Re: Match On Export Directory Name

2019-06-26 Thread Wesley Shields
Not sure where you got "pilot.dll" from but the file you referenced has one 
export by name and that is MSOProtect.

-- WXS

> On Jun 26, 2019, at 7:04 PM, Schrodinger wrote:
> 
> Doesn't seem to work for me. Just trying a simple rule.
> 
> import "pe"
> 
> rule export_name
> {
>     condition:
>         uint16(0) == 0x5A4D and
>         pe.exports("pilot.dll")
> }
> 
> Sample I tested with d5c679df69751936d0fa380f2e4bf017 can provide the sample 
> if you need.
> 
> Cheers.
> 
> On Wednesday, June 26, 2019 at 2:00:47 AM UTC+1, Wesley Shields wrote:
> For now you can do: pe.exports("pilot.dll"). 
> 
> -- WXS 
> 
> > On Jun 25, 2019, at 6:21 PM, Schrodinger wrote: 
> > 
> > Hi everyone, 
> > 
> > I was wondering if there is a way to perform matching on the name in the 
> > DIRECTORY_ENTRY_EXPORT in a Portable Executable. Example from the Python 
> > pefile module: 
> > 
> > In [32]: pe.DIRECTORY_ENTRY_EXPORT.name 
> > Out[32]: 'pilot.dll' 
> > 
> > Cheers, 
> > Schrodinger. 
> > 

-- 
You received this message because you are subscribed to the Google Groups 
"YARA" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to yara-project+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/yara-project/D396795E-598D-4087-9117-33CB2B670390%40gmail.com.
For more options, visit https://groups.google.com/d/optout.
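As an added example (not code from this thread or from YARA), the following standalone Python parses a PE export directory by hand and returns both the directory's Name field (what pefile reports as DIRECTORY_ENTRY_EXPORT.name) and the exported symbol names (what pe.exports() matches against), which is the distinction behind the rule not firing. It runs over a constructed minimal PE32 DLL image, labelled as such in the code, where the two differ just as in the sample discussed; newer YARA releases expose the directory Name directly as pe.dll_name.

```python
import struct

def _rva_to_offset(sections, rva):
    """Map an RVA to a file offset via the section table; None if unmapped."""
    for va, size, raw_ptr in sections:
        if va <= rva < va + size:
            return raw_ptr + (rva - va)
    return None

def _cstring(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")

def export_info(data):
    """Return (export directory Name, [exported symbol names]), or None without an export table."""
    if data[:2] != b"MZ": return None
    pe = struct.unpack_from("<I", data, 0x3C)[0]                 # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0": return None
    nsec, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    exp_rva = struct.unpack_from("<I", data, opt + (96 if magic == 0x10B else 112))[0]  # data dir 0: export
    sections = []
    for i in range(nsec):                    # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, max(vsize, rawsize), rawptr))
    exp = _rva_to_offset(sections, exp_rva) if exp_rva else None
    if exp is None: return None
    # IMAGE_EXPORT_DIRECTORY from offset 12: Name, Base, NumberOfFunctions, NumberOfNames, AddressOfFunctions, AddressOfNames
    name_rva, _base, _nfunc, nnames, _afunc, anames = struct.unpack_from("<6I", data, exp + 12)
    names_off = _rva_to_offset(sections, anames)
    names = [_cstring(data, _rva_to_offset(sections, struct.unpack_from("<I", data, names_off + 4 * i)[0]))
             for i in range(nnames)]
    return _cstring(data, _rva_to_offset(sections, name_rva)), names

def build_sample():
    """Constructed minimal PE32 DLL image (not a real file): directory Name 'pilot.dll', one export 'MSOProtect'."""
    img = bytearray(0x400)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                                   # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 1, 0, 0, 0, 224, 0x2102)  # COFF header: 1 section, DLL flag
    struct.pack_into("<H", img, 0x58, 0x10B)                                  # PE32 magic
    struct.pack_into("<II", img, 0x58 + 96, 0x1000, 0x40)                     # export data directory (RVA, size)
    struct.pack_into("<8sIIII", img, 0x138, b".edata", 0x100, 0x1000, 0x200, 0x200)  # one section at RVA 0x1000
    struct.pack_into("<IIHHIIIIIII", img, 0x200, 0, 0, 0, 0, 0x1028, 1, 1, 1, 0x1040, 0x1044, 0x1048)
    img[0x228:0x232] = b"pilot.dll\0"                                         # the export directory Name
    struct.pack_into("<IIH", img, 0x240, 0x1100, 0x104C, 0)                   # AddressOfFunctions/Names/NameOrdinals
    img[0x24C:0x257] = b"MSOProtect\0"                                        # the only exported symbol name
    return bytes(img)
```

Calling export_info(build_sample()) returns ('pilot.dll', ['MSOProtect']): a rule written as pe.exports("pilot.dll") looks only in the second list, so it does not match.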


Re: Match On Export Directory Name

2019-06-26 Thread Schrodinger
Doesn't seem to work for me. Just trying a simple rule.

import "pe"

rule export_name
{
    condition:
        uint16(0) == 0x5A4D and
        pe.exports("pilot.dll")
}

Sample I tested with d5c679df69751936d0fa380f2e4bf017 can provide the 
sample if you need.

Cheers.

On Wednesday, June 26, 2019 at 2:00:47 AM UTC+1, Wesley Shields wrote:
>
> For now you can do: pe.exports("pilot.dll"). 
>
> -- WXS 
>
> > On Jun 25, 2019, at 6:21 PM, Schrodinger wrote: 
> > 
> > Hi everyone, 
> > 
> > I was wondering if there is a way to perform matching on the name in the 
> > DIRECTORY_ENTRY_EXPORT in a Portable Executable. Example from the Python 
> > pefile module: 
> > 
> > In [32]: pe.DIRECTORY_ENTRY_EXPORT.name 
> > Out[32]: 'pilot.dll' 
> > 
> > Cheers, 
> > Schrodinger. 
> > 
