Nice. Just did that. Thanks for all your support, Wesley.
Att,
@MercesFernando
mentebinaria.com.br <http://www.mentebinaria.com.br>
---------------------------

On Tue, Aug 16, 2016 at 10:40 AM, Wesley Shields <wshie...@gmail.com> wrote:
> Best thing to do at this point is submit it as a PR and see what Victor
> and others think about it! :)
>
> -- WXS
>
> > On Aug 15, 2016, at 4:45 PM, Fernando Mercês <nand...@gmail.com> wrote:
> >
> > Another excellent suggestion, Wesley. Thanks! It's done now. ;-)
> >
> > https://github.com/merces/yara/commit/c6ab8e39d4f9611de54681376de528f605634a72
> >
> > Att,
> > @MercesFernando
> > mentebinaria.com.br
> > ---------------------------
> >
> > On Mon, Aug 15, 2016 at 5:26 PM, Wesley Shields <wshie...@gmail.com> wrote:
> > Is it possible to do this in the loop at the end of pe_parse_header()?
> > The construct to walk the section headers is already there so walking them
> > a second time in your function is redundant. Otherwise it looks correct to
> > me. I'll hopefully be able to test it out tonight, but assume it looks good
> > to me (for whatever that is worth) unless I speak up.
> >
> > -- WXS
> >
> > > On Aug 15, 2016, at 4:11 PM, Fernando Mercês <nand...@gmail.com> wrote:
> > >
> > > Hi Wesley,
> > >
> > > Thanks for that. Indeed it looks better this way. I've put overlay
> > > integers "offset" and "size" under an "overlay" struct. If you have time,
> > > I'll be happy to hear your feedback:
> > > https://github.com/merces/yara/commit/2751a8938e5b6cc2178118d956c4c905c90bc170
> > >
> > > Thank you.
> > >
> > > Att,
> > > @MercesFernando
> > > mentebinaria.com.br
> > > ---------------------------
> > >
> > > On Mon, Aug 15, 2016 at 10:23 AM, Wesley Shields <wshie...@gmail.com> wrote:
> > > I haven't looked at the code, but there is precedent to use
> > > pe.overlay.offset and pe.overlay.size.
> > >
> > > -- WXS
> > >
> > > > On Aug 15, 2016, at 12:02 AM, Fernando Mercês <nand...@gmail.com> wrote:
> > > >
> > > > Sorry to reply to an old thread but I had the same need and decided
> > > > to create a patch (discussion at https://github.com/VirusTotal/yara/issues/432),
> > > > that is on my Yara fork at https://github.com/merces/yara/
> > > >
> > > > This commit adds pe.overlay location:
> > > > https://github.com/merces/yara/commit/39447516d82454f46988fac7313aebe8ce356f88
> > > > This one adds the pe.overlay_size integer:
> > > > https://github.com/merces/yara/commit/089e8915c1cde8274ab729789a1edc9cc2235b0c
> > > >
> > > > So rules like these would work:
> > > >
> > > > import "pe"
> > > >
> > > > rule overlay_bytes {
> > > >     strings:
> > > >         $bytes = { 41 42 43 44 45 }
> > > >     condition:
> > > >         $bytes at pe.overlay
> > > > }
> > > >
> > > > rule has_overlay {
> > > >     condition:
> > > >         pe.overlay
> > > > }
> > > >
> > > > rule big_overlay {
> > > >     condition:
> > > >         pe.overlay_size > 10
> > > > }
> > > >
> > > > @Victor, do you believe the patch is good enough for a pull request?
> > > >
> > > > Att,
> > > > @MercesFernando
> > > > mentebinaria.com.br
> > > > ---------------------------
> > > >
> > > > On Wed, Dec 2, 2015 at 7:46 AM, Víctor Manuel Álvarez García <plus...@gmail.com> wrote:
> > > > Sure, I think this makes a lot of sense. Thank you for the suggestion.
> > > >
> > > > On Tue, Dec 1, 2015 at 10:05 PM, Glenn J <sir.pus...@gmail.com> wrote:
> > > > import "pe"
> > > >
> > > > rule SkDUndetectabler : SkDrat {
> > > >     meta:
> > > >         author = "me"
> > > >     condition:
> > > >         (
> > > >             borland_delphi or //check All FSG or
> > > >             ((pe.linker_version.major == 6) and (pe.linker_version.minor == 0 ))
> > > >         )
> > > >         and
> > > >         (pe.sections[pe.number_of_sections-1].raw_data_offset+pe.sections[pe.number_of_sections-1].raw_data_size < filesize) and
> > > >         //is overlay at offset 2A00,1A00,C00,745,739
> > > >         //pe.overlay & pe.overlay_size would have been prettier
> > > >         (
> > > >             (pe.sections[pe.number_of_sections-1].raw_data_offset+pe.sections[pe.number_of_sections-1].raw_data_size == 0x00000739) or
> > > >             (pe.sections[pe.number_of_sections-1].raw_data_offset+pe.sections[pe.number_of_sections-1].raw_data_size == 0x00000745) or
> > > >             //Uncompressed
> > > >             (pe.sections[pe.number_of_sections-1].raw_data_offset+pe.sections[pe.number_of_sections-1].raw_data_size == 0x00000C00) or
> > > >             (pe.sections[pe.number_of_sections-1].raw_data_offset+pe.sections[pe.number_of_sections-1].raw_data_size == 0x00002A00) or
> > > >             (pe.sections[pe.number_of_sections-1].raw_data_offset+pe.sections[pe.number_of_sections-1].raw_data_size == 0x00001A00)
> > > >         )
> > > >         and
> > > >         //is xored MZ ?
> > > >         (
> > > >             uint16(pe.sections[pe.number_of_sections-1].raw_data_offset+pe.sections[pe.number_of_sections-1].raw_data_size) == 0x6275 or
> > > >             uint16(pe.sections[pe.number_of_sections-1].raw_data_offset+pe.sections[pe.number_of_sections-1].raw_data_size) == 0x4057
> > > >         )
> > > > }
> > > >
> > > > --
> > > > You received this message because you are subscribed to the Google Groups "YARA" group.
> > > > To unsubscribe from this group and stop receiving emails from it, send an email to yara-project+unsubscr...@googlegroups.com.
> > > > For more options, visit https://groups.google.com/d/optout.
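The overlay computation this thread converges on (the bytes after the end of section raw data, which Wesley suggests folding into the section-header loop of pe_parse_header()), as an added Python example that is neither YARA's code nor from any message above. It generalises Glenn's last-section arithmetic by taking the highest raw-data end across all section headers, since headers need not be ordered by file offset; pe_overlay, overlay_starts_with, build_pe and the byte layout of SAMPLE are all constructed here.

```python
import struct

def pe_overlay(data):
    """Return (offset, size) of the PE overlay, or (None, 0) when there is none.
    The overlay starts where the highest raw-data end of any section header
    stops; it exists only if that point lies before end-of-file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4                                  # IMAGE_FILE_HEADER
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    sect = coff + 20 + opt_size                          # first IMAGE_SECTION_HEADER
    end = 0
    for i in range(nsections):
        off = sect + i * 40
        if off + 40 > len(data):
            break                                        # truncated section table
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        end = max(end, raw_ptr + raw_size)               # walk every section, not just the last
    if end == 0 or end >= len(data):                     # no sections, or raw data runs past EOF
        return None, 0
    return end, len(data) - end

def overlay_starts_with(data, pattern):
    """Equivalent of the thread's `$bytes at pe.overlay` condition."""
    off, _ = pe_overlay(data)
    return off is not None and data[off:off + len(pattern)] == pattern

def build_pe(sections, overlay=b""):
    """Constructed minimal PE (not a real binary): MZ stub, PE signature, COFF
    header, zeroed optional header, (name, raw_ptr, raw_size) sections, overlay."""
    opt_size, e_lfanew = 0xE0, 0x40
    hdr = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    hdr += b"\0" * opt_size
    for name, raw_ptr, raw_size in sections:
        hdr += struct.pack("<8sIIIIIIHHI", name, raw_size, raw_ptr, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    body = bytearray(max(p + s for _, p, s in sections))  # zero-filled section data
    body[:len(hdr)] = hdr
    return bytes(body) + overlay

# Constructed sample: sections deliberately out of file order, so the last
# header (.data) ends at 0x600 while the file's real section data ends at 0x700.
SAMPLE = build_pe([(b".text", 0x200, 0x200), (b".rsrc", 0x600, 0x100),
                   (b".data", 0x400, 0x200)], overlay=b"ABCDE")
```

On SAMPLE the last-section arithmetic from Glenn's rule would report an overlay at 0x600 that is really the .rsrc section, while pe_overlay reports the five trailing bytes at 0x700.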