VirusTotal / yara

The pattern matching swiss knife
https://virustotal.github.io/yara/
BSD 3-Clause "New" or "Revised" License

`pe.is_signed` does not report `False` when the PE is not signed. #2040

Closed frereit closed 5 months ago

frereit commented 5 months ago

Describe the bug

Apparently, `pe.is_signed` "cannot be negated". Using it to check for verified signatures on a PE file works, but simply negating the result using `not` does not produce a `True` value for unsigned executables.

To Reproduce

First, create a ruleset:

```yara
import "pe"

rule SIGNED {
    condition:
        pe.is_pe and pe.is_signed
}

rule UNSIGNED {
    condition:
        pe.is_pe and not pe.is_signed
}
```

Then, run the ruleset on a signed binary and on an unsigned binary. For example:

```text
> yara64 poc.txt C:\Windows\System32\ntoskrnl.exe
SIGNED C:\Windows\System32\ntoskrnl.exe

> yara64 poc.txt C:\Windows\System32\calc.exe

>
```

Expected behavior

The "UNSIGNED" rule should match on any unsigned PE file. The expected output would be:

```text
> yara64 poc.txt C:\Windows\System32\ntoskrnl.exe
SIGNED C:\Windows\System32\ntoskrnl.exe

> yara64 poc.txt C:\Windows\System32\calc.exe
UNSIGNED C:\Windows\System32\calc.exe

>
```

Please complete the following information:
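The following ruleset is an added example and is not part of the report above or of the YARA project's own code. It assumes (the issue does not say so) that the `UNSIGNED` rule fails because `pe.is_signed` is left undefined, rather than set to false, for PE files that carry no signature; a rule whose condition evaluates to undefined never matches, so `not pe.is_signed` cannot become true. The rewritten `UNSIGNED` rule uses the `defined` operator (available in YARA 4.2 and later) to treat "undefined" and "false" alike, so it matches unsigned PEs even on versions affected by the reported behaviour.

```yara
import "pe"

// Original rule from the report, kept unchanged for comparison.
rule SIGNED {
    condition:
        pe.is_pe and pe.is_signed
}

// Original negated form from the report. If pe.is_signed is undefined
// for an unsigned PE (assumption, see lead-in), the whole condition is
// undefined and the rule does not match.
rule UNSIGNED_NAIVE {
    condition:
        pe.is_pe and not pe.is_signed
}

// Workaround: an undefined pe.is_signed is treated the same as "not signed".
// Requires the `defined` operator (YARA 4.2 or later).
rule UNSIGNED {
    condition:
        pe.is_pe and (not defined pe.is_signed or not pe.is_signed)
}
```

Saved as, for instance, `unsigned.yar`, it is run the same way as the reporter's ruleset (`yara64 unsigned.yar C:\Windows\System32\calc.exe`); a signed file should report only `SIGNED`, and an unsigned one should report `UNSIGNED`, with `UNSIGNED_NAIVE` appearing alongside it only on YARA builds where `pe.is_signed` is defined as false for unsigned files.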