split PE and embedded PE, closes #2 thanks @recvfrom

pedramamini · pedramamini · commit be9ffac9026a · 2021-08-02T15:23:05.000-07:00
diff --git a/Embedded_PE.rule b/Embedded_PE.rule
@@ -9,6 +9,6 @@ rule Embedded_PE
     condition:
         for any i in (1..#mz):
         (
-            uint32(@mz[i] + uint32(@mz[i] + 0x3C)) == 0x00004550
+            @mz[i] != 0 and uint32(@mz[i] + uint32(@mz[i] + 0x3C)) == 0x00004550
         )
 }
diff --git a/PE.rule b/PE.rule
@@ -0,0 +1,14 @@
+rule Embedded_PE
+{
+    meta:
+        Author      = "InQuest Labs"
+        URL         = "https://github.com/InQuest/yara-rules"
+        Description = "Discover embedded PE files, without relying on easily stripped/modified header strings."
+    strings:
+        $mz = { 4D 5A }
+    condition:
+        for any i in (1..#mz):
+        (
+            uint32(@mz[i] + uint32(@mz[i] + 0x3C)) == 0x00004550
+        )
+}
