VirusTotal / yara-x

A rewrite of YARA in Rust.
https://virustotal.github.io/yara-x/
BSD 3-Clause "New" or "Revised" License

PE Module: YARA vs YARA-X #142

Closed xorhex closed 3 months ago

xorhex commented 3 months ago

yr treats pe.dll_name == "" differently than yara. Yara will find a match, whereas yr won't match on it.

import "pe"

rule empty_dllname
{
    condition:
        pe.dll_name == ""
}

test hash: f30b9f6e913798ca52154c88725ee262a7bf92fe7caac1ae2e5147e457b9b08a

When using yara -D, the dump shows dll_name = "", whereas yr dump does not show any dll_name field.

plusvic commented 3 months ago

I'm thinking about what's the best solution here. Allow empty DLL names in YARA-X? Or fix YARA to make it behave like YARA-X? Changing YARA implies that this will be a backward incompatible change, so I'm wondering if this is a real-life rule that would be broken or just an example to illustrate the bug?

xorhex commented 3 months ago

This was 1 of 3 conditions of a rule I'm using to track a malware family, so it does break my detection; however, I can switch that condition to be something like this when using yr:

rule undefined_dllname
{
    condition:
        not defined pe.dll_name
}

Guess my question is, is there a difference between the field existing with an empty value versus the field not existing at all? From a detection standpoint, those could mean two different things - but I'm no PE format wizard either.

plusvic commented 3 months ago

I've decided to maintain backward compatibility with YARA. The difference between empty values and non-existent fields is subtle. A relative virtual address (RVA) in the file header points to the DLL name. If this RVA is incorrect (i.e. it can't be translated into a file offset), we can't determine the DLL name and the field will be missing. On the other hand, the RVA can point to a valid file offset containing a 0, which will be interpreted as the NUL terminator of an empty string. In those cases the DLL name will be empty.
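As an added illustration of the distinction described in the comment above (this is not yara-x's own code), the following Python model walks through the RVA lookup: an RVA that no section maps yields an undefined field (`None`), while an RVA that lands on a NUL byte yields an empty string, and the two rule conditions from the issue react differently to each. The section layout and file bytes are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Section:
    """Subset of IMAGE_SECTION_HEADER fields needed for RVA translation."""
    virtual_address: int
    virtual_size: int
    pointer_to_raw_data: int
    size_of_raw_data: int

def rva_to_offset(sections: List[Section], rva: int) -> Optional[int]:
    """Translate an RVA to a file offset; None if no section maps it."""
    for s in sections:
        if s.virtual_address <= rva < s.virtual_address + s.virtual_size:
            delta = rva - s.virtual_address
            # Inside the virtual range but past the raw data: not in the file.
            if delta >= s.size_of_raw_data:
                return None
            return s.pointer_to_raw_data + delta
    return None

def read_dll_name(data: bytes, sections: List[Section], name_rva: int) -> Optional[str]:
    """None = field undefined (RVA untranslatable); '' = RVA points at a NUL."""
    offset = rva_to_offset(sections, name_rva)
    if offset is None or offset >= len(data):
        return None
    end = data.find(b"\x00", offset)
    if end == -1:
        return None  # unterminated string running off the end of the file
    return data[offset:end].decode("ascii", errors="replace")

def evaluate_conditions(dll_name: Optional[str]) -> dict:
    """Evaluate both conditions from the issue against the parsed value."""
    return {
        "empty_dllname": dll_name is not None and dll_name == "",  # pe.dll_name == ""
        "undefined_dllname": dll_name is None,                      # not defined pe.dll_name
    }

# Constructed sample: one section at RVA 0x1000 backed by file offset 0x200.
SECTIONS = [Section(0x1000, 0x100, 0x200, 0x100)]
DATA = bytearray(0x300)
DATA[0x200:0x20A] = b"EXPORT.dll"   # NUL terminator already present at 0x20A
# Offset 0x210 (RVA 0x1010) is left as a 0 byte: a NUL-terminated empty string.
FILE = bytes(DATA)

NAME_OK = read_dll_name(FILE, SECTIONS, 0x1000)     # "EXPORT.dll"
NAME_EMPTY = read_dll_name(FILE, SECTIONS, 0x1010)  # ""
NAME_BAD = read_dll_name(FILE, SECTIONS, 0x9000)    # None: no section maps this RVA
```

Only `NAME_EMPTY` satisfies `empty_dllname`, and only `NAME_BAD` satisfies `undefined_dllname`, which is why the two rules in the thread are not interchangeable.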