/*
    Version 0.0.1 2016/05/14
    Source code put in public domain by Didier Stevens, no Copyright
    https://DidierStevens.com
    Use at your own risk

    Shortcomings, or todo's ;-) :

    History:
      2016/05/14: start
*/

import "pe"

// Classifies a PE file as having been built by PyInstaller.
//
// This is a build-tool/packer classification, not a malware verdict:
// PyInstaller is widely used by legitimate software, so a hit is a pivot
// for further triage (e.g. extracting the embedded Python payload), not an
// alert on its own.
rule PE_File_pyinstaller
{
    meta:
        author = "Didier Stevens (https://DidierStevens.com)"
        description = "Detect PE file produced by pyinstaller"
        reference = "https://blog.didierstevens.com/2016/05/16/new-yara-rule-pe_file_pyinstaller/"

    strings:
        // Marker string, presumably the name of a runtime option carried by
        // the PyInstaller bootloader. Kept as a plain ASCII string with no
        // modifiers so the match set is identical to the original rule.
        // NOTE(review): anyone who rebuilds the bootloader can strip or
        // rename this string, so treat it as a convenience indicator only.
        $pyi_manifest_option = "pyi-windows-manifest-filename"

    condition:
        // The resource-count check presumably only evaluates true for
        // images the pe module could parse, so it doubles as an "is a PE"
        // gate in front of the marker-string match.
        pe.number_of_resources > 0 and $pyi_manifest_option
}