It is possible in YARA to do various string comparisons in a rule's condition, e.g. your_variable == "foo". However, some variables you want to compare (such as ones parsed out in modules) may be unicode/wide character strings, meaning you'd have to add null characters in the comparison, e.g. your_variable == "f\x00o\x00o\x00". This can make rules more obscure/prone to errors when writing.
A possible solution to this could be to add a modifier to strings, similar to the one in C/C++, to indicate that a string is a wide character string. I.e. L"foo" is equivalent to "f\x00o\x00o\x00". Therefore, the same condition as before would become your_variable == L"foo". This would make rules more concise, and prevent those writing rules from having to worry about including null characters.
This would likely require some grammar updates in YARA, as well as tests to make sure operators like contains and matches still work as expected.
An alternative solution could be to have a function in, for example, the string module that will attempt to convert a wide character string to an ASCII string; but having a built-in operator L"" feels easier to use.
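As an added illustration (not part of the issue or of YARA itself), the helper below does outside the rule what the proposed L"" prefix would do inside it: it takes a normal string and emits the escaped wide (UTF-16LE) literal that a condition currently has to spell out by hand, so a rule generator can write the comparison once without counting null bytes. The variable name `your_variable` is the placeholder from the issue text.

```python
# Added example: emulate the proposed L"..." prefix by expanding a string into
# the escaped wide (UTF-16LE) literal that a YARA condition currently requires.

def yara_wide_literal(text: str) -> str:
    """Return a double-quoted YARA text literal holding `text` encoded as UTF-16LE.

    Printable ASCII bytes are kept readable (with `"` and `\\` escaped); every
    other byte, including the interleaved null bytes, becomes a \\xNN escape.
    """
    out = []
    for b in text.encode("utf-16-le"):
        if b == 0x22:              # '"' must be escaped inside a YARA literal
            out.append('\\"')
        elif b == 0x5C:            # '\' must be escaped too
            out.append("\\\\")
        elif 0x20 <= b < 0x7F:     # printable ASCII: emit as-is
            out.append(chr(b))
        else:                      # null padding and non-ASCII bytes
            out.append(f"\\x{b:02x}")
    return '"' + "".join(out) + '"'


def wide_condition(variable: str, text: str) -> str:
    """Build `variable == <wide literal>`, i.e. what `variable == L"text"` would mean."""
    return f"{variable} == {yara_wide_literal(text)}"


if __name__ == "__main__":
    # Mirrors the example from the issue: L"foo" -> "f\x00o\x00o\x00"
    print(wide_condition("your_variable", "foo"))
```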