Pasazade
Reputation: 1
How can I use pe.entry_point to write YARA rules?
I wrote condition in YARA rule like this pe.entry_point == {12 A5 26} but I am getting unexpected _HEX_STRING_ error. What is the problem? How can I get address of entry_point? What is the type of output of pe.entry_point?
Upvotes: 0
Views: 1218
Answers (2)
3xp101t
Reputation: 1
Been 5 years but I believe using the at syntax would work
strings:
$ep_data = { 12 A5 26 }
condition:
$ep_data at pe.entry_point
Upvotes: 0
Samantha
Reputation: 975
pe.entry_point is a DWORD found in IMAGE_OPTIONAL_HEADER.
The implementation of this function (that is, how Yara retrieves the pe.entry_point value from portable executable files) is available on the Yara Github page.
Regarding the error you encountered, try changing the rule to pe.entry_point == 0x12A526. I'm basing this suggestion off the sample test rule here.
Upvotes: 1
Related Questions
- How can I dump YAML 1.1 booleans (y, n, T, F, etc) as quoted strings with ruamel.yaml
- How to properly set up YAML flow style dumping using round-trip with ruamel.yaml?
- yaml variable in python
- How to validate yaml file from python script?
- Executable access to yaml configuration file using setuptools
- Introducing a YAML string in a python script
- Writing yara rules in Python
- Error using a YAML config file with Python nosetests
- How to write YARA rules based on IOC script?
- YAP initialization file?