VirusTotal / yara

The pattern matching swiss knife
https://virustotal.github.io/yara/
BSD 3-Clause "New" or "Revised" License

Target samples that have no version_info #2023

Open Tigzy opened 7 months ago

Tigzy commented 7 months ago

Hi, I'd like to target a sample that has no version_info defined. It looks like the way it's designed there's no way to do something like pe.version_info_list.size == 0. Is this something you could consider adding? Unless there's a workaround in the current version?


djlukic commented 6 months ago

@Tigzy I asked about it some time ago, is this what you wanted to do? https://github.com/VirusTotal/yara/issues/1931

Tigzy commented 6 months ago

@djlukic thanks, yes, it may work. Though I'm not sure "not defined" also means empty string? I'm trying to target PEs that have no version_info block defined at all, i.e. where RT_VERSION does not exist.

djlukic commented 4 months ago

@Tigzy I stumbled upon an AutoIt script and the rule I tried didn't hit. I found that pe.number_of_signatures == 0 prevented detection because, obviously, it was not a PE file. So you must take into consideration what happens if version info is missing and, as in my example, use PE-related conditions only on PE files.

Once I put not defined pe.number_of_signatures == 0, there was a detection on that script file. I learned that whenever I want to check signatures I must use uint16(0) == 0x5A4D and pe.number_of_signatures == 0 together.
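As an added example (not from this thread or the YARA project), one way to express what Tigzy is after, a PE that carries no RT_VERSION resource at all, without needing a version_info count: iterate the pe module's resource table instead. It assumes a YARA 4.x pe module with pe.is_pe, pe.resources and the pe.RESOURCE_TYPE_VERSION constant, and applies djlukic's point by gating every pe.* check behind a PE test so non-PE files such as an AutoIt script simply fail to match:

```yara
import "pe"

rule pe_without_version_resource
{
    meta:
        description = "PE file with no RT_VERSION resource (no version_info block at all)"
        note = "Added example for issue #2023; assumes a YARA 4.x pe module"

    condition:
        // Gate all pe.* checks behind a real PE test. On a non-PE file the pe
        // fields are undefined, and an undefined operand turns the whole
        // 'and' false rather than producing an accidental match.
        uint16(0) == 0x5A4D and pe.is_pe and

        // No resource entry of type RT_VERSION. If the file has no resource
        // section at all, the 'for any' loop runs zero iterations and is
        // false, so the 'not' still matches such samples (the edge case the
        // thread is about).
        not (for any r in pe.resources : (
            r.type == pe.RESOURCE_TYPE_VERSION
        ))
}
```

Note that this checks for the absence of the resource itself, which is stricter than "not defined pe.version_info[...]" for a single key: a sample with an RT_VERSION block that merely lacks CompanyName or ProductName will not match this rule.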