Skip to content

Releases: VirusTotal/yara

YARA v4.3.0-rc1

30 Dec 17:23
Compare
Choose a tag to compare
YARA v4.3.0-rc1 Pre-release
Pre-release
  • Added a not operator for bytes in hex strings. Example: {01 ~02 03} (#1676).
  • for statement can iterate over sets of literal strings (e.g. for any s in ("a", "b"): (pe.imphash() == s)) (#1787).
  • of statement can be used with at (e.g. any of them at 0) (#1790).
  • Added the --print-xor-key (-X in short form) command-line option that prints the XOR key for xored strings (#1745).
  • Implement the --skip-larger command-line option in Windows (#1678).
  • Add parsing of .NET user types from .NET metadata stream in "dotnet" module (#1605).
  • Improve certificate parsing and validation in "pe" module (#1623).
  • Add telfhash() function to "elf" module (#1624).
  • Add to_int() and to_string() functions to "math" module (#1767).
  • Improve error reporting on certain edge cases (#1709, #1722).
  • BUGFIX: Fix multiple memory alignment issues causing crashes in non-x86 platforms (#1724).
  • BUGFIX: Fix implementation of math.serial_correlation(#1771).
  • BUGFIX: Fix infinite recursion in dotnet module (#1794).
  • BUGFIX: Fix SIGFPE when dividing INT64_MIN by -1.

Thanks to @shanehuntley, @1ndahous3, @HoundThe, @wxsBSD, @vthib

YARA v4.2.3

09 Aug 07:43
Compare
Choose a tag to compare
  • BUGFIX: Fix security issue that can lead to arbitrary code execution (b77e4f4, b77e4f4). Thanks to ANSSI - CERT-FR for the report.
  • BUGFIX: Fix incorrect logic in expressions like <quantifier> of <string_set> in (start..end (#1757).

YARA v4.2.2

30 Jun 09:08
Compare
Choose a tag to compare
  • BUGFIX: Fix buffer overrun in "dex" module (#1728).
  • BUGFIX: Wrong offset used when checking Version string of .net metadata (#1708).
  • BUGFIX: YARA doesn't compile if --with-debug-verbose flag is enabled (#1719).
  • BUGFIX: Null-pointer dereferences while loading corrupted compiled rules (#1727).

Thanks to @sudhackar, @wxsBSD, @dangodangodango, @MatejKastak

YARA v4.2.1

26 Apr 09:11
Compare
Choose a tag to compare
  • Implement the --skip-larger command-line option in Windows.
  • BUGFIX: Error while scanning process memory in Linux (#1662). Thanks to @hillu.
  • BUGFIX: Issue in "magic" module leading to wrong matches (#1663).
  • BUGFIX: Multiple issues triggered in low-memory conditions (#1671, #1673, #1674, #1675). Reported by @1ndahous3.
  • BUGFIX: Incorrect parsing of character classes in some regular expressions (#1690). Reported by @Sevaarcen.
  • BUGFIX: Heap overflow in ARM. Reported by @briangreenery.

YARA v4.2.0

10 Mar 15:18
1367943
Compare
Choose a tag to compare
  • New syntax for counting string occurrences within a range of offsets. Example: #a in (0..100) (#1565).
  • New syntax for checking if a set of strings are found within a range of offsets all of them in (0..100) (#1554).
  • of operator now accepts sets of rules, Examples: 2 of (rule1, rule2, rule3), 2 of (rule*) (##1597)
  • New syntactic sugar allows writing 0 of ($a) as none of ($a*) (#1559).
  • New operator % for string sets. Example: 20% of them (#1434).
  • New operator defined (#1529).
  • New operator iequals (#1536).
  • Added functions abs, count, percentage and mode to math module (#1483).
  • The dotnet module is now built into YARA by default.
  • Added the is_dotnet field to dotnet module (#1568).
  • Added new console module (#1594).
  • Added support of delayed imports to pe module (#1523).
  • Reduce memory pressure when scanning process memory in Linux (#1470).
  • Improve performance while matching certain hex strings (#1526, #1552).
  • Implement support for unicode file names in Windows (#1491).
  • Add new API functions yr_get_configuration_uintXX and yr_set_configuration_uintXX (#1621).
  • Add --max-process-memory-chunk option for controlling the size of the chunks while scanning a process memory (#1393).
  • Add --skip-larger option for skipping files larger than a certain size while scanning directories.
  • Improve scanning performance with better atom extraction (#1656).
  • BUGFIX: fullword modifier not working properly under all locales (#1544).
  • BUGFIX: Fix edge case when files have a numeric name that was interpreted as a PID number (#1541).
  • BUGFIX: Fix memory leaks in magic module.
  • BUGFIX: Fix integer overflow while scanning files larger than 2GB (#1615).

