Fernando,

Thank you for the response. I failed to mention that I am running my code on Windows, which, according to the magic.html, does not support the module described at https://yara.readthedocs.io/en/v3.5.0/modules/magic.html.
Nonetheless, thanks for the links to the 3 file type rules and your thoughtful & useful response.

Jim

On Friday, November 25, 2016 at 2:21:44 PM UTC-5, [email protected] wrote:
> Is there an existing rules repository for file types that can be downloaded and used with Yara?
>
> For example, a file type rule for PE files:
>
> rule IsPE
> {
>     condition:
>         // MZ signature at offset 0 and ...
>         uint16(0) == 0x5A4D and
>         // ... PE signature at offset stored in MZ header at 0x3C
>         uint32(uint32(0x3C)) == 0x00004550
> }
>
> Thanks,
> Jim
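
The two reads in the quoted IsPE condition, written out in Python as an added example (not part of the original thread and not YARA's own code), to show how the check behaves on truncated or malformed input. The helper names `read_uint`, `is_pe` and `build_sample` are hypothetical, and the sample bytes are constructed.

```python
import struct

MZ_MAGIC = 0x5A4D        # "MZ" read as a little-endian uint16 at offset 0
PE_MAGIC = 0x00004550    # "PE\0\0" read as a little-endian uint32
E_LFANEW_OFFSET = 0x3C   # MZ header field that stores the PE header offset


def read_uint(data, offset, size):
    """Little-endian unsigned read; None when the read falls outside the data.

    None plays the role of YARA's undefined value, which makes the rule's
    condition evaluate to false instead of raising an error.
    """
    if offset < 0 or offset + size > len(data):
        return None
    fmt = {2: "<H", 4: "<I"}[size]
    return struct.unpack_from(fmt, data, offset)[0]


def is_pe(data):
    """Same logic as the rule: MZ at 0, PE signature at the offset stored at 0x3C."""
    if read_uint(data, 0, 2) != MZ_MAGIC:
        return False
    pe_offset = read_uint(data, E_LFANEW_OFFSET, 4)
    if pe_offset is None:
        return False  # file too short to contain the e_lfanew field
    return read_uint(data, pe_offset, 4) == PE_MAGIC


def build_sample(pe_offset=0x80, signature=b"PE\x00\x00"):
    """Constructed sample input: minimal header bytes, not a loadable executable."""
    buf = bytearray(pe_offset + len(signature))
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, E_LFANEW_OFFSET, pe_offset)
    buf[pe_offset:pe_offset + len(signature)] = signature
    return bytes(buf)


if __name__ == "__main__":
    print("well-formed header:", is_pe(build_sample()))
    print("wrong signature:   ", is_pe(build_sample(signature=b"NE\x00\x00")))
    print("truncated at 0x40: ", is_pe(build_sample()[:0x40]))
```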
