Yara isPCode rule

Author: David Zimmer
Date: 02.14.22 - 1:39pm

Just a quickie, the 2nd rule "test" can be used in yara workbench to see dumped values for debugging.

    import "pe"
    //ywbPath: ./ -r
    rule isVB6_PCode {
        condition:
            pe.is_32bit() and pe.imports("msvbvm60.dll") and
            // entry stub is "push <VBHeader VA>; call ThunRTMain": read the push operand,
            // then VBHeader+0x30 (lpProjectData) and ProjectInfo+0x20 (lpNativeCode);
            // a null lpNativeCode means the image carries P-Code
            uint32( //vbheader.projectInfo.isNativeCode
                uint32( uint32(pe.entry_point+1)-pe.image_base+0x30 )-pe.image_base+0x20
            ) == 0
    }
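The same pointer walk in Python, added here as an illustration and not part of the original post or its YARA rule: it resolves each VA through the section table instead of subtracting pe.image_base directly, since the rule's arithmetic treats RVAs as file offsets (true only when section and file alignment coincide), and it also checks the push opcode and the "VB5!" magic before trusting the pointers. The PE fragments, section layout and offsets in build_sample are a constructed fixture, not a real binary.

```python
import struct

IMAGE_BASE = 0x400000  # assumed image base for the constructed fixture


def va_to_offset(va, image_base, sections):
    """Map a virtual address to a file offset via the section table.
    sections: list of (virtual_address, pointer_to_raw_data, size_of_raw_data)."""
    rva = va - image_base
    for vaddr, raw_ptr, raw_size in sections:
        if vaddr <= rva < vaddr + raw_size:
            return rva - vaddr + raw_ptr
    raise ValueError(f"VA {va:#x} is not backed by file data")


def u32(data, off):
    return struct.unpack_from("<I", data, off)[0]


def vb6_code_kind(data, entry_off, image_base, sections):
    """Return 'pcode', 'native', or None when the entry does not look like VB6."""
    if data[entry_off] != 0x68:                      # push imm32 (VBHeader VA)
        return None
    hdr_off = va_to_offset(u32(data, entry_off + 1), image_base, sections)
    if data[hdr_off:hdr_off + 4] != b"VB5!":         # VBHeader.szVbMagic
        return None
    proj_off = va_to_offset(u32(data, hdr_off + 0x30), image_base, sections)  # lpProjectData
    return "pcode" if u32(data, proj_off + 0x20) == 0 else "native"          # lpNativeCode


def build_sample(native):
    """Constructed fixture: one section whose RVA 0x1000 is backed by file offset 0x400,
    so RVA != file offset and plain image_base subtraction would read the wrong bytes."""
    sections = [(0x1000, 0x400, 0x1000)]
    img = bytearray(0x1400)
    entry = 0x500                                    # file offset of RVA 0x1100
    img[entry] = 0x68                                # push
    struct.pack_into("<I", img, entry + 1, IMAGE_BASE + 0x1200)   # VBHeader at RVA 0x1200
    img[0x600:0x604] = b"VB5!"
    struct.pack_into("<I", img, 0x600 + 0x30, IMAGE_BASE + 0x1300)  # lpProjectData
    struct.pack_into("<I", img, 0x700 + 0x20, IMAGE_BASE + 0x2000 if native else 0)
    return bytes(img), entry, sections


if __name__ == "__main__":
    for flag in (False, True):
        data, entry, sections = build_sample(flag)
        print(vb6_code_kind(data, entry, IMAGE_BASE, sections))
```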