    Victor M. Alvarez
    @plusvic
    ?
    HostageBrain
    @HostageBrain
    yes
    moment
    oh
    Victor M. Alvarez
    @plusvic
    ok, now I think I fully understand the issue
    HostageBrain
    @HostageBrain
    it returns 0
    i missed one thing)
    after yr_parser_emit_with_arg_reloc:
        size    0x0000000000020000    unsigned __int64
        used    0x000000000001fff4    unsigned __int64
    then _STRINGIDENTIFIER:
    after yr_parser_reduce_string_identifier:
        size    0x0000000000020000    unsigned __int64
        used    0x000000000001fffd    unsigned __int64
    then in same _STRINGIDENTIFIER:
    yr_parser_emit
    after it
        size    0x0000000000020000    unsigned __int64
        used    0x000000000001fffe    unsigned __int64
    Victor M. Alvarez
    @plusvic
    I'll try to reproduce the issue. I think I know the root cause, but in order to confirm it and have a test bed I need to reproduce it.
    With the information you sent I think I should be able to reproduce it
    I'll let you know later. Thanks for your help!
    HostageBrain
    @HostageBrain
    thanks for your patience)
    here is the picture:

    boolean_expression AND
    after compiler->last_result = yr_parser_emit_with_arg_reloc executed
    after it:
    size 0x0000000000020000 unsigned __int64
    used 0x000000000001fff4 unsigned __int64

    _STRINGIDENTIFIER ($cmd2 '-removekys')
    yr_parser_reduce_string_identifier executed.
    after it:
    size 0x0000000000020000 unsigned __int64
    used 0x000000000001fffd unsigned __int64
    yr_parser_emit executed.
    after it:
    size 0x0000000000020000 unsigned __int64
    used 0x000000000001fffe unsigned __int64

    boolean_expression
    compiler->last_result = yr_arena_reserve_memory - ok
    yr_parser_emit executed.
    after it:
    size 0x0000000000020000 unsigned __int64
    used 0x000000000001ffff unsigned __int64
    *(void**)(fixup->address) = (void*)(and_addr + 1);

    boolean_expression
    yr_arena_reserve_memory - allocs new page!

    duplicated with formatting: https://pastebin.com/7Syg2Fau
    HostageBrain
    @HostageBrain
    I've noticed that a release, yara 3.6.0, silently appeared ten days ago (https://github.com/VirusTotal/yara/releases). But it looks quite incomplete: no release notes, no info on Twitter; on 'yara.readthedocs.io' the default version is still 3.5.0, and nobody writes news about it, on Twitter etc. It looks like nobody knows of the new version. Is it really 3.6.0, or is it some preliminary release candidate with the actual release coming later?
    Victor M. Alvarez
    @plusvic
    I'm preparing the 3.6.0 release, but it's not ready yet
    Wesley Shields
    @wxs_twitter
    I am going to try and be more active here as necessary, but I just put up a pull request to make the dotnet module reject stream names with no null byte
    Would be awesome to get that in before 3.6.0
    Hilko Bengen
    @hillu
    so, 3.6.0 has been tagged ... I'm going to do an upload to Debian/unstable today ... and I'm going to try to get that included with the upcoming stretch release, too. Any objections there?
    Wesley Shields
    @wxs_twitter
    Hilko: my objection is it isn't ready (see above)
    Hilko Bengen
    @hillu
    @wxs_twitter sure, a bunch of fixes have landed on master since, so I wondered about that, too. @plusvic Are you going to move the tag or will there be a 3.6.1 release really soon?
    Wesley Shields
    @wxs_twitter
    Congrats on the release!
    Hilko Bengen
    @hillu
    I have now uploaded 3.6.0+dfsg-1 to Debian/unstable.
    Michael Salsone
    @Popsiclestick
    Is there good documentation anywhere on the different parameters for the meta section in yara? I've gone through all of the docs I can find. No dice.
    Victor M. Alvarez
    @plusvic
    @Popsiclestick What do you mean exactly? The meta section is for users defining arbitrary metadata for their rules; there's no predefined set of variables.
    Michael Salsone
    @Popsiclestick
    Ah nvm then. Didn't realize it was completely arbitrary. I saw commonly reused variables and didn't know if they got bubbled up in other things that use yara or had a use outside of that.
    M0rk
    @kevien
    i don't know how to debug yara...
    in a unix system
    anyone who has switched to CLion?
    Victor M. Alvarez
    @plusvic
    @kevien I don't have any experience with CLion :(
    M0rk
    @kevien
    i got it, thanks
    M0rk
    @kevien
    how to build libyara as a dll?
    M0rk
    @kevien
    is there anyone who has transformed it to a cmake project?
    M0rk
    @kevien
    has anyone tested it on win10 process scan?
    X64
    M0rk
    @kevien
    i use 3.7.0 to scan processes, it can not recognize, but 3.6.0 can
    any changes?
    Victor M. Alvarez
    @plusvic
    @kevien can you explain a little more about the issue? what do you mean with "can not recognize"?
    Victor M. Alvarez
    @plusvic
    @kevien your problem probably was because of this VirusTotal/yara@4546fb2
    try with the latest version and let me know if it works fine for you
    M0rk
    @kevien
    @plusvic thanks, i will try it