David Cannings

icon indicating a website link http://edeca.net

icon location UK

Results 14 comments of David Cannings

Can't import "hash"

Also see: https://github.com/VirusTotal/yara-python/issues/27

Add --with-crypto Yara build option

Relates to: https://github.com/VirusTotal/yara-python/issues/28

Decode embedded data back to original format

Consider also whether direct integration with oletools would be easier: https://github.com/decalage2/oletools/blob/4f51278fda8d349d8b35d7f939986d14f554772a/oletools/oleobj.py#L340

Add initial UAC bypass with RPC rule

Needs mandiant/capa-testfiles#144 merged to pass CI.

Rule for lzo compression

[PR for sample file](https://github.com/mandiant/capa-testfiles/pull/143).

Rule for lzo compression

Ready for review. CI needs the sample file merged to pass.

Rule for accessing Windows directory from KUSER_SHARED_DATA

Thanks @mr-tz - after reviewing the other rule I think I was obsessing too much over reducing false positives. Simplified.

64-bit Delphi programs will not correctly parse

Sample `0e32fc7697d8aa1ad4f2e481043795483c170c00406cc89a3f32bd04c3d174e2` is x86-64 and could be used for further development.

Vftables in multiple sections not correctly parsed

Number of exceptions greatly reduced due to minor improvement in vftable search strategy. Hunt for executables that contain vftables in multiple sections continues.

ascii problems

Encode your domain in punycode. If that's a valid domain name, then `xn--e1alhsoq4c.xn--p1ai` is the correct encoding.