Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Defining the same variable twice results in incorrect behaviour #25

Closed
CapacitorSet opened this issue Jul 8, 2018 · 2 comments
Closed

Defining the same variable twice results in incorrect behaviour #25

CapacitorSet opened this issue Jul 8, 2018 · 2 comments

Comments

@CapacitorSet
Copy link

CapacitorSet commented Jul 8, 2018
edited
Loading

I found that if I define the same variable twice in the compiler, scanning gives incorrect results.

Here's a minimal testcase:

package main

import (
	"fmt"
	"github.com/hillu/go-yara"
)

func errcheck(err error) { if err != nil { panic(err) } }

func main() {
	c, err := yara.NewCompiler()
	errcheck(err)
	err = c.DefineVariable("category", "")
	errcheck(err)
	err = c.DefineVariable("category", "")
	errcheck(err)
	err = c.AddString(`rule category_is_empty { condition: category == ""}`, "")
	errcheck(err)
	r, err := c.GetRules()
	errcheck(err)
	r.DefineVariable("category", "http")
	z, err := r.ScanMem([]byte{}, 0, 0)
	fmt.Printf("%#v\n", z)
}

One would expect that the rule category_is_empty wouldn't be matched, since category was defined to be equal to "http". However, the rule does get matched.

If you remove the second definition, the code works as intended.
@CapacitorSet CapacitorSet changed the title Defining the same variable twice leads to different behaviours Defining the same variable twice leads to incorrect behaviour Jul 8, 2018
@CapacitorSet CapacitorSet changed the title Defining the same variable twice leads to incorrect behaviour Defining the same variable twice results in incorrect behaviour Jul 8, 2018
@hillu hillu mentioned this issue Jul 10, 2018
Closed
@hillu
Copy link
Owner

hillu commented Jul 10, 2018

This is a bug in YARA itself.

@CapacitorSet
Copy link
Author

Fixed upstream, closing this. Thank you for the quick response!

CapacitorSet added a commit to CapacitorSet/honeytrap that referenced this issue Jul 10, 2018
@CapacitorSet
Make vars unique (workaround for hillu/go-yara#25)
2b43dab
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@hillu @CapacitorSet