File: rules.yara

plaso 20241006-3
// Matches any file whose first two bytes are "MZ", the DOS header magic.
// This is a coarse pre-filter, not a PE check: plain DOS executables and any
// other file that happens to start with these two bytes match as well.
rule PEfileBasic {
  strings:
    // DOS header magic (the e_magic field of the DOS header).
    // NOTE(review): a two-byte string gives YARA very little to anchor on and
    // typically produces a "slows down scanning" warning; the usual equivalent
    // is `uint16(0) == 0x5A4D` in the condition. Switching would change the
    // matched-string list reported for the rule, so confirm no consumer
    // depends on $mz before changing it.
    $mz = "MZ"

  condition:
    // Anchored to file offset 0: "MZ" anywhere else in the file does not match.
    ($mz at 0)
}

// Matches files that have "MZ" at offset 0 and "PE" at the offset stored in
// the 32-bit field at 0x3c. This is a format heuristic only; a match says
// nothing about whether the file is malicious or even a well-formed PE.
rule PEfile {
  strings:
    // DOS header magic (the e_magic field of the DOS header).
    $mz = "MZ"
    // First two bytes of the PE signature. The full signature is four bytes,
    // "PE\0\0"; the two trailing NUL bytes are not checked by this rule.
    // NOTE(review): to require the full signature, add
    // `uint32(uint32(0x3c)) == 0x00004550` to the condition.
    $pe = "PE"

  condition:
    // uint32(0x3c) reads the little-endian 32-bit value at file offset 0x3c
    // (e_lfanew in the DOS header), which holds the offset of the PE signature.
    // The value comes from the scanned file itself, so a crafted file can point
    // it anywhere; if the read falls outside the file the expression is
    // undefined and the rule should simply not match — TODO confirm against
    // the YARA version in use.
    ($mz at 0) and ($pe at uint32(0x3c))
}