// Copyright (C) 2013 Claudio "nex" Guarnieri
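rule embedded_pe
{
    // Flags files that are not themselves MZ executables but carry text
    // markers suggesting a PE image is embedded somewhere inside them.
    //
    // Triage caveat: both strings are unanchored and unrelated in position,
    // so any non-MZ file that merely contains the two texts (documents, logs
    // or dumps that mention PE files) also matches. Treat a hit as a reason
    // to inspect or carve the file, not as proof of an embedded executable.
    meta:
        author = "nex"
        description = "Contains an embedded PE32 file"

    strings:
        // Literal ASCII text "PE32". This is not the PE header signature,
        // which is the byte sequence 50 45 00 00 ("PE\0\0").
        // NOTE(review): confirm the literal text is what was intended.
        $a = "PE32"
        // Start of the usual DOS stub message
        // ("This program cannot be run in DOS mode").
        $b = "This program"

    condition:
        // The MZ check reads the first two bytes directly instead of declaring
        // a two-byte hex string: { 4d 5a } is too short to give the scanner a
        // useful atom and slows matching, while uint16(0) is a single
        // little-endian read (bytes 4D 5A == 0x5A4D) with the same result.
        ($a and $b) and not (uint16(0) == 0x5A4D)
}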