[clamav-users] Keymarble Yara rule?

Groach groachmail-stopspammingme at yahoo.com
Sun Aug 12 17:29:59 UTC 2018



On 12/08/2018 13:04, Arnaud Jacques wrote:
>
>
> On 12/08/2018 at 13:59, Alessandro Vesely wrote:
>> On Sat 11/Aug/2018 19:43:34 +0200 G.w. Haywood wrote:
>>
>>> Hi there,
>>>
>>> On Sat, 11 Aug 2018, Alessandro Vesely wrote:
>>>
>>> Re: Keymarble Yara rule?
>>>> 00000000  4d 5a 74 68 69 73 20 69  73 20 61 20 64 75 6d 6d  |MZthis is a dumm|
>>>> 00000010  79 20 6b 65 79 6d 61 72  62 6c 65 20 66 69 6c 65  |y keymarble file|
>>>> 00000020  20 63 72 65 61 74 65 64  20 66 6f 72 20 6d 61 6b  | created for mak|
>>>> 00000030  69 6e 67 20 74 65 73 74  73 0a 00 00 40 00 00 00  |ing tests...@...|
>>>> 00000040  50 45 62 63 39 62 37 35  61 33 31 31 37 37 35 38  |PEbc9b75a3117758|
>>>> ...
>>>>         (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and
>>>> any of them
>>>
>>> The second offset looks wrong to me.
>>>
>>
>> Why?  uint32(0x3c) is 0x00000040...
>
> Because, each line is 16 bytes long (0x10).
>
> So "00000040" is in hexadecimal, not decimal.
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.clamav.net/pipermail/clamav-users/attachments/20180812/335573f3/attachment.htm>
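Worked check of the rule condition discussed in the quoted thread. This is an added example, not code from the thread, from ClamAV or from YARA: it re-assembles the first 0x50 bytes of the dummy file from the quoted hexdump (constructed from the dump, nothing beyond the "..." is needed) and evaluates `uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550` the way YARA's integer functions do (little-endian reads; a read past the end of the data is undefined and makes the condition false). The function names, the `explain` helper and the two negative samples are my own.

```python
import struct

# Constructed sample input: the first 0x50 bytes of the dummy "keymarble" test
# file from the hexdump quoted in the thread, re-assembled byte for byte.
DUMMY_KEYMARBLE = (
    b"MZthis is a dummy keymarble file created for making tests\n"  # 0x00-0x39
    b"\x00\x00"                                                    # 0x3a-0x3b
    b"\x40\x00\x00\x00"                                            # 0x3c: e_lfanew = 0x40, little-endian
    b"PEbc9b75a3117758"                                            # 0x40: "PE" followed by test payload
)


def uint16(data: bytes, offset: int):
    """YARA-style uint16(): little-endian unsigned 16-bit read at `offset`.

    Returns None when the read would run past the end of the data; YARA treats
    such a read as undefined, which makes the enclosing condition false.
    """
    if offset < 0 or offset + 2 > len(data):
        return None
    return struct.unpack_from("<H", data, offset)[0]


def uint32(data: bytes, offset: int):
    """YARA-style uint32(): little-endian unsigned 32-bit read (None if out of range)."""
    if offset < 0 or offset + 4 > len(data):
        return None
    return struct.unpack_from("<I", data, offset)[0]


def pe_header_condition(data: bytes) -> bool:
    """Evaluate  uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550  as YARA would."""
    if uint16(data, 0) != 0x5A4D:          # "MZ" DOS header magic, read little-endian
        return False
    e_lfanew = uint32(data, 0x3C)          # offset of the PE signature, 4 bytes LE at 0x3c
    if e_lfanew is None:
        return False
    return uint16(data, e_lfanew) == 0x4550  # "PE" (bytes 50 45 read little-endian)


def explain(data: bytes) -> dict:
    """Return the intermediate values so they can be checked against the hexdump.

    `e_lfanew_hexdump_row` is the label of the 16-byte dump row that contains
    the offset e_lfanew points to (row labels in a hexdump are hexadecimal).
    """
    e_lfanew = uint32(data, 0x3C)
    return {
        "mz_word": uint16(data, 0),
        "e_lfanew": e_lfanew,
        "e_lfanew_hexdump_row": None if e_lfanew is None else "%08x" % (e_lfanew - e_lfanew % 16),
        "pe_word": None if e_lfanew is None else uint16(data, e_lfanew),
        "matches": pe_header_condition(data),
    }


if __name__ == "__main__":
    samples = {
        "dummy keymarble": DUMMY_KEYMARBLE,
        # Constructed negatives: e_lfanew rewritten to point past EOF, and a
        # file truncated before offset 0x3c (both must evaluate to False).
        "e_lfanew past EOF": DUMMY_KEYMARBLE[:0x3C] + b"\x00\x10\x00\x00" + DUMMY_KEYMARBLE[0x40:],
        "truncated": DUMMY_KEYMARBLE[:0x20],
    }
    for name, blob in samples.items():
        print(name, explain(blob))
```

On the bytes in the dump, `uint32(0x3c)` reads `40 00 00 00` and yields 0x40 (64 decimal), which is exactly the row labelled `00000040` in the hexdump, and `uint16(0x40)` reads `50 45` as 0x4550, so both header tests hold for the test file; the two constructed negatives show the condition failing when e_lfanew points outside the file or the file ends before offset 0x3c.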

