From 07b99439b13ac7b018e2deb053ec131e37376a00 Mon Sep 17 00:00:00 2001
From: Simon Rozman
Date: Thu, 4 Apr 2024 14:52:30 +0200
Subject: [PATCH] Allow MSI files to contain Windows API functionality

Microsoft Installer files may contain custom action DLLs in an uncompressed form. It is expected for those custom action DLLs to contain Windows API calls.

Signed-off-by: Simon Rozman
---
 Windows_API_Function.yar | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/Windows_API_Function.yar b/Windows_API_Function.yar
index 956bace..236b292 100644
--- a/Windows_API_Function.yar
+++ b/Windows_API_Function.yar
@@ -68,5 +68,8 @@ rule Windows_API_Function
 or
 /* trigger = 'PE' */
 (uint16be(uint32(0x3c)) == 0x5045)
+ or
+ /* MSI */
+ (uint32be(0x0) == 0xd0cf11e0)
 )
 }
\ No newline at end of file
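Review bot: The added `/* MSI */` test at the end of the condition, `uint32be(0x0) == 0xd0cf11e0`, matches the first four bytes of every OLE compound file, not only MSI packages, so legacy Office documents (.doc/.xls/.ppt), .msg files and other CFB containers would take the same branch. The rest of the condition is outside the hunk, but if this group is the file-type allowance the commit message describes, the rule would also stop reporting API names in those formats, where they are much less expected than in an installer's custom-action DLL. Consider narrowing the test to MSI by also requiring the installer root-storage CLSID, e.g. a hex string `$msi_clsid = { 84 10 0C 00 00 00 00 00 C0 00 00 00 00 00 00 46 }` and `(uint32be(0x0) == 0xd0cf11e0 and uint32be(0x4) == 0xa1b11ae1 and $msi_clsid)`; please verify the CLSID bytes against a known-good MSI before merging.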