Sure, I think this makes a lot of sense. Thank you for the suggestion.

On Tue, Dec 1, 2015 at 10:05 PM, Glenn J <sir.pus...@gmail.com> wrote:
> import "pe"
>
> rule SkDUndetectabler : SkDrat
> {
>     meta:
>         author = "me"
>     condition:
>         (
>             // borland_delphi must be a rule defined earlier in the same rule set
>             borland_delphi or //check All FSG or
>             ((pe.linker_version.major == 6) and (pe.linker_version.minor == 0))
>         )
>         and
>         (pe.sections[pe.number_of_sections-1].raw_data_offset+pe.sections[pe.number_of_sections-1].raw_data_size < filesize) and
>         //is overlay at offset 2A00,1A00,C00,745,739
>         //pe.overlay & pe.overlay_size would have been prettier
>         (
>             (pe.sections[pe.number_of_sections-1].raw_data_offset+pe.sections[pe.number_of_sections-1].raw_data_size == 0x00000739) or
>             (pe.sections[pe.number_of_sections-1].raw_data_offset+pe.sections[pe.number_of_sections-1].raw_data_size == 0x00000745) or
>             //Uncompressed
>             (pe.sections[pe.number_of_sections-1].raw_data_offset+pe.sections[pe.number_of_sections-1].raw_data_size == 0x00000C00) or
>             (pe.sections[pe.number_of_sections-1].raw_data_offset+pe.sections[pe.number_of_sections-1].raw_data_size == 0x00002A00) or
>             (pe.sections[pe.number_of_sections-1].raw_data_offset+pe.sections[pe.number_of_sections-1].raw_data_size == 0x00001A00)
>         )
>         and
>         //is xored MZ ?
>         (
>             uint16(pe.sections[pe.number_of_sections-1].raw_data_offset+pe.sections[pe.number_of_sections-1].raw_data_size) == 0x6275 or
>             uint16(pe.sections[pe.number_of_sections-1].raw_data_offset+pe.sections[pe.number_of_sections-1].raw_data_size) == 0x4057
>         )
> }
>
> --
> You received this message because you are subscribed to the Google Groups "YARA" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to yara-project+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
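The quoted rule locates the overlay by adding the last section's raw data offset and size, checks that this lands before the end of the file, and then reads the first two overlay bytes looking for an "MZ" signature that has been XORed. The Python below is an added example written for this thread, not code from the original post or from the YARA project: it parses the PE section table itself, computes the overlay start (generalised to the section whose raw data reaches furthest, which equals the rule's last-section expression when sections are laid out in file order), and recovers the single XOR key byte from the two-byte word instead of matching fixed constants. The minimal PE image it builds is constructed for the example and is not a real binary.

```python
import struct
from typing import Optional

MZ_LO, MZ_HI = 0x4D, 0x5A  # b"MZ" as the low/high bytes of a little-endian uint16


def overlay_offset(data: bytes) -> Optional[int]:
    """Offset where an overlay would start: the end of the section whose raw
    data reaches furthest into the file. Returns None when the DOS/PE headers
    are missing or truncated."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4  # IMAGE_FILE_HEADER follows the "PE\0\0" signature
    if coff + 20 > len(data):
        return None
    number_of_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_optional_header = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + size_of_optional_header
    if table + 40 * number_of_sections > len(data):
        return None
    end = 0
    for i in range(number_of_sections):
        hdr = table + 40 * i
        # IMAGE_SECTION_HEADER: SizeOfRawData at +16, PointerToRawData at +20
        raw_size, raw_offset = struct.unpack_from("<II", data, hdr + 16)
        end = max(end, raw_offset + raw_size)
    return end


def xor_key_for_mz(word: int) -> Optional[int]:
    """If `word` (a little-endian uint16 read from the file) is b"MZ" XORed
    with one repeated key byte, return that byte, else None. The quoted rule's
    constants 0x6275 and 0x4057 correspond to keys 0x38 and 0x1A."""
    key_lo = (word & 0xFF) ^ MZ_LO
    key_hi = ((word >> 8) & 0xFF) ^ MZ_HI
    return key_lo if key_lo == key_hi else None


def check_overlay(data: bytes) -> dict:
    """Mirror the rule's overlay tests: is there data past the sections
    (overlay start < filesize), and does it begin with a XORed "MZ"?"""
    off = overlay_offset(data)
    result = {"overlay_offset": off, "has_overlay": False, "xor_key": None}
    if off is None or off >= len(data):
        return result
    result["has_overlay"] = True
    if off + 2 <= len(data):
        word = struct.unpack_from("<H", data, off)[0]
        result["xor_key"] = xor_key_for_mz(word)
    return result


def build_sample_pe(overlay: bytes) -> bytes:
    """Constructed minimal PE32 image for this example (not a real binary):
    DOS header, "PE\0\0", COFF header, blank optional header, one section
    header, 0x200 bytes of section data at file offset 0x200, then `overlay`."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> right after DOS header
    opt_size = 0xE0  # size of a PE32 optional header
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    raw_offset, raw_size = 0x200, 0x200
    section = struct.pack("<8sIIIIIIHHI", b".text", raw_size, 0x1000,
                          raw_size, raw_offset, 0, 0, 0, 0, 0x60000020)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section
    headers += b"\x00" * (raw_offset - len(headers))
    return headers + b"\xCC" * raw_size + overlay


def xor_bytes(data: bytes, key: int) -> bytes:
    """Constructed helper: XOR every byte with one key byte."""
    return bytes(b ^ key for b in data)


if __name__ == "__main__":
    # Overlay whose first bytes are "MZ" XORed with 0x38, i.e. the rule's 0x6275
    sample = build_sample_pe(xor_bytes(b"MZ\x90\x00", 0x38))
    print(check_overlay(sample))
```

Recovering the key rather than matching literal words is what makes the check explainable: 0x6275 and 0x4057 are exactly "MZ" under single-byte keys 0x38 and 0x1A, so a reviewer can see what the rule is really asserting. The five absolute overlay offsets in the rule, by contrast, tie it to the specific builds Glenn looked at; when sections are not in file order, the max over all sections used here is the safer way to find the overlay start.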