Update to Yara 4.3 #6
@vthib, by following a link in YARA's repository I landed here and discovered this project. I don't know if you have seen https://github.com/VirusTotal/yara-x, but the goals are very similar: a complete implementation of YARA in Rust that solves some of the pain points experienced by YARA users (like slow rules that should actually be fast) and developers (like the parser tightly coupled with YARA itself, which disallows its reuse). The approach, however, is different. YARA-X converts rule conditions into WebAssembly code, which in turn gets translated into native code. This makes conditions that rely heavily on loops much faster. The goal is that condition evaluation is 10x faster than the existing YARA on average. I see that you seem to have experience in Rust (more than myself, I'm gradually learning Rust with the YARA-X project), so if you would like to contribute to YARA-X in some way you are really welcome. The project is still immature and unstable, but I've made a lot of progress already, and have implemented most of the condition evaluation logic.
So this is failing only on linux32, and it took me longer than expected to understand why. Running boreal-cli has no issues, but running the tests on linux32 does give invalid values for the not_before and not_after fields in the authenticode certificates.
So the linker can pick any of those two and we can't control it.
The best solution is probably to rename all of the functions in the authenticode-parser crate to avoid conflicting with yara symbols... Fun.
Update boreal-object fork to handle this case. Import binaries for the yara PR and add coverage tests on them.
Do not return undefined in the "#var in (from..to)" expression when the range bounds are weird. Instead, act as if the values are valid.
This avoids the use of the const version of Mutex::new, which is not available in rust 1.62.
The particularity is that this option acts as its own mode: if given, it will print the names and exit, so the required arguments (rules & input) are not required if this option is specified. It was not trivial to find how to express this with clap, but required_unless_present seems to work.
This is a work in progress, as Yara 4.3 is not out yet.
Most of the small work has been done, what's left is:
Add new warnings (Add warnings for edge cases. VirusTotal/yara#1806) will not do
pe_rva_to_offset VirusTotal/yara#1561