Target samples that have no version_info

[Tigzy]

Hi,
I'd like to target a sample that has no version_info defined.
It looks like the way it's designed there's no way to do something like
pe.version_info_list.size == 0, is this something you could consider adding ?
Unless there's a workaround in current version ?

[djlukic]

@Tigzy I asked about it some time ago, is this what you wanted to do?
#1931

[Tigzy]

@djlukic thanks, yes it may work. Though I'm not sure not defined means also empty string ?
I'm trying to target PEs that have no version_info block defined at all. Like RT_VERSION does not exist.

[djlukic]

@Tigzy I stumbled upon an Autoit script and rule I tried didn't hit. I found that pe.number_of_signatures == 0 prevented detection because obviously it was not a PE file. So you must take into consideration what if version info is missing and in my example use PE related condition only on PE files.

Once I put not defined pe.number_of_signatures == 0 there was a detection on that script file.
I learned that whenever I want to check signatures I must use uint16(0) == 0x5A4D and pe.number_of_signatures == 0 together.