Created
March 18, 2019 13:38
-
-
Save stvemillertime/8cb84d37d47d9ff70182ca2f6a711fcb to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule methodology_golang_build_strings | |
| { | |
| meta: | |
| author = "smiller" | |
| version = "1.0" | |
| date = "10/5/2038" | |
| description = "Looks for PEs with a Golang build ID" | |
| reference_hash = "94fa902d1473c35659d2396eccde596c" | |
| strings: | |
| $a01 = "go.buildid" | |
| $a02 = "Go build ID:" | |
| condition: | |
| uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and 2 of them and filesize < 8MB | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment