Re: how to output yara rule file information in C language

2021-05-24 Thread Wesley Shields
metas is a pointer to a YR_META structure (https://github.com/VirusTotal/yara/blob/master/libyara/include/yara/types.h#L225). You can see how yara handles it when printing metadata about a rule here: https://github.com/VirusTotal/yara/blob/master/cli/yara.c#L1004 -- WXS > On May 22, 2021, at

Re: Yara rule: how to detect unsupported PE file for Windows 10?

2021-03-09 Thread Wesley Shields
The string you are highlighting is not indicative of a file running on Windows 10 or not. That string is in the DOS stub, which is executed when you try to run the program under DOS. Why this particular file is not running on your system is a different issue but it has nothing to do with that

Re: Learning YARA - hashes not being recognized?

2021-02-22 Thread Wesley Shields
or yara? > > > Jonathan > > On Mon, Feb 22, 2021 at 11:33 AM Wesley Shields <w...@atarininja.org> wrote: > See the warning at the top of > https://yara.readthedocs.io/en/stable/modules/hash.html > <https://yara.readthedocs.io/en/stable/modules/has

Re: Learning YARA - hashes not being recognized?

2021-02-22 Thread Wesley Shields
See the warning at the top of https://yara.readthedocs.io/en/stable/modules/hash.html - all hashes are returned in lowercase. -- WXS > On Feb 22, 2021, at 11:30 AM, Jonathan Livolsi wrote: > > Hi, > > I am going through a lab to learn yara rules and have a simple problem but I > am not

Re: Machine Learning

2021-01-11 Thread Wesley Shields
I'm far from an expert but "these samples cluster around this rule or this subset of rules" is far from machine learning. There's no learning there at all. We have used YARA to extract out features from various documents (specifically things like RTF where you can easily count the number of

Re: Hopefully a simple question

2020-08-10 Thread Wesley Shields
something being detected? > > On Tuesday, 11 August 2020 10:41:48 UTC+10, Wesley Shields wrote: > The format is . > > In your case, YARA matched two rules on the file c:\Temp\yarfile.yar > > -- WXS > >> On Aug 10, 2020, at 8:33 PM, Michael Fry > wrote: >>

Re: Hopefully a simple question

2020-08-10 Thread Wesley Shields
The format is . In your case, YARA matched two rules on the file c:\Temp\yarfile.yar -- WXS > On Aug 10, 2020, at 8:33 PM, Michael Fry wrote: > > Hi All, > > So I have recently been asked to use Yara to scan some servers for some IOCs > and I am using the command line version. > > The yar

Re: Issues - Win2K3 w/ PS Ver:2.0 + YARA 4.0.2

2020-07-31 Thread Wesley Shields
It looks like yara64 won't run because you have a 32bit install of Windows, that can't run 64bit binaries. The problem with yara32 looks like it is permissions, and you don't have access to execute it. Without further information this looks like it has nothing to do with YARA, and is a local

Re: PE rule matches when run under yara-python but not in yara ??!

2020-07-07 Thread Wesley Shields
I can't replicate this - it does not match on 4.0.2 on my system. There is no rule parsing bug here - the same C code is used when compiling rules using yara on the command line or via python. I've had a couple of people tell me something weird is going on when using pip to install yara-python,

Re: Matching only fullword standalone base64 strings (ending in '==') ?

2020-07-07 Thread Wesley Shields
I don't think fullword makes sense here, given that the base64 modifiers are meant to work when the string you're searching for is embedded anywhere in a base64 encoded string. This requires that it strip some leading and trailing bytes. If you want to find it without this behavior just put the

Re: PE module: 'not' logic conditions will match on non-PE files - should pe functions first check if file is PE ?

2020-07-01 Thread Wesley Shields
This is likely due to the change made recently where comparing with UNDEFINED values now evaluates to false. It used to evaluate to UNDEFINED. > But shouldn't pe module conditions check first if the file is a PE header or > valid base PE, then fail if the file isn't ? Functions in the pe

Re: Match On Export Directory Name

2019-06-28 Thread Wesley Shields
a to find samples with the same Export > name, not the name of an exported function. > > Cheers, > Schrodinger. > > On Thursday, June 27, 2019 at 12:40:03 AM UTC+1, Wesley Shields wrote: > Not sure where you got "pilot.dll" from but the file you referenced has one

