metas is a pointer to a YR_META structure
(https://github.com/VirusTotal/yara/blob/master/libyara/include/yara/types.h#L225).
You can see how yara handles it when printing metadata about a rule here:
https://github.com/VirusTotal/yara/blob/master/cli/yara.c#L1004
-- WXS
> On May 22, 2021, at
The string you are highlighting is not indicative of a file running on Windows
10 or not. That string is in the DOS stub, which is executed when you try to
run the program under DOS. Why this particular file is not running on your
system is a different issue but it has nothing to do with that
or yara?
>
>
> Jonathan
>
> On Mon, Feb 22, 2021 at 11:33 AM Wesley Shields <w...@atarininja.org> wrote:
> See the warning at the top of
> https://yara.readthedocs.io/en/stable/modules/hash.html
> <https://yara.readthedocs.io/en/stable/modules/has
See the warning at the top of
https://yara.readthedocs.io/en/stable/modules/hash.html - all hashes are
returned in lowercase.
-- WXS
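As an added illustration of the lowercase point (my own code, not from the list or the YARA project): a small generator that takes a constructed IoC list in mixed case, validates and lowercases each digest, and emits a rule that compares the whole-file digest using the hash module's md5/sha1/sha256 functions. The digest values are constructed sample data.

```python
import re

# Constructed IoC list (not from the thread): digests as they often arrive in
# reports, in mixed case. The hash module returns lowercase hex, so the rule
# must compare against lowercase values or it will never match.
IOCS = [
    "D41D8CD98F00B204E9800998ECF8427E",                                  # md5
    "Da39a3ee5e6b4b0d3255bfef95601890afd80709",                          # sha1
    "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",  # sha256
    "not-a-hash",                                                        # dropped
]

# Digest length in hex characters -> hash module function.
FUNCS = {32: "md5", 40: "sha1", 64: "sha256"}
HEX = re.compile(r"^[0-9a-fA-F]+$")


def normalize(iocs):
    """Group valid digests by hash function, lowercased and de-duplicated."""
    out = {}
    for h in iocs:
        h = h.strip()
        func = FUNCS.get(len(h))
        if func and HEX.match(h):
            out.setdefault(func, set()).add(h.lower())
    return {func: sorted(vals) for func, vals in out.items()}


def build_rule(name, iocs):
    """Emit a rule that hashes the whole file (offset 0, length filesize)."""
    conds = [
        f'hash.{func}(0, filesize) == "{d}"'
        for func, digests in sorted(normalize(iocs).items())
        for d in digests
    ]
    body = "\n        or ".join(conds) if conds else "false"
    return f'import "hash"\n\nrule {name}\n{{\n    condition:\n        {body}\n}}\n'


if __name__ == "__main__":
    print(build_rule("known_bad_hashes", IOCS))
```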
> On Feb 22, 2021, at 11:30 AM, Jonathan Livolsi wrote:
>
> Hi,
>
> I am going through a lab to learn yara rules and have a simple problem but I
> am not
I'm far from an expert but "these samples cluster around this rule or this
subset of rules" is far from machine learning. There's no learning there at all.
We have used YARA to extract out features from various documents (specifically
things like RTF where you can easily count the number of
something being detected?
>
> On Tuesday, 11 August 2020 10:41:48 UTC+10, Wesley Shields wrote:
> The format is .
>
> In your case, YARA matched two rules on the file c:\Temp\yarfile.yar
>
> -- WXS
>
>> On Aug 10, 2020, at 8:33 PM, Michael Fry wrote:
>>
The format is .
In your case, YARA matched two rules on the file c:\Temp\yarfile.yar
-- WXS
> On Aug 10, 2020, at 8:33 PM, Michael Fry wrote:
>
> Hi All,
>
> So I have recently been asked to use Yara to scan some servers for some IOCs
> and I am using the command line version.
>
> The yar
It looks like yara64 won't run because you have a 32-bit install of Windows,
which can't run 64-bit binaries.
The problem with yara32 looks like it is permissions, and you don't have access
to execute it.
Without further information this looks like it has nothing to do with YARA, and
is a local
I can't replicate this - it does not match on 4.0.2 on my system. There is no
rule parsing bug here - the same C code is used when compiling rules using yara
on the command line or via python. I've had a couple of people tell me
something weird is going on when using pip to install yara-python,
I don't think fullword makes sense here, given that the base64 modifiers are
meant to work when the string you're searching for is embedded anywhere in a
base64 encoded string. This requires that it strip some leading and trailing
bytes. If you want to find it without this behavior just put the
This is likely due to the change made recently where comparing with UNDEFINED
values now evaluates to false. It used to evaluate to UNDEFINED.
> But shouldn't pe module conditions check first if the file is a PE header or
> valid base PE, then fail if the file isn't ?
Functions in the pe
a to find samples with the same Export
> name, not the name of an exported function.
>
> Cheers,
> Schrodinger.
>
> On Thursday, June 27, 2019 at 12:40:03 AM UTC+1, Wesley Shields wrote:
> Not sure where you got "pilot.dll" from but the file you referenced has one
> rule export_name
> {
> condition:
> uint16(0) == 0x5A4D
> and
> pe.exports("pilot.dll")
> }
>
> Sample I tested with d5c679df69751936d0fa380f2e4bf017 can provide the sample
> if you need.
>
> Cheers.
>
> On Wednesday,
For now you can do: pe.exports("pilot.dll").
-- WXS
> On Jun 25, 2019, at 6:21 PM, Schrodinger wrote:
>
> Hi everyone,
>
> I was wondering if there is a way to perform matching on the name in the
> DIRECTORY_ENTRY_EXPORT in a Portable Executable. Example from the Python
> pefile module:
>
What about:
./configure --enable-static --enable-cuckoo --enable-magic --enable-dotnet
-- WXS
> On May 3, 2019, at 5:22 AM, Shakarim Utepbergenov
> wrote:
>
> Hello guys, I need to build a executable binary file on Ubuntu 18.04
> i've tried configure with static libs
> ./configure
Filename is not something YARA knows about, nor should it IMO. The filename is
a property of the filesystem upon which the file resides, and has no bearing on
the content of the file. If you want to use filename in your rule you have to
pass it in as an external variable. Check out
It should be --enable-dotnet
-- WXS
On Wed, Nov 7, 2018 at 2:09 PM wrote:
>
> Newbie question - The instructions to get .net rules appear to be
> straight-forward, but it doesn't appear to be working.
>
>
> I've followed the install and configure instructions:
>
> ./bootstrap.sh
> ./configure
The inner quotes are not escaped.
-- WXS
On Sun, Mar 18, 2018 at 8:24 PM wrote:
> Hi
>
> I ran this rule while learning:
> echo "rule a { strings: $h = "arnav" condition: $h } > a
>
> but when I run
> yara a a
>
> it gives me this error:
> error: syntax error, unexpected
This should show you what is going on:
>>> f = open('/bin/ls', 'rb')
>>> data = f.read()
>>> f.close()
>>> import yara
>>> rules = yara.compile(source='import "pe" rule a { condition: false }')
>>> def foo(data):
...     global resources
...     resources = data.get('number_of_resources')
...
>>>
Sure, I've been using it to unpack and handle config blocks from .NET binaries
using this technique:
https://gist.github.com/wxsBSD/1e518cef545fee7bb991a9dc6c14a0f7
Substitute the dotnet module for the pe module and you will get access to all
the information exposed via the PE module (you
You will need to provide an example. Please include the rule and exact commands
and outputs you're getting when running things. Also, please include versions
of things you're using.
-- WXS
> On Feb 23, 2018, at 9:47 AM, Binaries 4 Breakfast
> wrote:
>
> Sorry,
Can you share the rule and the version of YARA you're using? If true it is a
bug but I suspect it isn't true. I think you may have a local problem.
-- WXS
> On Feb 23, 2018, at 9:45 AM, Binaries 4 Breakfast
> wrote:
>
> Folks, I recently found that a yara-python
The first one is because you don't have the androguard module compiled. The
second one is because you don't have the cuckoo module compiled. The androguard
requirement, which isn't part of YARA (yet?), is documented in their README.
The cuckoo module can be enabled with ./configure
You could do that. You would lose any capabilities based upon most of the
modules (PE, elf, etc). The math module would still work but I'm not sure how
relevant it would be. More importantly I'm not sure what doing this would get
you that running YARA on the original files wouldn't also get
I'm afraid I cannot post the exact files. I'll create a working
>> environment that replicates all the variables required, and I'll post it
>> here when I've gotten this done.
>>
>> On Wednesday, 16 August 2017 at 16:31:35 UTC+2, Wesley Shields wrote:
>>>
>>
I've attempted to replicate it using my own instructions, coupled with your
> misc.yar, and the result is that it works just fine.
>
> So I'm guessing the issue is with my own setup, and I'll continue evaluating
> the specifics and return with a response when I've found the culprit.
>
> Den m
I can't replicate this behavior using 3.5.0 or latest master.
wxs@wxs-mbp yara % cat foo
include "./global.yar"
include "./misc.yar"
wxs@wxs-mbp yara % cat global.yar
global rule fileSizeLimit { condition: filesize < 1KB }
wxs@wxs-mbp yara % cat misc.yar
rule foo { condition: true }
wxs@wxs-mbp
Based upon my understanding I don't think this is expected behavior. Can you
share a minimal proof of concept which shows this happening?
-- WXS
> On May 17, 2017, at 8:18 AM, tofbaas...@gmail.com wrote:
>
> Hello again ,
>
> I'm using yara python to match rules against a lot of files . The
What about this:
wxs@wxs-mbp yara % cat foo
foo
wxs@wxs-mbp yara % cat bar
rule test {
strings:
$a = "foo"
$b = "bar"
condition:
all of them
}
wxs@wxs-mbp yara % ./yara -ns bar foo
test foo
0x0:$a: foo
wxs@wxs-mbp yara %
This prints all rules that DO NOT match and the strings in
I haven't looked at the code, but there is precedent to use pe.overlay.offset
and pe.overlay.size.
-- WXS
> On Aug 15, 2016, at 12:02 AM, Fernando Mercês wrote:
>
> Sorry to reply to an old thread but I had the same need and decided to create
> a patch (discussion at
If you are infected with a rootkit moving YARA into the kernel is not an answer
since the rootkit has full access to muck around with YARA even if it is in the
kernel.
My recommendation is don't run YARA on a system which is potentially
compromised with a rootkit like you describe. If the
>
> Yara rules with jump constructs would make it easy to get code execution in
> the kernel.
>
> On Fri, Mar 18, 2016 at 6:03 AM Wesley Shields <wshie...@gmail.com> wrote:
> If you are infected with a rootkit moving YARA into the kernel is not an
> answer since the ro
What happens if you move the crashing folders off CIF and onto local disk? If
it still crashes can you narrow it down to a single file and rule (or set of
rules) that crash? If you can do that then I can try to replicate and debug
from there.
-- WXS
> On Mar 1, 2016, at 6:19 PM, Patrick Olsen
I don't recall exactly when it was added but probably is in newer versions
than what you have.
-- WXS
On Friday, March 4, 2016, Robert Giczewski <robert.giczew...@gmail.com>
wrote:
> yara 3.2.0
> yara-python 2.0
>
> On Friday, 4 March 2016 14:35:21 UTC+1, Wesley S
On Friday, 4 March 2016 13:59:11 UTC+1, Wesley Shields wrote:
>>
>> I believe there is support for this that was added a while back. Totally
>> untested but I believe it goes like this:
>>
>> for rule in rules:
>>     print(rule.identifier)
>>
>> -- WXS
>>
I think the documentation applies to the most recent release, and it looks like
you may be using the latest master. If that is the case, the yara-python code
now lives in a separate repository.
-- WXS
> On Feb 11, 2016, at 10:26 AM, Geoffrey Van Den Berge
> wrote: