SANS ISC: YARA's Console Module - SANS Internet Storm Center

YARA's Console Module

YARA release candidate 1 for version 4.2.0 introduces a new module: console.

This module features functions to output values to the console. This can be used to debug your YARA rules.

Take this rule, for example: it should detect files that start with the string MZ (0x4D5A), but it does not trigger on a PE file like yara32.exe:

We can now use the console module to print out the value of uint16(0) and try to figure out what is going wrong:

The output is 0x5a4d, which does not match 0x4D5A. That's because uint16 reads the bytes as a little-endian integer. So we need to test for MZ in its little-endian form (0x5a4d):
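The three steps above (the rule that never matches, the debug rule with a console call, and the corrected rule) as an added example written for this page; these are not the diary's own rules, and they assume the console module's console.hex function, which takes an optional message prefix and always returns true:

```yara
import "console"

// Step 1: the rule as first written. uint16(0) reads the two bytes at
// offset 0 as a little-endian integer, so for "MZ" (bytes 0x4D 0x5A) it
// returns 0x5A4D and this comparison never matches a PE file.
rule mz_wrong_endianness
{
    condition:
        uint16(0) == 0x4D5A
}

// Step 2: debug it. console.hex prints the value and always returns
// true, so AND-ing it into the condition does not change the outcome.
// Remove console calls before deploying a rule: they add output noise
// and cost on every file the rule is evaluated against.
rule mz_debug
{
    condition:
        console.hex("uint16(0) = ", uint16(0)) and uint16(0) == 0x4D5A
}

// Step 3a: compare against the little-endian value, as the diary does.
rule mz_fixed_little_endian
{
    condition:
        uint16(0) == 0x5A4D
}

// Step 3b: equivalent alternative using YARA's big-endian reader, so the
// constant can be written in the same byte order as the file.
rule mz_fixed_big_endian
{
    condition:
        uint16be(0) == 0x4D5A
}
```

Save the rules to a file and run them against a PE file with the 4.2.0 release candidate, e.g. `yara rules.yar yara32.exe`; only the two fixed rules match, and the debug rule prints `uint16(0) = 0x5a4d` while evaluating.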

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com

Jan 30th 2022
