
Day 3 of 100 Discontiguous Days of YARA

Improving YARA writing skills by writing more YARA rules.





Partaking in Greg’s #100DaysOfYARA, but to be honest it’s more likely to be #100DiscontiguousDaysOfYARA for me - if I make it that far.

I doubt that the rules shared these 100 days will contain any truly original ideas, but I’d still like to share what I’ve learned.

Day 3

rule no_mz_sig__no_pe_sig__but_could_be_a_pe_file {
    meta:
        author = "xorhex"
        description = "Identifies PE files whose MZ sig and PE sig are wiped by inspecting the machine type value at the expected offset"
        warning = "Further tweaking may be required to lessen the FP rate"
        HundredDaysOfYARA = "Day 3"
    condition:
        // No "MZ" at offset 0 (uint16be reads the bytes in file order: 0x4d 0x5a)
        uint16be(0) != 0x4d5a and
        // e_lfanew at 0x3c points at the PE signature; "PE\0\0" read little-endian is 0x00004550
        uint32(uint32(0x3c)) != 0x00004550 and
        // Machine is the first field of the COFF File Header, 4 bytes past the PE signature
        (
            uint16(uint32(0x3c) + 4) == 0x014c or   // IMAGE_FILE_MACHINE_I386
            uint16(uint32(0x3c) + 4) == 0x8664      // IMAGE_FILE_MACHINE_AMD64
        )
}

Sometimes adversaries will wipe the MZ and PE signatures from their malware in the hope that the file gets lost in a sea of files: most triage tooling and file-type identifiers key off those two magic values, and the file only runs once whatever loads it restores them in memory. The rest of the PE layout usually survives intact, so we can hunt for these files by keying off other header fields that sit at known offsets, such as the machine type.

Starting in the MS-DOS header, we read the 4-byte little-endian value at offset 0x3c (e_lfanew). That offset points at the PE signature ("PE\0\0"). Moving 4 bytes further into the file, we arrive at the COFF File Header, whose first field is the 2-byte machine type. We can target x86 and x64 builds by looking for the expected values from the PE specification:

Constant | Value | Description
IMAGE_FILE_MACHINE_I386 | 0x14c | Intel 386 or later processors and compatible processors
IMAGE_FILE_MACHINE_AMD64 | 0x8664 | x64

Both header reads are little-endian, which is what YARA's uint16() and uint32() return; only the "MZ" check uses uint16be() so the constant can be written in the order the bytes appear in the file. If e_lfanew points past the end of the file, the uint16() read is undefined and the whole condition evaluates to false, so truncated fragments do not match.
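To make the offset walk above concrete, here is an added Python example (not part of the original post or the author's tooling) that reimplements the Day 3 condition over raw bytes and adds one tightening a practitioner would likely want: checking that the Optional Header magic at PE+0x18 agrees with the machine type, which removes most of the random-data hits the rule's own warning alludes to. The sample headers it parses are constructed inline and are not real executables; the helper names (`rule_day3`, `rule_day3_tightened`, `build_header`, `build_noise`) are my own.

```python
import struct

# IMAGE_FILE_HEADER.Machine values from the PE specification.
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664

# IMAGE_OPTIONAL_HEADER.Magic values (PE32 / PE32+), used by the tightened rule.
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x010B
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x020B

E_LFANEW_OFFSET = 0x3C        # DOS header field holding the PE header offset
PE_SIG_SIZE = 4               # "PE\0\0"
COFF_MACHINE_OFFSET = 4       # Machine is the first COFF field, right after the signature
COFF_HEADER_SIZE = 20
OPT_MAGIC_OFFSET = PE_SIG_SIZE + COFF_HEADER_SIZE   # 0x18: Optional Header magic


def u16(data: bytes, off: int):
    """Little-endian uint16 at off, or None when out of bounds.
    YARA's uint16() is undefined there and makes the whole condition false."""
    if off < 0 or off + 2 > len(data):
        return None
    return struct.unpack_from("<H", data, off)[0]


def u16be(data: bytes, off: int):
    """Big-endian uint16 at off (YARA's uint16be), or None when out of bounds."""
    if off < 0 or off + 2 > len(data):
        return None
    return struct.unpack_from(">H", data, off)[0]


def u32(data: bytes, off: int):
    """Little-endian uint32 at off (YARA's uint32), or None when out of bounds."""
    if off < 0 or off + 4 > len(data):
        return None
    return struct.unpack_from("<I", data, off)[0]


def rule_day3(data: bytes) -> bool:
    """Same logic as the Day 3 rule: no MZ, no PE, but a plausible Machine value."""
    if u16be(data, 0) == 0x4D5A:                       # "MZ" still present
        return False
    e_lfanew = u32(data, E_LFANEW_OFFSET)
    if e_lfanew is None:                               # file shorter than the DOS header
        return False
    if u32(data, e_lfanew) == 0x00004550:              # "PE\0\0" still present
        return False
    machine = u16(data, e_lfanew + COFF_MACHINE_OFFSET)
    return machine in (IMAGE_FILE_MACHINE_I386, IMAGE_FILE_MACHINE_AMD64)


def rule_day3_tightened(data: bytes) -> bool:
    """Day 3 rule plus a consistency check: the Optional Header magic must match
    the machine type (I386 -> PE32, AMD64 -> PE32+).  In YARA this is the extra
    term  uint16(uint32(0x3c) + 0x18) == 0x10b  (or 0x20b for x64)."""
    if not rule_day3(data):
        return False
    e_lfanew = u32(data, E_LFANEW_OFFSET)
    machine = u16(data, e_lfanew + COFF_MACHINE_OFFSET)
    magic = u16(data, e_lfanew + OPT_MAGIC_OFFSET)
    expected = {IMAGE_FILE_MACHINE_I386: IMAGE_NT_OPTIONAL_HDR32_MAGIC,
                IMAGE_FILE_MACHINE_AMD64: IMAGE_NT_OPTIONAL_HDR64_MAGIC}
    return magic == expected[machine]


def build_header(machine: int, magic: int, wipe_sigs: bool, e_lfanew: int = 0x80) -> bytes:
    """Constructed minimal header (DOS header, PE signature, COFF header, Optional
    Header magic) for testing; it is not a loadable executable."""
    buf = bytearray(e_lfanew + OPT_MAGIC_OFFSET + 2)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, E_LFANEW_OFFSET, e_lfanew)
    buf[e_lfanew:e_lfanew + PE_SIG_SIZE] = b"PE\0\0"
    struct.pack_into("<H", buf, e_lfanew + COFF_MACHINE_OFFSET, machine)
    struct.pack_into("<H", buf, e_lfanew + OPT_MAGIC_OFFSET, magic)
    if wipe_sigs:                                      # what the adversary does
        buf[0:2] = b"\0\0"
        buf[e_lfanew:e_lfanew + PE_SIG_SIZE] = b"\0\0\0\0"
    return bytes(buf)


def build_noise() -> bytes:
    """Constructed non-PE blob whose bytes at e_lfanew+4 happen to be 4c 01,
    i.e. the kind of false positive the original rule's warning is about."""
    buf = bytearray(0x100)
    struct.pack_into("<I", buf, E_LFANEW_OFFSET, 0x50)
    buf[0x54:0x56] = b"\x4c\x01"
    return bytes(buf)


if __name__ == "__main__":
    samples = {
        "wiped x86": build_header(IMAGE_FILE_MACHINE_I386, IMAGE_NT_OPTIONAL_HDR32_MAGIC, True),
        "wiped x64": build_header(IMAGE_FILE_MACHINE_AMD64, IMAGE_NT_OPTIONAL_HDR64_MAGIC, True),
        "intact x86": build_header(IMAGE_FILE_MACHINE_I386, IMAGE_NT_OPTIONAL_HDR32_MAGIC, False),
        "noise": build_noise(),
    }
    for name, blob in samples.items():
        print(f"{name:11s} day3={rule_day3(blob)!s:5s} tightened={rule_day3_tightened(blob)}")
```

The intact header never matches because the "MZ" check fails first, the two wiped headers match both versions, and the noise blob matches only the original condition: its Optional Header magic is zero, so the tightened rule rejects it.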

Here is a crude visual of what we are targeting.

