That makes sense, thanks Wesley.
I agree the condition should check is_pe.
In the case where I encountered this, we had an unwrapped *or* condition
following a *uint16(0) == 0x5a4d and*, which caused that condition by
itself to match on any non-PE
so wrapping the or'ed condition statements in par
This is likely due to the change made recently where comparing with UNDEFINED
values now evaluates to false. It used to evaluate to UNDEFINED.
> But shouldn't pe module conditions check first if the file is a PE header or
> valid base PE, then fail if the file isn't?
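Added example, not part of the thread and not the YARA project's own code: the two pitfalls discussed above (a negated pe condition on a non-PE file, and an unwrapped *or* after the MZ check), each shown beside a guarded form. Rule names and the section-count threshold are constructed for illustration.

```yara
import "pe"

// Constructed rules for illustration; rule names and thresholds are assumptions.

// Unguarded: on a non-PE file the pe fields are undefined. With comparisons
// against undefined values evaluating to false (as described in the reply
// above), the `not` turns that false into true and the rule matches.
rule entry_not_in_text_unguarded
{
    condition:
        not pe.sections[pe.section_index(pe.entry_point)].name contains ".text"
}

// Guarded: pe.is_pe is false for non-PE input, so the negated term is never
// the deciding factor on files the pe module could not parse.
rule entry_not_in_text_guarded
{
    condition:
        pe.is_pe and
        not pe.sections[pe.section_index(pe.entry_point)].name contains ".text"
}

// Precedence: `and` binds tighter than `or`, so this reads as
// (magic and A) or B, and B alone decides the result on a non-PE file.
rule mz_check_unwrapped
{
    condition:
        uint16(0) == 0x5a4d and
        pe.number_of_sections > 8 or
        not pe.sections[pe.section_index(pe.entry_point)].name contains ".text"
}

// Parenthesised: the magic check now gates both alternatives.
rule mz_check_wrapped
{
    condition:
        uint16(0) == 0x5a4d and
        (
            pe.number_of_sections > 8 or
            not pe.sections[pe.section_index(pe.entry_point)].name contains ".text"
        )
}
```

Under the behaviour described in the thread, scanning a non-PE file with these rules should report only the unguarded and unwrapped ones.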
Functions in the pe module
Hi,
Wanted to post here before raising an issue on the GitHub project:
*To reproduce:*
import "pe"

rule pe_on_nonpe
{
    condition:
        not pe.sections[pe.section_index(pe.entry_point)].name contains ".text"
}
Run on non-PE file (e.g. Excel document zip)
yara pe_on_nonpe.yara excel_doc.xlsx
The r