That makes sense, thanks Wesley.
I agree the condition should check is_pe.
In the case where I encountered this, we had an unwrapped *or* condition
following a *uint16(0) == 0x5a4d and*, which caused that condition by
itself to match on any non-PE
so wrapping the or'ed condition statements in
This is likely due to the change made recently where comparing with UNDEFINED
values now evaluates to false. It used to evaluate to UNDEFINED.
> But shouldn't pe module conditions check first if the file is a PE header or
> valid base PE, then fail if the file isn't?
Functions in the pe
Hi,
Wanted to post here before raising an issue on github project:
*To reproduce:*
    import "pe"

    rule pe_on_nonpe
    {
        condition:
            not pe.sections[pe.section_index(pe.entry_point)].name contains ".text"
    }

Run on non-PE file (e.g. Excel document zip)

    yara pe_on_nonpe.yara excel_doc.xlsx
The
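
Added example, not part of the original thread or of the YARA project's own rules: the rule from the post beside a form guarded with is_pe, and the unwrapped *or* case described in the reply beside its parenthesized form. The rule names and the pe.number_of_sections operand are constructed for illustration.

```yara
import "pe"

// Unguarded form from the post. On a non-PE file the pe.* lookup is
// undefined; per the thread, the comparison now evaluates to false,
// so the leading "not" turns it into a match.
rule entry_section_not_text_unguarded
{
    condition:
        not pe.sections[pe.section_index(pe.entry_point)].name contains ".text"
}

// Guarded form: pe.is_pe is checked first, so a non-PE file fails the
// "and" regardless of how the negated lookup evaluates.
rule entry_section_not_text_guarded
{
    condition:
        pe.is_pe and
        not pe.sections[pe.section_index(pe.entry_point)].name contains ".text"
}

// "and" binds tighter than "or", so this parses as
//   (uint16(0) == 0x5a4d and <first operand>) or (<negated lookup>)
// and the negated lookup alone can match a file with no MZ header.
rule mz_check_or_unwrapped
{
    condition:
        uint16(0) == 0x5a4d and
        pe.number_of_sections > 8 or   // constructed operand
        not pe.sections[pe.section_index(pe.entry_point)].name contains ".text"
}

// Parenthesized form: the MZ check now gates both sides of the "or".
rule mz_check_or_wrapped
{
    condition:
        uint16(0) == 0x5a4d and
        (
            pe.number_of_sections > 8 or   // constructed operand
            not pe.sections[pe.section_index(pe.entry_point)].name contains ".text"
        )
}
```

Running all four rules against one non-PE file and one PE file shows which conditions depend on the header check and which do not.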