Sorry for the confusion, I think I worded things incorrectly in my original post. The Export Table name, not an exported function.
https://docs.microsoft.com/en-us/windows/desktop/debug/pe-format#export-directory-table

In the Export Table there is the name of the module itself: "The address of the ASCII string that contains the name of the DLL. This address is relative to the image base." I'd like to use Yara to find samples with the same Export name, not the name of an exported function.

Cheers,
Schrodinger.

On Thursday, June 27, 2019 at 12:40:03 AM UTC+1, Wesley Shields wrote:
>
> Not sure where you got "pilot.dll" from but the file you referenced has one export by name and that is MSOProtect.
>
> -- WXS
>
> > On Jun 26, 2019, at 7:04 PM, Schrodinger <[email protected]> wrote:
> >
> > Doesn't seem to work for me. Just trying a simple rule.
> >
> > import "pe"
> >
> > rule export_name
> > {
> >     condition:
> >         uint16(0) == 0x5A4D
> >         and
> >         pe.exports("pilot.dll")
> > }
> >
> > Sample I tested with: d5c679df69751936d0fa380f2e4bf017. Can provide the sample if you need.
> >
> > Cheers.
> >
> > On Wednesday, June 26, 2019 at 2:00:47 AM UTC+1, Wesley Shields wrote:
> > For now you can do: pe.exports("pilot.dll").
> >
> > -- WXS
> >
> > > On Jun 25, 2019, at 6:21 PM, Schrodinger <[email protected]> wrote:
> > >
> > > Hi everyone,
> > >
> > > I was wondering if there is a way to perform matching on the name in the DIRECTORY_ENTRY_EXPORT in a Portable Executable. Example from the Python pefile module:
> > >
> > > In [32]: pe.DIRECTORY_ENTRY_EXPORT.name
> > > Out[32]: 'pilot.dll'
> > >
> > > Cheers,
> > > Schrodinger.
> > >
> > > --
> > > You received this message because you are subscribed to the Google Groups "YARA" group.
> > > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> > > To view this discussion on the web visit https://groups.google.com/d/msgid/yara-project/2f7a4837-7ce7-430f-a826-0bde055170af%40googlegroups.com.
> > > For more options, visit https://groups.google.com/d/optout.
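Added example, not code from the thread: a pure-Python reader for the DLL name stored in the PE export directory (the string pefile reports as DIRECTORY_ENTRY_EXPORT.name), which lives in a different place from the exported function names that pe.exports() matches. The PE it parses is a constructed minimal PE32 image built in the block, not the sample referenced above, and the function names are my own.

```python
import struct

def _rva_to_offset(data, sections, rva):
    # Map a relative virtual address to a file offset through the section table
    for vsize, va, rsize, rptr in sections:
        if va <= rva < va + max(vsize, rsize):
            return rva - va + rptr
    return None

def export_dll_name(data):
    """Return the DLL name string from the PE export directory, or None if absent."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    # Data directory entry 0 (export table) sits at +96 for PE32 and +112 for PE32+
    export_rva = struct.unpack_from("<I", data, opt + (96 if magic == 0x10B else 112))[0]
    if export_rva == 0:
        return None
    sec_tbl = opt + opt_size
    sections = [struct.unpack_from("<IIII", data, sec_tbl + 40 * i + 8) for i in range(num_sections)]
    exp_off = _rva_to_offset(data, sections, export_rva)
    if exp_off is None:
        return None
    # IMAGE_EXPORT_DIRECTORY.Name (RVA of the DLL name string) is the field at offset 12
    name_off = _rva_to_offset(data, sections, struct.unpack_from("<I", data, exp_off + 12)[0])
    if name_off is None:
        return None
    end = data.find(b"\0", name_off)
    return data[name_off:end if end != -1 else None].decode("ascii", "replace")

def build_sample_pe(dll_name):
    """Constructed minimal PE32 (not a real sample) whose only section holds an export directory."""
    sec_va, sec_raw = 0x1000, 0x200
    # Export directory with no exported functions; Name RVA points just past the 40-byte struct
    export_dir = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, sec_va + 40, 1, 0, 0, 0, 0, 0)
    section = export_dir + dll_name + b"\0"
    opt = (struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)      # PE32 magic, NumberOfRvaAndSizes
           + struct.pack("<II", sec_va, len(section)) + b"\0" * 120)          # export entry + 15 empty entries
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x2102)
    sec_hdr = b".edata".ljust(8, b"\0") + struct.pack("<IIII", len(section), sec_va, len(section), sec_raw) + b"\0" * 16
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                          # e_lfanew at 0x3C
    headers = dos + b"PE\0\0" + coff + opt + sec_hdr
    return headers.ljust(sec_raw, b"\0") + section
```

Running `export_dll_name(build_sample_pe(b"pilot.dll"))` returns `"pilot.dll"`; the same walk over a real file gives the string to match on when hunting by export name rather than by exported function.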
