Wesley Shields

Though, to be fair... The original request for some of these features came from Sir Tom of the House of Lancaster (@tlansec). Credit where credit is due, of course. ;)

Since I convert the RVA to a file offset you can even check to see if enough functions are all "xor eax, eax; retn;" - which is pretty dope to be able to do so easily. There are other things this branch lets you do too, but I'll leave that up to you all to come up with. ;) 3/?

If you're one of the places which use the dotnet module (we use it at $job) it's worth noting that it will break rules if you're looking for specific user strings. I don't like breaking backwards compatibility but getting parsing correct is important in this case. 2/2

I spent this week without a laptop, with my family in Disney World. I’m super far behind on most things, but I don’t care. I’ll start digging out as soon as I’m home. Expect some neat projects from me this winter...

So @silascutler is testing my base64 YARA work and discovered he can't use "base64" as a tag in his rule. This is not specific to base64 as you can't use any keyword as a tag. If you have base64 as a tag, your rule will fail to compile when my work is merged. Heads up!

Listening to On The Metal from yesterday and I suddenly need “f00f on your lambda” in shirt and sticker form. Seriously, there are some amazing stories in all the episodes.

This report is a good example of confirmation bias and failure of critical analysis. The rule was triggering on strings that were unique to bat2exe which until now was only used by OilRig but is not indicative of malicious behavior. Be rigorous in your analysis!https://twitter.com/MalwareRE/status/1216807295092477959 …

These were not the first living robot. That distinction belongs to yours truly.https://twitter.com/simplenomad/status/1217459238215262208 …

Performance management cycles are one of the top things I loathe. I do things I enjoy and am motivated to do, you pay me. That’s what I signed up for, that’s what I want. I don’t want to write down what I accomplished and the impact it had. I want to talk about what I’m proud of.https://twitter.com/bcantrill/status/1216491216356823040 …

And now that this is done I will go back to fixing up my base64 work so it can be included in the next release. Sometimes you just have to take a break and do something completely useless but fun.

Got new laptop and am seriously debating the value of slack. There are a handful of chats on there I mostly lurk in, but people do ping me on there. Migrating my keybase stuff was SO EASY, but do I really want to do the "log in to N slack teams" dance, again?

I've tested and it runs "hello world" and "cat" brainfuck programs. It's pretty dope if you're into esoteric languages running on a VM not meant to execute that language. ;)

I implemented bf2y again over the last couple of nights. A simple "cat" program works but the more complex "hello world" does not. I know why, and it's due to a massive oversight on my part in the design. The fix requires another YARA instruction, which I don't want to do. :(