Hi Wesley,

Thanks for that. Indeed it looks better this way. I've put overlay integers
"offset" and "size" under an "overlay" struct. If you have time, I'll be
happy to hear your feedback:
https://github.com/merces/yara/commit/2751a8938e5b6cc2178118d956c4c905c90bc170

Thank you.

Att,

@MercesFernando
mentebinaria.com.br <http://www.mentebinaria.com.br>
---------------------------

On Mon, Aug 15, 2016 at 10:23 AM, Wesley Shields <[email protected]> wrote:

> I haven't looked at the code, but there is precedent to use
> pe.overlay.offset and pe.overlay.size.
>
> -- WXS
>
> > On Aug 15, 2016, at 12:02 AM, Fernando Mercês <[email protected]> wrote:
> >
> > Sorry to reply to an old thread but I had the same need and decided to create a patch (discussion at https://github.com/VirusTotal/yara/issues/432), that is on my Yara fork at https://github.com/merces/yara/
> >
> > This commit adds pe.overlay location: https://github.com/merces/yara/commit/39447516d82454f46988fac7313aebe8ce356f88
> > This one adds the pe.overlay_size integer: https://github.com/merces/yara/commit/089e8915c1cde8274ab729789a1edc9cc2235b0c
> >
> > So rules like these would work:
> >
> > rule overlay_bytes {
> >       strings:
> >               $bytes = { 41 42 43 44 45 }
> >       condition:
> >               $bytes at pe.overlay
> > }
> >
> > rule has_overlay {
> >       condition:
> >               pe.overlay
> > }
> >
> > rule big_overlay {
> >       condition:
> >               pe.overlay_size > 10
> > }
> >
> >
> > @Victor, do you believe the patch is good enough for a pull request?
> >
> > Att,
> >
> > @MercesFernando
> > mentebinaria.com.br
> > ---------------------------
> >
> > On Wed, Dec 2, 2015 at 7:46 AM, Víctor Manuel Álvarez García <[email protected]> wrote:
> > Sure, I think this makes a lot of sense. Thank you for the suggestion.
> >
> > On Tue, Dec 1, 2015 at 10:05 PM, Glenn J <[email protected]> wrote:
> > rule SkDUndetectabler : SkDrat {
> >     meta:
> >         author = "me"
> >     condition:
> >         (
> >         borland_delphi or //check All FSG or
> >         ((pe.linker_version.major == 6) and (pe.linker_version.minor == 0))
> >         )
> >         and
> >         (pe.sections[pe.number_of_sections-1].raw_data_offset+pe.sections[pe.number_of_sections-1].raw_data_size < filesize) and
> >         //is overlay at offset 2A00,1A00,C00,745,739
> >         //pe.overlay & pe.overlay_size would have been prettier
> >         (
> >         (pe.sections[pe.number_of_sections-1].raw_data_offset+pe.sections[pe.number_of_sections-1].raw_data_size == 0x00000739)  or
> >         (pe.sections[pe.number_of_sections-1].raw_data_offset+pe.sections[pe.number_of_sections-1].raw_data_size == 0x00000745)  or
> >         //Uncompressed
> >         (pe.sections[pe.number_of_sections-1].raw_data_offset+pe.sections[pe.number_of_sections-1].raw_data_size == 0x00000C00)  or
> >         (pe.sections[pe.number_of_sections-1].raw_data_offset+pe.sections[pe.number_of_sections-1].raw_data_size == 0x00002A00)  or
> >         (pe.sections[pe.number_of_sections-1].raw_data_offset+pe.sections[pe.number_of_sections-1].raw_data_size == 0x00001A00)
> >         )
> >         and
> >         //is xored MZ ?
> >         (
> >         uint16(pe.sections[pe.number_of_sections-1].raw_data_offset+pe.sections[pe.number_of_sections-1].raw_data_size) == 0x6275 or
> >         uint16(pe.sections[pe.number_of_sections-1].raw_data_offset+pe.sections[pe.number_of_sections-1].raw_data_size) == 0x4057
> >         )
> > }
> >
> > --
> > You received this message because you are subscribed to the Google
> Groups "YARA" group.
> > To unsubscribe from this group and stop receiving emails from it, send
> an email to [email protected].
> > For more options, visit https://groups.google.com/d/optout.
> >
>
>

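The overlay arithmetic the thread relies on (last section's raw_data_offset + raw_data_size compared against filesize), as an added stand-alone Python example that is not code from the thread or from YARA's PE module: it builds a constructed, non-loadable minimal PE image and computes the overlay offset and size from the highest section end rather than only the last section header, which also covers section tables that are not in file order. Function names and the sample bytes are my own.

```python
import struct

def build_sample_pe(overlay: bytes) -> bytes:
    """Constructed minimal PE (not loadable): DOS header, PE signature, COFF header
    with one section and SizeOfOptionalHeader = 0, one section header whose raw
    data is 0x200 bytes at file offset 0x200, then `overlay` appended as trailing data."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)    # 1 section, no optional header
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000,
                       0x200, 0x200, 0, 0, 0, 0, 0x60000020)       # SizeOfRawData, PointerToRawData
    img = dos + b"PE\0\0" + coff + sect
    img += b"\0" * (0x200 - len(img)) + b"\xCC" * 0x200            # pad headers, then raw section bytes
    return img + overlay

def pe_overlay(data: bytes):
    """Return (offset, size) of the overlay, or None when the file ends exactly
    where the section raw data ends (the pe.overlay / pe.overlay_size idea)."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    n_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size                               # section table follows the optional header
    end = 0
    for i in range(n_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)                         # highest end of any section's raw data
    if end >= len(data):
        return None
    return end, len(data) - end

def overlay_starts_with(data: bytes, pattern: bytes) -> bool:
    """Python equivalent of the thread's `$bytes at pe.overlay` condition."""
    ov = pe_overlay(data)
    return ov is not None and data[ov[0]:ov[0] + len(pattern)] == pattern

if __name__ == "__main__":
    sample = build_sample_pe(b"ABCDE" + b"\0" * 20)
    print(pe_overlay(sample), overlay_starts_with(sample, b"\x41\x42\x43\x44\x45"))
```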
