TechQA.

How can I use pe.entry_point to write YARA rules?

1k views Asked by At

I wrote condition in YARA rule like this pe.entry_point == {12 A5 26} but I am getting unexpected _HEX_STRING_ error. What is the problem? How can I get address of entry_point? What is the type of output of pe.entry_point?

portable-executable malware-detection yara
Original Q&A
2

There are 2 answers

0
Samantha On

pe.entry_point is a DWORD found in IMAGE_OPTIONAL_HEADER.

The implementation of this function (that is, how Yara retrieves the pe.entry_point value from portable executable files) is available on the Yara Github page.

Regarding the error you encountered, try changing the rule to pe.entry_point == 0x12A526. I'm basing this suggestion off the sample test rule here.

0
3xp101t On

Been 5 years but I believe using the at syntax would work

strings:
  $ep_data = { 12 A5 26 }
condition:
  $ep_data at pe.entry_point

Related Questions in PORTABLE-EXECUTABLE

Related Questions in MALWARE-DETECTION

Related Questions in YARA

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions