VirusTotal / yara

The pattern matching swiss knife
https://virustotal.github.io/yara/
BSD 3-Clause "New" or "Revised" License

pe.version_info when RT_VERSION doesn't exist #1931

Closed djlukic closed 1 year ago

djlukic commented 1 year ago

Hi,

I am having a weird situation where I am trying to match a sample where, in the condition, I specified `and not pe.version_info["FileDescription"] == "Test"`, and I also tried with `pe.version_info["FileDescription"] != "Test"`, but it doesn't hit because the RT_VERSION resource doesn't exist. Is it intended that `and not` or `!=` won't have a match when RT_VERSION doesn't exist?

Thanks!

cherepanov74 commented 1 year ago

`version_info` can be YR_UNDEFINED. Try to use something like this: `and (not defined pe.version_info["FileDescription"] or not (pe.version_info["FileDescription"] matches /Test/) )`
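The behaviour discussed above, written out as complete rules. This is an added example, not part of the thread or the YARA project's own code. The rule names and the `uint16(0) == 0x5A4D` MZ check are assumptions chosen for illustration; `"Test"` is the value from the question.

```yara
import "pe"

// Naive form from the question. On a PE with no RT_VERSION resource the
// lookup pe.version_info["FileDescription"] is undefined. "==" on an
// undefined operand is undefined, "not" of undefined is still undefined,
// and "and" treats an undefined operand as false, so this never matches
// such a file. Replacing "not ... ==" with "!=" behaves the same way.
rule FileDescription_Not_Test_Naive
{
    condition:
        uint16(0) == 0x5A4D and
        not pe.version_info["FileDescription"] == "Test"
}

// Guarded form following the answer. "defined" returns a real boolean, so
// the first branch is true when the key is absent. When the key is present
// the second branch does the comparison. "or" treats an undefined right
// operand as false, which is harmless here because the left side is
// already true in that case.
rule FileDescription_Not_Test_Guarded
{
    condition:
        uint16(0) == 0x5A4D and
        (
            not defined pe.version_info["FileDescription"] or
            pe.version_info["FileDescription"] != "Test"
        )
}

// Variant for hunting only the files that carry no FileDescription at all
// (for example, because RT_VERSION is missing).
rule FileDescription_Absent
{
    condition:
        uint16(0) == 0x5A4D and
        not defined pe.version_info["FileDescription"]
}
```

The guarded rule uses an exact `!=` comparison, while the answer's `matches /Test/` is an unanchored regex that also excludes any description merely containing "Test".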

djlukic commented 1 year ago

Thank you!