25 lines
609 B
Text
25 lines
609 B
Text
|
/*
|
||
|
|
Version 0.0.1 2016/05/14
|
||
|
|
Source code put in public domain by Didier Stevens, no Copyright
|
||
|
|
https://DidierStevens.com
|
||
|
|
Use at your own risk
|
||
|
|
|
||
|
|
Shortcomings, or todo's ;-) :
|
||
|
|
|
||
|
|
History:
|
||
|
|
2016/05/14: start
|
||
|
|
*/
|
||
|
|
|
||
|
|
import "pe"
|
||
|
|
|
||
|
|
rule PE_File_pyinstaller
|
||
|
|
{
|
||
|
|
meta:
|
||
|
|
author = "Didier Stevens (https://DidierStevens.com)"
|
||
|
|
description = "Detect PE file produced by pyinstaller"
|
||
|
|
reference = "https://blog.didierstevens.com/2016/05/16/new-yara-rule-pe_file_pyinstaller/"
|
||
|
|
strings:
|
||
|
|
$a = "pyi-windows-manifest-filename"
|
||
|
|
condition:
|
||
|
|
pe.number_of_resources > 0 and $a
|
||
|
|
}
|