Sneed-Reactivity/yara-mikesxrs/Didier Stevens/PE_PyInstaller.yar

/*
  Version 0.0.1 2016/05/14
  Source code put in public domain by Didier Stevens, no Copyright
  https://DidierStevens.com
  Use at your own risk

  Shortcomings, or todo's ;-) :

  History:
    2016/05/14: start
*/

import "pe"

rule PE_File_pyinstaller
{
    meta:
        author = "Didier Stevens (https://DidierStevens.com)"
        description = "Detect PE file produced by pyinstaller"
        reference = "https://blog.didierstevens.com/2016/05/16/new-yara-rule-pe_file_pyinstaller/"
    strings:
        $a = "pyi-windows-manifest-filename"
    condition:
        pe.number_of_resources > 0 and $a
}