Hi,
Wanted to post here before raising an issue on github project:
*To reproduce:*
import "pe"
rule pe_on_nonpe
{
condition:
not pe.sections[pe.section_index(pe.entry_point)].name contains
".text"
}
Run on non-PE file (e.g. Excel document zip)
yara pe_on_nonpe.yara excel_doc.xlsx
The rule matches on non-PE files
But shouldn't pe module conditions check first if the file is a PE header
or valid base PE, then fail if the file isn't ?
So *pe.sections* implies the file is PE, does check for valid PE first
Regards,
--
You received this message because you are subscribed to the Google Groups
"YARA" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/yara-project/558ba95d-4f7c-4bd7-a8bb-71fab8c97db0o%40googlegroups.com.
