stvemillertime/ExportEngine_xArch.yar

## ExportEngine_xArch.yar
import "pe"
rule ExportEngine_xArch
{
    meta:
        author = "@stvemillertime"
        description = "This looks for Win PEs where Export DLL name is a something like x32.dat"
	strings:
    	$pcre = /[\x00-\x7F]{0,100}x(32|64|86)[\x00-\x7F]{0,100}\.(dat|dll|sys|exe)\x00/
	condition:
    	uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and $pcre at pe.rva_to_offset(uint32(pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_EXPORT].virtual_address) + 12))
}
	import "pe"
	rule ExportEngine_xArch
	{
	meta:
	author = "@stvemillertime"
	description = "This looks for Win PEs where Export DLL name is a something like x32.dat"
	strings:
	$pcre = /[\x00-\x7F]{0,100}x(32\|64\|86)[\x00-\x7F]{0,100}\.(dat\|dll\|sys\|exe)\x00/
	condition:
	uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and $pcre at pe.rva_to_offset(uint32(pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_EXPORT].virtual_address) + 12))
	}