pe.sections[pe.number_of_sections-1].raw_data_size) == 0x4057
>>             )
>>     }
>>
>> --
>> You received this message because you are subscribed to the Google Groups "YARA" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> For more options, visit https://groups.google.com/d/optout.
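The overlay computation the thread is about, as an added example in Python that is neither the patch's nor YARA's own code: pe_overlay takes the end of every section's raw data rather than only the last table entry (which the hand-written rule above relies on via pe.sections[pe.number_of_sections-1]), so a section table that is not in file order still yields the right overlay offset and size. build_pe and the section layouts it writes are constructed test input, and all function names are this example's own.

```python
import struct

def section_raw_ranges(data):
    """Parse the PE section table into [(PointerToRawData, SizeOfRawData), ...]; None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    fh = e_lfanew + 4  # IMAGE_FILE_HEADER: NumberOfSections at +2, SizeOfOptionalHeader at +16
    if data[e_lfanew:fh] != b"PE\0\0" or len(data) < fh + 20:
        return None
    num_sections = struct.unpack_from("<H", data, fh + 2)[0]
    table = fh + 20 + struct.unpack_from("<H", data, fh + 16)[0]
    if table + 40 * num_sections > len(data):
        return None  # truncated section table: refuse rather than guess
    ranges = []
    for i in range(num_sections):  # IMAGE_SECTION_HEADER is 40 bytes; SizeOfRawData at +16, PointerToRawData at +20
        size, ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
        ranges.append((ptr, size))
    return ranges

def pe_overlay(data):
    """(offset, size) of bytes past the end of all section raw data, i.e. what pe.overlay /
    pe.overlay_size report; None if there is no overlay. Max over all sections, not just the last."""
    ranges = section_raw_ranges(data)
    if not ranges:
        return None
    end = max((ptr + size for ptr, size in ranges if size), default=0)
    if end == 0 or end >= len(data):
        return None
    return end, len(data) - end

def last_section_end(data):
    """What the quoted rule computes by hand: raw end of the last table entry only."""
    ranges = section_raw_ranges(data)
    return ranges[-1][0] + ranges[-1][1] if ranges else None

def build_pe(sections, overlay=b""):
    """Constructed minimal PE (parseable, not loadable) for testing; sections is a list of
    (PointerToRawData, SizeOfRawData) written to the section table in that order."""
    img = bytearray(b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40))  # e_lfanew = 0x40
    img += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0)
    for i, (ptr, size) in enumerate(sections):
        img += struct.pack("<8sIIII", b".s%d" % i, size, 0x1000 * (i + 1), size, ptr) + b"\0" * 16
    for ptr, size in sections:
        img += b"\0" * max(0, ptr + size - len(img))
        img[ptr:ptr + size] = b"A" * size
    return bytes(img) + overlay
```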
