
Add OP_OF_FOUND_AT. #1790

Merged (3 commits), Sep 26, 2022
Conversation

wxsBSD (Collaborator) commented Sep 17, 2022

Add support for "any of them at 0" constructs to the language. This allows users to avoid using long or chains like "$a at 0 or $b at 0" and also is a nicer way
to write "for any of them: ($ at 0)".

wxsBSD (Collaborator, Author) commented Sep 17, 2022

This is mostly a syntactic sugar PR because someone at work asked if there was a nicer way than long or chains like $a at 0 or $b at 0....

If this is a good idea I'll update the docs before merging.

plusvic (Member) commented Sep 23, 2022

I think this is a good idea, also for completeness and coherency, because we have $a in (0..100), $a at 0 and any of them in (0..100); the missing piece is any of them at 0.

@plusvic plusvic merged commit c0a2b5a into VirusTotal:master Sep 26, 2022
@wxsBSD wxsBSD deleted the for_at branch September 26, 2022 11:01
djlukic commented Oct 3, 2022

I was looking for this.
So, if I understood correctly we'll be able to do this

$a1 = "MZ"
$a2 = "PE"

condition would be

any of ($a*) at 0x80

Thanks!

djlukic commented Dec 28, 2022

I wanted to ask one more question about this.

$a1 = "MZ"
$a2 = "PE"

this condition doesn't work

($a1 or $a2) at 0x80

this does work
$a1 at 0x80 or $a2 at 0x80

Apologies if this was covered in some other topic.

wxsBSD (Collaborator, Author) commented Dec 28, 2022

You want to use any of ($a1, $a2) at 0x80 or the shorter form any of ($a*) at 0x80, which will be true if at least one of the $a* strings is found at that offset.

The reason ($a1 or $a2) at 0x80 doesn't work is the parser sees ($a1 or $a2) and evaluates that to a boolean, and then does not understand what to do with true at 0x80 or false at 0x80.

The idea of string sets is covered here: https://yara.readthedocs.io/en/stable/writingrules.html#sets-of-strings-1 (though the at portion of it is not in a released version yet).

djlukic commented Dec 29, 2022

Thank you @wxsBSD. Yes, I went through the documentation many times.
If I understand correctly this is a correct way but that is not released yet?

> You want to use any of ($a1, $a2) at 0x80 or the shorter form any of ($a*) at 0x80 which will be true if at least one of the $a* strings are found at that offset.

wxsBSD (Collaborator, Author) commented Dec 29, 2022

> Thank you @wxsBSD. Yes, I went through the documentation many times. If I understand correctly this is a correct way but that is not released yet?

Correct. any of ($a*) at 0x80 is coming in 4.3.0. For now, you can use $a1 at 0x80 or $a2 at 0x80.

If you have a lot of strings you want to check at a specific offset you can do it with a loop: for any of ($a*): ($ at 0x80)

4.3.0 adds the shorter syntax version than the loop.
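To make the semantics discussed in this thread concrete, the following is an added example (not code from the PR or from YARA itself): a small Python model of how `<quantifier> of (<set>) at <offset>` is evaluated, which is the same way the loop form `for any of ($a*): ($ at 0x80)` is evaluated, and why `($a1 or $a2) at 0x80` cannot work. The sample buffer, the `$a1`/`$a2` strings and the function names are constructed for the example; the quantifier handling beyond `any` models the `for all/N of` loop forms.

```python
"""Model of YARA's `any of (<set>) at <offset>` (YARA 4.3.0, PR #1790).

Each string in the set is matched against the data, then `$x at offset`
is checked per string and the quantifier is applied to the hit count.
`($a1 or $a2) at 0x80` fails to parse because `$a1 or $a2` is already a
boolean: there is no string left to ask "is it at 0x80?" about.
"""
from typing import Dict, List, Union

Quantifier = Union[str, int]  # "any", "all", or N (as in `N of ...`)


def find_offsets(data: bytes, pattern: bytes) -> List[int]:
    """All offsets where `pattern` occurs in `data` (overlaps included)."""
    offsets, pos = [], data.find(pattern)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(pattern, pos + 1)
    return offsets


def string_at(data: bytes, pattern: bytes, offset: int) -> bool:
    """YARA `$x at offset`: true iff a match of $x starts exactly there."""
    return offset in find_offsets(data, pattern)


def of_found_at(quantifier: Quantifier, strings: Dict[str, bytes],
                offset: int, data: bytes) -> bool:
    """`<quantifier> of (<strings>) at <offset>`.

    Equivalent to `for <quantifier> of (<strings>): ($ at offset)`:
    count the set members matching at `offset`, then apply the quantifier
    (`any` = at least one, `all` = every member, N = at least N).
    """
    hits = sum(string_at(data, pat, offset) for pat in strings.values())
    if quantifier == "any":
        return hits >= 1
    if quantifier == "all":
        return hits == len(strings)
    return hits >= int(quantifier)


def or_chain_at(strings: Dict[str, bytes], offset: int, data: bytes) -> bool:
    """The long form the PR replaces: `$a1 at 0x80 or $a2 at 0x80 or ...`."""
    return any(string_at(data, pat, offset) for pat in strings.values())


# Constructed sample: "MZ" placed at 0x80 and "PE" at 0x90, nothing else.
SAMPLE = b"\x00" * 0x80 + b"MZ" + b"\x00" * 14 + b"PE"
STRINGS = {"$a1": b"MZ", "$a2": b"PE"}
```

Running `of_found_at("any", STRINGS, 0x80, SAMPLE)` gives the same result as `or_chain_at(STRINGS, 0x80, SAMPLE)` for every offset, which is the equivalence the PR relies on.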
