Skip to content

Windows_API_Function.yar problems #3

New issue
New issue
Open
Open
Windows_API_Function.yar problems#3
@ruppde

Description

@ruppde
ruppde
opened on Oct 8, 2023

hello,

Windows_API_Function.yar leaves me totally confused:

  1. it doesn't match on the referenced f9b62b2aee5937e4d7f33f04f52ad5b05c4a1ccde6553e18909d2dc0cb595209
  2. On VT it matched on bf8867ed4a4ac03112021e96ac8429db94db381da49cb37096ea3dadb5ef2c21 (and 24M other files), but shouldn't because the file is MZ ?
  3. It correctly doesn't match on my local system:
yara Windows_API_Function.yar bf8867ed4a4ac03112021e96ac8429db94db381da49cb37096ea3dadb5ef2c21
  1. Even if it worked properly, I guess it would produce lots of false positives because of the common strings ReadFile and WriteFile
  2. Dupplicate strings in rule:
    WriteFile
    ReadFile
    IsBadReadPtr
    SetFilePointer

regards
arnim

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions