
Day 2 of 100 Discontiguous Days of YARA

Improving YARA writing skills by writing more YARA rules.

xorhex


#100DaysOfDiscontiguousDaysOfYARA

Summary

Partaking in Greg’s #100DaysOfYARA, but to be honest it’s more likely to be #100DiscontiguousDaysOfYARA for me - if I make it that far.

I doubt that the rules shared these 100 days will contain any truly original ideas, but I’d still like to share what I’ve learned.

Day 2

import "pe"

rule pe_created_after_cert_expired {
    meta:
        author = "xorhex"
        description = "Find PE files that were compiled (assuming the timestamp was not modified) after their code signing certificate expired"
        HundredDaysOfYara = "Day 2"

    condition:
        // pe.signatures holds every Authenticode signer certificate in the file;
        // an unsigned file has none, so 'for any' evaluates to false.
        for any s in pe.signatures: (
            // pe.timestamp is the COFF TimeDateStamp (seconds since the Unix epoch);
            // s.not_after is the certificate's expiry in the same units.
            pe.timestamp > s.not_after
        )
}

This rule iterates over every Authenticode signer certificate embedded in the PE file and compares each certificate's expiry (not_after) against the compile timestamp in the PE header, matching when the binary appears to have been compiled after the certificate had already expired. An unsigned file has no entries in pe.signatures, so the loop never matches; and because the rule trusts the header timestamp, a file with a zeroed or forged TimeDateStamp will not be caught.
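To make the comparison concrete, here is an added Python example (not part of the original post) that reproduces the rule's logic outside YARA: it pulls the COFF TimeDateStamp out of a PE header with the standard library, then applies the same "compiled after expiry" check. Parsing Authenticode is out of scope here, so the certificate validity windows are passed in as constructed dicts that mirror pe.signatures[i].not_before / not_after; build_stub_pe, unix, compiled_after_cert_expired and the sample dates are all assumptions made for the example. It also shows the two cases the rule cannot match: an unsigned file and a zeroed timestamp.

```python
import struct
from datetime import datetime, timezone


def unix(year, month, day):
    """Seconds since the Unix epoch for a UTC calendar date (helper for readable sample data)."""
    return int(datetime(year, month, day, tzinfo=timezone.utc).timestamp())


def pe_timestamp(data):
    """Return the COFF TimeDateStamp from a PE image, the same value YARA exposes as pe.timestamp.

    Raises ValueError when the MZ or PE headers are missing or truncated.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    # e_lfanew at offset 0x3C points at the "PE\0\0" signature
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header follows the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    if len(data) < e_lfanew + 12:
        raise ValueError("truncated COFF header")
    (timestamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return timestamp


def compiled_after_cert_expired(data, signatures):
    """Mirror of the YARA condition: true when any signer cert expired before the compile timestamp.

    signatures: list of dicts with 'not_before' and 'not_after' as Unix seconds
    (constructed stand-in for pe.signatures).
    """
    timestamp = pe_timestamp(data)
    # 'for any' over an empty array is false, so an unsigned file never matches
    return any(timestamp > sig["not_after"] for sig in signatures)


def build_stub_pe(timestamp):
    """Constructed minimal MZ + PE + COFF header carrying the given TimeDateStamp.

    This is only enough header for pe_timestamp() to parse; it is not a loadable binary.
    """
    e_lfanew = 0x40
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine=IMAGE_FILE_MACHINE_I386, 1 section, TimeDateStamp, then zeroed remaining fields
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + coff


# Constructed sample data: a certificate valid for calendar year 2020
SAMPLE_SIGNATURES = [{"not_before": unix(2020, 1, 1), "not_after": unix(2021, 1, 1)}]


def demo():
    """Run the check over the constructed cases and return a dict of results."""
    return {
        # compiled in mid-2021, cert expired 1 Jan 2021 -> rule fires
        "after_expiry": compiled_after_cert_expired(build_stub_pe(unix(2021, 6, 1)), SAMPLE_SIGNATURES),
        # compiled while the cert was still valid -> no match
        "within_validity": compiled_after_cert_expired(build_stub_pe(unix(2020, 6, 1)), SAMPLE_SIGNATURES),
        # unsigned file: pe.signatures is empty -> no match regardless of timestamp
        "unsigned": compiled_after_cert_expired(build_stub_pe(unix(2021, 6, 1)), []),
        # zeroed TimeDateStamp (stripped or forged) is never greater than a real expiry -> no match
        "zero_timestamp": compiled_after_cert_expired(build_stub_pe(0), SAMPLE_SIGNATURES),
    }


if __name__ == "__main__":
    for case, matched in demo().items():
        print(f"{case:16} -> {'MATCH' if matched else 'no match'}")
```

The "zero_timestamp" case is the practical blind spot: the rule is a cheap triage signal for files whose header dates are plausible, not a substitute for validating the Authenticode signature and its timestamp countersignature.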
