I can't replicate this - it does not match on 4.0.2 on my system. There is no 
rule parsing bug here - the same C code is used when compiling rules using yara 
on the command line or via python. I've had a couple of people tell me 
something weird is going on when using pip to install yara-python, especially 
if you have an older install of libyara lying around. It's almost as if it 
isn't picking up the bundled version of yara and is instead falling back to 
whatever you have lying around. You commented out the printing of the version 
in your python snippet, but just to confirm: is that printing the correct 
version of yara?

To be clear, I think this is a local problem and your evaluation is possibly 
incorrect. I think the bug is that it DOES match under yara-python when it 
should not. It not matching when running yara from the command line is the 
correct behavior (I think).

-- WXS

> On Jul 7, 2020, at 2:10 PM, Wes Hurd <13hu...@gmail.com> wrote:
> 
> Hi, 
> 
> This is running with the following versions on macOS 10.14.6:
> 
> yara 4.0.2 homebrew
> 
> yara-python 4.0.2 (pip) 
> Python 3.7.7
> 
> I'm having a really weird case where a rule using the pe module is unexpectedly 
> matching certain files when run under yara-python, but not matching when 
> running the yara binary directly.
> 
> Running on this PE file: 
> https://www.virustotal.com/gui/file/154f5cbaafabba2133f8f4578c7e25f3d42d18ff7fc61fab005436d63a3cfee8/details
>  
> 
> "test_odd_pe_py_match.yara":
> 
> import "pe"   // required for the pe.* identifiers used in the condition
> 
> rule Odd_PE_Entry_Point
> {
>     condition:
>         uint16(0) == 0x5a4d and
>         ((pe.entry_point >= pe.sections[pe.number_of_sections - 1].raw_data_offset) or
>          (not pe.sections[pe.section_index(pe.entry_point)].name contains ".text"))
> }
> 
> 
> 
> Python:
> 
> import yara
> #print(yara.__version__)
> 
> try:
>     scan = yara.compile("./test_odd_pe_py_match.yara")
> except yara.Error as e:
>     print("YARA compile error:", e)
>     raise  # otherwise `scan` is unbound and the match call below fails with NameError
> 
> matches = scan.match(filepath="154f5cbaafabba2133f8f4578c7e25f3d42d18ff7fc61fab005436d63a3cfee8.exe")
> print(matches)
> 
> [Odd_PE_Entry_Point]
> 
> 
> yara bin:
> 
> $ yara test_odd_pe_py_match.yara 154f5cbaafabba2133f8f4578c7e25f3d42d18ff7fc61fab005436d63a3cfee8.exe
> $
> 
> No matches
> 
> 
> Can someone tell me what's going on here? 
> It seems to me there is either some sort of rule parsing bug under python, or a 
> race condition that causes the python run to match when the binary doesn't.
> 
> Thanks,
> 
> 
> -- 
> You received this message because you are subscribed to the Google Groups 
> "YARA" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to yara-project+unsubscr...@googlegroups.com 
> <mailto:yara-project+unsubscr...@googlegroups.com>.
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/yara-project/48c4b198-182b-4f28-aecd-90db120ef1c8o%40googlegroups.com
>  
> <https://groups.google.com/d/msgid/yara-project/48c4b198-182b-4f28-aecd-90db120ef1c8o%40googlegroups.com?utm_medium=email&utm_source=footer>.

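WXS's suggestion above boils down to two checks: confirm which libyara the yara-python extension is actually using, and compare its verdict with the CLI's on the same rule and file. The script below is an added example (my code, not from either poster or the yara-python project) that does both. It assumes a `yara` binary on PATH, yara-python importable, and `ldd` (Linux) or `otool -L` (macOS) available; the helper names (`parse_linked_libs`, `external_libyara`, `versions_agree`, `parse_cli_matches`, `run_checks`) are mine. The reasoning it encodes: a pip-built yara-python compiles the bundled libyara sources into the extension statically (unless built with setup.py's `--dynamic-linking` option), so a dynamic dependency on a `libyara.*` shared object is the stray-system-copy situation WXS describes.

```python
# Added example: diagnose whether yara-python resolves pe.* semantics from its
# bundled libyara or from a stray system copy, and compare its matches with the
# yara CLI's. Not from the thread or the yara-python project; helper names are
# assumptions of this example.
import os
import platform
import re
import subprocess
from typing import Dict, List, Set

_PATH_RE = re.compile(r"(/\S+)")


def parse_linked_libs(listing: str) -> List[str]:
    """Extract absolute library paths from `ldd` (Linux) or `otool -L` (macOS) output.

    Header lines (`<file>:`) and entries without a resolved path (vdso,
    "not found") are skipped.
    """
    libs = []
    for line in listing.splitlines():
        line = line.strip()
        if not line or line.endswith(":"):
            continue
        m = _PATH_RE.search(line)
        if m:
            libs.append(m.group(1))
    return libs


def external_libyara(listing: str) -> List[str]:
    """Return any libyara the extension module is dynamically linked against.

    An empty list is the expected (healthy) result for a statically built
    yara-python; a non-empty list means rule semantics come from whatever
    libyara happens to be installed on the system.
    """
    return [p for p in parse_linked_libs(listing)
            if os.path.basename(p).startswith("libyara")]


def versions_agree(cli_version_output: str, module_version: str) -> bool:
    """`yara --version` prints just the version string, e.g. "4.0.2"."""
    return cli_version_output.strip() == module_version.strip()


def parse_cli_matches(cli_output: str) -> Set[str]:
    """The yara CLI prints one `<rule> <file>` line per match; collect rule names."""
    return {line.split()[0] for line in cli_output.splitlines() if line.strip()}


def run_checks(rule_path: str, sample_path: str, yara_bin: str = "yara") -> Dict[str, object]:
    """Live check: needs yara-python, the yara CLI, and ldd/otool on this host."""
    import yara  # imported here so the pure helpers above work without it

    lister = ["otool", "-L"] if platform.system() == "Darwin" else ["ldd"]
    linkage = subprocess.run(lister + [yara.__file__], capture_output=True, text=True).stdout
    cli_version = subprocess.run([yara_bin, "--version"], capture_output=True, text=True).stdout
    cli_run = subprocess.run([yara_bin, rule_path, sample_path], capture_output=True, text=True)

    py_matches = {m.rule for m in yara.compile(rule_path).match(filepath=sample_path)}
    cli_matches = parse_cli_matches(cli_run.stdout)
    return {
        "module_version": yara.__version__,
        "cli_version": cli_version.strip(),
        "versions_agree": versions_agree(cli_version, yara.__version__),
        "external_libyara": external_libyara(linkage),
        "python_matches": py_matches,
        "cli_matches": cli_matches,
        "same_result": py_matches == cli_matches,
    }


if __name__ == "__main__":
    import sys
    for key, value in run_checks(sys.argv[1], sys.argv[2]).items():
        print(f"{key}: {value}")
```

Run it as `python check_yara_env.py test_odd_pe_py_match.yara <sample>`. If `external_libyara` comes back non-empty or `versions_agree` is false, the two results are not comparable and the environment, not the rule, is the first thing to fix; only when both are clean and `same_result` is still false is there a real engine discrepancy worth reporting.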