yara
Here are 144 public repositories matching this topic...
$ python3 loki.py
Traceback (most recent call last):
  File "loki.py", line 43, in <module>
    from lib.lokilogger import *
  File "/Users/w/Downloads/Loki/lib/lokilogger.py", line 15, in <module>
    from helpers import removeNonAsciiDrop
ModuleNotFoundError: No module named 'helpers'

Python 3.7.7 homebrew
Cloned directly from master.
helpers.py is present in
Currently, we're not detecting a lot of @wireghoul's htaccess-based webshells. It would be nice to improve the situation :)
There may be some overlap with other signatures, need to verify these samples are 100% independent;
Simple step-by-step
Wouldn't it be a good idea to create a simple introduction to the system, i.e. how to go from cloning the repo to actually being able to analyze a file? This would be a great part, such that more people can use the framework.
git clone --recursive https://github.com/VirusTotal/yara-python
cd yara-python
git checkout v3.10.0
This would cause yara-python to be at v3.10.0, but its submodule yara would stay at master (which currently happens to be v3.11.0). Users should instead use: git checkout --recurse-submodules v3.10.0.
Documentation may want to include this information to prevent any confusion.
Right now, any change in (for example) react frontend will rebuild:
- dev-frontend from dev dockerfile (correctly, expected behaviour)
- web (expected, but should only rebuild the frontend, not everything)
- daemon (unnecessary)
- dev-web (unnecessary)
Right now we recommend docker-compose for development. We should strive to make rebuilds a faster operation.
I think we could:
- mo
Yextend is designed to be compiled from source and invokes a couple of subprocesses (pdfdetach, pdftotext, yara). This makes it challenging to build and run in an isolated environment (e.g. AWS Lambda).
Ideally, yextend could be a pip package (or similar) which could be installed on any platform (much like yara itself).
For reference, the [BinaryAlert documentation](https://githu
DbChange class is clearly used in ways it was not designed for.
The class definition:
enum class DbChangeType {
    Insert = 1,
    Drop = 2,
    Reload = 3,
    ToggleTaint = 4,
    NewIterator = 5,
    UpdateIterator = 6
};
class DBChange {
public:
    DbChangeType type;
    std::string obj_name;
    std::string parameter;
    DBChange(const DbChangeType &type
General Issues
I think pe.section_exists(name) would be a useful addition and make for cleaner sigs over having to write an inline for loop in the script to see if it exists. Possibly worth supporting regex for name?