/*
Version 0.0.1 2014/12/13
Source code put in public domain by Didier Stevens, no Copyright
https://DidierStevens.com
Use at your own risk

Shortcomings, or todo's ;-) :

History:
2014/12/13: start
2014/12/15: documentation
*/

/*
  Contains_PE_File: flags any byte sequence that embeds a PE image, not
  only data that starts with one (the "MZ" string is not anchored at 0).

  Method: each "MZ" occurrence is treated as a candidate DOS header. The
  DWORD at candidate + 0x3C is e_lfanew (AddressOfNewExeHeader); when the
  DWORD it points to equals 0x00004550 ("PE\0\0" read little-endian) the
  candidate is accepted as a real PE header.

  Notes for triage:
  - The rule does not check that e_lfanew points inside the scanned data.
    A uint32() read past the end is undefined in YARA, which makes that
    candidate evaluate false rather than produce a spurious hit.
  - Every "MZ" pair is examined, so large inputs containing many "MZ"
    byte pairs cost proportionally more scan time.
  - Legitimate data (installers, resource sections, archives) also embeds
    PE files, so a hit is a lead for further inspection, not a verdict.
*/
rule Contains_PE_File
{
    meta:
        author = "Didier Stevens (https://DidierStevens.com)"
        description = "Detect a PE file inside a byte sequence"
        method = "Find string MZ followed by string PE at the correct offset (AddressOfNewExeHeader)"
    strings:
        // candidate DOS header signature
        $mz = "MZ"
    condition:
        // @mz[i] is the offset of the i-th "MZ"; follow its e_lfanew and
        // compare the DWORD found there with the little-endian "PE\0\0".
        for any i in (1..#mz):
            (uint32(@mz[i] + uint32(@mz[i] + 0x3C)) == 0x00004550)
}