hello,
Windows_API_Function.yar leaves me totally confused:
- it doesn't match on the referenced f9b62b2aee5937e4d7f33f04f52ad5b05c4a1ccde6553e18909d2dc0cb595209
- On VT it matched on bf8867ed4a4ac03112021e96ac8429db94db381da49cb37096ea3dadb5ef2c21 (and 24M other files), but shouldn't because the file is MZ ?
- It correctly doesn't match on my local system:
yara Windows_API_Function.yar bf8867ed4a4ac03112021e96ac8429db94db381da49cb37096ea3dadb5ef2c21
- Even if it worked properly, I guess it would produce lots of false positives because of the common strings ReadFile and WriteFile
- Dupplicate strings in rule:
WriteFile
ReadFile
IsBadReadPtr
SetFilePointer
regards
arnim
hello,
Windows_API_Function.yar leaves me totally confused:
WriteFile
ReadFile
IsBadReadPtr
SetFilePointer
regards
arnim