
Regression on long hex strings in yarac #688

Closed
JusticeRage opened this issue Jun 25, 2017 · 5 comments

Comments

@JusticeRage
Contributor

JusticeRage commented Jun 25, 2017

Hi! I've recently upgraded to Yara 3.6 (latest master revision) and I'm hitting errors with previously functional rules.

Here is the first one:

rule error_1
{
	strings:
	    $a0 = {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}

	conditions:
	    any of them
}

~/code/yara$ ./yarac test.rule out
test.rule(4): error: invalid hex string "$a0": ��

I tried reducing the test case, but if I delete any more bytes, I get the following error:

./yarac test.rule out
test.rule(6): error: syntax error, unexpected _IDENTIFIER_, expecting _CONDITION_

Upon further inspection, it seems that this issue only happens when the hexadecimal string is very long.
There also seems to be new rules rejected because the "regular expression is too complex". That didn't happen before, can you comment on this?
Finally, is there a way to compile the rules anyway by ignoring the ones that cause an error?

Thanks!

@JusticeRage JusticeRage changed the title Regressions on long hex strings in yarac Regression on long hex strings in yarac Jun 25, 2017
@hillu
Contributor

hillu commented Jun 25, 2017

@JusticeRage The second error message means that you used conditions: where condition: would have been correct.

@hillu
Contributor

hillu commented Jun 25, 2017

I can reproduce the error with a hex string describing 3004 or more bytes.

JusticeRage added a commit to JusticeRage/yara that referenced this issue Jun 25, 2017
@plusvic
Member

plusvic commented Jun 26, 2017

This is because of this other issue: #674

RE_MAX_AST_LEVELS was introduced to avoid stack overflows and it currently has a value of 3000. It can be set to a larger value, maybe 3000 is too low for some existing rules.

But I highly discourage the use of such long strings as they are usually unnecessary. A few hundred bytes should be enough, you don't need thousands of bytes for creating a very unique string.
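As an added example (not code from the YARA project or from anyone in this thread), here is a small pre-flight check in Python for rule files that are generated automatically, the situation described in this issue: it counts the bytes each hex string describes and flags any at or above the limit plusvic mentions, and it also reports the `conditions:` typo hillu points out, so both problems surface before yarac runs. The 3000-byte threshold (hillu reproduced the failure at 3004 bytes with RE_MAX_AST_LEVELS at 3000), the byte-counting approximation (it counts bytes and jump upper bounds, not yarac's regex AST levels), the sample rules and all function names are assumptions made for this example.

```python
import re

# Threshold taken from the thread: hillu reproduced the failure at 3004+ bytes
# while RE_MAX_AST_LEVELS was 3000. This is an approximation chosen for the
# example, not the compiler's own accounting; plusvic's advice is a few hundred.
DEFAULT_LIMIT = 3000

# "$name = { ... }" as written in a strings: section; hex bodies never contain "}".
HEX_STRING_RE = re.compile(r"(\$\w*)\s*=\s*\{(.*?)\}", re.DOTALL)
# One byte: two hex digits, "??", or a half-masked nibble such as "4?" / "?D".
BYTE_TOKEN_RE = re.compile(r"[0-9A-Fa-f?]{2}")
# Jumps: "[4]", "[4-6]", "[4-]", "[-6]", "[-]".
JUMP_RE = re.compile(r"\[\s*(\d*)\s*(?:-\s*(\d*))?\s*\]")
# The keyword typo from the first post: "conditions:" where "condition:" is meant.
BAD_CONDITION_RE = re.compile(r"^\s*conditions\s*:", re.MULTILINE)


def hex_string_byte_count(body):
    """Upper bound on the bytes a hex string body describes.

    Each byte token counts one, a jump counts its upper bound (its lower bound
    when open-ended, nothing for "[-]"), and an alternation counts its longest branch.
    """
    pos = 0

    def parse_seq():
        nonlocal pos
        total, best_branch = 0, 0
        while pos < len(body):
            ch = body[pos]
            if ch.isspace():
                pos += 1
            elif ch == "(":
                pos += 1
                total += parse_seq()  # returns when the matching ")" is consumed
            elif ch == ")":
                pos += 1
                return max(best_branch, total)
            elif ch == "|":
                pos += 1
                best_branch, total = max(best_branch, total), 0
            elif ch == "[":
                m = JUMP_RE.match(body, pos)
                if not m:
                    raise ValueError("malformed jump at offset %d" % pos)
                pos = m.end()
                lo, hi = m.group(1), m.group(2)
                if hi:
                    total += int(hi)
                elif lo:
                    total += int(lo)
            else:
                m = BYTE_TOKEN_RE.match(body, pos)
                if not m:
                    raise ValueError("unexpected %r at offset %d" % (ch, pos))
                pos = m.end()
                total += 1
        return max(best_branch, total)

    return parse_seq()


def find_hex_strings(rules_text):
    """Yield (identifier, body) for every hex string definition in the text."""
    for m in HEX_STRING_RE.finditer(rules_text):
        yield m.group(1), m.group(2)


def check_rules(rules_text, limit=DEFAULT_LIMIT):
    """Return [(identifier, byte_count)] for hex strings at or above the limit."""
    flagged = []
    for ident, body in find_hex_strings(rules_text):
        n = hex_string_byte_count(body)
        if n >= limit:
            flagged.append((ident, n))
    return flagged


def find_keyword_typos(rules_text):
    """Return 1-based line numbers where "conditions:" appears instead of "condition:"."""
    return [rules_text.count("\n", 0, m.start()) + 1
            for m in BAD_CONDITION_RE.finditer(rules_text)]


# Constructed sample: one sane rule, one generated rule of 3004 bytes (the size
# hillu reproduced the failure with), and one carrying the keyword typo.
SAMPLE_RULES = """\
rule short_ok
{
    strings:
        $mz = { 4D 5A ?? ?? [2-4] ( 50 45 | 4E 45 ) }
    condition:
        $mz
}

rule too_long
{
    strings:
        $blob = { %s }
    condition:
        $blob
}

rule typo_in_keyword
{
    strings:
        $a = { 00 }
    conditions:
        any of them
}
""" % " ".join(["41"] * 3004)


if __name__ == "__main__":
    for ident, n in check_rules(SAMPLE_RULES):
        print("%s describes %d bytes, at or above limit %d" % (ident, n, DEFAULT_LIMIT))
    for lineno in find_keyword_typos(SAMPLE_RULES):
        print("line %d: 'conditions:' should be 'condition:'" % lineno)
```

Run it over a generated rules file before invoking yarac; a flagged string is one to shorten (or to split into a rule of its own so it can be dropped without losing the rest), and the keyword check turns the unhelpful "unexpected _IDENTIFIER_, expecting _CONDITION_" message into a line number.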

@plusvic
Member

plusvic commented Jun 26, 2017

RE_MAX_AST_LEVELS increased to 6000 in 2451491

@plusvic plusvic closed this as completed Jun 26, 2017
@JusticeRage
Contributor Author

Thanks! I agree completely on the principle, but some of my rules are generated automatically from external sources, so I don't have full control over their quality.
This is a case where #645 would be preferable.
