Created
January 25, 2022 11:46
-
-
Save tombonner/70f9df512b649533c40cccc6f1a08c30 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import "pe" | |
| import "math" | |
| import "hash" | |
| rule IterateResourcesDemo | |
| { | |
| meta: | |
| description = "Example rule to iterate over PE resources and calculate entropy, MD5 and check for strings" | |
| strings: | |
| $test = "Test" | |
| condition: | |
| // Iterate over resources | |
| for any i in (0 .. pe.number_of_resources - 1): | |
| ( | |
| // Check resource entropy | |
| math.entropy(pe.resources[i].offset, pe.resources[i].length) > 7.0 or | |
| // Check resource hash | |
| hash.md5(pe.resources[i].offset, pe.resources[i].length) == "44d88612fea8a8f36de82e1278abb02f" or | |
| // Check for string in resource | |
| $test in (pe.resources[i].offset .. pe.resources[i].offset + pe.resources[i].length) | |
| ) | |
| } | |
| rule IterateSectionsDemo | |
| { | |
| meta: | |
| description = "Example rule to iterate over PE sections and calculate entropy, MD5 and check for strings" | |
| strings: | |
| $test = "Test" | |
| condition: | |
| // Iterate over sections | |
| for any i in (0 .. pe.number_of_sections - 1): | |
| ( | |
| // Check section entropy | |
| math.entropy(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) > 7.0 or | |
| // Check section hash | |
| hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "44d88612fea8a8f36de82e1278abb02f" or | |
| // Check for string in section | |
| $test in (pe.sections[i].raw_data_offset .. pe.sections[i].raw_data_offset + pe.sections[i].raw_data_size) | |
| ) | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment