The YARA rule I wrote yesterday was not accurate; it has a problem when matching two strings that occur repeatedly. Here is a rewrite:
rule IsPEFile
{
    strings:
        $header = { 4D 5A [64-256] 50 45 }
    condition:
        $header
}
Of course, that is only a demonstration: a hex string matches anywhere in the file and the jump only constrains the distance between "MZ" and "PE", whereas a real PE file has "MZ" at offset 0 and the PE signature at the offset stored in the DOS header field at 0x3C (e_lfanew). The correct way to write it is:
rule IsPE
{
    condition:
        // MZ signature at offset 0 and ...
        uint16(0) == 0x5A4D and
        // ... PE signature at offset stored in MZ header at 0x3C
        uint32(uint32(0x3C)) == 0x00004550
}
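To see concretely where the two rules diverge, here is an added example (my own code, not from the original post) that emulates both conditions in Python and runs them over a few constructed byte strings: a typical PE layout, a PE whose DOS stub pushes the PE header past 256 bytes, a non-PE blob that happens to contain "MZ" and "PE" the right distance apart, and a truncated file. The `hex_jump_rule` regex stands in for the `{4D 5A [64-256] 50 45}` hex string, and `is_pe` mirrors `uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550`, including YARA's behaviour that an out-of-bounds `uintN()` read makes the condition false. The sample names and the `build_sample` helper are assumptions for illustration.

```python
import re
import struct


def hex_jump_rule(data: bytes) -> bool:
    """Emulate the loose rule { 4D 5A [64-256] 50 45 }.

    A YARA hex string is searched for anywhere in the file, and the jump
    only constrains how many bytes lie between the two fragments, so this
    regex is what the loose rule actually checks.
    """
    return re.search(rb"MZ[\s\S]{64,256}PE", data) is not None


def is_pe(data: bytes) -> bool:
    """Emulate uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550.

    YARA's uintN(offset) reads little-endian values and evaluates to
    undefined (so the rule does not match) when the read falls outside
    the file; the bounds checks below reproduce that behaviour.
    """
    if len(data) < 0x40:                       # DOS header is 64 bytes
        return False
    if struct.unpack_from("<H", data, 0)[0] != 0x5A4D:
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data):               # PE signature must fit in the file
        return False
    return struct.unpack_from("<I", data, e_lfanew)[0] == 0x00004550


def build_sample(e_lfanew: int) -> bytes:
    """Constructed sample (assumed helper): a minimal DOS header, zero
    filler, and the PE signature placed at e_lfanew. Only the fields the
    two rules inspect are meaningful; everything else is padding."""
    header = bytearray(0x40)
    header[0:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, e_lfanew)
    return bytes(header) + b"\x00" * (e_lfanew - 0x40) + b"PE\x00\x00" + b"\x00" * 0x80


# Constructed inputs, not real files.
SAMPLES = {
    "typical_pe": build_sample(0x80),
    # Large DOS stub: PE header sits 1024 bytes in, beyond the 256-byte jump.
    "large_stub_pe": build_sample(0x400),
    # Not a PE at all, but "MZ" and "PE" happen to be 100 bytes apart.
    "not_pe_text": b"MZ" + b"A" * 100 + b"PE is just text here",
    # Shorter than a DOS header.
    "truncated": b"MZ" + b"\x00" * 10,
}


def compare(samples=SAMPLES) -> dict:
    """Return {name: (hex_jump_rule result, is_pe result)} for each sample."""
    return {name: (hex_jump_rule(data), is_pe(data)) for name, data in samples.items()}


if __name__ == "__main__":
    for name, (loose, strict) in compare().items():
        print(f"{name:15s} hex-jump rule: {loose!s:5s} structured rule: {strict}")
```

Running it shows the loose rule missing the large-stub PE (false negative) and firing on the text blob (false positive), while the structured rule gets all four right; that is exactly why the header-offset check is the one to use.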