I wrote condition in YARA rule like this pe.entry_point == {12 A5 26} but I am getting unexpected _HEX_STRING_ error. What is the problem? How can I get address of entry_point? What is the type of output of pe.entry_point?
How can I use pe.entry_point to write YARA rules?
1k Views Asked by Pasazade At
2
There are 2 best solutions below
Related Questions in PORTABLE-EXECUTABLE
- How can I patch a function call to a Windows DLL (e.g. kernel32 LoadLibrary)? Is this even possible?
- How to protect MSI installer digital signature from tampering
- How can I extract raw bytes of DOS stub using python's pefile library?
- How can I decompile an exe protected by a PE packer?
- Spurious trampoline when calling function from DLL
- Trying to convert MASM into C equivalent, but getting different result
- Parse PE File with C in Windows
- PE Loader with Relocation
- How do file pointers point to the of data on the disk?
- Software copyright infringement
- Getting the forwarded function name
- parsing a PE file to find the export table address using CFF explorer and msdn doc
- Extract/parse resources from Portable Executable (PE) file
- A “universal” binary?
- Relocation Table and IDA
Related Questions in MALWARE-DETECTION
- Executable generated with gitlab-ci, blocked by Windows Defender (Program:Win32/Wacapew.C!ml)
- How can I be sure that my keyboard is doing only what it supposed to do?
- Is deleting all partitions on USB is safe?
- Malware and Phishing Detection Discrepancy between Google Web Risk Lookup API and VirusTotal
- Can Android Studio be setup as an environment for malware analysis?
- Powershell script to monitor a process with services
- How to disable antivirus software (Windows Defender?) on GitLab's Windows runner?
- How do I make a Multimodal dataset of image and general tabular data of mobile malware?
- Alternatives to URLVoid and VirusTotal that can be run offline
- How Does the Zero Trust Paradigm Work at Nucleon EDR?
- how yara express a string at half of a file
- How to collect in memory strings of process which executes for a second and terminates
- Python Modules Safe?
- Simple Kotlin application getting malware warning
- Siteground detects malware in SimpleCaptchaClass.php file
Related Questions in YARA
- getting error while compiling a VC++ program using yara librarary yaralib in release mode
- Issue to create a Yara rule using the ssdeep fuzzy hashing technique
- how yara express a string at half of a file
- Rule outcomes in YARA-L (Google Cloud Chronicle)
- How to write a REGEX search that will search through blocks of multiline patterns and only match on a block that contains a specified string?
- Yara command line throws non-ascii character error
- Build yara static lib with a musl-gcc for rust project
- Yara Rules not matching a String - Windows Event
- Install yara-python gives "Cannot open include file: 'openssl/asn1.h'" on Windows 11
- Is there a way to get specific information of yara rules on Python?
- Counting regex strings in Yara
- Specifying an unknown number of conditions
- Using YARA in windows machine WAZUH
- Python FileNotFoundError: Could not find module 'venv\DLLs\libyara.dll' (or one of its dependencies) on Windows 11
- YARA Rule - Regex - String with at least one digit
Trending Questions
- UIImageView Frame Doesn't Reflect Constraints
- Is it possible to use adb commands to click on a view by finding its ID?
- How to create a new web character symbol recognizable by html/javascript?
- Why isn't my CSS3 animation smooth in Google Chrome (but very smooth on other browsers)?
- Heap Gives Page Fault
- Connect ffmpeg to Visual Studio 2008
- Both Object- and ValueAnimator jumps when Duration is set above API LvL 24
- How to avoid default initialization of objects in std::vector?
- second argument of the command line arguments in a format other than char** argv or char* argv[]
- How to improve efficiency of algorithm which generates next lexicographic permutation?
- Navigating to the another actvity app getting crash in android
- How to read the particular message format in android and store in sqlite database?
- Resetting inventory status after order is cancelled
- Efficiently compute powers of X in SSE/AVX
- Insert into an external database using ajax and php : POST 500 (Internal Server Error)
Popular # Hahtags
Popular Questions
- How do I undo the most recent local commits in Git?
- How can I remove a specific item from an array in JavaScript?
- How do I delete a Git branch locally and remotely?
- Find all files containing a specific text (string) on Linux?
- How do I revert a Git repository to a previous commit?
- How do I create an HTML button that acts like a link?
- How do I check out a remote Git branch?
- How do I force "git pull" to overwrite local files?
- How do I list all files of a directory?
- How to check whether a string contains a substring in JavaScript?
- How do I redirect to another webpage?
- How can I iterate over rows in a Pandas DataFrame?
- How do I convert a String to an int in Java?
- Does Python have a string 'contains' substring method?
- How do I check if a string contains a specific word?
pe.entry_pointis aDWORDfound inIMAGE_OPTIONAL_HEADER.The implementation of this function (that is, how Yara retrieves the
pe.entry_pointvalue from portable executable files) is available on the Yara Github page.Regarding the error you encountered, try changing the rule to
pe.entry_point == 0x12A526. I'm basing this suggestion off the sample test rule here.