rule SkDUndetectabler : SkDrat {
    // Flags a PE (Delphi-built or linked with linker 6.0) that carries a small
    // overlay whose first two bytes look like an "MZ" header XORed with a
    // single-byte key. Tagged SkDrat; the name suggests an "undetectable"
    // build of the same family — TODO confirm with the rule's author.
    //
    // "Overlay" is approximated as "everything after the end of the last
    // section in the section table"; the author notes that a pe.overlay
    // field would have been cleaner but was not available when this was written.
    // Requires `import "pe"` at the top of the file and the sibling rule
    // `borland_delphi` (defined elsewhere in this file).
    meta:
        author = "me"
    condition:
        // 1. Build environment: linker version 6.0, or the `borland_delphi`
        //    rule matched. (The author left a note to also consider FSG-packed
        //    samples; that check was never added.)
        (
            (pe.linker_version.major == 6 and pe.linker_version.minor == 0)
            or borland_delphi
        )
        and
        // 2. An overlay is present: the last section's raw data ends before EOF.
        //    NOTE(review): "last" is by table index, which is not guaranteed to
        //    be the section with the highest raw offset — keep in mind if the
        //    rule misses samples with reordered section tables.
        (
            pe.sections[pe.number_of_sections - 1].raw_data_offset
                + pe.sections[pe.number_of_sections - 1].raw_data_size
            < filesize
        )
        and
        // 3. The overlay begins at one of the offsets seen in known samples
        //    (0x739, 0x745, 0xC00, 0x1A00, 0x2A00). The original marked part
        //    of this list as "Uncompressed" builds; which entries it covers is
        //    not stated.
        (
            pe.sections[pe.number_of_sections - 1].raw_data_offset
                + pe.sections[pe.number_of_sections - 1].raw_data_size == 0x00000739
            or
            pe.sections[pe.number_of_sections - 1].raw_data_offset
                + pe.sections[pe.number_of_sections - 1].raw_data_size == 0x00000745
            or
            pe.sections[pe.number_of_sections - 1].raw_data_offset
                + pe.sections[pe.number_of_sections - 1].raw_data_size == 0x00000C00
            or
            pe.sections[pe.number_of_sections - 1].raw_data_offset
                + pe.sections[pe.number_of_sections - 1].raw_data_size == 0x00001A00
            or
            pe.sections[pe.number_of_sections - 1].raw_data_offset
                + pe.sections[pe.number_of_sections - 1].raw_data_size == 0x00002A00
        )
        and
        // 4. The first word of the overlay is "MZ" (0x5A4D little-endian)
        //    XORed with a repeated single byte:
        //      0x4057 == 0x5A4D ^ 0x1A1A   (key 0x1A)
        //      0x6275 == 0x5A4D ^ 0x3838   (key 0x38)
        //    uint16() past EOF is undefined, so the rule simply fails to match.
        (
            uint16(pe.sections[pe.number_of_sections - 1].raw_data_offset
                   + pe.sections[pe.number_of_sections - 1].raw_data_size) == 0x4057
            or
            uint16(pe.sections[pe.number_of_sections - 1].raw_data_offset
                   + pe.sections[pe.number_of_sections - 1].raw_data_size) == 0x6275
        )
}
