/*
  Version 0.0.1 2014/12/13
  Source code put in public domain by Didier Stevens, no Copyright
  https://DidierStevens.com
  Use at your own risk

  Shortcomings, or todo's ;-) :

  History:
    2014/12/13: start
    2014/12/15: documentation
*/

rule Contains_PE_File
{
    meta:
        author = "Didier Stevens (https://DidierStevens.com)"
        description = "Detect a PE file inside a byte sequence"
        method = "Find string MZ followed by string PE at the correct offset (AddressOfNewExeHeader)"

    strings:
        // DOS header magic "MZ" (bytes 0x4D 0x5A), written as a hex pattern.
        $mz = { 4D 5A }

    condition:
        // For each "MZ" hit, read the 32-bit little-endian e_lfanew field at
        // offset +0x3C from the hit and require that it points at the NT
        // signature "PE\0\0" (0x00004550 when read little-endian).
        // A read beyond the end of the scanned data is undefined in YARA and
        // makes the comparison false, so a truncated candidate does not match.
        for any i in (1..#mz) : (
            uint32(@mz[i] + uint32(@mz[i] + 0x3C)) == 0x00004550
        )
}