100 Days of YARA – Day 31: PDB Paths

On By DanielIn 100 days of Yara

This rule will find PE files that contain PDB paths. These paths can be useful for malware analysis in a number of ways as outlined in this FireEye blog post: https://www.fireeye.com/blog/threat-research/2019/10/definitive-dossier-of-devilish-debug-details-part-deux.html

This rule requires YARA version 4.0.0+: https://yara.readthedocs.io/en/stable/modules/pe.html

import "pe"

rule contains_pdb_path
{
	meta:
		description = "PE file containing PDB path"
		prereq = "Requires yara v4.0.0+"

	condition:
		pe.pdb_path
}

YARA Rules Index

One thought on “100 Days of YARA – Day 31: PDB Paths

  1. Pingback: Week 04 – 2022 – This Week In 4n6

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s