Yara Corrupt Imports
Author: David Zimmer
Date: 03.11.20 - 6:28am
When Yara encounters a corrupted import table, it parses as far as it can and skips whatever it cannot read.
This can leave things like pe.imphash() and pe.number_of_imports in inconsistent states, with no way for a rule to tell that errors were encountered.
I have submitted a proposed addition that would allow you to detect these errors through a new pe.import_errors member.
Since corrupt files can easily throw your signatures for a loop, but still be flagged by AV as malicious, corruption detection is a useful feature.
While researching this issue I also ended up adding a dll_imports array to get more insight into what's going on.

    begin_struct_array("dll_imports");
        declare_string("name");
        declare_integer("funcCount");
    end_struct("dll_imports");

This, along with my dbg extension, allows you to dump the partial info and watch it with a Yara rule such as the following:
All of these extensions are already available in the latest Yara Workbench.
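To show what "parse as far as you can, but count the errors" looks like in practice, here is an added example (not the author's code and not part of Yara) that walks a PE-style import directory, collects the same per-DLL name/funcCount view the dll_imports array exposes, computes an imphash-style string, and keeps an import_errors counter instead of silently skipping bad entries. It simplifies a real PE by treating RVAs as offsets into one flat buffer (an assumption made so the sample runs offline); the two sample buffers, one clean and one with a DLL name RVA pointing outside the file, are constructed inline.

```python
import hashlib
import struct

# IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
DESC_SIZE = 20


def read_cstr(buf, off, max_len=256):
    """NUL-terminated ASCII string at off, or None if out of range / unterminated / non-ASCII."""
    if off < 0 or off >= len(buf):
        return None
    end = buf.find(b"\x00", off, off + max_len)
    if end == -1:
        return None
    try:
        return buf[off:end].decode("ascii")
    except UnicodeDecodeError:
        return None


def parse_imports(buf, import_dir_rva):
    """Walk the import directory. Assumption: RVA == offset in this flat buffer.
    Returns dll_imports (name + funcCount per DLL), import_errors and an imphash-style digest."""
    result = {"dll_imports": [], "import_errors": 0}
    parts = []
    off = import_dir_rva
    while True:
        if off + DESC_SIZE > len(buf):
            result["import_errors"] += 1  # descriptor table runs past the end of the file
            break
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", buf, off)
        off += DESC_SIZE
        if name_rva == 0 and ft == 0:
            break  # all-zero terminating descriptor
        name = read_cstr(buf, name_rva)
        if name is None:
            # Skip the unreadable DLL entry (as a lenient parser would), but record that we did.
            result["import_errors"] += 1
            continue
        thunk = oft or ft
        funcs = []
        while True:
            if thunk + 4 > len(buf):
                result["import_errors"] += 1  # thunk array runs past the end of the file
                break
            entry = struct.unpack_from("<I", buf, thunk)[0]
            thunk += 4
            if entry == 0:
                break
            if entry & 0x80000000:
                funcs.append("ord%d" % (entry & 0xFFFF))  # import by ordinal
                continue
            fn = read_cstr(buf, entry + 2)  # IMAGE_IMPORT_BY_NAME: 2-byte hint, then name
            if fn is None:
                result["import_errors"] += 1
                break
            funcs.append(fn)
        result["dll_imports"].append({"name": name, "funcCount": len(funcs)})
        base = name.lower().rsplit(".", 1)[0]  # imphash drops the file extension
        parts.extend("%s.%s" % (base, f.lower()) for f in funcs)
    result["number_of_imports"] = len(result["dll_imports"])
    result["imphash"] = hashlib.md5(",".join(parts).encode()).hexdigest()
    return result


def build_sample(corrupt=False):
    """Constructed sample: descriptors at offset 0, strings/thunks after them.
    corrupt=True points the second DLL's name RVA outside the buffer."""
    blobs = bytearray()

    def add(data):
        off = 3 * DESC_SIZE + len(blobs)
        blobs.extend(data)
        return off

    k32 = add(b"KERNEL32.dll\x00")
    hn_lla = add(b"\x00\x00LoadLibraryA\x00")
    hn_gpa = add(b"\x00\x00GetProcAddress\x00")
    thunk1 = add(struct.pack("<III", hn_lla, hn_gpa, 0))
    user32 = add(b"USER32.dll\x00")
    hn_mb = add(b"\x00\x00MessageBoxA\x00")
    thunk2 = add(struct.pack("<II", hn_mb, 0))
    name2 = 0xFFFF0000 if corrupt else user32
    descs = struct.pack("<IIIII", thunk1, 0, 0, k32, thunk1)
    descs += struct.pack("<IIIII", thunk2, 0, 0, name2, thunk2)
    descs += b"\x00" * DESC_SIZE
    return bytes(descs) + bytes(blobs)


if __name__ == "__main__":
    for label, sample in (("clean", build_sample()), ("corrupt", build_sample(corrupt=True))):
        r = parse_imports(sample, 0)
        print(label, r["number_of_imports"], r["import_errors"], r["imphash"], r["dll_imports"])
```

With the corrupt buffer the parser still returns one DLL and a valid-looking imphash, exactly the situation the post describes; the only thing that distinguishes it from a clean file is the non-zero import_errors value, which is what a rule would key on before trusting pe.imphash() or pe.number_of_imports.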