Best thing to do at this point is submit it as a PR and see what Victor and others think about it! :)
-- WXS

> On Aug 15, 2016, at 4:45 PM, Fernando Mercês <[email protected]> wrote:
>
> Another excellent suggestion, Wesley. Thanks! It's done now. ;-)
>
> https://github.com/merces/yara/commit/c6ab8e39d4f9611de54681376de528f605634a72
>
>
> Att,
>
> @MercesFernando
> mentebinaria.com.br
> ---------------------------
>
> On Mon, Aug 15, 2016 at 5:26 PM, Wesley Shields <[email protected]> wrote:
> Is it possible to do this in the loop at the end of pe_parse_header()? The
> construct to walk the section headers is already there so walking them a
> second time in your function is redundant. Otherwise it looks correct to me.
> I'll hopefully be able to test it out tonight, but assume it looks good to me
> (for whatever that is worth) unless I speak up.
>
> -- WXS
>
> > On Aug 15, 2016, at 4:11 PM, Fernando Mercês <[email protected]> wrote:
> >
> > Hi Wesley,
> >
> > Thanks for that. Indeed it looks better this way. I've put overlay integers
> > "offset" and "size" under an "overlay" struct. If you have time, I'll be
> > happy to hear your feedback:
> > https://github.com/merces/yara/commit/2751a8938e5b6cc2178118d956c4c905c90bc170
> >
> > Thank you.
> >
> > Att,
> >
> > @MercesFernando
> > mentebinaria.com.br
> > ---------------------------
> >
> > On Mon, Aug 15, 2016 at 10:23 AM, Wesley Shields <[email protected]> wrote:
> > I haven't looked at the code, but there is precedent to use
> > pe.overlay.offset and pe.overlay.size.
> >
> > -- WXS
> >
> > > On Aug 15, 2016, at 12:02 AM, Fernando Mercês <[email protected]> wrote:
> > >
> > > Sorry to reply to an old thread but I had the same need and decided to
> > > create a patch (discussion at
> > > https://github.com/VirusTotal/yara/issues/432), that is on my Yara fork
> > > at https://github.com/merces/yara/
> > >
> > > This commit adds pe.overlay location:
> > > https://github.com/merces/yara/commit/39447516d82454f46988fac7313aebe8ce356f88
> > > This one adds the pe.overlay_size integer:
> > > https://github.com/merces/yara/commit/089e8915c1cde8274ab729789a1edc9cc2235b0c
> > >
> > > So rules like these would work:
> > >
> > > rule overlay_bytes {
> > >   strings:
> > >     $bytes = { 41 42 43 44 45 }
> > >   condition:
> > >     $bytes at pe.overlay
> > > }
> > >
> > > rule has_overlay {
> > >   condition:
> > >     pe.overlay
> > > }
> > >
> > > rule big_overlay {
> > >   condition:
> > >     pe.overlay_size > 10
> > > }
> > >
> > >
> > > @Victor, do you believe the patch is good enough for a pull request?
> > >
> > > Att,
> > >
> > > @MercesFernando
> > > mentebinaria.com.br
> > > ---------------------------
> > >
> > > On Wed, Dec 2, 2015 at 7:46 AM, Víctor Manuel Álvarez García
> > > <[email protected]> wrote:
> > > Sure, I think this makes a lot of sense. Thank you for the suggestion.
> > >
> > > On Tue, Dec 1, 2015 at 10:05 PM, Glenn J <[email protected]> wrote:
> > > rule SkDUndetectabler : SkDrat {
> > >   meta:
> > >     author = "me"
> > >   condition:
> > >     (
> > >       borland_delphi or //check All FSG or
> > >       ((pe.linker_version.major == 6) and (pe.linker_version.minor == 0))
> > >     )
> > >     and
> > >     (pe.sections[pe.number_of_sections-1].raw_data_offset+pe.sections[pe.number_of_sections-1].raw_data_size
> > >       < filesize) and
> > >     //is overlay at offset 2A00,1A00,C00,745,739
> > >     //pe.overlay & pe.overlay_size would have been prettier
> > >     (
> > >       (pe.sections[pe.number_of_sections-1].raw_data_offset+pe.sections[pe.number_of_sections-1].raw_data_size
> > >         == 0x00000739) or
> > >       (pe.sections[pe.number_of_sections-1].raw_data_offset+pe.sections[pe.number_of_sections-1].raw_data_size
> > >         == 0x00000745) or
> > >       //Uncompressed
> > >       (pe.sections[pe.number_of_sections-1].raw_data_offset+pe.sections[pe.number_of_sections-1].raw_data_size
> > >         == 0x00000C00) or
> > >       (pe.sections[pe.number_of_sections-1].raw_data_offset+pe.sections[pe.number_of_sections-1].raw_data_size
> > >         == 0x00002A00) or
> > >       (pe.sections[pe.number_of_sections-1].raw_data_offset+pe.sections[pe.number_of_sections-1].raw_data_size
> > >         == 0x00001A00)
> > >     )
> > >     and
> > >     //is xored MZ ?
> > >     (
> > >       uint16(pe.sections[pe.number_of_sections-1].raw_data_offset+pe.sections[pe.number_of_sections-1].raw_data_size)
> > >         == 0x6275 or
> > >       uint16(pe.sections[pe.number_of_sections-1].raw_data_offset+pe.sections[pe.number_of_sections-1].raw_data_size)
> > >         == 0x4057
> > >     )
> > > }
> > >
> > > --
> > > You received this message because you are subscribed to the Google Groups
> > > "YARA" group.
> > > To unsubscribe from this group and stop receiving emails from it, send an
> > > email to [email protected].
> > > For more options, visit https://groups.google.com/d/optout.
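As an added example, not code from this thread, from YARA itself, or from the merces fork: a small Python script that computes the overlay offset and size the way the proposed pe.overlay.offset / pe.overlay.size fields expose them, i.e. the end of the section raw data versus the file size, walking the section table a single time as Wesley suggests. It goes slightly beyond the hand-written rule quoted above: it takes the maximum PointerToRawData + SizeOfRawData over all sections rather than trusting the last table entry, because section headers are not required to be sorted by file offset. The sample PE image, the helper names (parse_overlay, section_ends, overlay_bytes, build_sample_pe) and the convention that a file with no trailing data reports offset 0 and size 0 are this example's own assumptions.

```python
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D     # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550  # "PE\0\0"
COFF_HEADER_SIZE = 24            # 4-byte signature + 20-byte file header
SECTION_HEADER_SIZE = 40
FILE_ALIGNMENT = 0x200


def section_ends(data: bytes) -> list:
    """End-of-raw-data offset (PointerToRawData + SizeOfRawData) of every
    section header, in table order.  Raises ValueError on a non-PE buffer."""
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + COFF_HEADER_SIZE > len(data) or \
            struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("not a PE file: bad PE signature")

    number_of_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_of_optional_header = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    section_table = e_lfanew + COFF_HEADER_SIZE + size_of_optional_header

    ends = []
    for i in range(number_of_sections):
        hdr = section_table + i * SECTION_HEADER_SIZE
        if hdr + SECTION_HEADER_SIZE > len(data):
            break  # truncated section table: only trust the headers present
        # Name(8) VirtualSize(4) VirtualAddress(4) are skipped; then
        # SizeOfRawData and PointerToRawData follow at +16.
        size_of_raw_data, pointer_to_raw_data = struct.unpack_from("<II", data, hdr + 16)
        ends.append(pointer_to_raw_data + size_of_raw_data)
    return ends


def parse_overlay(data: bytes) -> dict:
    """Return {"offset": ..., "size": ...} for the overlay of the PE in `data`.

    The overlay is whatever follows the section whose raw data ends last in the
    file (max over all sections, not the last table entry).  No trailing data
    yields offset 0 and size 0, this example's own convention."""
    end_of_sections = max(section_ends(data), default=0)
    if end_of_sections == 0 or end_of_sections >= len(data):
        return {"offset": 0, "size": 0}
    return {"offset": end_of_sections, "size": len(data) - end_of_sections}


def overlay_bytes(data: bytes) -> bytes:
    """The raw overlay content, or b"" when there is none (what a rule like
    `$bytes at pe.overlay` would be matched against)."""
    ov = parse_overlay(data)
    return data[ov["offset"]:ov["offset"] + ov["size"]] if ov["size"] else b""


def build_sample_pe(sections, overlay=b"", reverse_table=False) -> bytes:
    """Construct a minimal PE32 image (constructed test data, not a real binary).

    `sections` is a list of (name, raw_size) pairs laid out back to back after
    the headers.  With reverse_table=True the section headers are written in
    reverse order while the bodies stay put, so the last table entry is no
    longer the section that ends last in the file."""
    headers_size = 0x40 + COFF_HEADER_SIZE + 0xE0 + SECTION_HEADER_SIZE * len(sections)
    headers_size = -(-headers_size // FILE_ALIGNMENT) * FILE_ALIGNMENT  # round up

    dos = bytearray(0x40)
    struct.pack_into("<H", dos, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew

    # Signature, Machine (i386), NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<IHHIIIHH", IMAGE_NT_SIGNATURE, 0x14C, len(sections),
                       0, 0, 0, 0xE0, 0x0102)

    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", opt, 36, FILE_ALIGNMENT)  # FileAlignment
    struct.pack_into("<I", opt, 60, headers_size)    # SizeOfHeaders

    hdrs, bodies, raw_ptr = [], bytearray(), headers_size
    for name, raw_size in sections:
        padded = -(-raw_size // FILE_ALIGNMENT) * FILE_ALIGNMENT
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
        # NumberOfLinenumbers, Characteristics (code | executable | readable)
        hdrs.append(struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                                raw_size, raw_ptr, padded, raw_ptr,
                                0, 0, 0, 0, 0x60000020))
        bodies += b"\x90" * padded
        raw_ptr += padded
    if reverse_table:
        hdrs.reverse()

    image = bytes(dos) + coff + bytes(opt) + b"".join(hdrs)
    return image.ljust(headers_size, b"\0") + bytes(bodies) + overlay


if __name__ == "__main__":
    sample = build_sample_pe([(".text", 0x100), (".data", 0x50)], overlay=b"ABCDE")
    print(parse_overlay(sample))   # {'offset': 1536, 'size': 5}
    print(overlay_bytes(sample))   # b'ABCDE'
```

With reverse_table=True the naive "last section in the table" computation from the quoted rule reports 0x400 while the true end of section data is still 0x600; that is the case a single pass taking the maximum handles and a last-entry lookup does not.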
