secDre4mer
On Windows, scanning a process takes an amount of memory that is (roughly) proportional to the amount of memory the process uses. E.g., if a process has allocated 1GB on...
The YR_RULE* pointer from the compiler callback originates from `yr_arena_get_ptr`, which refers to `yr_arena_ref_to_ptr`, which has the following comment: > This pointer is valid only until the next call to...
A small YARA module (inspired by https://twitter.com/NinjaParanoid/status/1712743509961380325) that allows rules to query memory protection for live process memory. This allows writing conditions like `for any i in (1..#a) : (...
When unpacking `Cscan(.net_2x_3x).exe` from https://github.com/k8gege/K8tools/blob/master/K8Cscan5.4_20191101.rar, rardecode panics in decodeSymbol2, line 805: `for m.charMask[states[i].sym] == m.escCount {` Apparently `i` equals `len(states)` (both 22), causing the issue. If there is any further...
Adds support for the new CALLBACK_MSG_TOO_SLOW_SCANNING. This change increases the required YARA version to 4.4.0.
Add support for parsing (and returning) additional nested signatures. Also fixes an issue where the signature algorithm of the file was detected incorrectly.
The contract from io.ReaderAt requires that err != nil if less than len(p) bytes are returned, and that 0 self.N, n is limited and thus n < len(p), but no...
As documented in https://msopenspecs.azureedge.net/files/MS-OVBA/%5bMS-OVBA%5d.pdf, section 2.3.4.2.1, the dir stream may contain an optional CompatVersionRecord. The ProjectConstants record is also optional and not required.
Parsing of Windows command lines currently uses go-shellwords, which is not accurate on Windows. The autorun entries typically call CreateProcess, which has some logic for extracting the image path from...
Add two methods for listing registered providers and looking them up.