VirusTotal / yara-python

The Python interface for YARA
Apache License 2.0

StringMatchInstance XOR key property value is always 0 #221

Closed melomac closed 1 year ago

melomac commented 1 year ago

I am very excited by StringMatch and StringMatchInstance objects in yara-python version 4.3 release candidate and also the XOR key property.

I needed to support the new objects and also wanted to implement the XOR property in some of my code.

Out of curiosity, I created this Mach-O test file using CodeRunner for example:

#import <Foundation/Foundation.h>

int main(int argc, char *argv[]) {
    @autoreleasepool {
        NSString *a = @"123";
        NSString *b = @"abc";
    }
    return 0;
}

and this YARA test rule:

rule oneTwoThree {
    strings:
        $ = "123" xor
    condition:
        any of them
}

The string 123 should match the NSString a C string with XOR key 0 and the NSString b C string with XOR key P:

>>> from Crypto.Cipher import XOR

On compiling the rule file and looking for matches in the compiled Mach-O file, I am getting the two instances as expected:

>>> matches[0]
>>> matches[0].strings[0]
>>> matches[0].strings[0].is_xor()
>>> matches[0].strings[0].instances
[123, abc]

But the XOR key value is 0 in both cases:

>>> matches[0].strings[0].instances[0].xor_key
0 / 0x0  # expected
>>> matches[0].strings[0].instances[1].xor_key
0 / 0x0  # not expected: this should be the ordinal value of P i.e. 80 / 0x50

Would you please be so kind as to consider this a problem to fix for the version 4.3 final candidate?

Many thanks for this new feature, which will be very interesting to work with in the near future!

EDIT: This actually is a YARA problem as the CLI won't print the XOR key either:

yara -X rule.yara $TMPDIR/CodeRunner/Untitled 
oneTwoThree /var/folders/4n/4cnph2ps2t77b9xms19fsqrc0000gn/T//CodeRunner/Untitled
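The behaviour the issue expects can be reproduced without YARA at all. The following is an added example, not code from the issue or from yara-python: it searches a constructed buffer for every single-byte-XOR encoding of "123" (what the `xor` modifier does, keys 0x00 through 0xff) and reports the key for each hit, and it also shows how a key can be derived from the matched bytes alone, which is the workaround one could apply to a `StringMatchInstance` whose `xor_key` reads 0 if `matched_data` is available. The buffer layout (a fake Mach-O magic followed by the two strings) and the function names are assumptions of this example.

```python
from typing import List, Tuple

# Constructed sample: four bytes of fake magic, then "123" and "abc" as
# NUL-terminated C strings. "abc" is exactly "123" XORed with 0x50 ('P').
SAMPLE = (
    b"\xcf\xfa\xed\xfe"   # placeholder header bytes, not a real Mach-O
    + b"\x00" * 8
    + b"123\x00"          # plaintext occurrence, key 0x00
    + b"\x00" * 4
    + b"abc\x00"          # "123" XOR 0x50, key 0x50
    + b"\x00" * 4
)


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of `data` with a single-byte key."""
    return bytes(b ^ key for b in data)


def find_xor_instances(
    buf: bytes, plaintext: bytes, keys: range = range(0x00, 0x100)
) -> List[Tuple[int, int, bytes]]:
    """Return (offset, key, matched_data) for each occurrence of `plaintext`
    encoded with any single-byte key in `keys`. This mirrors what the YARA
    `xor` modifier matches: `xor` alone is equivalent to `xor(0x00-0xff)`, so
    key 0x00 (the unencoded string) is included."""
    hits = []
    for key in keys:
        needle = xor_bytes(plaintext, key)
        start = 0
        while True:
            idx = buf.find(needle, start)
            if idx < 0:
                break
            hits.append((idx, key, buf[idx:idx + len(needle)]))
            start = idx + 1
    return sorted(hits)


def recover_xor_key(matched_data: bytes, plaintext: bytes) -> int:
    """Derive the XOR key from the bytes that matched and the rule's plaintext:
    key = matched[i] ^ plain[i] for every i, and it must be the same for all
    bytes, otherwise the match is not a single-byte XOR of `plaintext`."""
    if len(matched_data) != len(plaintext):
        raise ValueError("matched data and plaintext differ in length")
    keys = {m ^ p for m, p in zip(matched_data, plaintext)}
    if len(keys) != 1:
        raise ValueError("inconsistent key across bytes: %r" % sorted(keys))
    return keys.pop()


if __name__ == "__main__":
    for offset, key, data in find_xor_instances(SAMPLE, b"123"):
        derived = recover_xor_key(data, b"123")
        print("offset=%d key=0x%02x data=%r derived=0x%02x"
              % (offset, key, data, derived))
```

Run against the constructed buffer this reports two instances: the plaintext at offset 12 with key 0x00 and "abc" at offset 20 with key 0x50, which is the value the issue expects `xor_key` to return for the second instance.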

melomac commented 1 year ago

Closing as it actually is a YARA problem:

Sorry, I didn't realize earlier.