[Vol-dev] Pythonisms and volatility-isms for structs

Blake Hartstein urule99 at gmail.com
Thu Apr 18 14:08:48 CDT 2013


Edwin,
I'm not sure if this helps you now, but check out this example rule from 
the yara manual 
(https://code.google.com/p/yara-project/downloads/detail?name=YARA%20User%27s%20Manual%201.6.pdf)

YARA manual v1.6:

rule IsPE
{
    condition:
        // MZ signature at offset 0 and ...
        uint16(0) == 0x5A4D and
        // ... PE signature at offset stored in MZ header at 0x3C
        uint32(uint32(0x3C)) == 0x00004550
}

Most likely you can do a greater/less than match of this type provided 
you put it in the condition part of the rule (like the above rule) and 
have a way of specifying which offset you are looking at.

Blake


On 4/17/13 3:35 PM, Edwin Smulders wrote:
> My question was unclear, that was not what I meant, but I have decided
> to use another method anyway. Thanks for your time :)
>
> On 17 April 2013 20:23, Michael Hale Ligh <michael.hale at gmail.com> wrote:
>> Sure, both the BaseYaraScanner.scan() and DiscontigYaraScanner.scan()
>> functions take starting addresses and maxlen parameters. So you can just set
>> start to 0xBFFFF000 and maxlen to 0xFFF.
>>
>>
>> On Wed, Apr 17, 2013 at 9:24 AM, Edwin Smulders <edwin.smulders at gmail.com>
>> wrote:
>>> Followup question: can I use yara to match an integer(32) between a
>>> specific range? I did not find this in the documentation, but that
>>> does not always mean it is not possible.
>>> For example, I want to find a pointer of which I know it's in the
>>> 0xBFFFF000-0xBFFFFFFF range. I suppose I could work around that by
>>> searching for a hex string like "BF FF F? ??", but this does not feel
>>> quite the same... Plus the ranges are not known beforehand, I have to
>>> generate these rules.
>>>
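The two approaches discussed in this thread (a uint32() comparison in the condition, or a hex string with nibble wildcards) and the start/maxlen window mentioned for the scanner can be worked through with the following added example. It is not code from the original posts or from Volatility or YARA; it only generates rule text and then emulates what such a rule would match over a constructed byte buffer, using plain Python so it runs without yara-python. One point the example depends on: YARA's uint32() reads little-endian, as does an x86 pointer in memory, so a pattern for a 0xBFFFF000-0xBFFFFFFF pointer has to be written in byte-reversed order ({ ?? F? FF BF }), not as "BF FF F? ??". The helper names (range_condition, range_hex_pattern, scan_range, scan_hex_pattern, build_rule) are this example's own.

```python
import struct

def range_condition(offset, lo, hi):
    """YARA 'condition:' fragment: the little-endian uint32 at `offset` lies in [lo, hi].

    uint32() reads little-endian, so the comparison is on the integer value and needs
    no byte reordering; `offset` may also be another uint32() expression in a real rule.
    """
    return f"uint32({offset:#x}) >= {lo:#x} and uint32({offset:#x}) <= {hi:#x}"

def build_rule(name, offset, lo, hi):
    """Complete rule text using range_condition(); generated, not hand-written."""
    return (
        f"rule {name}\n"
        "{\n"
        "    condition:\n"
        f"        {range_condition(offset, lo, hi)}\n"
        "}\n"
    )

def range_hex_pattern(lo, hi):
    """Hex-string pattern with nibble wildcards for a 32-bit range, in memory (little-endian) order.

    A single wildcard pattern can only express a range whose low n nibbles run from
    all-zero to all-ones under a common prefix (e.g. 0xBFFFF000..0xBFFFFFFF).  Any other
    range returns None; fall back to range_condition() or split the range.
    """
    if not (0 <= lo <= hi <= 0xFFFFFFFF):
        raise ValueError("lo/hi must be 32-bit and lo <= hi")
    for n in range(9):  # number of trailing wildcard nibbles
        mask = (1 << (4 * n)) - 1
        if (lo & mask) == 0 and (hi & mask) == mask and (lo >> (4 * n)) == (hi >> (4 * n)):
            break
    else:
        return None
    nibbles = list(f"{lo:08X}")          # big-endian nibbles of the value
    for i in range(8 - n, 8):
        nibbles[i] = "?"
    be_bytes = ["".join(nibbles[i:i + 2]) for i in range(0, 8, 2)]
    return "{ " + " ".join(reversed(be_bytes)) + " }"   # reverse to little-endian

def scan_range(buf, lo, hi, start=0, maxlen=None):
    """Offsets of every (unaligned) little-endian uint32 in [lo, hi] within the window
    [start, start+maxlen), the way a scanner's start/maxlen restricts the search."""
    end = len(buf) if maxlen is None else min(len(buf), start + maxlen)
    hits = []
    for off in range(start, end - 3):   # the 4-byte value must fit inside the window
        (val,) = struct.unpack_from("<I", buf, off)
        if lo <= val <= hi:
            hits.append(off)
    return hits

def _nibble_match(tok, byte):
    hx = f"{byte:02X}"
    return all(t == "?" or t == h for t, h in zip(tok, hx))

def scan_hex_pattern(buf, pattern):
    """Offsets where a YARA-style hex pattern such as '{ ?? F? FF BF }' matches."""
    tokens = pattern.strip("{} ").split()
    return [
        off
        for off in range(len(buf) - len(tokens) + 1)
        if all(_nibble_match(tok, buf[off + i]) for i, tok in enumerate(tokens))
    ]

# Constructed sample buffer (not a real memory dump): two in-range pointers at
# offsets 4 and 17, one just-below-range value at offset 13, padding elsewhere.
SAMPLE = (
    b"\x00" * 4
    + struct.pack("<I", 0xBFFFF123)   # offset 4: in range
    + b"\x41" * 5
    + struct.pack("<I", 0xBFFFEFFF)   # offset 13: below range
    + struct.pack("<I", 0xBFFFFFFF)   # offset 17: top of range
    + b"\x00" * 3
)

if __name__ == "__main__":
    LO, HI = 0xBFFFF000, 0xBFFFFFFF
    print(build_rule("PtrInRange", 0x3C, LO, HI))
    print("hex pattern:", range_hex_pattern(LO, HI))
    print("condition hits:", scan_range(SAMPLE, LO, HI))
    print("pattern hits:  ", scan_hex_pattern(SAMPLE, range_hex_pattern(LO, HI)))
    print("windowed hits: ", scan_range(SAMPLE, LO, HI, start=13, maxlen=8))
```

Both scans return the same offsets for a nibble-aligned range, which is the check worth running before trusting a generated hex string; for a range such as 0x1000-0x2FFF range_hex_pattern() returns None and only the uint32() comparison form applies.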
