# Sections

As usual, there are 2 ways to look for sections in a binary. The easy way is using functions:

## Functions

```
r2.section(name, flag)
```

Each parameter could be string or regex. In case any parameter is indiferent for you, can use empty string "", for instance:

We can search binaries with any section name called "dhscf" and doesn't matter flags:

```
r2.section("dhscf", "")
```

# Array

The second way is using array of sections with the following fields:

```
name: string
flags: string
size: integer
vsize: integer
paddr: integer
```

To explain the array, we want to look for apps with a section size > 28KB, "writeable and executable" and which name contains "test", so, we need to iterate over the array checking those values:

```
rule sections {
condition:
for any i in ( 0..r2.number_of_sections ) :
(r2.sections[i].size > 28KB and
r2.sections[i].flags contains "r-x" and
r2.sections[i].name contains "text")
}
```

## Examples

Some Yara rules examples we can generate:

Rule to looking for sections writables with “.text” name and size > 28KB

```
import "r2"
rule sections {
Condition:
for any i in ( 0..r2.number_of_sections ) :
(r2.sections[i].size > 28KB and
r2.sections[i].flags contains "-w-" and
r2.sections[i].name contains "text") }
```

We can to be interested in calculate the entropy by sections, and for example we can write a rule like this:

```
import "r2"
import "math"
rule rule_sections_entropy_s
{
condition:
for any i in ( 0..r2.number_of_sections ) :
(r2.sections[i].name contains "note.ABI_tag" and
math.entropy(r2.sections[i].paddr,
r2.section_array[i].size) > 1.5)
}
```