Hi,
I couldn't reproduce it here.
$ cat test_odd_pe_py_match.yara
import "pe"
rule Odd_PE_Entry_Point
{
condition:
uint16(0) == 0x5a4d and
((pe.entry_point >= pe.sections[pe.number_of_sections - 1].raw_data_offset) or
(not pe.sections[pe.section_index(pe.entry_point)].name contains ".text"))
}
$ yara -v
4.0.2
$ yara test_odd_pe_py_match.yara 154f5cbaafabba2133f8f4578c7e25f3d42d18ff7fc61fab005436d63a3cfee8
$ python3
Python 3.7.8 (default, Jul 4 2020, 10:17:17)
[Clang 11.0.3 (clang-1103.0.32.62)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> import yara
>>> scan = yara.compile("./test_odd_pe_py_match.yara")
>>> scan.match(filepath="154f5cbaafabba2133f8f4578c7e25f3d42d18ff7fc61fab005436d63a3cfee8")
[]
>>> yara.__version__
'3.10.0'
What's the yara-python version you're using?
Regards,
Fernando Mercês <https://twitter.com/mer0x36> | menteb.in
On Tue, Jul 7, 2020 at 3:10 PM Wes Hurd <[email protected]> wrote:
> Hi,
>
> This is running with the following versions on macOS 10.14.6:
>
> yara 4.0.2 (homebrew)
> yara-python 4.0.2 (pip)
> Python 3.7.7
>
> I'm having a really weird case where a rule using the pe module is
> unexpectedly matching certain files when run under yara-python, but not
> matching if running the yara binary directly.
>
> Running on this PE file:
> https://www.virustotal.com/gui/file/154f5cbaafabba2133f8f4578c7e25f3d42d18ff7fc61fab005436d63a3cfee8/details
>
> "test_odd_pe_py_match.yara":
> import "pe"
> rule Odd_PE_Entry_Point
> {
> condition:
> uint16(0) == 0x5a4d and
> ((pe.entry_point >= pe.sections[pe.number_of_sections - 1].raw_data_offset) or
> (not pe.sections[pe.section_index(pe.entry_point)].name contains ".text"))
> }
>
>
>
> Python:
> import yara
> #print(yara.__version__)
>
> try:
>     scan = yara.compile("./test_odd_pe_py_match.yara")
> except yara.Error as e:
>     print("YARA compile error:", e)
>     raise  # stop here; otherwise scan is undefined below
>
> matches = scan.match(filepath="154f5cbaafabba2133f8f4578c7e25f3d42d18ff7fc61fab005436d63a3cfee8.exe")
> print(matches)
>
> [Odd_PE_Entry_Point]
>
>
>
> yara bin:
> $ yara test_odd_pe_py_match.yara 154f5cbaafabba2133f8f4578c7e25f3d42d18ff7fc61fab005436d63a3cfee8.exe
>
> $
> No matches
>
>
> Can someone tell what's going on here?
> It seems to me there is some sort of either rule parsing bug under Python,
> or a race condition that causes the Python run to match when the binary
> doesn't.
>
> Thanks,
>
> --
> You received this message because you are subscribed to the Google Groups
> "YARA" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/yara-project/48c4b198-182b-4f28-aecd-90db120ef1c8o%40googlegroups.com
> <https://groups.google.com/d/msgid/yara-project/48c4b198-182b-4f28-aecd-90db120ef1c8o%40googlegroups.com?utm_medium=email&utm_source=footer>
> .
>
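An added cross-check, not code from this thread or from the YARA project: a dependency-free Python script that parses a PE header by hand and evaluates the same condition as Odd_PE_Entry_Point, so that when two YARA builds disagree on a file you can compare both verdicts against an independent reading of the headers. It assumes, as the YARA documentation describes for file scanning, that pe.entry_point is the raw file offset of AddressOfEntryPoint (RVA mapped through the section table) and that pe.section_index() is resolved against that raw offset; where YARA would see an undefined value (entry point inside no section), the function returns None, which the rule treats as no match. The build_pe() helper and SAMPLE_SECTIONS are constructed test inputs, not the sample discussed in the thread.

```python
import struct

OPT_MAGIC_PE32 = 0x10B   # assumption: PE32 images; AddressOfEntryPoint sits at the same offset in PE32+
OPT_HDR_SIZE = 0xE0      # SizeOfOptionalHeader for a PE32 image

# Constructed section layout: (name, VirtualAddress, SizeOfRawData, PointerToRawData)
SAMPLE_SECTIONS = [(".text", 0x1000, 0x200, 0x400), (".rsrc", 0x2000, 0x200, 0x600)]


def build_pe(entry_rva, sections):
    """Build a minimal PE32 image in memory (constructed test input, not a real sample)."""
    pe_off = 0x40
    dos = bytearray(pe_off)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, pe_off)               # e_lfanew
    # PE\0\0, Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<IHHIIIHH", 0x4550, 0x14C, len(sections), 0, 0, 0, OPT_HDR_SIZE, 0x102)
    opt = bytearray(OPT_HDR_SIZE)
    struct.pack_into("<H", opt, 0, OPT_MAGIC_PE32)
    struct.pack_into("<I", opt, 16, entry_rva)               # AddressOfEntryPoint
    # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, then 16 zero bytes
    sect_tbl = b"".join(
        struct.pack("<8sIIII", name.encode(), raw_size, va, raw_size, raw_off) + b"\0" * 16
        for name, va, raw_size, raw_off in sections
    )
    hdr = bytes(dos) + coff + bytes(opt) + sect_tbl
    end = max(off + size for _, _, size, off in sections)
    return hdr.ljust(end, b"\0")


def parse_pe(data):
    """Return (AddressOfEntryPoint, [section dicts]) from a PE file image."""
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsec = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    opt_off = pe_off + 24
    entry_rva = struct.unpack_from("<I", data, opt_off + 16)[0]
    sect_off = opt_off + opt_size
    sections = []
    for i in range(nsec):
        name, vsize, va, rsize, roff = struct.unpack_from("<8sIIII", data, sect_off + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "va": va,
                         "vsize": vsize, "raw_size": rsize, "raw_offset": roff})
    return entry_rva, sections


def rva_to_offset(rva, sections):
    """Map an RVA to a raw file offset via the section table (None if unmapped)."""
    for s in sections:
        span = max(s["vsize"], s["raw_size"])
        if s["va"] <= rva < s["va"] + span:
            return rva - s["va"] + s["raw_offset"]
    return None


def section_index(offset, sections):
    """Index of the section whose raw data contains the file offset (None if none does)."""
    for i, s in enumerate(sections):
        if s["raw_offset"] <= offset < s["raw_offset"] + s["raw_size"]:
            return i
    return None


def odd_entry_point(data):
    """Evaluate the thread's rule condition on a file image.

    Mirrors:  uint16(0) == 0x5a4d and
              (pe.entry_point >= pe.sections[pe.number_of_sections - 1].raw_data_offset
               or not pe.sections[pe.section_index(pe.entry_point)].name contains ".text")
    Returns True/False for a definite verdict, None where YARA would hold an undefined value.
    """
    if data[:2] != b"MZ":
        return False
    try:
        entry_rva, sections = parse_pe(data)
    except (ValueError, struct.error):
        return None                                         # not a PE: pe.* is undefined
    if not sections:
        return None
    entry_off = rva_to_offset(entry_rva, sections)          # assumption: pe.entry_point is this raw offset
    if entry_off is None:
        return None
    if entry_off >= sections[-1]["raw_offset"]:
        return True
    idx = section_index(entry_off, sections)
    if idx is None:
        return None
    return ".text" not in sections[idx]["name"]


if __name__ == "__main__":
    for label, rva, secs in [("entry in .text", 0x1010, SAMPLE_SECTIONS),
                             ("entry in last section", 0x2010, SAMPLE_SECTIONS),
                             ("entry in section named CODE", 0x1010,
                              [("CODE", 0x1000, 0x200, 0x400), (".rsrc", 0x2000, 0x200, 0x600)]),
                             ("entry outside every section", 0x5000, SAMPLE_SECTIONS)]:
        print(f"{label}: {odd_entry_point(build_pe(rva, secs))}")
```

To apply it to the file from the thread, call odd_entry_point(open(path, "rb").read()) and compare the result with what each YARA build reports. When comparing builds, note that yara-python exposes yara.YARA_VERSION (the libyara it was linked against) alongside yara.__version__; the former is the number to set against `yara -v`.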