Sneed-Reactivity/yara-mikesxrs/nex/embedded_pe.yar


// Copyright (C) 2013 Claudio "nex" Guarnieri
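/*
 * embedded_pe
 *
 * Flags a file that is not itself a PE image (no "MZ" at offset 0) but
 * carries a PE image somewhere inside it, e.g. an executable appended to or
 * stored in a document, archive or installer blob.
 *
 * The literal text "PE32" is not part of the PE format: the NT header
 * signature is the four bytes "PE\0\0". Keying on the text "PE32" therefore
 * misses real embedded images and matches any file that merely mentions
 * "PE32" next to the DOS stub message. The condition below checks structure
 * instead: an "MZ" header whose e_lfanew field (offset 0x3C) points at a
 * "PE\0\0" signature.
 *
 * Limits a reader should know about:
 *   - only plain, unencoded images are seen (no XOR/base64/compressed data);
 *   - the standard DOS stub message is still required, so images with a
 *     stripped or custom stub do not match;
 *   - PE-inside-PE is deliberately out of scope ("MZ" at offset 0 excludes
 *     the file), as in the original rule;
 *   - the 2-byte "MZ" pattern is a short atom and can slow scans of large
 *     files.
 */
rule embedded_pe
{
    meta:
        author = "nex"
        description = "Contains an embedded PE32 file"

    strings:
        // Start of the standard DOS stub message ("This program cannot be run in DOS mode").
        $dos_stub = "This program"
        // DOS header magic "MZ".
        $mz = { 4d 5a }

    condition:
        // The scanned file itself must not be a PE image.
        not ($mz at 0) and
        $dos_stub and
        // Some "MZ" must be a real DOS header: the little-endian uint32 at
        // +0x3C (e_lfanew) locates the NT headers, which begin with
        // "PE\0\0" (0x00004550). Out-of-range reads are undefined in YARA
        // and make that iteration false.
        for any i in (1..#mz) : (
            uint32(@mz[i] + uint32(@mz[i] + 0x3C)) == 0x00004550
        )
}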