
Day 2 of 100 Discontiguous Days of YARA

Improving YARA writing skills by writing more YARA rules.

Partaking in Greg’s #100DaysOfYARA, but to be honest it’s more likely to be #100DiscontiguousDaysOfYARA for me - if I make it that far.

I doubt that the rules shared these 100 days will contain any truly original ideas, but I’d still like to share what I’ve learned.

Day 2

import "pe"

rule pe_created_after_cert_expired {
    meta:
        author = "xorhex"
        description = "Find PE files that were compiled (assuming the timestamp was not modified) after their code signing certificate expired"
        HundredDaysOfYara = "Day 2"

    condition:
        // pe.timestamp is the COFF header TimeDateStamp (seconds since the Unix epoch);
        // s.not_after is the signing certificate's expiry in the same units.
        for any s in pe.signatures: (
            pe.timestamp > s.not_after
        )
}

This rule loops through all of the Authenticode signatures found in a PE file and compares each certificate's not_after date against the PE's compile timestamp to see if the binary was compiled after the certificate expired. Since the condition is "for any", an unsigned file (no signatures at all) never matches.
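The same check expressed in Python, as an added example that is not part of the original post and not xorhex's code: it parses the COFF TimeDateStamp out of a constructed minimal PE header (so it runs offline) and compares it against a hypothetical list of signature dictionaries that stands in for YARA's pe.signatures, where only the not_after epoch value matters for this rule. Real Authenticode parsing is out of scope here; the point is the comparison logic and the empty-signature edge case.

```python
import struct
from datetime import datetime, timezone


def build_fake_pe(timestamp: int) -> bytes:
    """Constructed minimal PE image: a DOS header whose e_lfanew points at a
    PE signature followed by a 20-byte COFF file header. Not a loadable binary."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)  # e_lfanew -> COFF header right after DOS header
    coff = b"PE\0\0" + struct.pack(
        "<HHIIIHH",
        0x14C,       # Machine: IMAGE_FILE_MACHINE_I386
        0,           # NumberOfSections
        timestamp,   # TimeDateStamp: what YARA exposes as pe.timestamp
        0, 0,        # PointerToSymbolTable, NumberOfSymbols
        0,           # SizeOfOptionalHeader
        0x102,       # Characteristics: EXECUTABLE_IMAGE | 32BIT_MACHINE
    )
    return bytes(dos) + coff


def pe_timestamp(data: bytes) -> int:
    """Read the COFF TimeDateStamp (Unix epoch seconds) from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header starts after the 4-byte PE signature; TimeDateStamp is at offset 4 in it.
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def compiled_after_cert_expired(data: bytes, signatures: list) -> bool:
    """Mirror of the YARA condition: true if ANY signature's not_after is earlier
    than the compile timestamp. An unsigned file (empty list) never matches.
    `signatures` is a hypothetical stand-in for pe.signatures: dicts with 'not_after'."""
    ts = pe_timestamp(data)
    return any(ts > sig["not_after"] for sig in signatures)


def epoch(year: int, month: int, day: int) -> int:
    return int(datetime(year, month, day, tzinfo=timezone.utc).timestamp())


if __name__ == "__main__":
    # Constructed sample: certificate expired at the start of 2020.
    cert = [{"subject": "example signer (constructed)", "not_after": epoch(2020, 1, 1)}]
    print(compiled_after_cert_expired(build_fake_pe(epoch(2021, 1, 1)), cert))  # True
    print(compiled_after_cert_expired(build_fake_pe(epoch(2019, 1, 1)), cert))  # False
    print(compiled_after_cert_expired(build_fake_pe(epoch(2021, 1, 1)), []))    # False
```

As the rule's description already notes, TimeDateStamp is writable by whoever built or later edited the file, so a hit means the metadata is inconsistent, not that the file is malicious; treat it as a triage lead rather than a verdict.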
