Hello.

Do you mean Windows executables? If so, there's a PE module you should use.
A sample rule is as follows:

import "pe"

rule exe {
   condition:
      pe.is_pe
      and not (pe.characteristics & pe.DLL)
      and pe.subsystem != pe.SUBSYSTEM_NATIVE
}

The above rule matches executables (.exe) only. The second condition
prevents the rule from matching DLLs (.dll) and the third condition
prevents it from matching Windows drivers (.sys). Feel free to change it to
meet your needs. ;)

Please, check the module documentation for other possible conditions [1].

When you are happy with your rule, you can use the -r / --recursive option
from the command-line with yara [2].

Good luck!

[1] https://yara.readthedocs.io/en/latest/modules/pe.html
[2] https://yara.readthedocs.io/en/latest/commandline.html


On Wed, Oct 26, 2022 at 11:08 PM SJGG <sergio3...@gmail.com> wrote:

> Any solution or help on this ask?
>
> On Tuesday, 28 June 2022 at 00:39:58 UTC-4 muhammadz...@gmail.com wrote:
>
>> I want to write yara rule to detect only executable files in any drive,
>> can any one help me out
>>
>> --
> You received this message because you are subscribed to the Google Groups
> "YARA" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to yara-project+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/yara-project/20f17ce5-9f57-4cfb-ac5f-1948378380d9n%40googlegroups.com
> <https://groups.google.com/d/msgid/yara-project/20f17ce5-9f57-4cfb-ac5f-1948378380d9n%40googlegroups.com?utm_medium=email&utm_source=footer>
> .
>
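The rule in the reply above checks three things the YARA `pe` module exposes: `pe.is_pe`, the `pe.DLL` bit in `pe.characteristics`, and `pe.subsystem`. As an added example (not part of the thread, and not YARA's own code), the following Python script reads exactly those header fields from raw bytes and reproduces the rule's verdict, so you can see what the module is looking at when it matches. The `build_pe` helper and the sample files are constructed here for illustration; they are minimal header-only blobs, not real binaries, and the file names are hypothetical.

```python
import struct

# Constants from the PE/COFF specification; they correspond to the
# symbolic names the YARA pe module uses (pe.DLL, pe.SUBSYSTEM_NATIVE, ...).
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000            # pe.DLL
IMAGE_SUBSYSTEM_NATIVE = 1         # pe.SUBSYSTEM_NATIVE (drivers, .sys)
IMAGE_SUBSYSTEM_WINDOWS_GUI = 2    # pe.SUBSYSTEM_WINDOWS_GUI
IMAGE_SUBSYSTEM_WINDOWS_CUI = 3    # pe.SUBSYSTEM_WINDOWS_CUI


def parse_pe(data):
    """Return (characteristics, subsystem) or None when `data` is not a PE file.

    Mirrors what YARA exposes as pe.is_pe, pe.characteristics and pe.subsystem:
    DOS 'MZ' signature, e_lfanew at 0x3C, 'PE\\0\\0' signature, COFF header,
    then the Subsystem field at offset 68 of the optional header (same offset
    for PE32 and PE32+).
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # Need: signature (4) + COFF header (20) + optional header up to Subsystem (70)
    if e_lfanew + 4 + 20 + 70 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4
    # SizeOfOptionalHeader and Characteristics sit at COFF offsets 16 and 18
    size_opt, characteristics = struct.unpack_from("<HH", data, coff + 16)
    if size_opt < 70:
        return None
    opt = coff + 20
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)
    return characteristics, subsystem


def is_exe_only(data):
    """Python equivalent of the rule's condition:
    pe.is_pe and not (pe.characteristics & pe.DLL) and pe.subsystem != pe.SUBSYSTEM_NATIVE
    """
    hdr = parse_pe(data)
    if hdr is None:                      # pe.is_pe is false
        return False
    characteristics, subsystem = hdr
    return (not (characteristics & IMAGE_FILE_DLL)
            and subsystem != IMAGE_SUBSYSTEM_NATIVE)


def build_pe(characteristics, subsystem, magic=0x10B):
    """Constructed, header-only PE blob (not loadable): DOS header, 'PE\\0\\0',
    COFF header, and an optional header with only Magic and Subsystem set.
    magic 0x10B = PE32, 0x20B = PE32+."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)   # 64 bytes
    opt_size = 224 if magic == 0x10B else 240
    machine = 0x14C if magic == 0x10B else 0x8664
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 68, subsystem)
    return dos + b"PE\0\0" + coff + bytes(opt)


# Constructed samples; the names are hypothetical and irrelevant to the check,
# which looks only at the header, never at the extension.
SAMPLES = {
    "console.exe": build_pe(IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_SUBSYSTEM_WINDOWS_CUI),
    "gui64.exe":   build_pe(IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_SUBSYSTEM_WINDOWS_GUI, magic=0x20B),
    "library.dll": build_pe(IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_DLL, IMAGE_SUBSYSTEM_WINDOWS_GUI),
    "driver.sys":  build_pe(IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_SUBSYSTEM_NATIVE),
    "notes.txt":   b"just some text, not a PE file at all",
}


def classify(samples):
    """Map each sample name to the rule's verdict (True = would match)."""
    return {name: is_exe_only(blob) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, hit in classify(SAMPLES).items():
        print(f"{name:12} {'match' if hit else 'no match'}")
```

Two things worth noting from running it: the verdict is driven entirely by header fields, so a DLL or driver renamed to `.exe` is still excluded and an executable with any other extension is still matched, which is exactly why the rule is preferable to an extension filter when scanning a whole drive with `yara -r`; and a truncated or non-PE file fails `parse_pe`, which is the `pe.is_pe` guard doing its job.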
