
/*
Version 0.0.1 2014/12/13
Source code put in public domain by Didier Stevens, no Copyright
https://DidierStevens.com
Use at your own risk
Shortcomings, or todo's ;-) :
History:
2014/12/13: start
2014/12/15: documentation
*/
// Flags any byte sequence (file or memory region) that contains an embedded
// PE image: a "MZ" DOS stub whose e_lfanew field (DOS header offset 0x3C)
// points at a "PE\0\0" signature. Every "MZ" occurrence is tried in turn, so
// a PE that is not at offset 0 (droppers, packed payloads, resources) is
// still found.
//
// Reading e_lfanew or the PE signature past the end of the scanned data makes
// the uint32 call undefined, and an undefined comparison is simply false, so
// a truncated or bogus e_lfanew cannot cause an out-of-bounds read; it only
// fails to match. The check is a header-consistency heuristic, not a full PE
// parse: it does not validate the remaining headers, so treat a hit as
// "looks like a PE", not "is a loadable PE".
rule Contains_PE_File
{
    meta:
        author = "Didier Stevens (https://DidierStevens.com)"
        description = "Detect a PE file inside a byte sequence"
        method = "Find string MZ followed by string PE at the correct offset (AddressOfNewExeHeader)"
    strings:
        // IMAGE_DOS_SIGNATURE as raw bytes ('M' 'Z'); two-byte atom, so YARA
        // will warn that scanning may be slow -- that is inherent to the approach.
        $mz = { 4D 5A }
    condition:
        // For some "MZ" hit: e_lfanew = uint32 at (hit + 0x3C); the four bytes at
        // (hit + e_lfanew) must be 'P' 'E' 0x00 0x00 (IMAGE_NT_SIGNATURE), read
        // big-endian here so the constant is written in byte order.
        for any i in (1..#mz): (
            uint32be(@mz[i] + uint32(@mz[i] + 0x3C)) == 0x50450000
        )
}