VirusTotal / yara

The pattern matching swiss knife
https://virustotal.github.io/yara/
BSD 3-Clause "New" or "Revised" License

New yara module for lnk files #1858

Closed camptatopenmars closed 1 year ago

camptatopenmars commented 1 year ago

Lnk files are astonishingly complicated things and are nearly an executable type on their own. I've started creating a 'lnk' yara module for parsing these files. I have a series of TODO items in the prologue to lnk.c, but you can at least work out the general target of a lnk file with it as it stands. Submitting a PR for review before doing more work on this.

I've modified the vs2017 project files to build (this is all desperately out of date... but figured it would be best to add vs2022 in an entirely different PR), but have entirely avoided the autoconfig stuff because... I've no idea what I'm doing there. I have compiled this on Ubuntu using a makefile I use to build a private fork of libyara that I use.
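To make the "work out the general target of a lnk file" point concrete, here is an added, stand-alone example that is not code from this PR or from libyara: a small Python parser for the MS-SHLLINK layout (ShellLinkHeader, LinkInfo with LocalBasePath and CommonPathSuffix, and the StringData sections), plus a constructed sample link so it runs offline. The sample is built by `build_lnk` in the same block; the LinkTargetIDList (the part the PR author describes as the really complicated piece) is skipped rather than walked, so a link whose target lives only in its IDList comes back with `target` set to `None`. The `triage` heuristic is illustrative and mine, not anything the YARA module does.

```python
import ntpath
import struct
import uuid

# Fixed values from MS-SHLLINK: ShellLinkHeader size and the LinkCLSID (little-endian on disk).
HEADER_SIZE = 0x4C
LINK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046").bytes_le

# LinkFlags bits used below (low byte of the 32-bit field).
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
# StringData sections, if present, appear in exactly this order after LinkInfo.
STRING_DATA_ORDER = [(HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                     (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                     (HAS_ICON_LOCATION, "icon_location")]
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01   # LinkInfoFlags: VolumeID + LocalBasePath are present
SW_SHOWMINNOACTIVE = 7                 # ShowCommand value that keeps the launched window out of view
# Illustrative list of interpreters that a malicious link commonly points at (my assumption, not spec).
LOLBINS = {"cmd.exe", "powershell.exe", "mshta.exe", "rundll32.exe", "wscript.exe", "cscript.exe"}


def build_lnk(target, arguments, show_command=1):
    """Constructed sample data: a minimal .lnk whose LinkInfo names `target` and whose
    StringData carries `arguments`. Not a real file from any investigation."""
    link_flags = HAS_LINK_INFO | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", HEADER_SIZE) + LINK_CLSID
    # LinkFlags, FileAttributes, Creation/Access/WriteTime, FileSize, IconIndex,
    # ShowCommand, HotKey, Reserved1, Reserved2, Reserved3 -> 56 bytes, 76 with the prefix.
    header += struct.pack("<IIQQQIIIHHII", link_flags, 0x20, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    # VolumeID: VolumeIDSize, DriveType (3 = fixed disk), serial, VolumeLabelOffset, empty label.
    volume_id = struct.pack("<IIII", 0x11, 3, 0, 0x10) + b"\x00"
    local_base = target.encode("latin-1") + b"\x00"   # LocalBasePath, NUL-terminated ANSI
    suffix = b"\x00"                                   # CommonPathSuffix, empty here
    li_hdr = 0x1C                                      # 7 DWORD LinkInfo header, no Unicode offsets
    vol_off = li_hdr
    lbp_off = vol_off + len(volume_id)
    cps_off = lbp_off + len(local_base)
    li_size = cps_off + len(suffix)
    link_info = struct.pack("<7I", li_size, li_hdr, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            vol_off, lbp_off, 0, cps_off) + volume_id + local_base + suffix
    # COMMAND_LINE_ARGUMENTS: CountCharacters then UTF-16LE text, no terminator.
    string_data = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    terminal_block = b"\x00\x00\x00\x00"               # ExtraData holds only the TerminalBlock
    return header + link_info + string_data + terminal_block


def _need(data, off, n, what):
    """Refuse to read past the end of the buffer instead of letting struct raise later."""
    if off + n > len(data):
        raise ValueError("truncated " + what)


def _cstring(buf, off):
    end = buf.find(b"\x00", off)
    if end < 0:
        raise ValueError("unterminated string in LinkInfo")
    return buf[off:end].decode("latin-1")


def parse_lnk(data):
    """Return the fields that say what the link launches. Raises ValueError on malformed input."""
    if len(data) < HEADER_SIZE or data[:4] != struct.pack("<I", HEADER_SIZE) or data[4:20] != LINK_CLSID:
        raise ValueError("not a Shell Link file")
    link_flags, _attrs, _c, _a, _w, _size, _icon, show_command = struct.unpack_from("<IIQQQIII", data, 20)
    info = {"link_flags": link_flags, "show_command": show_command, "target": None}
    off = HEADER_SIZE
    if link_flags & HAS_LINK_TARGET_ID_LIST:          # skip the IDList; IDListSize excludes itself
        _need(data, off, 2, "IDListSize")
        (id_list_size,) = struct.unpack_from("<H", data, off)
        off += 2 + id_list_size
    if link_flags & HAS_LINK_INFO:
        _need(data, off, 28, "LinkInfo header")
        li_size, li_hdr, li_flags, _vol, lbp_off, _cnrl, cps_off = struct.unpack_from("<7I", data, off)
        if li_size < li_hdr or off + li_size > len(data):
            raise ValueError("LinkInfoSize inconsistent with file length")
        link_info = data[off:off + li_size]          # all LinkInfo offsets are relative to its start
        if li_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
            info["target"] = _cstring(link_info, lbp_off) + _cstring(link_info, cps_off)
        off += li_size
    width = 2 if link_flags & IS_UNICODE else 1
    for flag, key in STRING_DATA_ORDER:
        if not link_flags & flag:
            continue
        _need(data, off, 2, key + " count")
        (count,) = struct.unpack_from("<H", data, off)
        off += 2
        _need(data, off, count * width, key)
        info[key] = data[off:off + count * width].decode("utf-16-le" if width == 2 else "latin-1")
        off += count * width
    return info


def triage(info):
    """Illustrative heuristic (mine): interpreter target, arguments present, hidden window."""
    reasons = []
    target = info.get("target") or ""
    if ntpath.basename(target).lower() in LOLBINS:
        reasons.append("target is a command/script interpreter: " + target)
    if info.get("arguments"):
        reasons.append("link passes arguments: " + info["arguments"])
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("ShowCommand is SW_SHOWMINNOACTIVE (window not shown)")
    return reasons


if __name__ == "__main__":
    sample = build_lnk(r"C:\Windows\System32\cmd.exe", "/c calc.exe", show_command=SW_SHOWMINNOACTIVE)
    parsed = parse_lnk(sample)
    print(parsed)
    for reason in triage(parsed):
        print(" -", reason)
```

The bounds checks are the part worth copying: every offset in LinkInfo is attacker-controlled and relative to the LinkInfo start, and the StringData counts are character counts that must be multiplied by the code-unit width before the read, so a parser that trusts them is an easy crash target for a fuzzer-made link.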

camptatopenmars commented 1 year ago

Seems there is another lnk module awaiting review from a while back https://github.com/VirusTotal/yara/pull/1732... that I'm just now noticing of course. Anyways yara needs a lnk module.

BitsOfBinary commented 1 year ago

Nice one @camptatopenmars! Completely agree that YARA would benefit from a module to parse LNK files. Let me know if you have any feedback for the PR I've put together. I've also done a rough conversion of the docs for the module so far on my blog, which I'm currently doing some posts about the LNK module on: https://bitsofbinary.github.io/yara/2023/01/05/lnk_module_documentation.html