Use at your own risk
explode_rtf.py
Installation:
- Add explode_rtf.py to modules folder
- Modify dispatch.yara to include the module:
rule type_is_rtf
{
    meta:
        scan_modules = "EXPLODE_RTF"
        file_type = "rtf"
    condition:
        // First four bytes are "{\rt" (7b 5c 72 74), read as a little-endian uint32
        uint32(0) == 0x74725c7b
}
explode_dotnet.py
Decompiles .NET executables and puts the decompiled output in a folder in the output directory.
Dependency:
- Install Mono
- Download dnSpy
Installation:
- Add explode_dotnet.py to modules folder
- Modify dispatch.yara to include the module:
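rule type_is_dotnet
{
    meta:
        scan_modules = "EXPLODE_DOTNET"
        file_type = "pe dotnet"
    strings:
        // CLR runtime DLL and entry point referenced by .NET executables
        $lib = "mscoree.dll"
        $func = "_CorExeMain"
    condition:
        // type_is_mz must be defined earlier in dispatch.yara
        type_is_mz and $lib and $func
}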