Yara isPCode rule


Author: David Zimmer
Date: 02.14.22 - 1:39pm



Just a quickie. The second rule, "test", can be used in yara workbench to see the dumped intermediate values for debugging.

import "pe"
//ywbPath: ./ -r

rule isVB6_PCode
{
    condition:
        pe.is_32bit() and pe.imports("msvbvm60.dll") and
        uint32( //vbheader.projectInfo.isNativeCode 
            uint32(
                uint32(pe.entry_point+1)-pe.image_base+0x30
            )-pe.image_base+0x20 
        ) == 0
}


rule test
{
    condition:
        pe.is_32bit() and pe.imports("msvbvm60.dll") and
        (
            pe.dbg(pe.image_base) and
            pe.dbg("vbheader struct va:", uint32(pe.entry_point+1)) and
            pe.dbg("project info struct:", uint32((uint32(pe.entry_point+1)-pe.image_base)+0x30)) and
            pe.dbg("isNativeCode:", uint32(uint32((uint32(pe.entry_point+1)-pe.image_base)+0x30)-pe.image_base+0x20))
        )
}
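The same pointer walk done in Python, added here as an example that is not part of the post or of yara workbench, so the values the "test" rule dumps (VBHeader VA, ProjectInfo pointer, lpNativeCode) can be cross-checked outside YARA. It maps RVAs to file offsets through the section table rather than assuming RVA == file offset as the rule's uint32() reads do; the "VB5!" magic check and the constructed sample image (build_sample) are assumptions added for the example, not a real VB6 binary.

```python
import struct
VBH_LP_PROJECT_DATA = 0x30  # VBHeader.lpProjectData, the +0x30 in the rule
PI_LP_NATIVE_CODE = 0x20    # ProjectInfo.lpNativeCode, the +0x20 in the rule; 0 means P-Code

def u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]

def parse_pe32(buf):
    """Return (image_base, entry_rva, [(va, size, raw_offset), ...]) from the PE32 headers."""
    pe = u32(buf, 0x3C)
    if buf[pe:pe + 4] != b"PE\x00\x00" or struct.unpack_from("<H", buf, pe + 24)[0] != 0x10B:
        raise ValueError("not a PE32 file (VB6 only emits 32-bit images)")
    nsec, opt_size = struct.unpack_from("<H", buf, pe + 6)[0], struct.unpack_from("<H", buf, pe + 20)[0]
    entry_rva, image_base = u32(buf, pe + 0x28), u32(buf, pe + 0x34)   # AddressOfEntryPoint, ImageBase
    secs = [struct.unpack_from("<IIII", buf, pe + 24 + opt_size + i * 40 + 8) for i in range(nsec)]
    return image_base, entry_rva, [(va, max(vs, rs), raw) for vs, va, rs, raw in secs]

def rva_to_offset(rva, sections):
    """Map an RVA to a file offset through the section table (the rule assumes RVA == file offset)."""
    for va, size, raw in sections:
        if va <= rva < va + size:
            return raw + (rva - va)
    raise ValueError(f"RVA {rva:#x} falls outside every section")

def vb6_is_pcode(buf):
    """EP 'push VBHeader' -> VBHeader.lpProjectData -> ProjectInfo.lpNativeCode; True when that is 0."""
    image_base, entry_rva, sections = parse_pe32(buf)
    ep = rva_to_offset(entry_rva, sections)
    if buf[ep] != 0x68:                          # VB6 entry is 'push imm32; call ThunRTMain'
        raise ValueError("entry point does not start with 'push VBHeader'")
    vbh = rva_to_offset(u32(buf, ep + 1) - image_base, sections)
    if buf[vbh:vbh + 4] != b"VB5!":              # magic at the start of VBHeader (assumed check)
        raise ValueError("no VB5! magic at the pushed address")
    proj = rva_to_offset(u32(buf, vbh + VBH_LP_PROJECT_DATA) - image_base, sections)
    return u32(buf, proj + PI_LP_NATIVE_CODE) == 0

def build_sample(lp_native_code):
    """Constructed test image (not a real VB6 EXE): one section at RVA 0x1000 backed by file offset 0x200."""
    ib, va, raw = 0x400000, 0x1000, 0x200
    hdr, sec = bytearray(raw), bytearray(0x200)
    hdr[0:2], hdr[0x3C:0x44] = b"MZ", b"\x40\x00\x00\x00PE\x00\x00"  # e_lfanew = 0x40, then PE signature
    struct.pack_into("<HIIIH", hdr, 0x46, 1, 0, 0, 0, 0xE0)          # NumberOfSections .. SizeOfOptionalHeader
    struct.pack_into("<HBBIIIIIII", hdr, 0x58, 0x10B, 0, 0, 0, 0, 0, va, 0, 0, ib)  # magic .. EntryPoint .. ImageBase
    struct.pack_into("<IIII", hdr, 0x58 + 0xE0 + 8, 0x200, va, 0x200, raw)  # section VSize, VA, RawSize, RawPtr
    sec[0:5] = b"\x68" + struct.pack("<I", ib + va + 0x100)         # push VBHeader (VBHeader at RVA 0x1100)
    sec[0x100:0x104] = b"VB5!"
    struct.pack_into("<I", sec, 0x100 + VBH_LP_PROJECT_DATA, ib + va + 0x180)  # lpProjectData -> RVA 0x1180
    struct.pack_into("<I", sec, 0x180 + PI_LP_NATIVE_CODE, lp_native_code)
    return bytes(hdr + sec)
```

On a real sample, read the file into `buf` and call `vb6_is_pcode(buf)`; the ValueError paths flag binaries whose entry point is not the standard VB6 stub.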




