Open datorr2 opened 2 years ago
Adding more modifiers gets combinatorially more difficult, because you have to consider the implicit interaction between your new modifier and existing ones. For example, how would you want the interaction between wide and reverse to work? Do we do wide first and then reverse or the other way around?
The first would result in \x00g\x00n\x00i... while the latter would result in g\x00n\x00i\x00.
This is only one example of an implicit interaction that would need to be carefully thought out, and there are more modifiers to consider than just wide.
Every time I want to add another modifier I end up coming to this same conclusion. I think something along the lines of my Composable Modifiers (https://gist.github.com/wxsBSD/44aa8b8133e3ea96e738b66ec1c600f2) idea needs to be implemented before we can really tackle adding more modifiers. There's a lot more to be thought through for Composable Modifiers but the idea is probably the best way forward IMO.
@wxsBSD ooo, I just checked out the gist you linked and I like that idea a lot. I think it solves a lot of existing problems and helps to avoid others in the future.
In cases where malware may be using reversing of character order for obfuscation, maybe add a reverse keyword to look for the strings forward and backward? Example:
would also look for:
gnirts dab a si sihT
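The wide/reverse ordering question raised in this thread, worked through as an added example (not code from YARA, the linked gist, or any participant). The function names are hypothetical, `wide` is modelled as a NUL byte after every ASCII byte, and the scanned buffer is constructed.

```python
from typing import Callable, Dict, List

Modifier = Callable[[bytes], bytes]

def wide(b: bytes) -> bytes:
    """Model of 'wide' for ASCII input: each byte followed by a NUL."""
    return b"".join(bytes((c, 0)) for c in b)

def reverse(b: bytes) -> bytes:
    """Hypothetical 'reverse' modifier: reverse the byte order."""
    return b[::-1]

def compose(*mods: Modifier) -> Modifier:
    """Apply modifiers left to right, making the order explicit."""
    def apply(b: bytes) -> bytes:
        for m in mods:
            b = m(b)
        return b
    return apply

def find_all(pattern: bytes, data: bytes) -> List[int]:
    """Return every offset at which pattern occurs in data."""
    offsets, i = [], data.find(pattern)
    while i != -1:
        offsets.append(i)
        i = data.find(pattern, i + 1)
    return offsets

def scan(text: bytes, data: bytes) -> Dict[str, List[int]]:
    """Search data for both possible meanings of 'wide reverse'."""
    orderings = {
        "wide_then_reverse": compose(wide, reverse),
        "reverse_then_wide": compose(reverse, wide),
    }
    return {name: find_all(f(text), data) for name, f in orderings.items()}

TEXT = b"This is a bad string"

# Constructed sample buffer: the reversed string stored as wide characters
# at offset 4, and the byte-reversed wide string at offset 46.
SAMPLE = (b"MZ\x90\x90" + compose(reverse, wide)(TEXT) + b"\xcc\xcc"
          + compose(wide, reverse)(TEXT) + b"\xcc\xcc")

if __name__ == "__main__":
    for name, offsets in scan(TEXT, SAMPLE).items():
        print(name, offsets)
```

Each ordering matches only one of the two encodings in the buffer, so a rule that silently picks one order misses the other form.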