Closed xorhex closed 3 months ago
I'm thinking about what's the best solution here. Allow empty DLL names in YARA-X? Or fix YARA to make it behave as YARA-X? Changing YARA implies that this will be a backward-incompatible change, so I'm wondering if this is a real-life rule that would be broken, or just an example to illustrate the bug?
This was 1 of 3 conditions of a rule I'm using to track a malware family, so it does break my detection; however, I can switch that condition to be something like this when using yr:
rule undefined_dllname
{
condition:
not defined pe.dll_name
}
Guess my question is, is there a difference between the field existing with an empty value versus the field not existing at all? From a detection standpoint, those could mean two different things - but I'm no PE format wizard either.
I've decided to maintain backward compatibility with YARA. The difference between empty values versus non-existing fields is subtle. A relative virtual address (RVA) in the file header points to the DLL name. If this RVA is incorrect (i.e. it can't be translated into a file offset) we can't determine the DLL name and the field will be missing. On the other hand, the RVA can point to a valid file offset containing a 0, which will be interpreted as the NULL terminator of an empty string. In those cases the DLL name will be empty.
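As an added example of the distinction described above (my own code, not from the YARA or YARA-X projects): a small Python parser that walks the section table to translate the export directory's Name RVA into a file offset, and returns None when the RVA does not translate (the field is missing), an empty string when it lands on a NUL byte, or the name itself. build_pe constructs minimal PE32 files with each of the three layouts; the function names, the single-section layout and the sample inputs are my own choices, and the hash from the issue is not used.

```python
import struct
from typing import Iterator, Optional, Tuple

SECTION_HDR_SIZE = 40
EXPORT_DIR_SIZE = 40          # sizeof(IMAGE_EXPORT_DIRECTORY)
EXPORT_NAME_FIELD_OFF = 12    # offset of the Name RVA inside IMAGE_EXPORT_DIRECTORY


def _nt_headers(data: bytes) -> Tuple[int, int, int]:
    """Return (coff_header_off, optional_header_off, section_table_off)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    return coff, coff + 20, coff + 20 + opt_size


def _sections(data: bytes) -> Iterator[Tuple[int, int, int, int]]:
    """Yield (VirtualAddress, VirtualSize, SizeOfRawData, PointerToRawData) per section."""
    coff, _, sec_table = _nt_headers(data)
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    for i in range(num_sections):
        off = sec_table + i * SECTION_HDR_SIZE
        vsize, va, rsize, rptr = struct.unpack_from("<IIII", data, off + 8)
        yield va, vsize, rsize, rptr


def rva_to_offset(data: bytes, rva: int) -> Optional[int]:
    """Translate an RVA into a file offset; None when no section maps it
    or when the mapped offset lies past the end of the file."""
    for va, vsize, rsize, rptr in _sections(data):
        if va <= rva < va + max(vsize, rsize):
            off = rva - va + rptr
            return off if off < len(data) else None
    return None


def export_dll_name(data: bytes) -> Optional[str]:
    """Three outcomes, mirroring the thread:
       None -> no export directory, or the Name RVA cannot be translated (field missing)
       ""   -> the Name RVA lands on a NUL byte (field present but empty)
       str  -> a real name"""
    _, opt, _ = _nt_headers(data)
    magic = struct.unpack_from("<H", data, opt)[0]
    datadir_off = 96 if magic == 0x10B else 112          # PE32 vs PE32+
    export_rva = struct.unpack_from("<I", data, opt + datadir_off)[0]  # directory 0 = exports
    if export_rva == 0:
        return None
    dir_off = rva_to_offset(data, export_rva)
    if dir_off is None or dir_off + EXPORT_DIR_SIZE > len(data):
        return None
    name_rva = struct.unpack_from("<I", data, dir_off + EXPORT_NAME_FIELD_OFF)[0]
    name_off = rva_to_offset(data, name_rva)
    if name_off is None:
        return None
    end = data.find(b"\0", name_off)
    return data[name_off:end if end != -1 else len(data)].decode("latin-1")


def evaluate_conditions(data: bytes) -> dict:
    """How the two rule conditions from the thread evaluate on this file."""
    name = export_dll_name(data)
    return {'pe.dll_name == ""': name == "", "not defined pe.dll_name": name is None}


def build_pe(name_rva: int, rdata: bytes) -> bytes:
    """Constructed test input (not a real sample): a minimal PE32 with one section at
    RVA 0x1000 / file offset 0x200 holding an export directory whose Name field is
    name_rva, followed by rdata."""
    sec_va, sec_raw = 0x1000, 0x200
    export_dir = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, name_rva, 1, 0, 0, 0, 0, 0)
    section = export_dir + rdata
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    opt = (struct.pack("<HBB", 0x10B, 0, 0)
           + struct.pack("<9I", 0, 0, 0, 0, sec_va, sec_va, 0x400000, 0x1000, 0x200)
           + struct.pack("<6H", 0, 0, 0, 0, 0, 0)
           + struct.pack("<4I", 0, 0x2000, sec_raw, 0)
           + struct.pack("<HH", 2, 0)
           + struct.pack("<6I", 0x100000, 0x1000, 0x100000, 0x1000, 0, 16))
    datadirs = struct.pack("<II", sec_va, len(export_dir)) + b"\0" * (8 * 15)
    sechdr = struct.pack("<8sIIIIIIHHI", b".rdata", len(section), sec_va,
                         len(section), sec_raw, 0, 0, 0, 0, 0x40000040)
    headers = dos + b"PE\0\0" + coff + opt + datadirs + sechdr
    return headers.ljust(sec_raw, b"\0") + section


if __name__ == "__main__":
    named = build_pe(0x1000 + EXPORT_DIR_SIZE, b"evil.dll\0")
    empty = build_pe(0x1000 + EXPORT_DIR_SIZE, b"\0")      # RVA points at a NUL byte
    broken = build_pe(0x9000, b"evil.dll\0")               # RVA outside every section
    for label, blob in (("named", named), ("empty", empty), ("broken", broken)):
        print(label, repr(export_dll_name(blob)), evaluate_conditions(blob))
```

The "empty" and "broken" inputs differ only in the Name RVA, yet one satisfies pe.dll_name == "" and the other not defined pe.dll_name; a rule that wants to catch both has to test both.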
yr treats pe.dll_name == "" differently than yara. Yara will find a match whereas yr won't match on it.
Test hash: f30b9f6e913798ca52154c88725ee262a7bf92fe7caac1ae2e5147e457b9b08a
When using yara -D it shows dll_name = "" whereas yr dump does not show any dll_name field.