
Wide character strings comparisons in conditions #1863

Open
BitsOfBinary opened this issue Jan 17, 2023 · 1 comment

Comments

@BitsOfBinary
Contributor

It is possible in YARA to do various string comparisons in a rule's condition, e.g. your_variable == "foo". However, some variables you want to compare (such as ones parsed out in modules) may be unicode/wide character strings, meaning you'd have to add null characters in the comparison, e.g. your_variable == "f\x00o\x00o\x00". This can make rules more obscure/prone to errors when writing.

A possible solution to this could be to add a modifier to strings, similar to that in C/C++, to indicate that a string is a wide character string. I.e. L"foo" is equivalent to "f\x00o\x00o\x00". Therefore, the same condition as before would become your_variable == L"foo". This would make rules more concise, and prevent those writing rules from having to worry about including null characters.

This would likely require some grammar updates in YARA, as well as tests to make sure operators like contains and matches still work as expected.

An alternative solution could be to have a function in, for example, the string module that will attempt to convert a wide character string to an ASCII string; but having a built-in operator L"" feels easier to use.
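The two approaches sketched in the post, as an added Python example (this is not YARA project code and not something the issue author posted): a helper that generates the escaped wide literal a rule author has to write by hand today, a hypothetical pre-processing step that rewrites the proposed L"foo" syntax into that form (YARA itself does not accept the L prefix), a decoder that shows the generated literal really equals the UTF-16LE bytes a module would hand back, and a wide-to-ASCII conversion in the spirit of the alternative string-module function. The module value and the variable name your_variable are constructed for the example; YARA's existing wide modifier applies to $strings definitions, not to literals in conditions, which is the gap the issue describes.

```python
"""Added example (not YARA project code): helpers for the wide-string
comparison problem described in the issue.

Assumptions: the compared variable holds the raw UTF-16LE bytes of an ASCII
string, which is what the issue's "f\\x00o\\x00o\\x00" literal encodes; the
L"..." prefix is the proposal from the issue, not existing YARA syntax.
"""
import re
from typing import Optional


def yara_wide_literal(text: str) -> str:
    """Escaped YARA text literal matching `text` as a wide (UTF-16LE) string.

    This is the form a rule author must write by hand today, e.g.
    yara_wide_literal("foo") -> "f\\x00o\\x00o\\x00" (quotes included).
    Only ASCII input is handled; that is the case the issue is about.
    """
    if not text.isascii():
        raise ValueError("helper only handles ASCII text")
    parts = []
    for ch in text:
        # Escape the two characters that are special inside a YARA literal.
        parts.append("\\" + ch if ch in '"\\' else ch)
        parts.append("\\x00")  # high byte of the UTF-16LE code unit
    return '"' + "".join(parts) + '"'


# Hypothetical L"..." syntax from the issue; inner escape sequences are not handled.
_WIDE_PREFIX = re.compile(r'L"([^"\\]*)"')


def expand_wide_prefix(condition: str) -> str:
    """Rewrite the proposed L"foo" syntax into today's escaped form.

    Hypothetical pre-processing step (not supported by YARA) that lets a rule
    author write the proposal and emit a condition YARA can compile.
    """
    return _WIDE_PREFIX.sub(lambda m: yara_wide_literal(m.group(1)), condition)


# Escapes YARA accepts in text literals: \" \\ \t \n \r \xNN
_ESCAPE = re.compile(r'\\(x[0-9A-Fa-f]{2}|[\\"tnr])')
_SIMPLE = {"\\": b"\\", '"': b'"', "t": b"\t", "n": b"\n", "r": b"\r"}


def literal_to_bytes(literal: str) -> bytes:
    """Decode a quoted YARA text literal into the bytes YARA compares against.

    Used here to show that the generated literal equals the wide bytes a
    module would return for the same ASCII text.
    """
    if len(literal) < 2 or literal[0] != '"' or literal[-1] != '"':
        raise ValueError("expected a double-quoted literal")
    body = literal[1:-1]
    out = bytearray()
    pos = 0
    for m in _ESCAPE.finditer(body):
        out += body[pos:m.start()].encode("ascii")
        esc = m.group(1)
        out += bytes([int(esc[1:], 16)]) if esc[0] == "x" else _SIMPLE[esc]
        pos = m.end()
    out += body[pos:].encode("ascii")
    return bytes(out)


def wide_to_ascii(data: bytes) -> Optional[str]:
    """The alternative from the issue: convert a wide byte string to ASCII.

    Returns None when `data` is not the UTF-16LE encoding of pure ASCII text
    (odd length, non-zero high byte, or a low byte outside ASCII), so a rule
    comparing the result to "foo" fails cleanly instead of matching garbage.
    """
    if len(data) % 2:
        return None
    chars = []
    for lo, hi in zip(data[0::2], data[1::2]):
        if hi != 0 or lo > 0x7F:
            return None
        chars.append(chr(lo))
    return "".join(chars)


if __name__ == "__main__":
    # Constructed sample: the wide bytes a module might expose for "foo".
    module_value = "foo".encode("utf-16-le")
    cond = expand_wide_prefix('your_variable == L"foo"')
    print(cond)  # your_variable == "f\x00o\x00o\x00"
    lit = cond.split(" == ", 1)[1]
    print(literal_to_bytes(lit) == module_value)  # True
    print(wide_to_ascii(module_value) == "foo")   # True
```

Running the script prints the expanded condition and two True lines: the literal produced for "foo" decodes to exactly the bytes of "foo".encode("utf-16-le"), and the conversion in the other direction recovers "foo" while rejecting byte strings that are not wide ASCII.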

@wxsBSD
Collaborator

wxsBSD commented Jan 17, 2023

This has been brought up in the past, but never settled on a solution: #522.

I, for one, like the idea. ;)
