This module features functions to output values to the console. This can be used to debug your YARA rules.
Take this rule for example, it should detect files that start with string MZ (0X4D5A), but it does not trigger on a PE file like yara32.exe:
We can now use module console, to print out the value of uint16(0) and try to figure out what is going wrong:
The output is 0x5a4d, and thus is does not match 0x4D5A. That’s because uint16 is a little-endian function. Thus we need to test for MZ in little-endian format (0x5a4d):
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.