VirusTotal / yara

The pattern matching swiss knife
https://virustotal.github.io/yara/
BSD 3-Clause "New" or "Revised" License

Check for impossible conditions when using uint() operators. #1918

Open tlansec opened 1 year ago

tlansec commented 1 year ago

Is your feature request related to a problem? Please describe.
Sometimes when writing rules I'll use the wrong value of x for uintx-type rules, meaning the condition will never match. For example:

condition:
    uint32(0) == 0xABCD

Describe the solution you'd like
Troubleshooting a condition like this is relatively easy once you figure out what is going on, but it can be easy to gloss over. It would be useful if, when compiling rules, the compiler checked that the right-hand side contained a number of bytes that could plausibly match the left-hand side.

Describe alternatives you've considered
I could just write better rules I guess :(

wxsBSD commented 1 year ago

I'm not sure I like this. So just because I want to check that a 32-bit value is zero I have to specify it as 0x00000000? Seems excessive and not how other languages work.

plusvic commented 1 year ago

I think @wxsBSD is right.

Why should uint32(0) == 0xABCD be incorrect? This is not really an impossible condition. 0xABCD is the same as 0x0000ABCD, and most people will expect both to be equivalent.

uint8(0) == 0xABCDE is a different matter. This case is actually impossible, and a warning could be useful here.
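To make the distinction in this thread concrete, here is an added example (not YARA's own compiler code, and not posted by anyone in this issue) in Python. It emulates how YARA's uintN()/uintNbe() integer functions read N bits at an offset (little-endian by default, big-endian for the "be" variants, undefined past the end of the data) and implements the kind of compile-time check being proposed: a literal is flagged only when it cannot fit in N bits, so uint32(0) == 0xABCD passes (it simply requires the bytes CD AB 00 00) while uint8(0) == 0xABCDE is reported as impossible. The regex, function names and sample byte strings are assumptions made for this illustration.

```python
import re
import struct

# Largest value each uintN() can return: an unsigned N-bit read.
UINT_MAX = {8: 0xFF, 16: 0xFFFF, 32: 0xFFFFFFFF}

# Hypothetical lint pattern covering the simple form discussed in the issue:
#   uintN(offset) == literal   or   uintNbe(offset) == literal
_COND_RE = re.compile(
    r"uint(?P<bits>8|16|32)(?P<be>be)?\(\s*(?P<off>\d+)\s*\)\s*==\s*"
    r"(?P<lit>0x[0-9A-Fa-f]+|\d+)"
)


def check_condition(cond: str) -> list:
    """Return warnings for comparisons uintN() can never satisfy.

    Only literals wider than N bits are flagged; 0xABCD compared with a
    uint32() read is fine, because 0xABCD == 0x0000ABCD.
    """
    warnings = []
    for m in _COND_RE.finditer(cond):
        bits = int(m.group("bits"))
        lit = int(m.group("lit"), 0)
        if lit > UINT_MAX[bits]:
            warnings.append(
                f"{m.group(0)}: 0x{lit:X} needs {lit.bit_length()} bits but "
                f"uint{bits}() yields at most 0x{UINT_MAX[bits]:X}; "
                "condition can never be true"
            )
    return warnings


def uint_read(data: bytes, bits: int, offset: int, big_endian: bool = False):
    """Emulate uintN(offset) / uintNbe(offset).

    Reads N/8 bytes at offset. Returns None when the read would run past
    the end of the data, mirroring YARA's undefined result there.
    """
    fmt = {8: "B", 16: "H", 32: "I"}[bits]
    size = bits // 8
    chunk = data[offset:offset + size]
    if len(chunk) < size:
        return None
    return struct.unpack((">" if big_endian else "<") + fmt, chunk)[0]


def evaluate(cond: str, data: bytes) -> bool:
    """Evaluate a single `uintN(off) == literal` condition against data."""
    m = _COND_RE.fullmatch(cond.strip())
    if m is None:
        raise ValueError(f"unsupported condition: {cond!r}")
    value = uint_read(data, int(m.group("bits")), int(m.group("off")),
                      big_endian=m.group("be") is not None)
    if value is None:
        return False  # undefined read: the comparison is false
    return value == int(m.group("lit"), 0)


if __name__ == "__main__":
    # Constructed sample data: a file starting with bytes CD AB 00 00.
    sample = b"\xCD\xAB\x00\x00" + b"MZ" * 4
    for cond in ("uint32(0) == 0xABCD", "uint8(0) == 0xABCDE"):
        print(cond, "->", check_condition(cond) or "ok",
              "| matches sample:", evaluate(cond, sample))
```

The lint is deliberately narrow: it only rejects literals that no N-bit read can produce, which is the case plusvic describes as genuinely impossible. Note that the little-endian read means uint32(0) == 0xABCD also checks that bytes 2 and 3 are zero; a file starting with CD AB 00 01 does not match, which is the behaviour the original poster had not expected.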

wxsBSD commented 1 year ago

I can see the warning you describe here as being useful. I'll add that soon.

plusvic commented 1 year ago

Related: https://github.com/VirusTotal/yara-x/issues/23

tlansec commented 1 year ago

I hadn't realised that uint32(x) = 0x00 checked all four bytes were null (it makes sense now that you say it, I just hadn't realised it).