VirusTotal / yara

The pattern matching swiss knife
https://virustotal.github.io/yara/
BSD 3-Clause "New" or "Revised" License

yara regex scan, match some invisible characters #1974

Closed gaohang closed 6 months ago

gaohang commented 11 months ago

[ PROBLEM ] YARA scans a binary executable file with the rule below:

rule lua_23 {
meta:
    componentId = "23"
    componentName = "lua"

strings:
    $re_b = /\blua\b/

condition:
    1 of them
}

However, there are many invisible chars in the match result, like:

    0x3e0f3e9:$re_f: j\x02\xBEluaL\xD1\x01\xE4
    0x3e0f3eb:$re_f: \xBEluaL\xD1\x01\xE4
    ......

These match results are not in the strings of the binary file.

[ PROBLEM ] Is there any way to make YARA scan only the string section of a binary file rather than the whole file?

plusvic commented 11 months ago

Can you provide both the whole YARA rule and the file that matches? In your report the matches are like:

0x3e0f3e9:$re_f: j\x02\xBEluaL\xD1\x01\xE4

But there's no string named $re_f in the rule shown in the report.
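The behaviour gaohang describes, as an added example that is not code from the yara project or from either commenter: Python's `re` on a bytes buffer stands in for YARA's regex engine (the assumption being that both treat non-ASCII bytes such as \xBE as non-word characters, so `\b` is satisfied right next to them), and the sample buffer is constructed here. It contrasts a whole-file scan with one restricted to printable runs, which is what "scan only the strings" amounts to.

```python
import re

# Constructed sample, not taken from any real binary:
#   - "lua" embedded between opcode-like bytes (\xbe ... \xd1)
#   - a real NUL-terminated string containing "lua" as a standalone token
#   - "luaL_openlibs", where the 'L' after "lua" is a word char, so \b fails
SAMPLE = (
    b"j\x02\xbelua\xd1\x01\xe4"
    b"\x00lua 5.4\x00"
    b"\xbeluaL_openlibs\x00"
)

WORD_RE = re.compile(rb"\blua\b")  # same pattern as $re_b in the rule above


def raw_matches(data: bytes, pattern=WORD_RE):
    """Scan the whole buffer, as YARA does by default.

    \\b only requires a word/non-word transition, and bytes like \\xbe are
    non-word, so "lua" inside machine code matches just like a real string.
    """
    return [(m.start(), m.group()) for m in pattern.finditer(data)]


def printable_runs(data: bytes, min_len: int = 4):
    """Yield (offset, run) for every run of >= min_len printable ASCII bytes,
    roughly what the `strings` tool reports."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield m.start(), m.group()


def string_only_matches(data: bytes, pattern=WORD_RE, min_len: int = 4):
    """Apply the pattern only inside printable runs, keeping absolute offsets."""
    hits = []
    for base, run in printable_runs(data, min_len):
        for m in pattern.finditer(run):
            hits.append((base + m.start(), m.group()))
    return hits


if __name__ == "__main__":
    print("whole-buffer scan :", raw_matches(SAMPLE))        # offset 3 is the code match
    print("strings-only scan :", string_only_matches(SAMPLE))  # only the real string at 10
```

In YARA itself the same restriction is expressed on the condition, e.g. with the pe module `$re_b in (pe.sections[0].raw_data_offset..pe.sections[0].raw_data_offset + pe.sections[0].raw_data_size)`, rather than by pre-filtering the input.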