[clamav-users] Keymarble Yara rule?
Arnaud Jacques
webmaster at securiteinfo.com
Sun Aug 12 12:04:06 UTC 2018
On 12/08/2018 at 13:59, Alessandro Vesely wrote:
> On Sat 11/Aug/2018 19:43:34 +0200 G.w. Haywood wrote:
>
>> Hi there,
>>
>> On Sat, 11 Aug 2018, Alessandro Vesely wrote:
>>
>> Re: Keymarble Yara rule?
>>> 00000000 4d 5a 74 68 69 73 20 69 73 20 61 20 64 75 6d 6d |MZthis is a dumm|
>>> 00000010 79 20 6b 65 79 6d 61 72 62 6c 65 20 66 69 6c 65 |y keymarble file|
>>> 00000020 20 63 72 65 61 74 65 64 20 66 6f 72 20 6d 61 6b | created for mak|
>>> 00000030 69 6e 67 20 74 65 73 74 73 0a 00 00 40 00 00 00 |ing tests...@...|
>>> 00000040 50 45 62 63 39 62 37 35 61 33 31 31 37 37 35 38 |PEbc9b75a3117758|
>>> ...
>>> (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and
>>> any of them
>>
>> The second offset looks wrong to me.
>>
>
> Why? uint32(0x3c) is 0x00000040...
Because each line is 16 bytes long (0x10).
So "00000040" is in hexadecimal, not decimal.
--
Cordialement / Best regards,
Arnaud Jacques
Manager of SecuriteInfo.com
Phone: +33-(0)3.44.39.76.46
E-mail: aj at securiteinfo.com
Website: https://www.securiteinfo.com
Facebook: https://www.facebook.com/pages/SecuriteInfocom/132872523492286
Twitter: @SecuriteInfoCom
Securiteinfo.com
IT Security - Information Security.
266, rue de Villers
60123 Bonneuil en Valois
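The YARA condition quoted in this thread, re-implemented in Python and evaluated against the dummy "keymarble" test file rebuilt from the quoted hex dump; this is an added example, not code from the thread or from ClamAV/YARA. The sample bytes are constructed from the dump (the elided rows are not reproduced), and the hexdump renderer mirrors the quoted layout to show that the left column is a hexadecimal offset advancing 0x10 per row.

```python
import struct

# Constructed sample: the first 0x50 bytes of the dummy test file, rebuilt
# from the hex dump quoted above. Offset 0x3c holds e_lfanew = 0x40
# (little-endian), and offset 0x40 holds the "PE" signature.
SAMPLE = bytearray(0x50)
SAMPLE[0x00:0x3A] = b"MZthis is a dummy keymarble file created for making tests\n"
SAMPLE[0x3C:0x40] = struct.pack("<I", 0x40)   # e_lfanew: a hex offset, i.e. byte 64
SAMPLE[0x40:0x50] = b"PEbc9b75a3117758"       # "PE" at 0x40, then dummy content


def uint16(data: bytes, offset: int) -> int:
    """YARA uint16(offset): unsigned 16-bit little-endian integer at offset."""
    return struct.unpack_from("<H", data, offset)[0]


def uint32(data: bytes, offset: int) -> int:
    """YARA uint32(offset): unsigned 32-bit little-endian integer at offset."""
    return struct.unpack_from("<I", data, offset)[0]


def looks_like_pe(data: bytes) -> bool:
    """Mirror the quoted condition:
    uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550
    A read past the end of the buffer is treated as a failed match, which
    is what a YARA rule with an undefined value in its condition does."""
    if len(data) < 0x40:
        return False
    if uint16(data, 0) != 0x5A4D:          # "MZ" read little-endian is 0x5A4D
        return False
    e_lfanew = uint32(data, 0x3C)          # offset of the PE header
    if e_lfanew + 2 > len(data):           # out-of-range read: no match
        return False
    return uint16(data, e_lfanew) == 0x4550  # "PE" read little-endian is 0x4550


def hexdump(data: bytes) -> list:
    """Render data like the quoted dump: 16 bytes per row, the left column
    being the row's starting offset in hexadecimal (so the fourth row is
    00000030 and "40" there is 0x40, not decimal 40)."""
    rows = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        rows.append(f"{off:08x} {hexpart} |{text}|")
    return rows


if __name__ == "__main__":
    print("\n".join(hexdump(SAMPLE)))
    print("uint32(0x3c) =", hex(uint32(SAMPLE, 0x3C)), "matches:", looks_like_pe(SAMPLE))
```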