    HostageBrain
    @HostageBrain

    boolean_expression AND
    after compiler->last_result = yr_parser_emit_with_arg_reloc executed
    after it:
    size 0x0000000000020000 unsigned int64
    used 0x000000000001fff4 unsigned int64

    _STRINGIDENTIFIER ($cmd2 '-removekys')
    yr_parser_reduce_string_identifier executed.
    after it:
    size 0x0000000000020000 unsigned int64
    used 0x000000000001fffd unsigned int64
    yr_parser_emit executed.
    after it:
    size 0x0000000000020000 unsigned int64
    used 0x000000000001fffe unsigned int64

    boolean_expression
    compiler->last_result = yr_arena_reserve_memory - ok
    yr_parser_emit executed.
    after it:
    size 0x0000000000020000 unsigned int64
    used 0x000000000001ffff unsigned int64
    *(void**)(fixup->address) = (void*)(and_addr + 1);

    boolean_expression
    yr_arena_reserve_memory - allocs new page!

    duplicated with formatting: https://pastebin.com/7Syg2Fau
    HostageBrain
    @HostageBrain
    I've noticed that a yara 3.6.0 release silently appeared ten days ago (https://github.com/VirusTotal/yara/releases). But it looks quite incomplete - no release notes; no info on twitter; on 'yara.readthedocs.io' the default version is still 3.5.0 and nobody writes news about it - on twitter etc. - it looks like nobody knows of the new version. Is it really 3.6.0 or is it some preliminary release candidate & the actual release will be later?
    Victor M. Alvarez
    @plusvic
    I'm preparing the 3.6.0 release, but it's not ready yet
    Wesley Shields
    @wxs_twitter
    I am going to try and be more active here as necessary, but I just put up a pull request to make the dotnet module reject stream names with no null byte
    Would be awesome to get that in before 3.6.0
    Hilko Bengen
    @hillu
    so, 3.6.0 has been tagged ... I'm going to do an upload to Debian/unstable today ... and I'm going to try to get that included with the upcoming stretch release, too. Any objections there?
    Wesley Shields
    @wxs_twitter
    Hilko: my objection is it isn't ready (see above)
    Hilko Bengen
    @hillu
    @wxs_twitter sure, a bunch of fixes have landed on master since, so I wondered about that, too. @plusvic Are you going to move the tag or will there be a 3.6.1 release really soon?
    Wesley Shields
    @wxs_twitter
    Congrats on the release!
    Hilko Bengen
    @hillu
    I have now uploaded 3.6.0+dfsg-1 to Debian/unstable.
    Michael Salsone
    @Popsiclestick
    Is there good documentation anywhere on the different parameters for the meta section in yara? I've gone through all of the docs I can find. No dice.
    Victor M. Alvarez
    @plusvic
    @Popsiclestick What do you mean exactly? The meta section is for users defining arbitrary metadata for their rules, there's no predefined set of variables.
    Michael Salsone
    @Popsiclestick
    Ah nvm then. Didn't realize it was completely arbitrary. I saw commonly reused variables, didn't know if they got bubbled up in other things that use yara or had a use outside of that.
    M0rk
    @kevien
    I don't know how to debug yara...
    on a unix system
    has anyone switched to CLion?
    Victor M. Alvarez
    @plusvic
    @kevien I don't have any experience with CLion :(
    M0rk
    @kevien
    I got it, thanks
    M0rk
    @kevien
    how to build libyara as a dll?
    M0rk
    @kevien
    is there anyone who has transformed it into a cmake project?
    M0rk
    @kevien
    has anyone tested it on win10 process scan?
    x64
    M0rk
    @kevien
    I use 3.7.0 to scan a process, it cannot recognize, but 3.6.0 can
    any changes?
    Victor M. Alvarez
    @plusvic
    @kevien can you explain a little more about the issue? what do you mean by "can not recognize"?
    Victor M. Alvarez
    @plusvic
    @kevien your problem probably was because of this VirusTotal/yara@4546fb2
    try with the latest version and let me know if it works fine for you
    M0rk
    @kevien
    @plusvic thanks i will try it
    HostageBrain
    @HostageBrain
    Hi guys. I'm looking at the yara executable and see the --fast-scan flag. I looked at the sources and found the SCAN_FLAGS_FAST_MODE flag. As I see it - this flag is just a performance improvement - yara won't create a linked_list where there is no need to store all offsets. I mean - as I see it there is an obvious performance improvement with the semantics fully preserved. So why isn't this flag turned on by default? If I turn on this flag in my project where I'm using the yara library - will some detections disappear or are there any other disadvantages?
    Victor M. Alvarez
    @plusvic
    @HostageBrain the flag is not turned on by default because it prevents you from getting information about the offsets within the file where the strings were found. That information was offered since the first version, and the flag was added later on, so it's disabled by default for backward compatibility.
    HostageBrain
    @HostageBrain
    so if I have a system which is only interested in whether a file matched or not matched - then when I turn on the flag - I lose nothing but get a performance improvement?
    Victor M. Alvarez
    @plusvic
    yes, that's correct, if you are just interested in knowing if the file matches or not you can safely use the flag
    HostageBrain
    @HostageBrain
    thanks, great!
    Victor M. Alvarez
    @plusvic
    Enjoy YARA! :)
    Mike
    @mfhorka
    Hey guys, where is the version set in the arena that will later throw an UNSUPPORTED_FILE_VERSION error?
    Victor M. Alvarez
    @plusvic
    Tarek
    @tee2015
    Hi Guys, I am glad I am here as I just start recently learning Yara :smile:
    :fire:
    caili1981
    @caili1981
    @plusvic, nice to meet you. I'm a freshman in YARA. I'm focusing on developing a flow-stream-based scan engine with YARA. Is there an existing, related, open sourced project that I can refer to? Thanks a lot in advance.
    Victor M. Alvarez
    @plusvic
    Hi @caili1981, not that I know of. At some point I've thought about implementing a stream scanning API in YARA, but because of the way YARA works it's not trivial. YARA was designed with blocks of data in mind, and that's noticeable when you try to adapt it to scan a stream; in the end the only possible solution is viewing the stream as a sequence of overlapping blocks.
    caili1981
    @caili1981
    @plusvic, thanks a lot for the quick response. As far as I know we cannot find virus characteristics that cross a stream boundary with the existing YARA code. Do you mean: 1. Saving all the streams in memory. 2. And then using BLOCK and ITERATORs, and modifying the 'scan_mem_block' related algorithm to get the stream/fragment scanned?
    joonho
    @jhyeom26
    Hi guys, Is it possible to iterate over a dictionary in YARA rule?
    ripmalware
    @ripmalware
    What do you mean? Like a dictionary of words?
    Also, does anyone have a problem running the dotnet module with yara-python (v3.8.1 and 3.9.0)? I get errors for invalid field names (tried with number_of_guids and typelib). Used the 3.8.1 install from pip3 and compiled from source for v3.9.
    Rule works when running yara, just not yara-python. Saw the issues someone had with imphash, but rebuilding it still didn't seem to work... VirusTotal/yara-python#97
    ripmalware
    @ripmalware
    Ok, got it. Needed to use the flag --enable-dotnet when building from the python source. Didn't see those options until looking at setup.py. https://github.com/VirusTotal/yara-python/blob/master/setup.py
    Tom
    @nyx0
    hi guys, do you have any timeframe to merge the following PR #1092 ? cc @plusvic @wxsBSD
    Victor M. Alvarez
    @plusvic
    Hi @nyx0, I just reviewed the PR and added some comments.
    Tom
    @nyx0
    awesome thanks!