VirusTotal / yara-x

A rewrite of YARA in Rust.
https://virustotal.github.io/yara-x/
BSD 3-Clause "New" or "Revised" License
631 stars, 50 forks

dotnet module breaks after 8000 strings #138

Closed ddash-ct closed 3 months ago

ddash-ct commented 3 months ago

The dotnet module seems to crash and end processing if a binary contains more than 8000 user strings, such as https://www.virustotal.com/gui/file/67984703c89ee30cadaa8d7dd5c1a0e9f7f5d096ab0d6d03fdb01115780fa7c3.

plusvic commented 3 months ago

What do you mean by "crash"? I'm testing with both YARA and YARA-X, and they are extracting 8001 strings from that file without crashes.

ddash-ct commented 3 months ago

Sorry for the lack of clarity; it seems I was mistaken about what is going wrong. What I meant was that it doesn't finish processing using the dotnet module, such as extracting/identifying classes, constants, etc. On an initial look it seemed like it was a threshold on the number of user strings, but that clearly was incorrect.

That sample should have 12,890 methods in 1,718 classes, but YARA reports the following:


    number_of_streams: 5
    number_of_guids: 1
    number_of_resources: 0
    number_of_classes: 0
    number_of_assembly_refs: 0
    number_of_modulerefs: 0
    number_of_user_strings: 8001
    number_of_constants: 0
    number_of_field_offsets: 0
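A rule that surfaces this failure mode at scan time, added here as an example and not part of the issue or of the yara-x project: it fires when the dotnet module reports a large user-string count alongside zero classes, assembly refs and constants, the combination shown in the output above. Any rule that keys on `dotnet.classes` would silently miss such a sample, so flagging the inconsistency during triage tells an analyst the metadata tables were not parsed rather than absent. The threshold of 1000 user strings is an assumed triage cutoff, not a value from the page.

```yara
import "dotnet"

// Added example: flag .NET files where the dotnet module parsed the
// #US heap (user strings) but reported no metadata tables at all.
// Such a file is more likely to be a parser failure than a genuine
// assembly with no classes, so rules depending on dotnet.classes
// cannot be trusted for it.
rule dotnet_metadata_tables_missing
{
    meta:
        description = "dotnet module reports user strings but no classes/refs/constants"
        purpose     = "triage: detect likely incomplete dotnet metadata parsing"

    condition:
        dotnet.is_dotnet and
        dotnet.number_of_user_strings > 1000 and   // assumed triage cutoff
        dotnet.number_of_classes == 0 and
        dotnet.number_of_assembly_refs == 0 and
        dotnet.number_of_constants == 0
}
```

Run it with `yr scan rule.yar sample.exe`; for the file described in this issue the condition holds (8001 user strings, 0 classes, 0 assembly refs, 0 constants), while a normally parsed assembly with a few thousand strings will also report a non-zero class count and not match.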