Another excellent suggestion, Wesley. Thanks! It's done now. ;-)
https://github.com/merces/yara/commit/c6ab8e39d4f9611de54681376de528f605634a72

Att,
@MercesFernando
mentebinaria.com.br <http://www.mentebinaria.com.br>
---------------------------

On Mon, Aug 15, 2016 at 5:26 PM, Wesley Shields <[email protected]> wrote:
> Is it possible to do this in the loop at the end of pe_parse_header()? The
> construct to walk the section headers is already there so walking them a
> second time in your function is redundant. Otherwise it looks correct to
> me. I'll hopefully be able to test it out tonight, but assume it looks good
> to me (for whatever that is worth) unless I speak up.
>
> -- WXS
>
> On Aug 15, 2016, at 4:11 PM, Fernando Mercês <[email protected]> wrote:
> > Hi Wesley,
> >
> > Thanks for that. Indeed it looks better this way. I've put overlay
> > integers "offset" and "size" under an "overlay" struct. If you have time,
> > I'll be happy to hear your feedback:
> > https://github.com/merces/yara/commit/2751a8938e5b6cc2178118d956c4c905c90bc170
> >
> > Thank you.
> >
> > Att,
> > @MercesFernando
> > mentebinaria.com.br
> > ---------------------------
> >
> > On Mon, Aug 15, 2016 at 10:23 AM, Wesley Shields <[email protected]> wrote:
> > > I haven't looked at the code, but there is precedent to use
> > > pe.overlay.offset and pe.overlay.size.
> > >
> > > -- WXS
> > >
> > > On Aug 15, 2016, at 12:02 AM, Fernando Mercês <[email protected]> wrote:
> > > > Sorry to reply to an old thread but I had the same need and decided to
> > > > create a patch (discussion at https://github.com/VirusTotal/yara/issues/432),
> > > > that is on my Yara fork at https://github.com/merces/yara/
> > > >
> > > > This commit adds pe.overlay location:
> > > > https://github.com/merces/yara/commit/39447516d82454f46988fac7313aebe8ce356f88
> > > > This one adds the pe.overlay_size integer:
> > > > https://github.com/merces/yara/commit/089e8915c1cde8274ab729789a1edc9cc2235b0c
> > > >
> > > > So rules like these would work:
> > > >
> > > > import "pe"
> > > >
> > > > rule overlay_bytes {
> > > >     strings:
> > > >         $bytes = { 41 42 43 44 45 }
> > > >     condition:
> > > >         $bytes at pe.overlay
> > > > }
> > > >
> > > > rule has_overlay {
> > > >     condition:
> > > >         pe.overlay
> > > > }
> > > >
> > > > rule big_overlay {
> > > >     condition:
> > > >         pe.overlay_size > 10
> > > > }
> > > >
> > > > @Victor, do you believe the patch is good enough for a pull request?
> > > >
> > > > Att,
> > > > @MercesFernando
> > > > mentebinaria.com.br
> > > > ---------------------------
> > > >
> > > > On Wed, Dec 2, 2015 at 7:46 AM, Víctor Manuel Álvarez García <[email protected]> wrote:
> > > > > Sure, I think this makes a lot of sense. Thank you for the suggestion.
> > > > >
> > > > > On Tue, Dec 1, 2015 at 10:05 PM, Glenn J <[email protected]> wrote:
> > > > > > import "pe"
> > > > > >
> > > > > > rule SkDUndetectabler : SkDrat {
> > > > > >     meta:
> > > > > >         author = "me"
> > > > > >     condition:
> > > > > >         (
> > > > > >             // borland_delphi is a rule defined elsewhere (not included in this message)
> > > > > >             borland_delphi or //check All FSG or
> > > > > >             ((pe.linker_version.major == 6) and (pe.linker_version.minor == 0))
> > > > > >         )
> > > > > >         and
> > > > > >         (pe.sections[pe.number_of_sections-1].raw_data_offset +
> > > > > >          pe.sections[pe.number_of_sections-1].raw_data_size < filesize) and
> > > > > >         //is overlay at offset 2A00,1A00,C00,745,739
> > > > > >         //pe.overlay & pe.overlay_size would have been prettier
> > > > > >         (
> > > > > >             (pe.sections[pe.number_of_sections-1].raw_data_offset +
> > > > > >              pe.sections[pe.number_of_sections-1].raw_data_size == 0x00000739) or
> > > > > >             (pe.sections[pe.number_of_sections-1].raw_data_offset +
> > > > > >              pe.sections[pe.number_of_sections-1].raw_data_size == 0x00000745) or
> > > > > >             //Uncompressed
> > > > > >             (pe.sections[pe.number_of_sections-1].raw_data_offset +
> > > > > >              pe.sections[pe.number_of_sections-1].raw_data_size == 0x00000C00) or
> > > > > >             (pe.sections[pe.number_of_sections-1].raw_data_offset +
> > > > > >              pe.sections[pe.number_of_sections-1].raw_data_size == 0x00002A00) or
> > > > > >             (pe.sections[pe.number_of_sections-1].raw_data_offset +
> > > > > >              pe.sections[pe.number_of_sections-1].raw_data_size == 0x00001A00)
> > > > > >         )
> > > > > >         and
> > > > > >         //is xored MZ ?
> > > > > >         (
> > > > > >             uint16(pe.sections[pe.number_of_sections-1].raw_data_offset +
> > > > > >                    pe.sections[pe.number_of_sections-1].raw_data_size) == 0x6275 or
> > > > > >             uint16(pe.sections[pe.number_of_sections-1].raw_data_offset +
> > > > > >                    pe.sections[pe.number_of_sections-1].raw_data_size) == 0x4057
> > > > > >         )
> > > > > > }
> > > > > >
> > > > > > --
> > > > > > You received this message because you are subscribed to the Google Groups "YARA" group.
> > > > > > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> > > > > > For more options, visit https://groups.google.com/d/optout.
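The overlay computation the thread converges on (offset = end of the last section's raw data, size = filesize minus that) as an added standalone C example; this is not YARA's pe.c code nor any commit linked above. It folds the check into a single walk of the section table as Wesley suggests, and tracks the highest raw end rather than the last header's, which generalizes Glenn's pe.sections[pe.number_of_sections-1] expression to section tables that are not in file order. Field offsets are the PE/COFF header layout; the sample file and the build_sample helper are constructed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Mirrors the pe.overlay.offset / pe.overlay.size pair discussed in the thread. */
typedef struct { int present; uint64_t offset, size; } overlay_t;
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = v & 0xFF; p[1] = v >> 8; }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, v & 0xFFFF); wr16(p + 2, v >> 16); }

/* Single pass over the section table, as Wesley suggests doing inside the existing
 * header walk: remember the highest PointerToRawData + SizeOfRawData; whatever the
 * file holds beyond that is overlay. Bounds checks keep malformed headers safe. */
overlay_t pe_overlay(const uint8_t *buf, size_t len)
{
    overlay_t r = { 0, 0, 0 };
    if (len < 0x40 || rd16(buf) != 0x5A4D) return r;                    /* "MZ" */
    uint32_t e_lfanew = rd32(buf + 0x3C);
    if (e_lfanew > len - 24 || memcmp(buf + e_lfanew, "PE\0\0", 4) != 0) return r;
    const uint8_t *coff = buf + e_lfanew + 4;
    uint16_t nsect = rd16(coff + 2), opt_size = rd16(coff + 16);
    size_t sect = e_lfanew + 4 + 20 + opt_size;                         /* section table */
    uint64_t end = 0;
    for (uint16_t i = 0; i < nsect; i++, sect += 40) {
        if (sect + 40 > len) break;                                     /* truncated table */
        uint64_t raw_end = (uint64_t)rd32(buf + sect + 20) + rd32(buf + sect + 16);
        if (raw_end > end) end = raw_end;      /* headers need not be in file order */
    }
    if (end == 0 || end >= len) return r;      /* no sections, or they claim past EOF */
    r.present = 1; r.offset = end; r.size = len - end;
    return r;
}

/* Constructed sample, not a real binary: two sections whose headers are listed out
 * of file order, so "last section's end" (0x300) would under-report against 0x400. */
static uint8_t g_sample[0x1000];
const uint8_t *build_sample(void)
{
    memset(g_sample, 0, sizeof g_sample);
    wr16(g_sample, 0x5A4D);
    wr32(g_sample + 0x3C, 0x80);                          /* e_lfanew */
    memcpy(g_sample + 0x80, "PE\0\0", 4);
    wr16(g_sample + 0x86, 2);                             /* NumberOfSections */
    wr16(g_sample + 0x94, 0xE0);                          /* SizeOfOptionalHeader (PE32) */
    uint8_t *s = g_sample + 0x178;                        /* 0x84 + 20 + 0xE0 */
    wr32(s + 16, 0x100); wr32(s + 20, 0x300);             /* section 0: raw 0x300..0x400 */
    wr32(s + 56, 0x100); wr32(s + 60, 0x200);             /* section 1: raw 0x200..0x300 */
    return g_sample;
}
```

Calling pe_overlay(build_sample(), 0x480) reports an overlay at 0x400 of 0x80 bytes, while a length of exactly 0x400 reports none; a rule such as the has_overlay example above would key off that present flag.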
