One way to find PE files that start at offset 0 and have a single byte xor key:
```yara
rule single_byte_xor_pe_and_mz
{
    meta:
        author = "Wesley Shields <wxs@atarininja.org>"
        description = "Look for single byte xor of a PE starting at offset 0"
    strings:
        // Every single-byte XOR encoding of the PE signature; key 0x00 (plain files) is excluded.
        $b = "PE\x00\x00" xor(0x01-0xff)
    condition:
        // The condition did not survive extraction; it is reconstructed here from the
        // rule's name and description: recover the key from the matched 'P' byte (0x50)
        // and require that offset 0 decodes to "MZ" under that same key.
        for any i in (1..#b) : (
            (uint8(0) ^ (uint8(@b[i]) ^ 0x50)) == 0x4D and
            (uint8(1) ^ (uint8(@b[i]) ^ 0x50)) == 0x5A
        )
}
```
I've shared this technique with some people privately, but might as well share it publicly now since I was asked about it. I've been using this for a while now with good success. It works well for parsing .NET droppers and other things.
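The key-recovery logic the rule depends on, written out in Python as an added example (not code from the gist): find a XOR-encoded "PE\x00\x00", derive the key from the matched 'P' byte, then confirm "MZ" at offset 0 and that the decoded e_lfanew points at the match. The sample header is constructed test data.

```python
PE_SIG = b"PE\x00\x00"


def find_xor_pe(buf: bytes):
    """Return (key, pe_offset) for the first consistent hit, else None.

    Mirrors the YARA rule: try every key 0x01..0xff (0x00 is excluded,
    so plain PE files do not match), and for each hit recover the key
    exactly as the rule does, from the matched 'P' byte XOR 0x50.
    """
    for key in range(1, 256):
        needle = bytes(b ^ key for b in PE_SIG)
        off = buf.find(needle)
        while off != -1:
            k = buf[off] ^ 0x50  # recovered key; equals `key` by construction
            if len(buf) >= 0x40 and buf[0] ^ k == 0x4D and buf[1] ^ k == 0x5A:
                # Tightening beyond the rule: e_lfanew at 0x3c must point at the match.
                e_lfanew = int.from_bytes(bytes(b ^ k for b in buf[0x3C:0x40]), "little")
                if e_lfanew == off:
                    return k, off
            off = buf.find(needle, off + 1)
    return None


def decode(buf: bytes, key: int) -> bytes:
    """Undo the single-byte XOR so the PE can be handed to a parser."""
    return bytes(b ^ key for b in buf)


def make_sample(key: int) -> bytes:
    """Constructed minimal MZ/PE-style header (test data, not a real binary), XOR-encoded with key."""
    pe_off = 0x80
    hdr = bytearray(b"MZ" + b"\x00" * (0x3C - 2))  # DOS header up to e_lfanew
    hdr += pe_off.to_bytes(4, "little")             # e_lfanew
    hdr += b"\x00" * (pe_off - len(hdr))            # DOS stub padding
    hdr += PE_SIG + b"\x4c\x01"                     # signature + i386 machine field
    return bytes(b ^ key for b in hdr)


if __name__ == "__main__":
    sample = make_sample(0x17)
    hit = find_xor_pe(sample)
    print("hit:", hit)                                  # (0x17, 0x80)
    if hit:
        print(decode(sample, hit[0])[:2])               # b'MZ'
```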
If you don't know what the -D flag to YARA does, I suggest you import a module and run a file through using that flag. It will print, to stdout, everything the module parsed that doesn't involve you calling a function. This is a great way to get a quick idea of the structure of a file.