plusvic
commented
3 months ago @vthib do you have some .NET files that trigger these issues. I want to have some reference files and check that this is correctly done on YARA-X as well.
Closed vthib closed 2 months ago
plusvic
commented
3 months ago @vthib do you have some .NET files that trigger these issues. I want to have some reference files and check that this is correctly done on YARA-X as well.
vthib
commented
3 months ago Yes, I crafted some files for testing in boreal, one of which test array sizes: types2.dll
lo bound values on arrays cannot be used in C# files afaik, but they can easily be tested with MSIL files. The aforementioned file was generated from this source code: types2.cil
This makes it easy to compare the syntax used in the MSIL file with the type strings generated in the yara module.
vthib
commented
2 months ago I fixed an unnecessary change, should be ok now
Several bugs were present in the parsing and generation of a string to represent an array type, notably when the "lo_bound" value is set.
The "read_blob_signed" was buggy for values outside the
[-2**6, 2**6-1], the sign edition did not use the right bitmask, and the type used was unsigned.The display when lo_bound != 0 was buggy:
5, this was ok1...5, this was buggy and displayed1...6. The "range format" is inclusive.0 should still be displayed if size is 0. Only when size is unset should it be left out. So an array declared as
[5,0,3]should be displayed the same way, and not as[5,,3].