Hi, 

This is running with the following versions on macOS 10.14.6:

yara 4.0.2 (homebrew)
yara-python 4.0.2 (pip)
Python 3.7.7

I'm having a really weird case where a rule using the pe module is unexpectedly 
matching certain files when run under yara-python, but not matching when 
running the yara binary directly.

Running on this PE file: 
https://www.virustotal.com/gui/file/154f5cbaafabba2133f8f4578c7e25f3d42d18ff7fc61fab005436d63a3cfee8/details
"test_odd_pe_py_match.yara":
import "pe"   // required for the pe.* fields used below

rule Odd_PE_Entry_Point
{
        condition:
            // MZ magic, then: entry point at or past the start of the last section's raw data,
            // or entry point inside a section whose name does not contain ".text"
            uint16(0) == 0x5a4d and
            ((pe.entry_point >= pe.sections[pe.number_of_sections - 1].raw_data_offset) or
             (not pe.sections[pe.section_index(pe.entry_point)].name contains ".text"))
}



Python:
import sys
import yara
#print(yara.__version__)

try:
    scan = yara.compile("./test_odd_pe_py_match.yara")
except yara.Error as e:
    # bail out here, otherwise `scan` is undefined on the next line
    print("YARA compile error:", e)
    sys.exit(1)

# scan the same file the yara binary is run against below
matches = scan.match(filepath="154f5cbaafabba2133f8f4578c7e25f3d42d18ff7fc61fab005436d63a3cfee8.exe")
print(matches)

[Odd_PE_Entry_Point]



yara bin:
$ yara test_odd_pe_py_match.yara 154f5cbaafabba2133f8f4578c7e25f3d42d18ff7fc61fab005436d63a3cfee8.exe
$

No matches


Can someone tell what's going on here? 
It seems to me there is either some sort of rule-parsing bug under Python, 
or a race condition that causes the Python run to match when the binary 
doesn't.

Thanks,

To view this discussion on the web visit 
https://groups.google.com/d/msgid/yara-project/48c4b198-182b-4f28-aecd-90db120ef1c8o%40googlegroups.com.

Reply via email to
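Added example, not part of the post above and not code from the YARA or yara-python projects: the rule's second clause hinges on pe.section_index(pe.entry_point), and that lookup has no section to return whenever the entry point's file offset lies outside every section's raw data (for instance in the virtual tail of a section whose raw data is shorter than its virtual size). The script below evaluates the same heuristic in plain Python over constructed PE32 images and reports that situation as a separate "undefined" verdict, so each value feeding the condition can be inspected before trusting a match or a miss. The helper names, the constructed images, and the simplified RVA-to-offset mapping are this example's own; it makes no claim about how yara or yara-python themselves resolve an undefined section index.

```python
import struct
from typing import Dict, List, NamedTuple, Optional

# Names below (Section, build_pe, parse_pe, evaluate_rule) are this example's own.

class Section(NamedTuple):
    name: str
    virtual_address: int
    virtual_size: int
    raw_data_offset: int
    raw_data_size: int

OPTIONAL_HEADER_SIZE = 224  # PE32 optional header including 16 data directories

def build_pe(sections: List[Section], entry_rva: int) -> bytes:
    """Construct a minimal PE32 image with the given section table (test data, not a real sample)."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: NT headers follow the DOS header directly
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, OPTIONAL_HEADER_SIZE, 0x0102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva)  # AddressOfEntryPoint sits at +16
    opt += bytes(OPTIONAL_HEADER_SIZE - len(opt))
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", s.name.encode("ascii"), s.virtual_size, s.virtual_address,
                    s.raw_data_size, s.raw_data_offset, 0, 0, 0, 0, 0x60000020)
        for s in sections)
    image = bytearray(bytes(dos) + b"PE\0\0" + coff + opt + table)
    end = max(s.raw_data_offset + s.raw_data_size for s in sections)
    image.extend(bytes(max(0, end - len(image))))  # zero-fill the sections' raw data
    return bytes(image)

def parse_pe(data: bytes):
    """Return (AddressOfEntryPoint RVA, section table) from a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    number_of_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(number_of_sections):
        name, vsize, va, rsize, roff = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"), va, vsize, roff, rsize))
    return entry_rva, sections

def rva_to_offset(sections: List[Section], rva: int) -> Optional[int]:
    """Map an RVA to a file offset through the section it falls in (simplified mapping)."""
    for s in sections:
        if s.virtual_address <= rva < s.virtual_address + max(s.virtual_size, s.raw_data_size):
            return rva - s.virtual_address + s.raw_data_offset
    return None

def section_index(sections: List[Section], offset: int) -> Optional[int]:
    """Index of the section whose raw data contains the file offset, or None (cf. pe.section_index)."""
    for i, s in enumerate(sections):
        if s.raw_data_offset <= offset < s.raw_data_offset + s.raw_data_size:
            return i
    return None

def evaluate_rule(data: bytes) -> Dict[str, object]:
    """Evaluate the Odd_PE_Entry_Point heuristic and expose every intermediate value."""
    entry_rva, sections = parse_pe(data)
    entry_point = rva_to_offset(sections, entry_rva)          # cf. pe.entry_point (file offset)
    last_raw = sections[-1].raw_data_offset                    # pe.sections[n - 1].raw_data_offset
    idx = None if entry_point is None else section_index(sections, entry_point)
    result = {"entry_point": entry_point, "last_section_raw_offset": last_raw,
              "entry_section": idx, "verdict": "undefined"}
    if entry_point is None:
        return result                     # first clause has no value to compare
    if entry_point >= last_raw:
        result["verdict"] = "match"       # first clause alone decides
        return result
    if idx is None:
        return result                     # second clause has no section whose name could be tested
    result["verdict"] = "match" if ".text" not in sections[idx].name else "no_match"
    return result

if __name__ == "__main__":
    layout = [Section(".text", 0x1000, 0x100, 0x200, 0x10),   # raw data shorter than virtual size
              Section(".data", 0x2000, 0x100, 0x400, 0x200)]
    for rva in (0x1008, 0x1050, 0x2010, 0x5000):
        print(hex(rva), evaluate_rule(build_pe(layout, rva)))
```

Running the script prints one line per constructed entry point: one lands in .text raw data (no match), one in the virtual tail of .text (undefined, since no section's raw data contains it), one in the last section (match on the first clause), and one outside every section (undefined). When two scanners disagree on a rule like this, dumping these values for the real file is the quickest way to see whether the disagreement comes from the heuristic itself or from how each side handles a value that has no definition.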