Releases: VirusTotal/yara
YARA v4.3.0-rc1
- Added a not operator for bytes in hex strings. Example: `{01 ~02 03}` (#1676).
- `for` statement can iterate over sets of literal strings (e.g. `for any s in ("a", "b"): (pe.imphash() == s)`) (#1787).
- `of` statement can be used with `at` (e.g. `any of them at 0`) (#1790).
- Added the `--print-xor-key` (`-X` in short form) command-line option that prints the XOR key for xored strings (#1745).
- Implement the `--skip-larger` command-line option in Windows (#1678).
- Add parsing of .NET user types from .NET metadata stream in "dotnet" module (#1605).
- Improve certificate parsing and validation in "pe" module (#1623).
- Add `telfhash()` function to "elf" module (#1624).
- Add `to_int()` and `to_string()` functions to "math" module (#1767).
- Improve error reporting on certain edge cases (#1709, #1722).
- BUGFIX: Fix multiple memory alignment issues causing crashes in non-x86 platforms (#1724).
- BUGFIX: Fix implementation of `math.serial_correlation` (#1771).
- BUGFIX: Fix infinite recursion in `dotnet` module (#1794).
- BUGFIX: Fix SIGFPE when dividing INT64_MIN by -1.
Thanks to @shanehuntley, @1ndahous3, @HoundThe, @wxsBSD, @vthib
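A rule set exercising the v4.3.0-rc1 syntax listed above, added here as an illustration and not taken from the YARA project itself; the imphash and telfhash values, the byte patterns and the rule names are constructed placeholders:

```yara
import "pe"
import "elf"
import "math"

// Constructed example: v4.3 additions in one rule. Nothing here is a real
// detection signature; the hashes below are placeholders.
rule v43_syntax_demo
{
    strings:
        // "~C3" matches any byte except 0xC3 in that position: a 5-byte
        // near call that is NOT immediately followed by a ret.
        $call = { E8 ?? ?? ?? ?? ~C3 }
        // The page's own example: 0x01, then any byte but 0x02, then 0x03.
        $seq  = { 01 ~02 03 }
        $mz   = "MZ"
        // XOR-encoded string; with "yara -s -X" the matched key is printed.
        $url  = "http://" xor(0x01-0xff)

    condition:
        // "of" combined with "at": some string of the set must sit at offset 0.
        any of them at 0
        and
        // "for" over a set of literal strings (placeholder imphashes).
        for any h in ("00000000000000000000000000000000",
                      "11111111111111111111111111111111") :
            ( pe.imphash() == h )
        and
        // Integer/string conversion now provided by the math module.
        math.to_int("4096") == 4096
        and math.to_string(255) == "255"
}

rule v43_elf_telfhash_demo
{
    condition:
        // telfhash() is the new elf-module function; the value is a placeholder.
        elf.telfhash() == "PLACEHOLDER_TELFHASH"
}
```

`pe.imphash()` and `elf.telfhash()` are undefined on files that are not PE or ELF respectively, so the comparisons simply evaluate to false there rather than erroring out.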
YARA v4.2.3
- BUGFIX: Fix security issue that can lead to arbitrary code execution (b77e4f4, b77e4f4). Thanks to ANSSI - CERT-FR for the report.
- BUGFIX: Fix incorrect logic in expressions like `<quantifier> of <string_set> in (start..end)` (#1757).
YARA v4.2.2
- BUGFIX: Fix buffer overrun in "dex" module (#1728).
- BUGFIX: Wrong offset used when checking Version string of .net metadata (#1708).
- BUGFIX: YARA doesn't compile if `--with-debug-verbose` flag is enabled (#1719).
- BUGFIX: Null-pointer dereferences while loading corrupted compiled rules (#1727).
Thanks to @sudhackar, @wxsBSD, @dangodangodango, @MatejKastak
YARA v4.2.1
- Implement the `--skip-larger` command-line option in Windows.
- BUGFIX: Error while scanning process memory in Linux (#1662). Thanks to @hillu.
- BUGFIX: Issue in "magic" module leading to wrong matches (#1663).
- BUGFIX: Multiple issues triggered in low-memory conditions (#1671, #1673, #1674, #1675). Reported by @1ndahous3.
- BUGFIX: Incorrect parsing of character classes in some regular expressions (#1690). Reported by @Sevaarcen.
- BUGFIX: Heap overflow in ARM. Reported by @briangreenery.
YARA v4.2.0
- New syntax for counting string occurrences within a range of offsets. Example: `#a in (0..100)` (#1565).
- New syntax for checking if a set of strings are found within a range of offsets. Example: `all of them in (0..100)` (#1554).
- `of` operator now accepts sets of rules. Examples: `2 of (rule1, rule2, rule3)`, `2 of (rule*)` (#1597).
- New syntactic sugar allows writing `0 of ($a)` as `none of ($a*)` (#1559).
- New operator `%` for string sets. Example: `20% of them` (#1434).
- New operator `defined` (#1529).
- New operator `iequals` (#1536).
- Added functions `abs`, `count`, `percentage` and `mode` to `math` module (#1483).
- The `dotnet` module is now built into YARA by default.
- Added the `is_dotnet` field to `dotnet` module (#1568).
- Added new `console` module (#1594).
- Added support of delayed imports to `pe` module (#1523).
- Reduce memory pressure when scanning process memory in Linux (#1470).
- Improve performance while matching certain hex strings (#1526, #1552).
- Implement support for unicode file names in Windows (#1491).
- Add new API functions `yr_get_configuration_uintXX` and `yr_set_configuration_uintXX` (#1621).
- Add `--max-process-memory-chunk` option for controlling the size of the chunks while scanning a process memory (#1393).
- Add `--skip-larger` option for skipping files larger than a certain size while scanning directories.
- Improve scanning performance with better atom extraction (#1656).
- BUGFIX: `fullword` modifier not working properly under all locales (#1544).
- BUGFIX: Fix edge case when files have a numeric name that was interpreted as a PID number (#1541).
- BUGFIX: Fix memory leaks in `magic` module.
- BUGFIX: Fix integer overflow while scanning files larger than 2GB (#1615).
Thanks to @wxsBSD, @secDre4mer, @regeciovad, @ladislav-zezula, @hillu, @xbabka01, @LearnToGetBetter, @vlaci, @HoundThe
YARA v4.2.0-rc1
- New syntax for counting string occurrences within a range of offsets. Example: `#a in (0..100)` (#1565).
- New syntax for checking if a set of strings are found within a range of offsets. Example: `all of them in (0..100)` (#1554).
- `of` operator now accepts sets of rules. Examples: `2 of (rule1, rule2, rule3)`, `2 of (rule*)` (#1597).
- New syntactic sugar allows writing `0 of ($a)` as `none of ($a*)` (#1559).
- New operator `%` for string sets. Example: `20% of them` (#1434).
- New operator `defined` (#1529).
- New operator `iequals` (#1536).
- Added functions `abs`, `count`, `percentage` and `mode` to `math` module (#1483).
- Added new `console` module (#1594).
- Added support of delayed imports to `pe` module (#1523).
- Reduce memory pressure when scanning process memory in Linux (#1470).
- Improve performance while matching certain hex strings (#1526, #1552).
- Implement support for unicode file names in Windows (#1491).
- Add new API functions `yr_get_configuration_uintXX` and `yr_set_configuration_uintXX` (#1621).
- Add `--max-process-memory-chunk` option for controlling the size of the chunks while scanning a process memory (#1393).
- Add `--skip-larger` option for skipping files larger than a certain size while scanning directories.
- BUGFIX: `fullword` modifier not working properly under all locales (#1544).
- BUGFIX: Fix edge case when files have a numeric name that was interpreted as a PID number (#1541).
- BUGFIX: Fix memory leaks in `magic` module.
Thanks to @wxsBSD, @secDre4mer, @regeciovad, @ladislav-zezula, @hillu, @xbabka01, @LearnToGetBetter
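One rule set covering the syntax introduced in v4.2.0 and previewed in v4.2.0-rc1 above (ranged `#a in`, ranged `all of`, rule sets in `of`, `none of`, the `%` operator, `defined`, `iequals`, the new `math` functions, `dotnet.is_dotnet` and `console`). It is added here as an illustration and is not the YARA project's own code; the strings, thresholds and rule names are constructed for the demo, not real detection content:

```yara
import "pe"
import "math"
import "dotnet"
import "console"

// Constructed helper rules so that "of (rule_set)" has something to refer to.
rule has_mz_header
{
    strings:
        $mz = "MZ"
    condition:
        $mz at 0
}

rule has_pe_signature
{
    strings:
        $sig = "PE\x00\x00"
    condition:
        $sig
}

rule v42_syntax_demo
{
    strings:
        $a    = "http://"
        $b    = "https://"
        $c    = "User-Agent:"
        $bad1 = "cmd.exe"
        $bad2 = "powershell"

    condition:
        // Count occurrences of $a restricted to an offset range.
        #a in (0..4096) > 0
        // Every string in the set must be found within the range.
        and all of ($a, $b) in (0..65536)
        // "of" over an explicit rule set and over a wildcard rule set.
        and 2 of (has_mz_header, has_pe_signature)
        and 2 of (has_*)
        // "none of" is sugar for "0 of".
        and none of ($bad*)
        // Percentage operator: with five strings, 20% means at least one.
        and 20% of them
        // "defined" guards a module value that may be undefined for non-PE input.
        and defined pe.entry_point
        // Case-insensitive string comparison.
        and pe.sections[0].name iequals ".TEXT"
        // New math functions: byte count, byte percentage, most common byte, abs.
        and math.count(0x00) > 0
        and math.percentage(0x00) < 0.5
        and math.mode() == 0x00
        and math.abs(pe.sections[0].virtual_address - pe.sections[0].raw_data_offset) < 0x100000
        // dotnet is built in by default now; is_dotnet tells PE from .NET assembly.
        and not dotnet.is_dotnet
        // console.log returns true, so it can be chained into the condition to
        // print diagnostics while scanning.
        and console.log("entry point: ", pe.entry_point)
}
```

Because `console.log` always evaluates to true, placing it last in the `and` chain means it only fires for files that satisfied everything before it, which keeps scan output limited to the interesting cases.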
YARA v4.1.3
YARA v4.1.2
- BUGFIX: `TOO_MANY_MATCHES` warning was causing strings to be globally disabled (#1532).
- BUGFIX: `fullword` modifier not working as expected in Mac OS due to locale issue (#1544, VirusTotal/yara-python#184).
- BUGFIX: Default value for `pe.number_of_imported_function` not set to 0 (#1546).
YARA v4.1.1
YARA v4.1.0
- New operators `icontains`, `endswith`, `iendswith`, `startswith`, `istartswith`.
- Accept `\t` escape sequence in text strings.
- Add `--no-follow-links` command-line option to yara.
- Prevent yara from following links to "." (@1D2D).
- Implemented non-blocking scanning API (@simonhf).
- When a string causes too many matches, YARA raises a warning instead of failing (@wxsBSD).
- BUGFIX: The use of `--timeout` could hang `yara` when scanning directories or lists of files (#1481).
- BUGFIX: Incorrect parsing of PE certificates (#1443).
- BUGFIX: Short-circuit evaluation not working fine with undefined expressions.
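A rule exercising the v4.1.0 string operators and the `\t` escape listed above, added as an illustration rather than code from the YARA project; the section names and the tab-separated string are constructed for the demo:

```yara
import "pe"

// Constructed example: case-sensitive and case-insensitive prefix, suffix and
// substring operators applied to PE section names, plus a tab in a text string.
rule v41_syntax_demo
{
    strings:
        // "\t" is now accepted inside text strings.
        $tabbed = "user\tpassword"

    condition:
        $tabbed
        and
        // Case-insensitive operators tolerate odd capitalisation of section names.
        for any i in (0..pe.number_of_sections - 1) : (
            pe.sections[i].name icontains "text"
            or pe.sections[i].name istartswith ".DATA"
            or pe.sections[i].name iendswith "rsrc"
        )
        and
        // Case-sensitive variants match the exact bytes.
        for any i in (0..pe.number_of_sections - 1) : (
            pe.sections[i].name startswith "." and not pe.sections[i].name endswith "0"
        )
}
```

On non-PE input `pe.number_of_sections` is undefined, so both `for` loops evaluate to false and the rule does not match, which is the behaviour the short-circuit fix in this release restores.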