Thanks to @wxsBSD, @secDre4mer, @regeciovad, @ladislav-zezula, @hillu, @xbabka01, @LearnToGetBetter, @vlaci, @HoundThe

YARA v4.2.0-rc1

10 Jan 16:41
45a2883
Compare
Choose a tag to compare
YARA v4.2.0-rc1 Pre-release
Pre-release
  • New syntax for counting string occurrences within a range of offsets. Example: #a in (0..100) (#1565).
  • New syntax for checking if a set of strings are found within a range of offsets all of them in (0..100) (#1554).
  • of operator now accepts sets of rules, Examples: 2 of (rule1, rule2, rule3), 2 of (rule*) (##1597)
  • New syntactic sugar allows writing 0 of ($a) as none of ($a*) (#1559).
  • New operator % for string sets. Example: 20% of them (#1434).
  • New operator defined (#1529).
  • New operator iequals (#1536).
  • Added functions abs, count, percentage and mode to math module (#1483).
  • Added new console module (#1594).
  • Added support of delayed imports to pe module (#1523).
  • Reduce memory pressure when scanning process memory in Linux (#1470).
  • Improve performance while matching certain hex strings (#1526, #1552).
  • Implement support for unicode file names in Windows (#1491).
  • Add new API functions yr_get_configuration_uintXX and yr_set_configuration_uintXX (#1621).
  • Add --max-process-memory-chunk option for controlling the size of the chunks while scanning a process memory (#1393).
  • Add --skip-larger option for skipping files larger than a certain size while scanning directories.
  • BUGFIX: fullword modifier not working properly under all locales (#1544).
  • BUGFIX: Fix edge case when files have a numeric name that was interpreted as a PID number (#1541).
  • BUGFIX: Fix memory leaks in magic module.

Thanks to @wxsBSD, @secDre4mer, @regeciovad, @ladislav-zezula, @hillu, @xbabka01, @LearnToGetBetter

YARA v4.1.3

21 Oct 11:17
Compare
Choose a tag to compare

BUGFIX: Fix issue where ERROR_TOO_MANY_MATCHES was incorrectly returned (6085d3f).
BUGFIX: Fix potential buffer overrun due to incorrect macro (d5c83c6).

YARA v4.1.2

23 Aug 14:11
Compare
Choose a tag to compare

BUGFIX: TOO_MANY_MATCHES warning was causing strings to be globally disabled (#1532).
BUGFIX: fullworld modifier not working as expected in Mac OS due to locale issue (#1544, VirusTotal/yara-python#184).
BUGFIX: Default value for pe.number_of_imported_function not set to 0 (#1546).

YARA v4.1.1

24 May 10:36
Compare
Choose a tag to compare

BUGFIX: Accept the "+" character as valid in DLL names (#1501).
BUGFIX: Buffer overrun in "macho" module.
BUGFIX: Undefined behavior in Windows implementation of yr_filemap_xxx functions (#1302).
BUGFIX: Crash due to consecutive jumps in hex strings (#1492).

YARA v4.1.0

26 Apr 12:06
e1360f6
Compare
Choose a tag to compare
  • New operators icontains, endswith, iendswith, startswith, istartswith.
  • Accept \t escape sequence in text strings.
  • Add --no-follow-links command-line option to yara.
  • Prevent yara from following links to "." (@1D2D).
  • Implemented non-blocking scanning API (@simonhf).
  • When a string causes too many matches, YARA raises a warning instead of failing (@wxsBSD).
  • BUGFIX: The use of --timeout could hang yara when scanning directories or lists of files (#1481).
  • BUGFIX: Incorrect parsing of PE certificates (#1443).
  • BUGFIX: Short-circuit evaluation not working fine with undefined expressions.