YARA's Console Module

Published: 2022-01-30. Last Updated: 2022-01-30 19:59:29 UTC
by Didier Stevens (Version: 1)
0 comment(s)

YARA release candidate 1 for version 4.2.0 introduces a new module: console.

This module features functions to output values to the console. This can be used to debug your YARA rules.

Take this rule for example, it should detect files that start with string MZ (0X4D5A), but it does not trigger on a PE file like yara32.exe:

We can now use module console, to print out the value of uint16(0) and try to figure out what is going wrong:

The output is 0x5a4d, and thus is does not match 0x4D5A. That's because uint16 is a little-endian function. Thus we need to test for MZ in little-endian format (0x5a4d):

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com

Keywords: console module yara
0 comment(s)

Comments


Diary Archives