Created
May 21, 2018 01:16
-
-
Save wxsBSD/2936585412fd57f039fd7ecd7b24cd1b to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| * fmtid + 24 == number of property identifiers and offsets | |
| * fmtid + 28 == start of property identifier and offsets (4 bytes each) | |
| */ | |
| rule test { | |
| strings: | |
| //$fmtid = { 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae } | |
| $fmtid = { e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 } | |
| $redacted_author = "REDACTED AUTHOR" | |
| condition: | |
| $fmtid and | |
| for 3 i in (0..(uint32(@fmtid + 24) - 1) * 2): | |
| ( | |
| i % 2 == 0 and // Skip every other dword (offsets) | |
| ( | |
| ( | |
| uint32(@fmtid[1] + 28 + (4 * i)) == 0x01 and // Codepage property | |
| uint32(@fmtid[1] + 20 + (uint32(@fmtid[1] + 28 + (4 * i) + 4))) == 0x02 and // VT_I2 type | |
| uint32(@fmtid[1] + 24 + (uint32(@fmtid[1] + 28 + (4 * i) + 4))) == 0x01b5 // OEM United States | |
| ) | |
| or | |
| ( | |
| uint32(@fmtid[1] + 28 + (4 * i)) == 0x08 and // Last author property | |
| uint32(@fmtid[1] + 20 + (uint32(@fmtid[1] + 28 + (4 * i) + 4))) == 0x1e and // VT_LPSTR type | |
| $redacted_author at (@fmtid[1] + 24 + (uint32(@fmtid[1] + 28 + (4 * i) + 4)) + 4) | |
| ) | |
| or | |
| ( | |
| uint32(@fmtid[1] + 28 + (4 * i)) == 0x0d and // Last saved property | |
| uint32(@fmtid[1] + 20 + (uint32(@fmtid[1] + 28 + (4 * i) + 4))) == 0x40 and // VT_FILETIME type | |
| uint32(@fmtid[1] + 24 + (uint32(@fmtid[1] + 28 + (4 * i) + 4))) == 0xffffffff and // dwLowDateTime | |
| uint32(@fmtid[1] + 24 + (uint32(@fmtid[1] + 28 + (4 * i) + 4)) + 4) == 0xffffffff // dwHighDateTime | |
| ) | |
| ) | |
| ) | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment