Re: Yara needs overlay offset

2016-08-16 Thread Fernando Mercês
Nice. Just did that. Thanks for all your support, Wesley. Att, @MercesFernando mentebinaria.com.br --- On Tue, Aug 16, 2016 at 10:40 AM, Wesley Shields wrote: > Best thing to do at this point is submit it as a PR and see what Victor > a

Re: Yara needs overlay offset

2016-08-16 Thread Wesley Shields
Best thing to do at this point is submit it as a PR and see what Victor and others think about it! :) -- WXS > On Aug 15, 2016, at 4:45 PM, Fernando Mercês wrote: > > Another excellent suggestion, Wesley. Thanks! It's done now. ;-) > > https://github.com/merces/yara/commit/c6ab8e39d4f9611de546

Re: Yara needs overlay offset

2016-08-15 Thread Fernando Mercês
Another excellent suggestion, Wesley. Thanks! It's done now. ;-) https://github.com/merces/yara/commit/c6ab8e39d4f9611de54681376de528f605634a72 Att, @MercesFernando mentebinaria.com.br --- On Mon, Aug 15, 2016 at 5:26 PM, Wesley Shields

Re: Yara needs overlay offset

2016-08-15 Thread Wesley Shields
Is it possible to do this in the loop at the end of pe_parse_header()? The construct to walk the section headers is already there so walking them a second time in your function is redundant. Otherwise it looks correct to me. I'll hopefully be able to test it out tonight, but assume it looks good

Re: Yara needs overlay offset

2016-08-15 Thread Fernando Mercês
Hi Wesley, Thanks for that. Indeed it looks better this way. I've put overlay integers "offset" and "size" under an "overlay" struct. If you have time, I'll be happy to hear your feedback: https://github.com/merces/yara/commit/2751a8938e5b6cc2178118d956c4c905c90bc170 Thank you. Att, @MercesFern

Re: Yara needs overlay offset

2016-08-15 Thread Wesley Shields
I haven't looked at the code, but there is precedent to use pe.overlay.offset and pe.overlay.size. -- WXS > On Aug 15, 2016, at 12:02 AM, Fernando Mercês wrote: > > Sorry to reply to an old thread but I had the same need and decided to create > a patch (discussion at https://github.com/VirusT

Re: Yara needs overlay offset

2016-08-14 Thread Fernando Mercês
Sorry to reply to an old thread, but I had the same need and decided to create a patch (discussion at https://github.com/VirusTotal/yara/issues/432), which is on my Yara fork at https://github.com/merces/yara/ . This commit adds pe.overlay location: https://github.com/merces/yara/commit/39447516d82454

Re: Yara needs overlay offset

2015-12-02 Thread Víctor Manuel Álvarez García
Sure, I think this makes a lot of sense. Thank you for the suggestion. On Tue, Dec 1, 2015 at 10:05 PM, Glenn J wrote: > rule SkDUndetectabler : SkDrat { > meta: > author = "me" > condition: > ( > borland_delphi or //check All FSG or > ((pe.linker_version.

Re: Yara needs overlay offset

2015-12-01 Thread Glenn J
rule SkDUndetectabler : SkDrat { meta: author = "me" condition: ( borland_delphi or //check All FSG or ((pe.linker_version.major == 6) and (pe.linker_version.minor == 0 )) ) and (pe.sections[pe.number_of_sections-1].raw_data_offset+pe

Re: Yara needs overlay offset

2015-12-01 Thread Glenn J
This works: uint16(pe.sections[pe.number_of_sections-1].raw_data_offset+pe.sections[pe.number_of_sections-1].raw_data_size) == 0x6275 but pe.overlay & pe.overlay_size would have been prettier ;)

Yara needs overlay offset

2015-11-15 Thread Glenn J
something like this: rule Overlay_check { meta: author = "Me" condition: int16be(pe.overlayoffset) == 0x5a44 } that would make it easier to make detections. Would be nice if that was implemented :)
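The whole thread rests on one computation: the overlay begins where the last section's raw data ends (raw_data_offset + raw_data_size), and its size is whatever the file holds past that point. The following is an added example, not code from the thread or from YARA's pe module; it parses a constructed, minimal PE-shaped byte string, computes (offset, size) the way the proposed pe.overlay.offset / pe.overlay.size would, and mirrors the int16be(pe.overlay.offset) check from the original post. It generalizes the rule's "last section" expression by taking the maximum section end, since the section table is not guaranteed to be ordered by file offset.

```python
import struct

def pe_overlay(data: bytes):
    """Return (offset, size) of the overlay, i.e. bytes after the last
    section's raw data. Takes max(PointerToRawData + SizeOfRawData) over all
    sections; (None, 0) if the headers cannot be parsed."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None, 0
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None, 0
    coff = e_lfanew + 4                                   # COFF file header
    num_sections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16) # SizeOfOptionalHeader
    sect = coff + 20 + opt_size                           # first section header
    end = 0
    for i in range(num_sections):
        hdr = sect + 40 * i
        if hdr + 40 > len(data):                          # truncated table
            break
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)
        end = max(end, raw_ptr + raw_size)
    if end == 0 or end > len(data):                       # no sections / bogus sizes
        return None, 0
    return end, len(data) - end

def overlay_int16be(data: bytes):
    """Equivalent of the thread's `int16be(pe.overlay.offset)`: the first two
    overlay bytes as a big-endian integer, or None without an overlay."""
    off, size = pe_overlay(data)
    if off is None or size < 2:
        return None
    return struct.unpack_from(">H", data, off)[0]

def build_sample(overlay: bytes) -> bytes:
    """Constructed, non-executable PE-shaped file for testing: DOS stub,
    PE signature, COFF header with two sections and no optional header,
    section raw data ending at 0x200, then `overlay` appended."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0)
    def sh(name, raw_ptr, raw_size):                      # 40-byte section header
        return name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", raw_size, 0x1000, raw_size, raw_ptr, 0, 0, 0, 0, 0)
    img = bytes(dos) + b"PE\0\0" + coff + sh(b".text", 0x100, 0x80) + sh(b".data", 0x180, 0x80)
    img += b"\0" * (0x200 - len(img))                     # headers + section data region
    return img + overlay
```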