I'm ok with cumbersome ;) Thanks Wesley, much appreciated and I hope this 
gets exposed in the future, it's a nice pivot point for finding related 
samples when malware hunting.

Cheers,
Schrodinger.

On Friday, June 28, 2019 at 3:52:34 PM UTC+1, Wesley Shields wrote:
>
> OK, that makes a bit more sense. I see what you want to do now, and there 
> is no easy way to do it that I'm aware of, but there is a rather cumbersome 
> way to do it. 
>
> import "pe" 
>
> rule a { 
>   strings: 
>     $pilot = "pilot.dll" 
>   condition: 
>     // uint32 at +12 of the export directory is IMAGE_EXPORT_DIRECTORY.Name (an RVA)
>     $pilot at pe.rva_to_offset(
>       uint32(pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_EXPORT].virtual_address) + 12)
>     )
> } 
>
> This will check if pilot.dll is in the appropriate spot. 
>
> We currently don't expose that field in the pe module. I am working on 
> some improvements to export and import parsing and can probably include 
> this in there too, but no promises if it will be accepted. :) 
>
> -- WXS 
>
> > On Jun 27, 2019, at 10:20 AM, Schrodinger <[email protected]> wrote: 
> > 
> > Sorry for the confusion, I think I worded things incorrectly in my 
> original post. The Export Table name, not an exported function. 
> > 
> > 
> https://docs.microsoft.com/en-us/windows/desktop/debug/pe-format#export-directory-table
>  
> > 
> > In the Export Table there is the name of the module itself. "The address 
> of the ASCII string that contains the name of the DLL. This address is 
> relative to the image base." I'd like to use Yara to find samples with the 
> same Export name, not the name of an exported function. 
> > 
> > Cheers, 
> > Schrodinger. 
> > 
> > On Thursday, June 27, 2019 at 12:40:03 AM UTC+1, Wesley Shields wrote: 
> > Not sure where you got "pilot.dll" from but the file you referenced has 
> one export by name and that is MSOProtect. 
> > 
> > -- WXS 
> > 
> > > On Jun 26, 2019, at 7:04 PM, Schrodinger <[email protected]> wrote: 
> > > 
> > > Doesn't seem to work for me. Just trying a simple rule. 
> > > 
> > > import "pe" 
> > > 
> > > rule export_name 
> > > { 
> > >     condition: 
> > >         uint16(0) == 0x5A4D 
> > >         and 
> > >         pe.exports("pilot.dll") 
> > > } 
> > > 
> > > Sample I tested with d5c679df69751936d0fa380f2e4bf017 can provide the 
> sample if you need. 
> > > 
> > > Cheers. 
> > > 
> > > On Wednesday, June 26, 2019 at 2:00:47 AM UTC+1, Wesley Shields wrote: 
> > > For now you can do: pe.exports("pilot.dll"). 
> > > 
> > > -- WXS 
> > > 
> > > > On Jun 25, 2019, at 6:21 PM, Schrodinger <[email protected]> wrote: 
> > > > 
> > > > Hi everyone, 
> > > > 
> > > > I was wondering if there is a way to perform matching on the name in 
> the DIRECTORY_ENTRY_EXPORT in a Portable Executable. Example from the 
> Python pefile module: 
> > > > 
> > > > In [32]: pe.DIRECTORY_ENTRY_EXPORT.name 
> > > > Out[32]: 'pilot.dll' 
> > > > 
> > > > Cheers, 
> > > > Schrodinger. 
> > > > 
> > > > -- 
> > > > You received this message because you are subscribed to the Google 
> Groups "YARA" group. 
> > > > To unsubscribe from this group and stop receiving emails from it, 
> send an email to [email protected]. 
> > > > To view this discussion on the web visit 
> https://groups.google.com/d/msgid/yara-project/2f7a4837-7ce7-430f-a826-0bde055170af%40googlegroups.com.
>  
>
> > > > For more options, visit https://groups.google.com/d/optout. 

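The thread points at the export directory layout but never walks the offset arithmetic end to end, so here is an added example (mine, not code from the thread, from YARA or from pefile) that does in Python what Wesley's rule does in YARA: data directory entry 0 -> export directory -> Name RVA at +12 -> file offset -> string. It also reads the AddressOfNames table, which is what pe.exports() matches on, to make the distinction between the module name and an exported function name concrete. The PE32+ image is constructed inline so the script runs offline; "pilot.dll" and "MSOProtect" are the names from the thread reused as sample data, and rva_to_offset, export_directory_offset and IMAGE_DIRECTORY_ENTRY_EXPORT are my own re-implementations, not YARA's or pefile's.

```python
"""Locate the export directory *module name* of a PE the way the YARA
workaround does, and contrast it with the exported function names.
Added example; the PE below is constructed, not a real sample."""
import struct

IMAGE_DIRECTORY_ENTRY_EXPORT = 0   # index into the optional header's data directories


def build_sample_dll() -> bytes:
    """Minimal PE32+ DLL: one .edata section whose export directory Name
    points at 'pilot.dll' and which exports a single function 'MSOProtect'."""
    SECT_RVA, SECT_RAW, FILE_ALIGN, SECT_ALIGN = 0x1000, 0x200, 0x200, 0x1000

    # .edata laid out sequentially; RVAs are recorded as each item is appended.
    edata = bytearray(40)                                     # IMAGE_EXPORT_DIRECTORY, filled below
    funcs_rva = SECT_RVA + len(edata); edata += struct.pack("<I", SECT_RVA + 0x100)  # placeholder code RVA
    names_rva = SECT_RVA + len(edata); edata += b"\0\0\0\0"  # patched once the name RVA is known
    ords_rva = SECT_RVA + len(edata); edata += struct.pack("<HH", 0, 0)  # ordinal 0 + padding
    modname_rva = SECT_RVA + len(edata); edata += b"pilot.dll\0"        # the DLL's own name
    funcname_rva = SECT_RVA + len(edata); edata += b"MSOProtect\0"      # an exported function name
    struct.pack_into("<I", edata, names_rva - SECT_RVA, funcname_rva)
    # Characteristics, TimeDateStamp, Major/MinorVersion, Name, Base, NumberOfFunctions,
    # NumberOfNames, AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals
    struct.pack_into("<IIHHIIIIIII", edata, 0,
                     0, 0, 0, 0, modname_rva, 1, 1, 1, funcs_rva, names_rva, ords_rva)

    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)  # x64, 1 section, DLL
    opt = struct.pack("<HBBIIIII", 0x20B, 14, 0, 0, len(edata), 0, 0, SECT_RVA)  # PE32+ magic
    opt += struct.pack("<QIIHHHHHHIIIIHHQQQQII",
                       0x180000000, SECT_ALIGN, FILE_ALIGN,   # ImageBase, SectionAlignment, FileAlignment
                       6, 0, 0, 0, 6, 0,                      # OS / image / subsystem versions
                       0, SECT_RVA + SECT_ALIGN, SECT_RAW, 0, # Win32Version, SizeOfImage, SizeOfHeaders, CheckSum
                       2, 0x160,                              # Subsystem GUI, DllCharacteristics
                       0x100000, 0x1000, 0x100000, 0x1000,    # stack/heap reserve and commit
                       0, 16)                                 # LoaderFlags, NumberOfRvaAndSizes
    dirs = struct.pack("<II", SECT_RVA, len(edata)) + b"\0" * (8 * 15)  # only the export dir is set
    sect = struct.pack("<8sIIIIIIHHI", b".edata", len(edata), SECT_RVA, FILE_ALIGN, SECT_RAW,
                       0, 0, 0, 0, 0x40000040)                # INITIALIZED_DATA | READ
    headers = dos + b"PE\0\0" + file_hdr + opt + dirs + sect
    headers += b"\0" * (SECT_RAW - len(headers))
    return bytes(headers + edata + b"\0" * (FILE_ALIGN - len(edata)))


def _headers(data: bytes):
    """Return (optional header offset, [(VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)])."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsect = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt_off = e_lfanew + 24
    sect_off = opt_off + opt_size
    return opt_off, [struct.unpack_from("<8sIIII", data, sect_off + 40 * i)[1:] for i in range(nsect)]


def rva_to_offset(data: bytes, rva: int) -> int:
    """File offset for an RVA via the section table (what pe.rva_to_offset() does)."""
    for vsize, vaddr, rawsize, rawptr in _headers(data)[1]:
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            return rawptr + (rva - vaddr)
    raise ValueError(f"RVA {rva:#x} is not inside any section")


def export_directory_offset(data: bytes) -> int:
    """File offset of IMAGE_EXPORT_DIRECTORY, from data_directories[EXPORT].virtual_address."""
    opt_off, _ = _headers(data)
    magic = struct.unpack_from("<H", data, opt_off)[0]
    dirs_off = opt_off + (112 if magic == 0x20B else 96)     # PE32+ vs PE32 optional header
    nrva = struct.unpack_from("<I", data, dirs_off - 4)[0]   # NumberOfRvaAndSizes precedes the table
    if nrva <= IMAGE_DIRECTORY_ENTRY_EXPORT:
        raise ValueError("no export directory entry")
    export_rva = struct.unpack_from("<I", data, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_EXPORT)[0]
    if export_rva == 0:
        raise ValueError("no export directory")
    return rva_to_offset(data, export_rva)


def _cstring(data: bytes, off: int) -> str:
    return data[off:data.index(b"\0", off)].decode("ascii")


def export_module_name_offset(data: bytes) -> int:
    """Exactly what the YARA condition computes: rva_to_offset(uint32(export_dir + 12))."""
    exp_off = export_directory_offset(data)
    name_rva = struct.unpack_from("<I", data, exp_off + 12)[0]   # IMAGE_EXPORT_DIRECTORY.Name
    return rva_to_offset(data, name_rva)


def export_module_name(data: bytes) -> str:
    return _cstring(data, export_module_name_offset(data))


def export_function_names(data: bytes) -> list:
    """The names pe.exports() matches on: AddressOfNames entries, a different field entirely."""
    exp_off = export_directory_offset(data)
    n_names = struct.unpack_from("<I", data, exp_off + 24)[0]
    names_off = rva_to_offset(data, struct.unpack_from("<I", data, exp_off + 32)[0])
    return [_cstring(data, rva_to_offset(data, struct.unpack_from("<I", data, names_off + 4 * i)[0]))
            for i in range(n_names)]


def matches_export_name(data: bytes, wanted: bytes) -> bool:
    """Equivalent of `$s at <offset>` with $s = wanted; False when there is no export directory."""
    try:
        off = export_module_name_offset(data)
    except ValueError:
        return False
    return data[off:off + len(wanted)] == wanted


if __name__ == "__main__":
    sample = build_sample_dll()
    print("export directory name :", export_module_name(sample))
    print("exported function names:", export_function_names(sample))
    print("rule would match       :", matches_export_name(sample, b"pilot.dll"))
```

Two things worth knowing when turning this into a hunting rule. `$pilot = "pilot.dll"` matched with `at` only checks that the bytes at the offset start with the string, so a module named pilot.dll2 would also match; writing the string as `"pilot.dll\x00"` pins the full name. And the workaround silently does nothing useful on a file with no export directory (the data directory RVA is 0), which is why this helper returns False there instead of raising; in YARA the undefined offset just makes the condition false.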