VirusTotal / yara

The pattern matching swiss knife
https://virustotal.github.io/yara/
BSD 3-Clause "New" or "Revised" License

console module mixing output when scanning with multiple threads #1888

Open ruppde opened 1 year ago

ruppde commented 1 year ago

Describe the bug

If scanning with multiple threads, rules with console.log() in the conditions don't print their output next to the matching rule name but mix it up. Example condition:

        math.deviation(500, filesize-500, 89.0) > 70 and
        console.log("high deviation") and
        console.log(math.deviation(500, filesize-500, 89.0))

Scanning with one process works properly:

        $ yara -p 1 -rN gen_webshells.yar .
        high deviation
        77.029977
        webshell_php_dynamic_big ./4057005718bb18b51b02d8b807265f8df821157ac47f78ace77f21b21fc77232.php
        high deviation
        70.883113
        webshell_php_dynamic_big ./87c89be13135df949fe97886e644ccf45087c70f41d3a9f38b4a76b8ce07e1bc.php

Scanning with multiple processes mixes the output, not always but sometimes:

        $ yara -p 4 -rN gen_webshells.yar .
        high deviation
        77.029977
        high deviation
        70.883113
        webshell_php_dynamic_big ./4057005718bb18b51b02d8b807265f8df821157ac47f78ace77f21b21fc77232.php
        webshell_php_dynamic_big ./87c89be13135df949fe97886e644ccf45087c70f41d3a9f38b4a76b8ce07e1bc.php

I assume there is some way to lock the output because matching variables printed with yara -s don't get mixed up, so the fix might just be to keep that lock until the conditions are finished.

To Reproduce

See above.

Expected behavior

Always have the same output as with -p 1.

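One way to get grouped output while still scanning in parallel, as an added example that is not part of the original report and not YARA's own code: collect each file's console messages in a private buffer and flush them together with the rule names under a single lock. The names `scan_grouped`, `yara_scanner` and `fake_scanner` are hypothetical; the adapter assumes yara-python 4.2 or later (which accepts `console_callback` in `match()`) and that one compiled rules object may be shared across threads.

```python
import threading
import time
from concurrent.futures import ThreadPoolExecutor


def scan_grouped(paths, scan_one, workers=4, emit=print):
    """Scan paths in parallel; emit each file's console output and rule
    matches as one contiguous block.

    scan_one(path, console_callback) -> iterable of matching rule names.
    """
    emit_lock = threading.Lock()

    def worker(path):
        lines = []                          # private to this file's scan
        rules = scan_one(path, lines.append)
        lines.extend(f"{rule} {path}" for rule in rules)
        with emit_lock:                     # flush the whole block at once
            for line in lines:
                emit(line)
        return lines

    with ThreadPoolExecutor(max_workers=workers) as pool:
        return list(pool.map(worker, paths))


def yara_scanner(rules_path):
    """Adapter for yara-python (assumed installed; not needed for the demo)."""
    import yara                             # lazy import, optional dependency
    rules = yara.compile(filepath=rules_path)

    def scan_one(path, console_callback):
        matches = rules.match(path, console_callback=console_callback)
        return [m.rule for m in matches]
    return scan_one


def fake_scanner(path, console_callback):
    """Constructed stand-in: logs twice during 'evaluation', then matches."""
    console_callback("high deviation")
    time.sleep(0.01)                        # give other threads time to run
    console_callback(f"deviation-of-{path}")
    time.sleep(0.01)
    return ["webshell_php_dynamic_big"]
```

With real rules, `scan_grouped(paths, yara_scanner("gen_webshells.yar"))` keeps each file's console lines directly above its match lines, at the cost of delaying output until that file's scan has finished.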