Sections

As usual, there are 2 ways to look for sections in a binary. The easy way is using functions:

Functions

r2.section(name, flag)

Each parameter can be a string or a regex. If a parameter does not matter to you, pass the empty string "".

For instance, to search for binaries with a section named "dhscf", regardless of its flags:

r2.section("dhscf", "")

Array

The second way is to use the array of sections, whose entries have the following fields:

name: string
flags: string
size: integer
vsize: integer
paddr: integer

To illustrate the array, suppose we want to look for apps with a section whose size is > 28KB, whose flags contain "r-x" (readable and executable) and whose name contains "text". We need to iterate over the array checking those values:

import "r2"

rule sections {
    condition:
        // indices are zero-based, so the last valid one is number_of_sections - 1
        for any i in ( 0..r2.number_of_sections - 1 ) :
            (r2.sections[i].size > 28KB and
             r2.sections[i].flags contains "r-x" and
             r2.sections[i].name contains "text")
}

Examples

Some example YARA rules we can write:

Rule that looks for writable sections with a “.text” name and size > 28KB:

import "r2"

rule sections {
    condition:
        // indices are zero-based, so the last valid one is number_of_sections - 1
        for any i in ( 0..r2.number_of_sections - 1 ) :
            (r2.sections[i].size > 28KB and
             r2.sections[i].flags contains "-w-" and
             r2.sections[i].name contains "text")
}

We may also be interested in calculating the entropy of each section; for example, we can write a rule like this:

import "r2"
import "math"

rule rule_sections_entropy_s
{
    condition:
        // math.entropy(offset, size) is computed over the section's bytes in the file
        for any i in ( 0..r2.number_of_sections - 1 ) :
            (r2.sections[i].name contains "note.ABI_tag" and
             math.entropy(r2.sections[i].paddr,
                          r2.sections[i].size) > 1.5)
}
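
To check offline what the entropy rule above accepts for each section, the following Python sketch recomputes the same per-section test. It is an added example, not part of the r2 module or the original page. The function names, the section table and the file image are constructed for illustration, and skipping sections that run past the end of the file is a choice made in this sketch.

```python
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0), the scale math.entropy uses."""
    n = len(data)
    if n == 0:
        return 0.0
    return sum(c / n * math.log2(n / c) for c in Counter(data).values())

def matching_sections(image, sections, name_part="note.ABI_tag", threshold=1.5):
    """Return (name, entropy) for every section the entropy rule would accept."""
    hits = []
    for sec in sections:
        if name_part not in sec["name"]:          # same as: name contains "..."
            continue
        start, end = sec["paddr"], sec["paddr"] + sec["size"]
        if end > len(image):
            continue  # sketch's choice: ignore sections truncated in the file
        entropy = shannon_entropy(image[start:end])
        if entropy > threshold:                   # strict comparison, as in the rule
            hits.append((sec["name"], round(entropy, 3)))
    return hits

# Constructed sample data (not taken from a real binary).
NOTE = bytes([0x00, 0x47, 0x4E, 0x55]) * 8        # 4 byte values, 8 times each
TEXT = bytes(range(256))                          # every byte value exactly once
IMAGE = bytes(16) + NOTE + TEXT + bytes(32)       # header, note, text, zero padding

# Same fields as the r2.sections array: name, flags, size, vsize, paddr.
SECTIONS = [
    {"name": ".note.ABI_tag", "flags": "r--", "size": 32, "vsize": 32, "paddr": 16},
    {"name": ".text", "flags": "r-x", "size": 256, "vsize": 256, "paddr": 48},
    {"name": "note.ABI_tag.pad", "flags": "r--", "size": 32, "vsize": 32, "paddr": 304},
]

if __name__ == "__main__":
    for name, entropy in matching_sections(IMAGE, SECTIONS):
        print(f"{name}: entropy {entropy} exceeds 1.5")
```

The zero-filled padding section matches by name but is rejected on entropy, and `.text` has the highest entropy but never reaches the entropy test because its name does not match.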