CyberSoft CVDL

CVDL Tutorial

7. Absolute Offsets

The ABS operator anchors a pattern at an absolute offset, measured from the beginning of the scanned data.

Example VDLs:

:a1, ABS 0, "#!", WS0, "/bin/sh" #
:a2, "abc", @0-20, "def" AND ABS 14, "01234" #
MS/VBA, ABS 0, "\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" AND "\xFE\xCA" #

The a1 VDL checks for a Bourne shell script file header.

The a2 VDL checks for "abc" followed by "def" within the next 20 bytes, and "01234" at absolute position 14.

The MS/VBA VDL uses ABS 0 to check for the 8-byte Microsoft signature header which appears at the very beginning of most Microsoft application files.
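
The difference between an ABS-anchored clause and a floating one can be seen in a small Python model of the three VDLs above. This is an added example, not CyberSoft code or the CVDL engine. The token tuples and function names are hypothetical, and it assumes WS0 means zero or more whitespace bytes, @0-20 means a gap of 0 to 20 bytes, and a clause without ABS may match at any offset.

```python
# Added illustration, not CyberSoft's engine. Assumptions: WS0 = zero or more
# whitespace bytes, ("gap", lo, hi) models @lo-hi, AND requires every clause to
# match, and a clause without ABS may match at any offset.
WHITESPACE = b" \t\r\n"

def match_at(tokens, data, pos):
    """Return True if the token list matches data starting exactly at pos."""
    if not tokens:
        return True
    tok, rest = tokens[0], tokens[1:]
    if tok[0] == "lit":
        return data.startswith(tok[1], pos) and match_at(rest, data, pos + len(tok[1]))
    if tok[0] == "ws0":
        # Try the rest after consuming 0, 1, 2, ... whitespace bytes.
        while True:
            if match_at(rest, data, pos):
                return True
            if pos < len(data) and data[pos] in WHITESPACE:
                pos += 1
            else:
                return False
    if tok[0] == "gap":
        _, lo, hi = tok
        return any(match_at(rest, data, pos + k)
                   for k in range(lo, hi + 1) if pos + k <= len(data))
    raise ValueError(f"unknown token {tok!r}")

def clause_matches(tokens, data):
    """ABS n pins the clause to offset n; otherwise every offset is tried."""
    if tokens and tokens[0][0] == "abs":
        offset = tokens[0][1]
        return offset <= len(data) and match_at(tokens[1:], data, offset)
    return any(match_at(tokens, data, p) for p in range(len(data) + 1))

def vdl_matches(clauses, data):
    """A VDL is a list of clauses joined by AND."""
    return all(clause_matches(c, data) for c in clauses)

A1 = [[("abs", 0), ("lit", b"#!"), ("ws0",), ("lit", b"/bin/sh")]]
A2 = [[("lit", b"abc"), ("gap", 0, 20), ("lit", b"def")],
      [("abs", 14), ("lit", b"01234")]]
MS_VBA = [[("abs", 0), ("lit", b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1")],
          [("lit", b"\xFE\xCA")]]

# Constructed sample: "abc", 8 filler bytes, "def", then "01234" at offset 14.
SAMPLE_A2 = b"abc" + b"-" * 8 + b"def" + b"01234"
```

Prepending a single byte to `SAMPLE_A2` makes `vdl_matches(A2, ...)` fail, because the floating "abc"/"def" clause still matches but "01234" has moved to offset 15.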
