Doesn't seem to work for me. Just trying a simple rule.
import "pe"

rule export_name
{
    condition:
        uint16(0) == 0x5A4D
        and
        pe.exports("pilot.dll")
}
Sample I tested with: d5c679df69751936d0fa380f2e4bf017. Can provide the
sample if you need.
Cheers.
On Wednesday, June 26, 2019 at 2:00:47 AM UTC+1, Wesley Shields wrote:
>
> For now you can do: pe.exports("pilot.dll").
>
> -- WXS
>
> > On Jun 25, 2019, at 6:21 PM, Schrodinger <[email protected]> wrote:
> >
> > Hi everyone,
> >
> > I was wondering if there is a way to perform matching on the name in the DIRECTORY_ENTRY_EXPORT in a Portable Executable. Example from the Python pefile module:
> >
> > In [32]: pe.DIRECTORY_ENTRY_EXPORT.name
> > Out[32]: 'pilot.dll'
> >
> > Cheers,
> > Schrodinger.
> >
> > --
> > You received this message because you are subscribed to the Google Groups "YARA" group.
> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> > To view this discussion on the web visit https://groups.google.com/d/msgid/yara-project/2f7a4837-7ce7-430f-a826-0bde055170af%40googlegroups.com.
> > For more options, visit https://groups.google.com/d/optout.
>
>
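
Added example, not part of any message in this thread: the export directory's Name field (what pefile shows as DIRECTORY_ENTRY_EXPORT.name) is stored separately from the exported function names, and YARA's documentation describes pe.exports() as testing for an exported function name. The sketch below reads both using only the Python standard library; build_sample, parse_exports, the function name StartPilot and the sample image are constructed for illustration.

```python
import struct

def build_sample(dll_name=b"pilot.dll", funcs=(b"StartPilot",)):
    """Constructed minimal PE32 image: headers plus one section with an export directory."""
    rva, raw, tbl = 0x1000, 0x200, 40      # name-pointer table follows the 40-byte directory
    strings = tbl + 4 * len(funcs)         # string pool follows the table
    pool, ptrs = dll_name + b"\0", []
    for f in funcs:
        ptrs.append(rva + strings + len(pool))
        pool += f + b"\0"
    # IMAGE_EXPORT_DIRECTORY: Name RVA is the 5th field, AddressOfNames the 10th
    exp = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, rva + strings, 1,
                      len(funcs), len(funcs), 0, rva + tbl, 0)
    sect = exp + struct.pack("<%dI" % len(ptrs), *ptrs) + pool
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew at 0x3C
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    opt = (struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)
           + struct.pack("<II", rva, len(sect)) + b"\0" * 120)
    shdr = b".edata\0\0" + struct.pack("<IIII", len(sect), rva, len(sect), raw) + b"\0" * 16
    return (dos + coff + opt + shdr).ljust(raw, b"\0") + sect

def parse_exports(data):
    """Return (dll_name, [exported function names]), or None without an export directory."""
    pe, = struct.unpack_from("<I", data, 0x3C)
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, _, _, _, opt_size = struct.unpack_from("<HIIIH", data, pe + 6)
    opt = pe + 24
    magic, = struct.unpack_from("<H", data, opt)
    dirs = opt + (96 if magic == 0x10B else 112)    # PE32 vs PE32+ data directories
    exp_rva, _size = struct.unpack_from("<II", data, dirs)
    if exp_rva == 0:
        return None
    sections = [struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
                for i in range(nsec)]               # (VirtualSize, VirtualAddress, RawSize, RawPtr)
    def off(rva):
        for vsize, vaddr, rsize, rptr in sections:
            if vaddr <= rva < vaddr + max(vsize, rsize):
                return rptr + rva - vaddr
        raise ValueError("RVA %#x outside all sections" % rva)
    def cstr(rva):
        start = off(rva)
        return data[start:data.index(b"\0", start)].decode("ascii", "replace")
    exp = off(exp_rva)
    name_rva, _, _, count, _, names_rva = struct.unpack_from("<6I", data, exp + 12)
    table = off(names_rva) if count else 0
    funcs = [cstr(struct.unpack_from("<I", data, table + 4 * i)[0]) for i in range(count)]
    return cstr(name_rva), funcs
```

On the constructed image, parse_exports returns the DLL name and the function-name list as two separate values, so a check against one does not see the other.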