YARA v4.3.0-rc1

• Added a not operator for bytes in hex strings. Example: {01 ~02 03} (#1676).
• for statement can iterate over sets of literal strings (e.g. for any s in ("a", "b"): (pe.imphash() == s)) (#1787).
• of statement can be used with at (e.g. any of them at 0) (#1790).
• Added the --print-xor-key (-X in short form) command-line option that prints the XOR key for xored strings (#1745).
• Implement the --skip-larger command-line option in Windows (#1678).
• Add parsing of .NET user types from .NET metadata stream in "dotnet" module (#1605).
• Improve certificate parsing and validation in "pe" module (#1623).
• Add telfhash() function to "elf" module (#1624).
• Add to_int() and to_string() functions to "math" module (#1767).
• Improve error reporting on certain edge cases (#1709, #1722).
• BUGFIX: Fix multiple memory alignment issues causing crashes in non-x86 platforms (#1724).
• BUGFIX: Fix implementation of math.serial_correlation(#1771).
• BUGFIX: Fix infinite recursion in dotnet module (#1794).
• BUGFIX: Fix SIGFPE when dividing INT64_MIN by -1.

Thanks to @shanehuntley, @1ndahous3, @HoundThe, @wxsBSD, @vthib

YARA v4.2.3

• BUGFIX: Fix security issue that can lead to arbitrary code execution (b77e4f4, b77e4f4). Thanks to ANSSI - CERT-FR for the report.
• BUGFIX: Fix incorrect logic in expressions like <quantifier> of <string_set> in (start..end (#1757).

YARA v4.2.2

• BUGFIX: Fix buffer overrun in "dex" module (#1728).
• BUGFIX: Wrong offset used when checking Version string of .net metadata (#1708).
• BUGFIX: YARA doesn't compile if --with-debug-verbose flag is enabled (#1719).
• BUGFIX: Null-pointer dereferences while loading corrupted compiled rules (#1727).

Thanks to @sudhackar, @wxsBSD, @dangodangodango, @MatejKastak

YARA v4.2.1

• Implement the --skip-larger command-line option in Windows.
• BUGFIX: Error while scanning process memory in Linux (#1662). Thanks to @hillu.
• BUGFIX: Issue in "magic" module leading to wrong matches (#1663).
• BUGFIX: Multiple issues triggered in low-memory conditions (#1671, #1673, #1674, #1675). Reported by @1ndahous3.
• BUGFIX: Incorrect parsing of character classes in some regular expressions (#1690). Reported by @Sevaarcen.
• BUGFIX: Heap overflow in ARM. Reported by @briangreenery.

YARA v4.2.0

• New syntax for counting string occurrences within a range of offsets. Example: #a in (0..100) (#1565).
• New syntax for checking if a set of strings are found within a range of offsets all of them in (0..100) (#1554).
• of operator now accepts sets of rules, Examples: 2 of (rule1, rule2, rule3), 2 of (rule*) (##1597)
• New syntactic sugar allows writing 0 of ($a) as none of ($a*) (#1559).
• New operator % for string sets. Example: 20% of them (#1434).
• New operator defined (#1529).
• New operator iequals (#1536).
• Added functions abs, count, percentage and mode to math module (#1483).
• The dotnet module is now built into YARA by default.
• Added the is_dotnet field to dotnet module (#1568).
• Added new console module (#1594).
• Added support of delayed imports to pe module (#1523).
• Reduce memory pressure when scanning process memory in Linux (#1470).
• Improve performance while matching certain hex strings (#1526, #1552).
• Implement support for unicode file names in Windows (#1491).
• Add new API functions yr_get_configuration_uintXX and yr_set_configuration_uintXX (#1621).
• Add --max-process-memory-chunk option for controlling the size of the chunks while scanning a process memory (#1393).
• Add --skip-larger option for skipping files larger than a certain size while scanning directories.
• Improve scanning performance with better atom extraction (#1656).
• BUGFIX: fullword modifier not working properly under all locales (#1544).
• BUGFIX: Fix edge case when files have a numeric name that was interpreted as a PID number (#1541).
• BUGFIX: Fix memory leaks in magic module.
• BUGFIX: Fix integer overflow while scanning files larger than 2GB (#1615).

Thanks to @wxsBSD, @secDre4mer, @regeciovad, @ladislav-zezula, @hillu, @xbabka01, @LearnToGetBetter, @vlaci, @HoundThe

YARA v4.2.0-rc1

• New syntax for counting string occurrences within a range of offsets. Example: #a in (0..100) (#1565).
• New syntax for checking if a set of strings are found within a range of offsets all of them in (0..100) (#1554).
• of operator now accepts sets of rules, Examples: 2 of (rule1, rule2, rule3), 2 of (rule*) (##1597)
• New syntactic sugar allows writing 0 of ($a) as none of ($a*) (#1559).
• New operator % for string sets. Example: 20% of them (#1434).
• New operator defined (#1529).
• New operator iequals (#1536).
• Added functions abs, count, percentage and mode to math module (#1483).
• Added new console module (#1594).
• Added support of delayed imports to pe module (#1523).
• Reduce memory pressure when scanning process memory in Linux (#1470).
• Improve performance while matching certain hex strings (#1526, #1552).
• Implement support for unicode file names in Windows (#1491).
• Add new API functions yr_get_configuration_uintXX and yr_set_configuration_uintXX (#1621).
• Add --max-process-memory-chunk option for controlling the size of the chunks while scanning a process memory (#1393).
• Add --skip-larger option for skipping files larger than a certain size while scanning directories.
• BUGFIX: fullword modifier not working properly under all locales (#1544).
• BUGFIX: Fix edge case when files have a numeric name that was interpreted as a PID number (#1541).
• BUGFIX: Fix memory leaks in magic module.

Thanks to @wxsBSD, @secDre4mer, @regeciovad, @ladislav-zezula, @hillu, @xbabka01, @LearnToGetBetter

YARA v4.1.3

BUGFIX: Fix issue where ERROR_TOO_MANY_MATCHES was incorrectly returned (6085d3f).
BUGFIX: Fix potential buffer overrun due to incorrect macro (d5c83c6).

YARA v4.1.2

BUGFIX: TOO_MANY_MATCHES warning was causing strings to be globally disabled (#1532).
BUGFIX: fullworld modifier not working as expected in Mac OS due to locale issue (#1544, VirusTotal/yara-python#184).
BUGFIX: Default value for pe.number_of_imported_function not set to 0 (#1546).

YARA v4.1.1

BUGFIX: Accept the "+" character as valid in DLL names (#1501).
BUGFIX: Buffer overrun in "macho" module.
BUGFIX: Undefined behavior in Windows implementation of yr_filemap_xxx functions (#1302).
BUGFIX: Crash due to consecutive jumps in hex strings (#1492).

YARA v4.1.0

• New operators icontains, endswith, iendswith, startswith, istartswith.
• Accept \t escape sequence in text strings.
• Add --no-follow-links command-line option to yara.
• Prevent yara from following links to "." (@1D2D).
• Implemented non-blocking scanning API (@simonhf).
• When a string causes too many matches, YARA raises a warning instead of failing (@wxsBSD).
• BUGFIX: The use of --timeout could hang yara when scanning directories or lists of files (#1481).
• BUGFIX: Incorrect parsing of PE certificates (#1443).
• BUGFIX: Short-circuit evaluation not working fine with undefined expressions.