foregenix

## modpipe_disk_rules.yara
import "pe"

rule ModPipe_Loader
{
    condition:
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and
        for any i in (0..pe.number_of_sections - 1): (
            pe.sections[i].name == ".flat" and (
                pe.sections[i].characteristics & pe.SECTION_MEM_EXECUTE and
                pe.sections[i].characteristics & pe.SECTION_MEM_WRITE) and
	import "pe"

	rule ModPipe_Loader
	{
	condition:
	uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and
	for any i in (0..pe.number_of_sections - 1): (
	pe.sections[i].name == ".flat" and (
	pe.sections[i].characteristics & pe.SECTION_MEM_EXECUTE and
	pe.sections[i].characteristics & pe.SECTION_MEM_WRITE) and