On Sun 12/Aug/2018 14:04:06 +0200 Arnaud Jacques wrote:
>
>
> On 12/08/2018 at 13:59, Alessandro Vesely wrote:
>> On Sat 11/Aug/2018 19:43:34 +0200 G.w. Haywood wrote:
>>
>>> Hi there,
>>>
>>> On Sat, 11 Aug 2018, Alessandro Vesely wrote:
>>>
>>> Re: Keymarble Yara rule?
>>>> 00000000 4d 5a 74 68 69 73 20 69 73 20 61 20 64 75 6d 6d |MZthis is a dumm|
>>>> 00000010 79 20 6b 65 79 6d 61 72 62 6c 65 20 66 69 6c 65 |y keymarble file|
>>>> 00000020 20 63 72 65 61 74 65 64 20 66 6f 72 20 6d 61 6b | created for mak|
>>>> 00000030 69 6e 67 20 74 65 73 74 73 0a 00 00 40 00 00 00 |ing tests...@...|
>>>> 00000040 50 45 62 63 39 62 37 35 61 33 31 31 37 37 35 38 |PEbc9b75a3117758|
>>>> ...
>>>> (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and any of them
>>>
>>> The second offset looks wrong to me.
>>>
>>
>> Why? uint32(0x3c) is 0x00000040...
>
> Because, each line is 16 bytes long (0x10).
>
> So "00000040" is in hexadecimal, not decimal.

Hm... yes, addresses in the first column are hex too. "PE" is there.

_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
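
The offset arithmetic discussed in this thread can be checked mechanically. The following is an added example, not part of the original messages: it evaluates only the MZ/PE part of the quoted condition over the bytes from the hexdump. The names DATA, uint16, uint32 and is_pe are chosen here for illustration, and "any of them" is not modeled.

```python
import struct

# First 0x50 bytes of the dummy test file, transcribed from the hexdump
# quoted in the thread (one row = 16 bytes = 0x10).
HEXDUMP = """
4d 5a 74 68 69 73 20 69 73 20 61 20 64 75 6d 6d
79 20 6b 65 79 6d 61 72 62 6c 65 20 66 69 6c 65
20 63 72 65 61 74 65 64 20 66 6f 72 20 6d 61 6b
69 6e 67 20 74 65 73 74 73 0a 00 00 40 00 00 00
50 45 62 63 39 62 37 35 61 33 31 31 37 37 35 38
"""
DATA = bytes.fromhex("".join(HEXDUMP.split()))


def _read(data, offset, fmt):
    """Little-endian read, like YARA's uintXX(); None stands in for 'undefined'."""
    size = struct.calcsize(fmt)
    if offset is None or offset < 0 or offset + size > len(data):
        return None
    return struct.unpack_from(fmt, data, offset)[0]


def uint16(data, offset):
    return _read(data, offset, "<H")


def uint32(data, offset):
    return _read(data, offset, "<I")


def is_pe(data):
    """Mirror of: uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550"""
    return (uint16(data, 0) == 0x5A4D
            and uint16(data, uint32(data, 0x3C)) == 0x4550)


if __name__ == "__main__":
    print("uint32(0x3c)   = 0x%08x" % uint32(DATA, 0x3C))
    print("uint16(0x40)   = 0x%04x  (hex offset, 'PE')" % uint16(DATA, 0x40))
    print("uint16(40)     = 0x%04x  (offset misread as decimal)" % uint16(DATA, 40))
    print("header matches =", is_pe(DATA))
```

A file truncated before the offset stored at 0x3c yields an undefined read, so the condition is false rather than an error.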