yara icon indicating copy to clipboard operation
yara copied to clipboard
verified publisher icon VirusTotal

module console not returning True on pe.signatures[0].subject if there is not signature

Open ruppde opened this issue 3 years ago • 2 comments

Describe the bug module console not returning True on pe.signatures[0].subject if there is not signature

To Reproduce This rule doesn't match on files which don't contain a signature:

import "pe"
import "console"

rule test
{
    condition:
        console.log(pe.signatures[0].subject)
}

It hits on e.g. the signed peexe e41e10673db41b13ba17c828beb94fc39e8d3aa43b01f9fe437a2f6e0b8ae443

Expected behavior Cited from the console module doc: "Every function in the console module returns true for the purposes of condition evaluation."

Please complete the following information:

  • OS: Linux
  • YARA version: 4.3.0

ruppde avatar Mar 05 '23 22:03 ruppde

What is actually happening is a bit obscure. The console.log() call never happens because the argument is undefined.

wxsBSD avatar Mar 05 '23 23:03 wxsBSD

(console.log(pe.signatures[0].subject) or true)

albertzsigovits avatar Apr 05 '23 07:04 albertzsigovits