Add support for the `pe` module

Open • msm-code opened this issue 4 years ago • 0 comments

Feature Category

  • [ ] Correctness
  • [ ] User Interface / User Experience
  • [ ] Performance
  • [x] Other (please explain)

Describe the problem

Reported by a user: In some organisations it's very common to use the pe module in Yara rules. Having (limited) support for it would be great.

Describe the solution you'd like

This rule should be optimised by the backend:

import "pe"

rule single_section
{
    condition:
        pe.number_of_sections == 1
}

Describe alternatives you've considered

Teach users not to use pe or other auxiliary modules in their yara rules. It worked for all places I've worked at, but this makes the life of researchers a bit more difficult.

msm-code, Nov 24 '21 22:11