Hi again. Sorry, I now see you mentioned you're using yara-python 4.0.2 (pip). Well, I don't know why but pip3 says my 3.10.0 version is up to date. I'm not that familiar with yara-python (I don't know if it follows yara version numbers for instance). I couldn't install this 4.0.2 version to test. :(
Att,

Fernando Mercês <https://twitter.com/mer0x36> | menteb.in

On Tue, Jul 7, 2020 at 5:37 PM Fernando Mercês <nand...@gmail.com> wrote:

> Hi,
>
> I couldn't reproduce it here.
>
> $ cat test_odd_pe_py_match.yara
> import "pe"
>
> rule Odd_PE_Entry_Point
> {
>   condition:
>     uint16(0) == 0x5a4d and
>     ((pe.entry_point >= pe.sections[pe.number_of_sections - 1].raw_data_offset) or
>      (not pe.sections[pe.section_index(pe.entry_point)].name contains ".text"))
> }
>
> $ yara -v
> 4.0.2
>
> $ yara test_odd_pe_py_match.yara 154f5cbaafabba2133f8f4578c7e25f3d42d18ff7fc61fab005436d63a3cfee8
>
> $ python3
> Python 3.7.8 (default, Jul 4 2020, 10:17:17)
> [Clang 11.0.3 (clang-1103.0.32.62)] on darwin
> Type "help", "copyright", "credits" or "license" for more information.
> >>> import yara
> >>> scan = yara.compile("./test_odd_pe_py_match.yara")
> >>> scan.match(filepath="154f5cbaafabba2133f8f4578c7e25f3d42d18ff7fc61fab005436d63a3cfee8")
> []
> >>> yara.__version__
> '3.10.0'
>
> What's the yara-python version you're using?
>
> Att,
>
> Fernando Mercês <https://twitter.com/mer0x36> | menteb.in
>
>
> On Tue, Jul 7, 2020 at 3:10 PM Wes Hurd <13hu...@gmail.com> wrote:
>
>> Hi,
>>
>> This is running with the following versions on macOS 10.14.6:
>>
>> *yara 4.0.2 homebrew*
>> *yara-python 4.0.2 (pip)*
>> *Python 3.7.7*
>>
>> I'm having a really weird case where a rule using pe module is unexpectedly matching certain files when run under yara-python, but not matching if running the yara binary directly.
>>
>> Running on this PE file:
>> https://www.virustotal.com/gui/file/154f5cbaafabba2133f8f4578c7e25f3d42d18ff7fc61fab005436d63a3cfee8/details
>>
>> "test_odd_pe_py_match.yara":
>> rule Odd_PE_Entry_Point
>> {
>>   condition:
>>     uint16(0) == 0x5a4d and
>>     ((pe.entry_point >= pe.sections[pe.number_of_sections - 1].raw_data_offset) or
>>      (not pe.sections[pe.section_index(pe.entry_point)].name contains ".text"))
>> }
>>
>> Python:
>> import yara
>> #print(yara.__version__)
>>
>> try:
>>     scan = yara.compile("./test_odd_pe_py_match.yara")
>> except yara.Error as e:
>>     print("YARA compile error:", e)
>>
>> matches = scan.match(filepath="154f5cbaafabba2133f8f4578c7e25f3d42d18ff7fc61fab005436d63a3cfee8.exe")
>> print(matches)
>>
>> [Odd_PE_Entry_Point]
>>
>> yara bin:
>> $ yara test_odd_pe_py_match.yara 154f5cbaafabba2133f8f4578c7e25f3d42d18ff7fc61fab005436d63a3cfee8.exe
>> $
>> No matches
>>
>> Can someone tell what's going on here?
>> It seems to me there is some sort of either rule parsing bug under python, or race condition that causes the python run to match when the binary doesn't.
>>
>> Thanks,
>>
>> --
>> You received this message because you are subscribed to the Google Groups "YARA" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to yara-project+unsubscr...@googlegroups.com.
>> To view this discussion on the web visit https://groups.google.com/d/msgid/yara-project/48c4b198-182b-4f28-aecd-90db120ef1c8o%40googlegroups.com
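When two YARA front-ends disagree on a `pe`-module rule, the first thing to settle is whether they are even running the same engine (here yara-python reports 3.10.0 while the binary is 4.0.2), and the second is which result is actually correct for the file. The following is an added example, not code from the thread or from the YARA project: a pure-Python evaluation of the `Odd_PE_Entry_Point` condition that parses only the PE headers it needs, run over constructed minimal PE images rather than the sample from VirusTotal. It assumes, as I read the YARA `pe` module documentation, that on a file scan `pe.entry_point` is the raw file offset of the entry point and `pe.section_index()` matches that offset against each section's `raw_data_offset` and `raw_data_size`; an undefined value (entry point outside any section) is treated as "rule does not match", which is how YARA's undefined semantics resolve the `and`/`or` here. The `build_pe` helper and its section layout are also constructed for this example.

```python
import struct

OPT_HEADER_SIZE = 224  # size of a PE32 optional header


def build_pe(entry_rva, sections):
    """Construct a minimal, non-executable PE32 image for testing (constructed data).

    sections: list of (name, virtual_address, virtual_size, raw_offset, raw_size).
    Section bodies are zero-filled so the raw offsets in the table are valid.
    """
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))            # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, OPT_HEADER_SIZE, 0x102)
    opt = bytearray(OPT_HEADER_SIZE)
    struct.pack_into("<H", opt, 0, 0x10B)                  # Magic: PE32
    struct.pack_into("<I", opt, 16, entry_rva)             # AddressOfEntryPoint
    table = b"".join(
        name.encode("ascii").ljust(8, b"\0")
        + struct.pack("<IIII", vsize, vaddr, rsize, raddr)  # VirtualSize, VirtualAddress,
        + bytes(16)                                        #   SizeOfRawData, PointerToRawData
        for name, vaddr, vsize, raddr, rsize in sections
    )
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    end = max(raddr + rsize for _, _, _, raddr, rsize in sections)
    return image.ljust(end, b"\0")


def parse_pe(data):
    """Parse just enough of a PE file to evaluate the rule: the entry point RVA
    and the section table. Returns None if the data is not a (complete) PE file."""
    try:
        if data[:2] != b"MZ":                              # uint16(0) == 0x5a4d
            return None
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return None
        number_of_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
        size_of_optional_header = struct.unpack_from("<H", data, e_lfanew + 20)[0]
        optional_header = e_lfanew + 24
        entry_rva = struct.unpack_from("<I", data, optional_header + 16)[0]
        table = optional_header + size_of_optional_header
        sections = []
        for i in range(number_of_sections):
            off = table + 40 * i
            name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
            vsize, vaddr, rsize, raddr = struct.unpack_from("<IIII", data, off + 8)
            sections.append({"name": name, "virtual_address": vaddr, "virtual_size": vsize,
                             "raw_data_offset": raddr, "raw_data_size": rsize})
    except struct.error:                                   # truncated header
        return None
    return {"entry_rva": entry_rva, "sections": sections}


def rva_to_raw_offset(pe, rva):
    """Map an RVA to a file offset through the section table (None if unmapped)."""
    for s in pe["sections"]:
        span = max(s["virtual_size"], s["raw_data_size"])
        if s["virtual_address"] <= rva < s["virtual_address"] + span:
            return rva - s["virtual_address"] + s["raw_data_offset"]
    return None


def section_index(pe, raw_offset):
    """Index of the section whose raw data contains raw_offset (None if none).
    Assumed to mirror pe.section_index(addr) on a file scan."""
    for i, s in enumerate(pe["sections"]):
        if s["raw_data_offset"] <= raw_offset < s["raw_data_offset"] + s["raw_data_size"]:
            return i
    return None


def odd_pe_entry_point(data):
    """Pure-Python evaluation of the Odd_PE_Entry_Point rule condition from the thread."""
    pe = parse_pe(data)
    if pe is None or not pe["sections"]:
        return False
    entry = rva_to_raw_offset(pe, pe["entry_rva"])         # assumed: pe.entry_point (file scan)
    if entry is None:
        return False                                       # undefined -> no match
    last = pe["sections"][-1]                              # pe.sections[pe.number_of_sections - 1]
    if entry >= last["raw_data_offset"]:
        return True
    idx = section_index(pe, entry)
    if idx is None:
        return False                                       # undefined -> no match
    return ".text" not in pe["sections"][idx]["name"]      # not ... contains ".text"


# Constructed samples (not the file discussed in the thread).
LAYOUT = [(".text", 0x1000, 0x200, 0x400, 0x200), (".data", 0x2000, 0x100, 0x600, 0x200)]
NORMAL = build_pe(0x1010, LAYOUT)                          # entry in .text, not last section
ENTRY_IN_LAST_SECTION = build_pe(0x2010, LAYOUT)           # entry inside the last section
ENTRY_IN_RENAMED_CODE = build_pe(0x1010, [(".code", 0x1000, 0x200, 0x400, 0x200),
                                          (".data", 0x2000, 0x100, 0x600, 0x200)])
NOT_A_PE = b"not a PE file at all"

if __name__ == "__main__":
    for label, sample in [("normal", NORMAL), ("entry in last section", ENTRY_IN_LAST_SECTION),
                          ("entry in .code", ENTRY_IN_RENAMED_CODE), ("not a PE", NOT_A_PE)]:
        print(f"{label}: {'match' if odd_pe_entry_point(sample) else 'no match'}")
```

To apply this to a real disagreement, read the file in question with `open(path, "rb").read()`, run `odd_pe_entry_point()` on it, and compare against both `yara` and `yara-python`; whichever side disagrees with the independent evaluation is the one to investigate, and the `yara.__version__` versus `yara -v` check from the thread is the cheapest explanation to rule out first.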