Edwin,
I'm not sure if this helps you now, but check out this example rule from
the yara manual
(https://code.google.com/p/yara-project/downloads/detail?name=YARA%20User%27…)
YARA manual v1.6

rule IsPE
{
    condition:
        // MZ signature at offset 0 and ...
        uint16(0) == 0x5A4D and
        // ... PE signature at offset stored in MZ header at 0x3C
        uint32(uint32(0x3C)) == 0x00004550
}
Most likely you can do a greater/less than match of this type provided
you put it in the condition part of the rule (like the above rule) and
have a way of specifying which offset you are looking at.
Blake
On 4/17/13 3:35 PM, Edwin Smulders wrote:
My question was unclear, that was not what I meant, but I have decided
to use another method anyway. Thanks for your time :)
On 17 April 2013 20:23, Michael Hale Ligh <michael.hale(a)gmail.com> wrote:
> Sure, both the BaseYaraScanner.scan() and DiscontigYaraScanner.scan()
> functions take starting addresses and maxlen parameters. So you can just set
> start to 0xBFFFF000 and maxlen to 0xFFF.
>
>
> On Wed, Apr 17, 2013 at 9:24 AM, Edwin Smulders <edwin.smulders(a)gmail.com>
> wrote:
>> Followup question: can I use yara to match an integer(32) between a
>> specific range? I did not find this in the documentation, but that
>> does not always mean it is not possible.
>> For example, I want to find a pointer of which I know it's in the
>> 0xBFFFF000-0xBFFFFFFF range. I suppose I could work around that by
>> searching for a hex string like "BF FF F? ??", but this does not feel
>> quite the same... Plus the ranges are not known beforehand, I have to
>> generate these rules.
>>
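
Added example (not part of the original thread and not YARA or Volatility code): a Python sketch that generates YARA rule text for a 32-bit value in a given range, either as a hex string with nibble wildcards or as an integer comparison at a known offset in the condition, plus a reference scanner to check results against. The function names are hypothetical, and it assumes a little-endian 32-bit target, so the bytes of the pointer appear in memory in reverse order.

```python
import struct

def find_u32_in_range(buf, lo, hi, step=4):
    """Reference check: offsets where a little-endian uint32 is in [lo, hi]."""
    return [off for off in range(0, len(buf) - 3, step)
            if lo <= struct.unpack_from("<I", buf, off)[0] <= hi]

def range_to_hex_pattern(lo, hi):
    """YARA hex string body for [lo, hi], or None when the range is not
    a fixed prefix followed by fully wildcarded low nibbles."""
    if not 0 <= lo <= hi <= 0xFFFFFFFF:
        raise ValueError("expected 0 <= lo <= hi <= 0xFFFFFFFF")
    wild = 0  # number of low nibbles that span 0x0..0xF
    while (wild < 8 and ((lo >> 4 * wild) & 0xF) == 0x0
           and ((hi >> 4 * wild) & 0xF) == 0xF):
        wild += 1
    if wild < 8 and (lo >> 4 * wild) != (hi >> 4 * wild):
        return None  # remaining prefix differs: one pattern cannot express it
    text = ("%08X" % lo)[:8 - wild] + "?" * wild   # most significant first
    byts = [text[i:i + 2] for i in range(0, 8, 2)]
    return " ".join(reversed(byts))                # order as laid out in memory

def make_rule(name, lo, hi, offset=None):
    """Build YARA rule text matching a 32-bit value in [lo, hi]."""
    if offset is not None:
        # Known offset: integer comparison in the condition, as in IsPE.
        cond = ("uint32(0x%X) >= 0x%08X and uint32(0x%X) <= 0x%08X"
                % (offset, lo, offset, hi))
        return "rule %s\n{\n    condition:\n        %s\n}\n" % (name, cond)
    pat = range_to_hex_pattern(lo, hi)
    if pat is None:
        raise ValueError("range is not nibble-aligned; split it or use an offset")
    return ("rule %s\n{\n    strings:\n        $ptr = { %s }\n"
            "    condition:\n        $ptr\n}\n" % (name, pat))
```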