Re: Match On Export Directory Name

2019-06-26 Thread Wesley Shields
> rule export_name > { > condition: > uint16(0) == 0x5A4D > and > pe.exports("pilot.dll") > } > > Sample I tested with d5c679df69751936d0fa380f2e4bf017 can provide the sample > if you need. > > Cheers. > > On Wednesday,

Re: Match On Export Directory Name

2019-06-25 Thread Wesley Shields
For now you can do: pe.exports("pilot.dll"). -- WXS > On Jun 25, 2019, at 6:21 PM, Schrodinger wrote: > > Hi everyone, > > I was wondering if there is a way to perform matching on the name in the > DIRECTORY_ENTRY_EXPORT in a Portable Executable. Example from the Python > pefile module: >

Re: Yara configure statically with modules

2019-05-03 Thread Wesley Shields
What about: ./configure --enable-static --enable-cuckoo --enable-magic --enable-dotnet -- WXS > On May 3, 2019, at 5:22 AM, Shakarim Utepbergenov > wrote: > > Hello guys, I need to build a executable binary file on Ubuntu 18.04 > i've tried configure with static libs > ./configure

Re: YARA rule to search for a file with a certain name

2018-11-12 Thread Wesley Shields
Filename is not something YARA knows about, nor should it IMO. The filename is a property of the filesystem upon which the file resides, and has no bearing on the content of the file. If you want to use filename in your rule you have to pass it in as an external variable. Check out

Re: './configure --dotnet' doesn't work - 'import dotnet' returns error

2018-11-07 Thread Wesley Shields
It should be --enable-dotnet -- WXS On Wed, Nov 7, 2018 at 2:09 PM wrote: > > Newbie question - The instructions to get .net rules appear to be > straight-forward, but it doesn't appear to be working. > > > I've followed the install and configure instructions: > > ./bootstrap.sh > ./configure

Re: error: syntax error, unexpected '=', expecting _STRING_IDENTIFIER_

2018-03-18 Thread Wesley Shields
The inner quotes are not escaped. -- WXS On Sun, Mar 18, 2018 at 8:24 PM wrote: > Hi > > I ran this rule while learning: > echo "rule a { strings: $h = "arnav" condition: $h } > a > > but when I run > yara a a > > it gives me this error: > error: syntax error, unexpected

Re: Using module_callback more than once

2018-03-13 Thread Wesley Shields
This should show you what is going on: >>> f = open('/bin/ls') >>> data = f.read() >>> f.close() >>> import yara >>> rules = yara.compile(source='import "pe" rule a { condition: false }') >>> def foo(data): ... global resources ... resources = data.get('number_of_resources') ... >>>

Re: Getting information about PE using yara-python

2018-03-12 Thread Wesley Shields
Sure, I've been using it to unpack and handle config blocks from .NET binaries using this technique: https://gist.github.com/wxsBSD/1e518cef545fee7bb991a9dc6c14a0f7 Substitute the dotnet module for the pe module and you will get access to all the information exposed via the PE module (you

Re: Yara-python and Warning for RegEx Reasonable Value for N

2018-02-23 Thread Wesley Shields
You will need to provide an example. Please include the rule and exact commands and outputs you're getting when running things. Also, please include versions of things you're using. -- WXS > On Feb 23, 2018, at 9:47 AM, Binaries 4 Breakfast > wrote: > > Sorry,

Re: Yara-python and Warning for RegEx Reasonable Value for N

2018-02-23 Thread Wesley Shields
Can you share the rule and the version of YARA you're using? If true it is a bug but I suspect it isn't true. I think you may have a local problem. -- WXS > On Feb 23, 2018, at 9:45 AM, Binaries 4 Breakfast > wrote: > > Folks, I recently found that a yara-python

Re: problem compiling yara rules downloaded from yara-rules repository also doing this in Python2.7 using yara-python

2018-02-05 Thread Wesley Shields
The first one is because you don't have the androguard module compiled. The second one is because you don't have the cuckoo module compiled. The androguard requirement, which isn't part of YARA (yet?), is documented in their README. The cuckoo module can be enabled with ./configure

Re: Are raw files necessary for Yara? Can the outputs of "strings" be fed to the yara processor?

