From 071f1846771fee9ba731ad86021fada235231beb Mon Sep 17 00:00:00 2001
From: Ladislav Zezula
Date: Wed, 28 Feb 2024 12:59:30 +0100
Subject: [PATCH] Added detection of PE in overlay

---
 support/yara_patterns/tools/pe/x86/packers.yara | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/support/yara_patterns/tools/pe/x86/packers.yara b/support/yara_patterns/tools/pe/x86/packers.yara
index 31910fcf7..829b77e0e 100644
--- a/support/yara_patterns/tools/pe/x86/packers.yara
+++ b/support/yara_patterns/tools/pe/x86/packers.yara
@@ -184,6 +184,21 @@ rule eziriz_dotnet_reactor_62_or_newer {
 		dotnet.user_strings[dotnet.number_of_user_strings - 2] == "{\x001\x001\x001\x001\x001\x00-\x002\x002\x002\x002\x002\x00-\x005\x000\x000\x000\x001\x00-\x000\x000\x000\x000\x001\x00}\x00"
 }
 
+rule pe_file_in_overlay
+{
+	meta:
+		tool = "P"
+		name = "PE-in-Overlay"
+		version = "-"
+		extra = "Various binary tools"
+	condition:
+		pe.overlay.size != 0 and
+		pe.overlay.offset != 0 and
+		uint16(pe.overlay.offset) == 0x5A4D and
+		uint32(pe.overlay.offset + 0x3C) >= 4 and
+		uint32(pe.overlay.offset + uint32(pe.overlay.offset + 0x3C)) == 0x00004550
+}
+
 rule spirit_15_01 {
 	meta:
 		tool = "P"
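Review bot: The new rule puts `rule pe_file_in_overlay` and `{` on separate lines, while both neighbouring rules in the hunk (`rule eziriz_dotnet_reactor_62_or_newer {`, `rule spirit_15_01 {`) keep the brace on the rule line; suggest `rule pe_file_in_overlay {` for consistency with the rest of the file. The condition is all magic numbers, so a short comment above it would help the next reader, e.g. `// 'MZ' at overlay start, e_lfanew at +0x3C, 'PE\0\0' at e_lfanew`. It is worth stating in that comment that `uint16()`/`uint32()` reads past the end of the file are undefined in YARA and make the condition false, which is why no explicit `pe.overlay.size` minimum is needed for the header reads. The `>= 4` lower bound on e_lfanew only keeps the PE signature from overlapping the MZ magic; presumably no upper bound is intended, but a note saying so would avoid a later "missing check" report. This assumes `import "pe"` already exists above the hunk, which is outside the visible lines.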