Gist: strictlymike/e597a493cec92428f0a6b3c6d60c31dc
Created November 22, 2021 20:38
Top 3 PE headers through offset 0x3B (not rigorous, mostly Win10)
rule top3mz {
    meta:
        author = "Michael Bailey (@mykill)"
    strings:
        // More precision than with just IMAGE_DOS_SIGNATURE, at a risk of losing some valid hits.
        // Each pattern covers IMAGE_DOS_HEADER offsets 0x00-0x3B; e_lfanew (offset 0x3C) is left out
        // because it varies with the size of the DOS stub that follows the header.
        // Standard Microsoft linker stub header (e_cblp=0x90, e_cp=3, e_cparhdr=4, e_maxalloc=0xffff, e_sp=0xb8, e_lfarlc=0x40)
        $imghdr_mz_01 = { 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 } // 905 mal + 4,157 system32 and 35,983 Windows\ overall (Win10)
        // Zeroed header with only e_lfarlc=0x40 set
        $imghdr_mz_02 = { 4d 5a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 } // 385 under Windows\ (recursive)
        // "MZP" stub as emitted by Borland/Delphi linkers (e_cblp=0x50, e_cp=2, e_minalloc=0x0f, e_ovno=0x1a)
        $imghdr_mz_03 = { 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 } // 15 mal + 2 system32
    condition:
        // Not anchored: this matches the pattern anywhere in the file, not only at offset 0.
        // To require a genuine DOS header at the start, use: for any of ($imghdr_mz_*) : ($ at 0)
        any of ($imghdr_mz_*)
}
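The three prefixes above decoded and applied in code, as an added example that is not part of the gist or the author's tooling. It unpacks the IMAGE_DOS_HEADER WORD fields (names from winnt.h), classifies a file the way the rule's strings do but anchored at offset 0, follows e_lfanew to the PE signature that the rule deliberately ignores, and tallies hits over a directory tree in the spirit of the per-stub counts in the rule's comments. The function names (`classify`, `tally`, `build_sample`), the sample labels and all sample bytes are constructed for this example.

```python
"""Classify PE files by the first 0x3C bytes of their IMAGE_DOS_HEADER,
mirroring the three prefixes in the top3mz YARA rule.  Added example; not
part of the original gist.  The prefixes are copied from the rule, the
field names follow winnt.h, and all sample inputs are constructed inline."""
import struct
from collections import Counter
from typing import Iterable, Optional, Tuple

HDR_LEN = 0x3C  # the rule covers offsets 0x00..0x3B; e_lfanew at 0x3C is excluded

# The three 60-byte prefixes from the rule (28 significant bytes + 32 zero bytes).
TOP3_MZ = {
    "imghdr_mz_01": bytes.fromhex("4d5a9000 03000000 04000000 ffff0000 b8000000 00000000 40000000") + bytes(32),
    "imghdr_mz_02": b"MZ" + bytes(22) + bytes.fromhex("40000000") + bytes(32),
    "imghdr_mz_03": bytes.fromhex("4d5a5000 02000000 04000f00 ffff0000 b8000000 00000000 40001a00") + bytes(32),
}
assert all(len(p) == HDR_LEN for p in TOP3_MZ.values())

# The 14 leading WORD fields of IMAGE_DOS_HEADER; e_res, e_oemid, e_oeminfo, e_res2 follow them.
DOS_WORDS = ("e_magic", "e_cblp", "e_cp", "e_crlc", "e_cparhdr", "e_minalloc", "e_maxalloc",
             "e_ss", "e_sp", "e_csum", "e_ip", "e_cs", "e_lfarlc", "e_ovno")


def parse_dos_header(data: bytes) -> dict:
    """Decode the WORD fields and e_lfanew from the first 0x40 bytes of a file."""
    if len(data) < 0x40:
        raise ValueError("short input: no complete IMAGE_DOS_HEADER")
    hdr = dict(zip(DOS_WORDS, struct.unpack_from("<14H", data, 0)))
    hdr["e_lfanew"] = struct.unpack_from("<I", data, HDR_LEN)[0]
    return hdr


def classify(data: bytes) -> Optional[str]:
    """Name of the rule string whose prefix sits at offset 0, or None.
    Unlike the rule's bare `any of`, this check is anchored at offset 0."""
    for name, prefix in TOP3_MZ.items():
        if data.startswith(prefix):
            return name
    return None


def has_pe_signature(data: bytes) -> bool:
    """Follow e_lfanew and look for 'PE\\0\\0' (the part the rule deliberately skips)."""
    if len(data) < 0x40:
        return False
    e_lfanew = parse_dos_header(data)["e_lfanew"]
    return e_lfanew <= len(data) - 4 and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def tally(samples: Iterable[Tuple[str, bytes]]) -> Counter:
    """Count which rule string each (label, data) pair hits; misses count as 'no_match'."""
    counts: Counter = Counter()
    for _label, data in samples:
        counts[classify(data) or "no_match"] += 1
    return counts


def build_sample(prefix: bytes, e_lfanew: int = 0x40) -> bytes:
    """Constructed minimal blob: DOS header prefix, e_lfanew, then 'PE\\0\\0' at e_lfanew."""
    blob = prefix + struct.pack("<I", e_lfanew)
    return blob + bytes(e_lfanew - len(blob)) + b"PE\0\0"


# Constructed inputs: the three stubs the rule knows, a valid PE whose stub header was
# modified (the "lost valid hit" the rule's comment warns about), and a non-PE file.
SAMPLES = {
    "msvc_stub": build_sample(TOP3_MZ["imghdr_mz_01"]),
    "zeroed_stub": build_sample(TOP3_MZ["imghdr_mz_02"], e_lfanew=0x80),
    "borland_stub": build_sample(TOP3_MZ["imghdr_mz_03"]),
    "custom_stub": build_sample(b"MZ" + b"\xff\xff" + TOP3_MZ["imghdr_mz_01"][4:]),  # e_cblp altered
    "not_pe": b"\x7fELF" + bytes(60),
}


if __name__ == "__main__":
    import os
    import sys

    def read_mz_heads(roots):
        """Yield (path, first 0x40 bytes) for every file under roots that starts with 'MZ'."""
        for root in roots:
            for dirpath, _dirs, files in os.walk(root):
                for fn in files:
                    path = os.path.join(dirpath, fn)
                    try:
                        with open(path, "rb") as fh:
                            head = fh.read(0x40)
                    except OSError:
                        continue
                    if head[:2] == b"MZ":
                        yield path, head

    roots = sys.argv[1:]
    print(tally(read_mz_heads(roots)) if roots else tally(SAMPLES.items()))
```

Run it with one or more directories as arguments (for instance a system32 tree) to get a per-stub count comparable to the figures in the rule's comments; with no arguments it tallies the constructed samples. The `custom_stub` sample is a well-formed PE (its e_lfanew leads to a valid signature) that none of the three prefixes match, which is exactly the precision-for-recall trade the rule's first comment describes.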