2017-11-15 Thread Wesley Shields
You could do that. You would lose any capabilities based upon most of the modules (PE, elf, etc). The math module would still work but I'm not sure how relevant it would be. More importantly I'm not sure what doing this would get you that running YARA on the original files wouldn't also get

Re: Yara not using global rules

2017-08-17 Thread Wesley Shields
I'm afraid I cannot post the exact files. I'll create a working >> environment that replicates all the variables required, and I'll post it >> here when I've gotten this done. >> >> On Wednesday, 16 August 2017 at 16.31.35 UTC+2, Wesley Shields wrote: >>> >>

Re: Yara not using global rules

2017-08-16 Thread Wesley Shields
I've attempted to replicate it using my own instructions, coupled with your > misc.yar, and the result is that it works just fine. > > So I'm guessing the issue is with my own setup, and I'll continue evaluating > the specifics and return with a response when I've found the culprit. > > Den m

Re: Yara not using global rules

2017-08-07 Thread Wesley Shields
I can't replicate this behavior using 3.5.0 or latest master. wxs@wxs-mbp yara % cat foo include "./global.yar" include "./misc.yar" wxs@wxs-mbp yara % cat global.yar global rule fileSizeLimit { condition: filesize < 1KB } wxs@wxs-mbp yara % cat misc.yar rule foo { condition: true } wxs@wxs-mbp

Re: yara python callback function , slow performance

2017-05-17 Thread Wesley Shields
Based upon my understanding I don't think this is expected behavior. Can you share a minimal proof of concept which shows this happening? -- WXS > On May 17, 2017, at 8:18 AM, tofbaas...@gmail.com wrote: > > Hello again , > > I'm using yara python to match rules against a lot of files . The

Re: determining which strings causes a rule to fail

2016-11-21 Thread Wesley Shields
What about this: wxs@wxs-mbp yara % cat foo foo wxs@wxs-mbp yara % cat bar rule test { strings: $a = "foo" $b = "bar" condition: all of them } wxs@wxs-mbp yara % ./yara -ns bar foo test foo 0x0:$a: foo wxs@wxs-mbp yara % This prints all rules that DO NOT match and the strings in

Re: Yara needs overlay offset

2016-08-15 Thread Wesley Shields
I haven't looked at the code, but there is precedent to use pe.overlay.offset and pe.overlay.size. -- WXS > On Aug 15, 2016, at 12:02 AM, Fernando Mercês wrote: > > Sorry to reply to an old thread but I had the same need and decided to create > a patch (discussion at

Re: How about importing yara into kernel space ?

2016-03-19 Thread Wesley Shields
If you are infected with a rootkit moving YARA into the kernel is not an answer since the rootkit has full access to muck around with YARA even if it is in the kernel. My recommendation is don't run YARA on a system which is potentially compromised with a rootkit like you describe. If the

Re: How about importing yara into kernel space ?

2016-03-18 Thread Wesley Shields
> > Yara rules with jump constructs would make it easy to get code execution in > the kernel. > > On Fri, Mar 18, 2016 at 6:03 AM Wesley Shields <wshie...@gmail.com> wrote: > If you are infected with a rootkit moving YARA into the kernel is not an > answer since the ro

Re: Yara - Bus error: 10

2016-03-18 Thread Wesley Shields
What happens if you move the crashing folders off CIF and onto local disk? If it still crashes can you narrow it down to a single file and rule (or set of rules) that crash? If you can do that then I can try to replicate and debug from there. -- WXS > On Mar 1, 2016, at 6:19 PM, Patrick Olsen

Re: [yara-python] How to get the rule name of every compiled rule?

2016-03-04 Thread Wesley Shields
I don't recall exactly when it was added, but it is probably in newer versions than what you have. -- WXS On Friday, March 4, 2016, Robert Giczewski <robert.giczew...@gmail.com> wrote: > yara 3.2.0 > yara-python 2.0 > > On Friday, 4 March 2016 14:35:21 UTC+1, Wesley S wrote

Re: [yara-python] How to get the rule name of every compiled rule?

2016-03-04 Thread Wesley Shields
g, 4 March 2016 13:59:11 UTC+1, Wesley Shields wrote: >> >> I believe there is support for this that was added a while back. Totally >> untested but I believe it goes like this: >> >> for rule in rules: >> print rule.identifier >> >> -- WXS >

Re: No yara-python after make installing

2016-02-11 Thread Wesley Shields
I think the documentation applies to the most recent release, and it looks like you may be using the latest master. If that is the case, the yara-python code now lives in a separate repository. -- WXS > On Feb 11, 2016, at 10:26 AM, Geoffrey Van Den Berge > wrote: