On Sat 11/Aug/2018 19:43:34 +0200 G.w. Haywood wrote:

> Hi there,
> 
> On Sat, 11 Aug 2018, Alessandro Vesely wrote:
> 
> Re: Keymarble Yara rule?
>> 00000000  4d 5a 74 68 69 73 20 69  73 20 61 20 64 75 6d 6d  |MZthis is a dumm|
>> 00000010  79 20 6b 65 79 6d 61 72  62 6c 65 20 66 69 6c 65  |y keymarble file|
>> 00000020  20 63 72 65 61 74 65 64  20 66 6f 72 20 6d 61 6b  | created for mak|
>> 00000030  69 6e 67 20 74 65 73 74  73 0a 00 00 40 00 00 00  |ing tests...@...|
>> 00000040  50 45 62 63 39 62 37 35  61 33 31 31 37 37 35 38  |PEbc9b75a3117758|
>> ...
>>        (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and any of them
> 
> The second offset looks wrong to me.
> 

Why?  uint32(0x3c) is 0x00000040...
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
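
The header test discussed in this thread, reproduced outside YARA as an added example that is not part of the original messages. The byte string is transcribed from the hexdump quoted above; the helper names are hypothetical, and returning `None` for an out-of-range read is an assumption that stands in for YARA's "undefined" value.

```python
# First 0x50 bytes of the dummy file, transcribed from the quoted hexdump.
SAMPLE = bytes.fromhex(
    "4d 5a 74 68 69 73 20 69 73 20 61 20 64 75 6d 6d"
    "79 20 6b 65 79 6d 61 72 62 6c 65 20 66 69 6c 65"
    "20 63 72 65 61 74 65 64 20 66 6f 72 20 6d 61 6b"
    "69 6e 67 20 74 65 73 74 73 0a 00 00 40 00 00 00"
    "50 45 62 63 39 62 37 35 61 33 31 31 37 37 35 38"
)


def read_le(data, offset, size):
    """Little-endian unsigned read, like YARA's uint16()/uint32().

    Returns None when the read would fall outside the data, so a
    comparison against it is never true.
    """
    if offset is None or offset < 0 or offset + size > len(data):
        return None
    return int.from_bytes(data[offset:offset + size], "little")


def pe_header_check(data):
    """Evaluate: uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550."""
    mz = read_le(data, 0, 2)             # bytes 4d 5a -> 0x5A4D ("MZ")
    e_lfanew = read_le(data, 0x3C, 4)    # pointer stored at 0x3c
    sig = read_le(data, e_lfanew, 2)     # 16-bit value at the pointed-to offset
    return {
        "mz": mz,
        "e_lfanew": e_lfanew,
        "sig": sig,
        "match": mz == 0x5A4D and sig == 0x4550,
    }


if __name__ == "__main__":
    result = pe_header_check(SAMPLE)
    for key in ("mz", "e_lfanew", "sig"):
        value = result[key]
        print(key, "undefined" if value is None else hex(value))
    print("match", result["match"])
```

The inner `uint32(0x3c)` is a dereference: the value stored at 0x3c is used as the offset of the 16-bit read, so a file truncated before that offset or carrying an out-of-range pointer does not satisfy the header part of the condition.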
