Is it possible to do this in the loop at the end of pe_parse_header()? The construct to walk the section headers is already there so walking them a second time in your function is redundant. Otherwise it looks correct to me. I'll hopefully be able to test it out tonight, but assume it looks good to me (for whatever that is worth) unless I speak up.
-- WXS

> On Aug 15, 2016, at 4:11 PM, Fernando Mercês <[email protected]> wrote:
>
> Hi Wesley,
>
> Thanks for that. Indeed it looks better this way. I've put overlay integers
> "offset" and "size" under an "overlay" struct. If you have time, I'll be
> happy to hear your feedback:
> https://github.com/merces/yara/commit/2751a8938e5b6cc2178118d956c4c905c90bc170
>
> Thank you.
>
> Att,
>
> @MercesFernando
> mentebinaria.com.br
> ---------------------------
>
> On Mon, Aug 15, 2016 at 10:23 AM, Wesley Shields <[email protected]> wrote:
> I haven't looked at the code, but there is precedent to use pe.overlay.offset
> and pe.overlay.size.
>
> -- WXS
>
> > On Aug 15, 2016, at 12:02 AM, Fernando Mercês <[email protected]> wrote:
> >
> > Sorry to reply to an old thread but I had the same need and decided to
> > create a patch (discussion at
> > https://github.com/VirusTotal/yara/issues/432), that is on my Yara fork at
> > https://github.com/merces/yara/
> >
> > This commit adds pe.overlay location:
> > https://github.com/merces/yara/commit/39447516d82454f46988fac7313aebe8ce356f88
> > This one adds the pe.overlay_size integer:
> > https://github.com/merces/yara/commit/089e8915c1cde8274ab729789a1edc9cc2235b0c
> >
> > So rules like these would work:
> >
> > rule overlay_bytes {
> >     strings:
> >         $bytes = { 41 42 43 44 45 }
> >     condition:
> >         $bytes at pe.overlay
> > }
> >
> > rule has_overlay {
> >     condition:
> >         pe.overlay
> > }
> >
> > rule big_overlay {
> >     condition:
> >         pe.overlay_size > 10
> > }
> >
> > @Victor, do you believe the patch is good enough for a pull request?
> >
> > Att,
> >
> > @MercesFernando
> > mentebinaria.com.br
> > ---------------------------
> >
> > On Wed, Dec 2, 2015 at 7:46 AM, Víctor Manuel Álvarez García
> > <[email protected]> wrote:
> > Sure, I think this makes a lot of sense. Thank you for the suggestion.
> >
> > On Tue, Dec 1, 2015 at 10:05 PM, Glenn J <[email protected]> wrote:
> > rule SkDUndetectabler : SkDrat {
> >     meta:
> >         author = "me"
> >     condition:
> >         (
> >             borland_delphi or //check All FSG or
> >             ((pe.linker_version.major == 6) and (pe.linker_version.minor == 0 ))
> >         )
> >         and
> >         (pe.sections[pe.number_of_sections-1].raw_data_offset+pe.sections[pe.number_of_sections-1].raw_data_size
> >          < filesize) and
> >         //is overlay at offset 2A00,1A00,C00,745,739
> >         //pe.overlay & pe.overlay_size would have been prettier
> >         (
> >             (pe.sections[pe.number_of_sections-1].raw_data_offset+pe.sections[pe.number_of_sections-1].raw_data_size
> >              == 0x00000739) or
> >             (pe.sections[pe.number_of_sections-1].raw_data_offset+pe.sections[pe.number_of_sections-1].raw_data_size
> >              == 0x00000745) or
> >             //Uncompressed
> >             (pe.sections[pe.number_of_sections-1].raw_data_offset+pe.sections[pe.number_of_sections-1].raw_data_size
> >              == 0x00000C00) or
> >             (pe.sections[pe.number_of_sections-1].raw_data_offset+pe.sections[pe.number_of_sections-1].raw_data_size
> >              == 0x00002A00) or
> >             (pe.sections[pe.number_of_sections-1].raw_data_offset+pe.sections[pe.number_of_sections-1].raw_data_size
> >              == 0x00001A00)
> >         )
> >         and
> >         //is xored MZ ?
> >         (
> >             uint16(pe.sections[pe.number_of_sections-1].raw_data_offset+pe.sections[pe.number_of_sections-1].raw_data_size)
> >              == 0x6275 or
> >             uint16(pe.sections[pe.number_of_sections-1].raw_data_offset+pe.sections[pe.number_of_sections-1].raw_data_size)
> >              == 0x4057
> >         )
> > }
> >
> > --
> > You received this message because you are subscribed to the Google Groups
> > "YARA" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to [email protected].
> > For more options, visit https://groups.google.com/d/optout.
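The thread works out the overlay from the section table: the overlay starts where section raw data ends, and its size is whatever is left up to filesize. Glenn's rule takes a shortcut (end of the header-order *last* section), which is why Wesley asks for the computation to live in the loop that already walks every section header. The script below is an added example written for this page; it is not YARA's pe module code nor Fernando's patch. It parses a constructed toy PE (built inline, not a real sample) and computes the overlay offset and size two ways, showing why walking all headers matters: the helper names `parse_sections`, `overlay`, `last_header_end` and `build_pe` are assumptions of this example, and the toy image is not loadable.

```python
import struct

# IMAGE_FILE_HEADER (COFF) and IMAGE_SECTION_HEADER layouts, little-endian.
# COFF: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
#       NumberOfSymbols, SizeOfOptionalHeader, Characteristics
COFF_HDR = struct.Struct("<HHIIIHH")
# Section: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
#          PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
#          NumberOfLinenumbers, Characteristics
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")


def parse_sections(data):
    """Return [(name, PointerToRawData, SizeOfRawData)] for every section header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: bad PE signature")
    coff_off = e_lfanew + 4
    if coff_off + COFF_HDR.size > len(data):
        raise ValueError("truncated COFF header")
    _, nsec, _, _, _, opt_size, _ = COFF_HDR.unpack_from(data, coff_off)
    table_off = coff_off + COFF_HDR.size + opt_size
    sections = []
    for i in range(nsec):
        off = table_off + i * SECTION_HDR.size
        if off + SECTION_HDR.size > len(data):
            break  # truncated section table: stop instead of reading past EOF
        name, _vsize, _va, raw_size, raw_ptr, *_ = SECTION_HDR.unpack_from(data, off)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), raw_ptr, raw_size))
    return sections


def overlay(data):
    """(offset, size) of the overlay: the bytes after the end of ALL section raw data.

    Header order need not match file order, so every section is considered and
    the maximum end is taken. Each end is clamped to the file size so a bogus
    header cannot push the offset past EOF. size == 0 means there is no overlay.
    (A file with no section data at all reports the whole file as overlay.)
    """
    end = 0
    for _name, raw_ptr, raw_size in parse_sections(data):
        end = max(end, min(raw_ptr + raw_size, len(data)))
    return end, len(data) - end


def last_header_end(data):
    """The shortcut used in the rule from the thread: end of the last section header only."""
    secs = parse_sections(data)
    if not secs:
        return 0
    _name, raw_ptr, raw_size = secs[-1]
    return raw_ptr + raw_size


def build_pe(section_specs, overlay_bytes=b""):
    """Constructed toy PE (not a loadable image): DOS header, PE signature, COFF
    header, zero-filled PE32 optional header, section table, section data, overlay."""
    opt_size = 0x60
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew: PE signature follows the DOS header
    coff = COFF_HDR.pack(0x14C, len(section_specs), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + bytes(opt_size - 2)   # PE32 magic, rest zero
    table = b"".join(
        SECTION_HDR.pack(name.encode("ascii"), size, 0x1000 * (i + 1), size, raw_off,
                         0, 0, 0, 0, 0x60000020)
        for i, (name, raw_off, size) in enumerate(section_specs))
    img = bytearray(dos + b"PE\0\0" + coff + opt + table)
    for _name, raw_off, size in section_specs:
        if len(img) < raw_off + size:
            img.extend(bytes(raw_off + size - len(img)))
        img[raw_off:raw_off + size] = b"\x90" * size        # filler bytes standing in for section data
    return bytes(img) + overlay_bytes


# Constructed sample: header order is .text then .data, but .data sits EARLIER in
# the file, so the last header's end (0x400) is not the end of section data (0x600).
SAMPLE = build_pe([(".text", 0x400, 0x200), (".data", 0x200, 0x200)],
                  overlay_bytes=b"ABCDE" + bytes(11))
# Constructed sample with no trailing data at all.
NO_OVERLAY = build_pe([(".text", 0x200, 0x100)])

if __name__ == "__main__":
    off, size = overlay(SAMPLE)
    print(f"overlay offset=0x{off:x} size={size}; last-header shortcut says 0x{last_header_end(SAMPLE):x}")
    print("no-overlay sample (offset, size):", overlay(NO_OVERLAY))
```

On `SAMPLE` the full walk reports an overlay at 0x600 of 16 bytes, where the `41 42 43 44 45` bytes of the `overlay_bytes` rule would be found, while the last-header shortcut points at 0x400, inside `.text`. One caveat when writing rules on this: an Authenticode signature (the attribute certificate table) is not mapped into memory and normally sits in exactly this region, so a non-empty overlay by itself is common in legitimately signed binaries and is a weak signal without the additional checks the rules above combine it with.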
