Yara Undefined values
Author: David Zimmer
Date: 02.25.20 - 10:14am

In the yara pe module, anything that is not explicitly set is initialized with the value UNDEFINED. An UNDEFINED operand makes the part of the condition it appears in (an and/or clause, a comparison, a not, etc.) evaluate to false, but there is no explicit way to test for the undefined value itself. So what if you want to test whether the rich_signature exists or not?

The only way I have found to do this is to wrap it into its own distinct rule, which then gets properly cast to a boolean that you can work with:

    import "pe"

    private rule richHeaderExists {
        condition:
            pe.rich_signature.offset
    }

    rule noRichHeader {
        condition:
            not richHeaderExists
    }

If you are up for modifying the yara source, you can also add a new function such as the following, which I added to pe.c:

    // declaration (goes with the module's other declare_* calls):
    //   declare_function("isdef", "s", "i", isdef);
    // ex: pe.dbg(pe.isdef("rich_signature.offset"))
    //     pe.dbg(pe.isdef("number_of_signatures"))
    define_function(isdef)
    {
      YR_OBJECT* module = module();    // the pe module object
      char* txt = string_argument(1);  // field path passed in from the rule

      // 1 if the named field holds a defined value, 0 if it is UNDEFINED
      if (yr_object_has_undefined_value(module, txt)) {
        return_integer(0);
      } else {
        return_integer(1);
      }
    }
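The wrapper-rule pattern above generalizes to any pe field that may be UNDEFINED: put each "does this exist" check in its own private rule, then combine the resulting booleans freely. The ruleset below is an added example, not code from the original post; the rule names and the meta text are my own. Note that a direct `not pe.rich_signature.offset` would never match, because `not UNDEFINED` is still UNDEFINED and therefore false, which is exactly what the wrapper avoids. (YARA 4.2.0 and later also offer a built-in `defined` operator for this purpose, so the wrapper is only needed on older builds.)

```yara
import "pe"

// Each private rule turns a possibly-UNDEFINED field into a clean boolean:
// if the field is UNDEFINED the rule simply does not match (false).
private rule has_rich_header {
    condition:
        pe.is_pe and pe.rich_signature.offset
}

// pe.number_of_signatures is only declared in YARA builds with libcrypto;
// on other builds this rule will not compile.
private rule has_authenticode {
    condition:
        pe.is_pe and pe.number_of_signatures > 0
}

// The booleans from the private rules can now be negated and combined.
rule pe_no_rich_header_unsigned {
    meta:
        description = "PE with neither a Rich header nor an Authenticode signature (added example)"
    condition:
        pe.is_pe and not has_rich_header and not has_authenticode
}

rule pe_rich_header_and_signed {
    meta:
        description = "PE carrying both a Rich header and at least one signature (added example)"
    condition:
        has_rich_header and has_authenticode
}

// Without the wrapper this condition can never match: the negation of an
// UNDEFINED value is UNDEFINED, which evaluates to false.
rule pe_no_rich_header_broken {
    meta:
        description = "Counter-example: never matches for files lacking a Rich header"
    condition:
        pe.is_pe and not pe.rich_signature.offset
}
```

Run it with `yara -s rules.yar sample.exe`; only the wrapped rules report files that lack the Rich header, while `pe_no_rich_header_broken` stays silent for exactly those files.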