[Vol-dev] Pythonisms and volatility-isms for structs
urule99 at gmail.com
Thu Apr 18 14:08:48 CDT 2013
I'm not sure if this helps you now, but check out this example rule from
the YARA manual (v1.6):

    rule IsPE
    {
        condition:
            // MZ signature at offset 0 and ...
            uint16(0) == 0x5A4D and
            // ... PE signature at offset stored in MZ header at 0x3C
            uint32(uint32(0x3C)) == 0x00004550
    }
Most likely you can do a greater/less than match of this type provided
you put it in the condition part of the rule (like the above rule) and
have a way of specifying which offset you are looking at.
On 4/17/13 3:35 PM, Edwin Smulders wrote:
> My question was unclear, that was not what I meant, but I have decided
> to use another method anyway. Thanks for your time :)
> On 17 April 2013 20:23, Michael Hale Ligh <michael.hale at gmail.com> wrote:
>> Sure, both the BaseYaraScanner.scan() and DiscontigYaraScanner.scan()
>> functions take starting addresses and maxlen parameters. So you can just set
>> start to 0xBFFFF000 and maxlen to 0xFFF.
>> On Wed, Apr 17, 2013 at 9:24 AM, Edwin Smulders <edwin.smulders at gmail.com>
>>> Followup question: can I use yara to match an integer(32) between a
>>> specific range? I did not find this in the documentation, but that
>>> does not always mean it is not possible.
>>> For example, I want to find a pointer of which I know it's in the
>>> 0xBFFFF000-0xBFFFFFFF range. I suppose I could work around that by
>>> searching for a hex string like "BF FF F? ??", but this does not feel
>>> quite the same... Plus the ranges are not known beforehand, I have to
>>> generate these rules.
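The following is an added example, not code from this thread, from Volatility or from YARA. It shows the three things the exchange above touches on: generating a YARA rule whose condition range-checks a 32-bit integer at an offset (the greater/less-than approach suggested in the reply), why the "BF FF F? ??" hex-string workaround only covers ranges that are whole blocks of 16^k aligned values, and a plain-Python scanner that applies the same range test over a memory buffer so the rule's semantics can be checked offline without yara-python. Assumptions that are mine rather than the thread's: pointers are little-endian 32-bit values (x86), so the hex-string bytes are emitted in reversed order; YARA's uint32(offset) accepts >= and <= in a condition; the loop form ("for any i in (0..filesize - 4)") needs a YARA release with integer-range loops, which is newer than the 1.6 manual quoted above. The function names, the base/stride/maxlen parameters and the sample buffer are constructed for illustration, not Volatility's scanner API.

```python
"""Added example (not from the Vol-dev thread, Volatility or YARA).

Assumptions: little-endian 32-bit pointers (x86); YARA uint32(offset)
supports >= / <= in conditions; the for-loop form needs a newer YARA
than the 1.6 manual quoted in the thread.
"""
import struct


def make_range_rule(name, lo, hi, offset=0, scan_all=False):
    """Return YARA rule text that matches a uint32 inside [lo, hi].

    offset:   fixed offset to test (used when scan_all is False)
    scan_all: emit a loop over every offset instead (newer YARA only)
    """
    if not (0 <= lo <= hi <= 0xFFFFFFFF):
        raise ValueError("range must fit in 32 bits and satisfy lo <= hi")
    if scan_all:
        cond = ("for any i in (0..filesize - 4) : "
                f"( uint32(i) >= 0x{lo:08X} and uint32(i) <= 0x{hi:08X} )")
    else:
        cond = (f"uint32({offset}) >= 0x{lo:08X} and "
                f"uint32({offset}) <= 0x{hi:08X}")
    return "\n".join([f"rule {name}", "{", "    condition:", f"        {cond}", "}"])


def range_to_hex_wildcard(lo, hi):
    """Return a YARA hex string (little-endian byte order) that covers [lo, hi]
    exactly, or None when the range is not an aligned block of 16**k values.

    0xBFFFF000-0xBFFFFFFF -> "{ ?? F? FF BF }"
    0xBFFFF123-0xBFFFF456 -> None   (only a numeric comparison can express it)
    """
    for k in range(0, 9):                       # k = number of wildcard nibbles
        mask = (1 << (4 * k)) - 1
        if lo & mask == 0 and hi & mask == mask and (lo >> (4 * k)) == (hi >> (4 * k)):
            nibbles = f"{lo:08X}"[:8 - k] + "?" * k          # big-endian nibbles
            be_bytes = [nibbles[i:i + 2] for i in range(0, 8, 2)]
            return "{ " + " ".join(reversed(be_bytes)) + " }"  # reverse -> little-endian
    return None


def scan_for_pointers(buf, lo, hi, base=0, stride=1, maxlen=None):
    """Offline analogue of scanning a memory region for a pointer in [lo, hi].

    base:   virtual address of buf[0] (like a scanner start address)
    stride: 1 also finds unaligned values; 4 restricts to aligned slots
    maxlen: examine only the first maxlen bytes (None = whole buffer)
    Returns [(virtual_address, value), ...]; hypothetical helper, not Volatility's API.
    """
    region = buf if maxlen is None else buf[:maxlen]
    hits = []
    for off in range(0, len(region) - 3, stride):
        (value,) = struct.unpack_from("<I", region, off)
        if lo <= value <= hi:
            hits.append((base + off, value))
    return hits


# Constructed sample "memory" (not a real capture): two in-range pointers,
# one value just below the range, and filler bytes.
SAMPLE_MEMORY = (
    b"\x41\x41\x41\x41"
    + struct.pack("<I", 0xBFFFF123)   # in range, at offset 4
    + b"\x00\x00\x00\x00"
    + struct.pack("<I", 0xBFFFE000)   # below range, must not match
    + struct.pack("<I", 0xBFFFFFFF)   # top of range, at offset 16
)

if __name__ == "__main__":
    print(make_range_rule("stack_ptr", 0xBFFFF000, 0xBFFFFFFF, offset=0x10))
    print(make_range_rule("stack_ptr_any", 0xBFFFF000, 0xBFFFFFFF, scan_all=True))
    print(range_to_hex_wildcard(0xBFFFF000, 0xBFFFFFFF))
    print(range_to_hex_wildcard(0xBFFFF123, 0xBFFFF456))
    for addr, val in scan_for_pointers(SAMPLE_MEMORY, 0xBFFFF000, 0xBFFFFFFF, base=0x8048000):
        print(f"0x{addr:08X}: 0x{val:08X}")
```

The fixed-offset rule form only tests one location, which is what uint32(offset) in a condition does; to find a pointer anywhere in a region you either loop inside the rule (newer YARA) or, as in the thread, let the scanner walk the region and feed each window to a rule anchored at offset 0.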