Didier Stevens

YARA Rules

Here are some YARA rules I developed.

The maldoc rules were derived from Frank Boldewin’s shellcode signatures used in OfficeMalScanner.

JPEG Exif Eval rule is explained here.

PEiD signatures converted to YARA rules explained here.

yara-rules-V0.0.8.zip (https)
MD5: 83D10B0A18D3F8E2C744B8FEA10F5E67
SHA256: 2D47165757F909440F6D1A95FF5C0EA1355B355AE7475D2A0CF821D3B9A6235A


  1. […] You can find all my YARA rules here: YARA Rules. […]

    Pingback by YARA Rule: Detecting JPEG Exif With eval() | Didier Stevens — Tuesday 20 January 2015 @ 20:39

  2. […] Download my YARA Rules. […]

    Pingback by Converting PEiD Signatures To YARA Rules | Didier Stevens — Thursday 22 January 2015 @ 0:57

  3. rule contains_VBE_variant_3
    reference = “https://blog.didierstevens.com/2016/03/22/yara-rule-to-detect-vbe-scripts/ and https://gallery.technet.microsoft.com/Encode-and-Decode-a-VB-a480d74c and http://www.interclasse.com/scripts/decovbe.php and https://blog.didierstevens.com/2016/04/18/update-decode-vbe-py-version-0-0-2/
    author = “Drew Hunt”
    version = 1
    description = “Specific match VBE encoded VBS markers of samples observed. Didier’s original worked for specific short samples. ‘.+’ regex glob is not reliable for larger scripts.”
    date = “2016-04-25”

    $vbe_start = { 23 40 7E 5E [6] 3D 3D }
    $vbe_end = { 3D 3D 5E 23 7E 40 }

    (@vbe_start < @vbe_end)

    Comment by Anonymous — Monday 25 April 2016 @ 21:11

RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Blog at WordPress.com.