VirusTotal / yara

The pattern matching swiss knife
https://virustotal.github.io/yara/
BSD 3-Clause "New" or "Revised" License

Not equal to condition matching logic #1939

Closed djlukic closed 1 year ago

djlukic commented 1 year ago

Hi,

I am trying to write a rule where the idea is to match samples without RT_VERSION info, but I am having problems with the matching logic. I know that there is a precedence list in the documentation, but I can't quite understand how it works.

This is the example condition:

uint16(0) == 0x5A4D
and for any i in (0..pe.number_of_resources - 1) : (
            pe.resources[i].type != pe.RESOURCE_TYPE_VERSION
)

With the condition above it matches a sample that has the VERSION resource which is not intended.

When I try with and not and equal to instead of not equal to, I get the intended result.

uint16(0) == 0x5A4D
and not for any i in (0..pe.number_of_resources - 1) : (
            pe.resources[i].type == pe.RESOURCE_TYPE_VERSION
)

What is going on here?

Thanks!

wxsBSD commented 1 year ago

Without knowing exactly what file you're testing with but...

for any i in (0..pe.number_of_resources - 1) : (
            pe.resources[i].type != pe.RESOURCE_TYPE_VERSION
)

That will match on any resource that does not have that specific type. My guess is you are testing on a file that has multiple resources where one is a version and at least one is not. It is finding the one that is not a version and the loop is evaluating to true. If you want to make sure there are no version resources you can do your second statement, or a logically equivalent statement would be:

for all i in (0..pe.number_of_resources - 1) : (
            pe.resources[i].type != pe.RESOURCE_TYPE_VERSION
)
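
The three conditions from this thread written out as complete, compilable rules so they can be run side by side with the yara CLI; this is an added example, not code from the issue, and the rule names are my own.

```yara
import "pe"

// "for any ... !=" is true as soon as ONE resource is not a version
// resource, so a file carrying an icon plus a version resource still
// matches. This is the condition that surprised the reporter.
rule any_resource_not_version
{
    condition:
        uint16(0) == 0x5A4D and
        for any i in (0..pe.number_of_resources - 1) : (
            pe.resources[i].type != pe.RESOURCE_TYPE_VERSION
        )
}

// Intended logic: there is no resource whose type is VERSION.
rule no_version_resource_not_any
{
    condition:
        uint16(0) == 0x5A4D and
        not for any i in (0..pe.number_of_resources - 1) : (
            pe.resources[i].type == pe.RESOURCE_TYPE_VERSION
        )
}

// Logically equivalent form (De Morgan): every resource is a non-version
// resource. Both of these rules reject a file with a mixed resource set.
rule no_version_resource_all
{
    condition:
        uint16(0) == 0x5A4D and
        for all i in (0..pe.number_of_resources - 1) : (
            pe.resources[i].type != pe.RESOURCE_TYPE_VERSION
        )
}
```

Running `yara rules.yar sample.exe` against a PE with both an icon and a VERSION resource lists only the first rule, which is exactly the false positive described above.
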

djlukic commented 1 year ago

Yes, I tried to match a sample with multiple resource types present. Lesson learned, it was bad logic that I used.

I guess then that the logic in the 2nd rule with and not is correct.

Thanks for the reply!