gregclermont

gregclermont / ms13_098.yar

Last active November 29, 2025 02:06

	import "pe"

	rule ms13_098 {

	condition:
	pe.is_dll() and filesize < 10MB and pe.data_directories[
	pe.IMAGE_DIRECTORY_ENTRY_SECURITY].size > 0x8000
	and (
	(uint16be(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_SECURITY].virtual_address+8) == 0x3082
	and uint16be(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_SECURITY].virtual_address+10) <