VirusTotal / yara

The pattern matching swiss knife
https://virustotal.github.io/yara/
BSD 3-Clause "New" or "Revised" License

Support for EXTERNAL OBJECT_TYPE_ARRAY and OBJECT_TYPE_STRUCTURE #1960

Open msuiche opened 11 months ago

msuiche commented 11 months ago

Currently, there are yr_compiler_define_*_variable functions to define EXTERNAL_VARIABLE_TYPE_* variables, but none of the EXTERNAL_* or `yr_compiler_define_*` functions allow the user to create OBJECT_TYPE_ARRAY or OBJECT_TYPE_STRUCTURE for more elaborate scanner features.

This would be a nice add for enhanced global variables. I've tried going through without the official functions but I end up clashing with asserts & double free malloc: https://github.com/Hugal31/yara-rust/issues/127

msuiche commented 11 months ago

Moreover, arrays are interesting but may be unnecessary complexity; is that why yr_compiler_define_*_variable was designed this way?

For instance, in YARA Live Hunting we see the usage of loops for behaviour, but given the straightforward comparisons generally seen, loops would probably be better handled by the engine itself rather than the rule, such as:

for any cmd in vt.behaviour.command_executions : (
  cmd contains "cmd.exe /Q /c"
)

vs

vt.behaviour.command_execution contains "cmd.exe /Q /c"

And things like:

for any lib in vt.behaviour.modules_loaded : (
  lib == "zlib.dll"
)

vs

vt.behaviour.module_loaded == "zlib.dll"
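One way to get the effect both comments ask for (structured context exposed to rules, and an exact-element check without a `for` loop) using only the scalar externals the compiler API supports today: flatten structs into `parent_child` names and join scalar lists into one delimited string, so a rule can write `behaviour_modules_loaded contains "\nzlib.dll\n"` for an exact element and `behaviour_command_executions contains "cmd.exe /Q /c"` for a substring. This is an added example, not code from the yara project or from this issue; `SAMPLE_CONTEXT`, `RULE` and every helper name are constructed here, and the scan step assumes the optional yara-python binding (`yara.compile(..., externals=...)`) and is skipped when it is not installed.

```python
"""Emulate array/struct external variables with the scalar externals that
YARA's compiler API offers today (boolean, integer, float, string).

Added example, not part of the yara project or of this issue. The scan
helper assumes yara-python is available; everything else runs without it.
"""
import re
from typing import Any

# Element delimiter; it also acts as a sentinel so that
# `x contains "\nelem\n"` tests a whole element, not a substring.
SEP = "\n"
_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")  # YARA identifier syntax


def flatten_externals(data: dict[str, Any], prefix: str = "") -> dict[str, Any]:
    """Turn nested dicts and scalar lists into a flat dict of YARA externals.

    Structs become `parent_child` names; a list of scalars becomes the
    string "\\nitem1\\nitem2\\n" (sentinels at both ends).
    """
    flat: dict[str, Any] = {}
    for key, value in data.items():
        name = f"{prefix}_{key}" if prefix else key
        if not _IDENT.match(name):
            raise ValueError(f"not a valid YARA identifier: {name!r}")
        if isinstance(value, dict):
            flat.update(flatten_externals(value, name))
        elif isinstance(value, list):
            if any(isinstance(v, (dict, list)) for v in value):
                raise TypeError(f"{name}: nested containers are not supported")
            if any(SEP in str(v) for v in value):
                raise ValueError(f"{name}: an element contains the delimiter")
            flat[name] = SEP + SEP.join(str(v) for v in value) + SEP
        elif isinstance(value, (bool, int, float, str)):
            # maps onto yr_compiler_define_{boolean,integer,float,string}_variable
            flat[name] = value
        else:
            raise TypeError(f"{name}: unsupported type {type(value).__name__}")
    return flat


def yara_text_literal(s: str) -> str:
    """Quote a Python string as a YARA text literal usable in a condition."""
    escaped = (s.replace("\\", "\\\\").replace('"', '\\"')
                .replace("\n", "\\n").replace("\t", "\\t"))
    return f'"{escaped}"'


def element_literal(element: str) -> str:
    """Literal that matches exactly one element of a flattened list."""
    return yara_text_literal(SEP + element + SEP)


def has_element(flat_value: str, element: str) -> bool:
    """Python mirror of `flat_value contains element_literal(element)`."""
    return SEP + element + SEP in flat_value


def scan_with_externals(rule_source: str, externals: dict[str, Any]):
    """Compile and scan with yara-python if installed; return None otherwise."""
    try:
        import yara  # optional dependency (yara-python)
    except ImportError:
        return None
    rules = yara.compile(source=rule_source, externals=externals)
    return sorted(m.rule for m in rules.match(data=b"placeholder"))


# Constructed sample context, standing in for a sandbox/behaviour report.
SAMPLE_CONTEXT = {
    "behaviour": {
        "command_executions": ["cmd.exe /Q /c whoami", "notepad.exe report.txt"],
        "modules_loaded": ["kernel32.dll", "zlib.dll"],
        "process_count": 3,
        "has_network": False,
    }
}

# Constructed rules: the flattened forms of the loop rules discussed above.
RULE = f"""
rule quiet_cmd_shell {{
  condition:
    behaviour_command_executions contains "cmd.exe /Q /c"
}}
rule loads_zlib {{
  condition:
    behaviour_modules_loaded contains {element_literal("zlib.dll")}
}}
rule loads_lib_dll {{
  condition:
    // "lib.dll" is a substring of an element but not an element: stays false
    behaviour_modules_loaded contains {element_literal("lib.dll")}
}}
"""

if __name__ == "__main__":
    externals = flatten_externals(SAMPLE_CONTEXT)
    for name, value in externals.items():
        print(f"{name} = {value!r}")
    print("matches:", scan_with_externals(RULE, externals))
```

The sentinel padding is the detail that matters: a plain `contains "zlib.dll"` over a joined string is the loose substring test, while `contains "\nzlib.dll\n"` reproduces `lib == "zlib.dll"` from the loop form. The same flattening can be driven from C through the `yr_compiler_define_*_variable` calls the first comment lists, since the values produced are exactly the four scalar kinds they accept.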