The next release of YARA will have pe.is_dll() which you can use. In the meantime you can always use this (untested):
    pe.characteristics & pe.DLL

-- WXS

> On Jan 20, 2016, at 9:28 AM, Glenn J <[email protected]> wrote:
>
> This works:
>
> rule IsDLL : PECheck
> {
>     condition:
>         // MZ signature at offset 0 and ...
>         uint16(0) == 0x5A4D and
>         // ... PE signature at offset stored in MZ header at 0x3C
>         (uint8(uint32(0x3C)+0x17) == 0x21)
> }
>
> but I'd like to use another code:
> it complains about unexpected _NOT_ ... what to do?
>
> rule IsDLL : PECheck
> {
>     condition:
>         // MZ signature at offset 0 and ...
>         uint16(0) == 0x5A4D and
>         //Result := ((PEHeader.Flags And IMAGE_FILE_DLL) <> 0)
>         ((uint16(uint32(0x3C)+0x16) & 0x2000) not 0x0)==1
> }
>
> --
> You received this message because you are subscribed to the Google Groups
> "YARA" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
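
The two approaches in this thread, written out as complete rules. This is an added example, not code from either poster or from the YARA project, and the rule names IsDLL_Raw and IsDLL_Module are made up for illustration. It tests the IMAGE_FILE_DLL bit (0x2000) with `!=`, whereas the byte comparison `== 0x21` in the first quoted rule matches only when the high byte of Characteristics is exactly 0x21 (the DLL bit plus the 32-bit machine bit, 0x0100).

```yara
import "pe"

// Raw-offset form: reads the header fields directly.
rule IsDLL_Raw : PECheck
{
    condition:
        // "MZ" signature at offset 0
        uint16(0) == 0x5A4D and
        // "PE\0\0" signature at e_lfanew (the uint32 stored at 0x3C)
        uint32(uint32(0x3C)) == 0x00004550 and
        // Characteristics is the 16-bit field at e_lfanew + 0x16.
        // "not" is a boolean unary operator in YARA, so the bit test
        // is compared against zero with != instead.
        (uint16(uint32(0x3C) + 0x16) & 0x2000) != 0
}

// Module form: the pe module parses the header and exposes the flag.
rule IsDLL_Module : PECheck
{
    condition:
        (pe.characteristics & pe.DLL) != 0
}
```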
