Sorry to reply to an old thread, but I had the same need and decided to
create a patch (discussion at https://github.com/VirusTotal/yara/issues/432),
which is on my YARA fork at https://github.com/merces/yara/

This commit adds pe.overlay location:
https://github.com/merces/yara/commit/39447516d82454f46988fac7313aebe8ce356f88
This one adds the pe.overlay_size integer:
https://github.com/merces/yara/commit/089e8915c1cde8274ab729789a1edc9cc2235b0c

So rules like these would work:

import "pe"

rule overlay_bytes {
    strings:
        $bytes = { 41 42 43 44 45 }
    condition:
        $bytes at pe.overlay
}

rule has_overlay {
    condition:
        pe.overlay
}

rule big_overlay {
    condition:
        pe.overlay_size > 10
}


@Victor, do you believe the patch is good enough for a pull request?

Att,

@MercesFernando
mentebinaria.com.br <http://www.mentebinaria.com.br>
---------------------------

On Wed, Dec 2, 2015 at 7:46 AM, Víctor Manuel Álvarez García <[email protected]> wrote:

> Sure, I think this makes a lot of sense. Thank you for the suggestion.
>
> On Tue, Dec 1, 2015 at 10:05 PM, Glenn J <[email protected]> wrote:
>
>> import "pe"
>>
>> rule SkDUndetectabler : SkDrat {
>>     meta:
>>         author = "me"
>>     condition:
>>         (
>>         borland_delphi or //check All FSG or
>>         ((pe.linker_version.major == 6) and (pe.linker_version.minor == 0))
>>         )
>>         and
>>         (pe.sections[pe.number_of_sections-1].raw_data_offset +
>>          pe.sections[pe.number_of_sections-1].raw_data_size < filesize) and
>>         //is overlay at offset 2A00,1A00,C00,745,739
>>         //pe.overlay & pe.overlay_size would have been prettier
>>         (
>>         (pe.sections[pe.number_of_sections-1].raw_data_offset +
>>          pe.sections[pe.number_of_sections-1].raw_data_size == 0x00000739) or
>>         (pe.sections[pe.number_of_sections-1].raw_data_offset +
>>          pe.sections[pe.number_of_sections-1].raw_data_size == 0x00000745) or
>>         //Uncompressed
>>         (pe.sections[pe.number_of_sections-1].raw_data_offset +
>>          pe.sections[pe.number_of_sections-1].raw_data_size == 0x00000C00) or
>>         (pe.sections[pe.number_of_sections-1].raw_data_offset +
>>          pe.sections[pe.number_of_sections-1].raw_data_size == 0x00002A00) or
>>         (pe.sections[pe.number_of_sections-1].raw_data_offset +
>>          pe.sections[pe.number_of_sections-1].raw_data_size == 0x00001A00)
>>         )
>>         and
>>         //is xored MZ ?
>>         (
>>         uint16(pe.sections[pe.number_of_sections-1].raw_data_offset +
>>                pe.sections[pe.number_of_sections-1].raw_data_size) == 0x6275 or
>>         uint16(pe.sections[pe.number_of_sections-1].raw_data_offset +
>>                pe.sections[pe.number_of_sections-1].raw_data_size) == 0x4057
>>         )
>> }
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "YARA" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> For more options, visit https://groups.google.com/d/optout.
>>
>

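The overlay computation this thread is about, as an added example that is not part of the thread or of the YARA patch linked above: a small Python script that parses a PE's section table and derives an overlay offset and size the way a `pe.overlay`/`pe.overlay_size`-style field would, builds a constructed in-memory PE sample to run against, and contrasts the "end of the last section header" expression used in the quoted rule with the highest raw end across all headers. Taking the maximum across all sections is a design choice of this example (section headers are not guaranteed to be in file order); returning `(0, 0)` when there is no overlay is likewise this example's convention. All names here (`build_sample_pe`, `section_ends`, `last_section_end`, `overlay_info`, `overlay_uint16`) are the example's own, not YARA's.

```python
import struct

SECTION_HEADER_SIZE = 40
OPTIONAL_HEADER_SIZE = 0xE0  # PE32 optional header; only the Magic field is filled in


def build_sample_pe(overlay: bytes, headers_in_file_order: bool = True) -> bytes:
    """Construct a minimal two-section PE32 image in memory.

    This is a constructed sample for demonstration, not a real binary.
    Section data sits at 0x200 (.text) and 0x400 (.data), each 0x200 bytes,
    so anything appended after 0x600 is overlay. With headers_in_file_order
    set to False the two section headers are written in reverse order, so
    the *last* header no longer describes the bytes at the end of the file.
    """
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)

    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, OPTIONAL_HEADER_SIZE, 0x0102)
    optional = bytearray(OPTIONAL_HEADER_SIZE)
    struct.pack_into("<H", optional, 0, 0x10B)  # PE32 magic

    def section_header(name, vaddr, raw_ptr, raw_size):
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
        # NumberOfLinenumbers, Characteristics
        return struct.pack("<8sIIIIIIHHI", name, raw_size, vaddr, raw_size,
                           raw_ptr, 0, 0, 0, 0, 0x60000020)

    headers = [section_header(b".text", 0x1000, 0x200, 0x200),
               section_header(b".data", 0x2000, 0x400, 0x200)]
    if not headers_in_file_order:
        headers.reverse()

    image = bytearray(dos + b"PE\0\0" + coff + optional + b"".join(headers))
    image += b"\0" * (0x200 - len(image))  # pad headers up to the first section
    image += b"\x90" * 0x200               # .text contents
    image += b"\x00" * 0x200               # .data contents
    image += overlay
    return bytes(image)


def section_ends(data: bytes) -> list:
    """Return PointerToRawData + SizeOfRawData for each section header, in header order."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size
    ends = []
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData sit at offsets 16 and 20 of the header
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + i * SECTION_HEADER_SIZE + 16)
        ends.append(raw_ptr + raw_size)
    return ends


def last_section_end(data: bytes) -> int:
    """The value the hand-written rule in the thread computes from the last section header."""
    ends = section_ends(data)
    return ends[-1] if ends else 0


def overlay_info(data: bytes) -> tuple:
    """(offset, size) of the overlay, taking the highest raw end across all sections.

    Returns (0, 0) when no bytes follow the sections (this example's convention,
    so a rule can test the offset for truthiness the way has_overlay above does).
    """
    ends = section_ends(data)
    end = max(ends) if ends else 0
    if end == 0 or end >= len(data):
        return 0, 0
    return end, len(data) - end


def overlay_uint16(data: bytes):
    """The value YARA's uint16(<overlay offset>) would read: little-endian, or None if too short."""
    off, size = overlay_info(data)
    if size < 2:
        return None
    return struct.unpack_from("<H", data, off)[0]


if __name__ == "__main__":
    for ordered in (True, False):
        sample = build_sample_pe(b"ABCDE", headers_in_file_order=ordered)
        off, size = overlay_info(sample)
        print(f"headers in file order={ordered}: overlay at {off:#x} size {size}, "
              f"last-header end {last_section_end(sample):#x}, uint16 {overlay_uint16(sample):#06x}")
```

Run it as-is to see the two cases side by side; with the headers reversed, the last-header expression stops at 0x400 while the overlay really starts at 0x600, which is why a module-provided offset is safer than the hand-written `pe.sections[pe.number_of_sections-1]` arithmetic in the quoted rule.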