VirusTotal / yara

The pattern matching swiss knife
https://virustotal.github.io/yara/
BSD 3-Clause "New" or "Revised" License

[feature request] xorwide #1925

Open tlansec opened 1 year ago

tlansec commented 1 year ago

Is your feature request related to a problem? Please describe.
At the moment we have the xor modifier, which can interact with the wide modifier in a way where the xor modifier is applied last. There isn't currently a method to define a string where the wide modifier is applied first, and then the xor modifier is applied.

Describe the solution you'd like
There should be a xorwide modifier which performs the xor operation and then the wide operation so that you can have a rule like this:

rule myrule
{
strings:
    $s = "http" xorwide(1-255)
condition:
    $s
}

Which matches a file with contents:

{00 6c 00 70 00 70 00 74 00} -> (http xor'ed with 0x04)

Describe alternatives you've considered
I could write a rule with 255 strings instead.

Additional context
N/A
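The two modifier orderings the request contrasts, worked through in code. This is an added example, not code from the YARA project or from the issue author: it builds the byte pattern that the existing `wide xor(...)` combination matches (xor applied to the already-widened string, so the interleaved NULs become the key byte), the pattern the requested `xorwide(...)` would match (xor first, then widen, so the NULs stay NUL), a brute-force scanner that finds the latter form for every key, and a generator for the 255-string workaround rule mentioned above. The function names, the sample buffer and the `_workaround` rule name are all assumptions made for the example.

```python
# Added example (not YARA project code): contrasts YARA's existing
# `wide xor(key)` ordering with the requested `xorwide(key)` ordering,
# and shows the "one string per key" workaround from the issue.


def wide(s: bytes) -> bytes:
    """YARA's `wide` modifier for ASCII input: interleave each byte with a NUL
    (i.e. UTF-16LE encoding of an ASCII string)."""
    return b"".join(bytes([c, 0x00]) for c in s)


def xor(s: bytes, key: int) -> bytes:
    """Single-byte xor, as YARA's `xor(key)` modifier applies it."""
    return bytes(c ^ key for c in s)


def wide_then_xor(s: bytes, key: int) -> bytes:
    """What `$s = "..." wide xor(key)` matches today: the string is widened
    first and the xor is applied last, so every NUL becomes `key`."""
    return xor(wide(s), key)


def xor_then_wide(s: bytes, key: int) -> bytes:
    """What the requested `xorwide(key)` would match: xor the ASCII string,
    then widen it, so the NUL bytes survive untouched."""
    return wide(xor(s, key))


def find_xorwide(data: bytes, s: bytes, keys=range(1, 256)):
    """Brute-force scan for xor-then-wide encodings of `s` in `data`.
    Returns (offset, key) pairs; this is exactly what a rule with one
    `wide` hex string per key would report."""
    hits = []
    for key in keys:
        needle = xor_then_wide(s, key)
        start = 0
        while (i := data.find(needle, start)) != -1:
            hits.append((i, key))
            start = i + 1
    return hits


def rule_with_all_keys(name: str, s: bytes, keys=range(1, 256)) -> str:
    """Emit the workaround rule the issue mentions: one hex string per key,
    each already in xor-then-wide form, joined with `any of them`."""
    lines = [f"rule {name}", "{", "strings:"]
    for key in keys:
        hex_bytes = " ".join(f"{b:02x}" for b in xor_then_wide(s, key))
        lines.append(f"    $s{key:02x} = {{ {hex_bytes} }}")
    lines += ["condition:", "    any of them", "}"]
    return "\n".join(lines)


# Constructed sample buffer (not a real file): "http" xor 0x04 ("lppt")
# stored as UTF-16LE at offset 4, plus a decoy in wide-then-xor form at
# offset 16 that a `wide xor(4)` string would hit but `xorwide(4)` would not.
SAMPLE = (
    b"\x00" * 4
    + xor_then_wide(b"http", 0x04)
    + b"\x00" * 4
    + wide_then_xor(b"http", 0x04)
)

if __name__ == "__main__":
    print("xorwide form :", xor_then_wide(b"http", 0x04).hex(" "))
    print("wide xor form:", wide_then_xor(b"http", 0x04).hex(" "))
    print("hits         :", find_xorwide(SAMPLE, b"http"))
    # Only the first three keys, to keep the output short.
    print(rule_with_all_keys("myrule_workaround", b"http", range(1, 4)))
```

Running it prints `6c 00 70 00 70 00 74 00` for the requested ordering and `6c 04 70 04 70 04 74 04` for what `wide xor(4)` matches today, and the scanner reports a single hit at offset 4 with key 0x04; the decoy at offset 16 is not reported because its odd bytes are 0x04 rather than NUL.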