[Question+Feature request] Anonymous string comparison or iteratable set of identifier

[dmknght]

Is your feature request related to a problem? Please describe. I want to make a rule that finds some specific functions in a binary. Here are my 2 versions

• Version 1:

  rule C_buffer_overflow {
  meta:
  author = "Nong Hoang Tu"
  description = "Find import functions that doesnt' check for buffer's length when writes data to a dest buffer"
  version = "11 / 09 (Sep) / 2024"
  strings:
  $1 = "strcpy" fullword
  $2 = "gets" fullword
  condition:
  for any dyn_entry in elf.dynsym:
  (
    for any of them:
    (
      dyn_entry.name == $
    )
  )
  }

  I got syntax error, unexpected string identifier. I suppose it's required to have something like dyn_entry.name == $a where $a is a string identifier. So I came up with

• Version 2:

    for any f_name in them:
    (
      dyn_entry.name == f_name
    )

(I also changed them to ($*)) and I got error unexpected <them>, expecting identifier or '(' (or unexpected string identifier with wildcard). As I read in documentation, them is not a iterable, so does ($*)

Describe the solution you'd like Either supports comparison with anonymous string or make keyword them be used as iterable.

Alternative solution

Any other syntax that can be used (which i suppose undocumented)

[dmknght]

An other alternative solution is to make in syntax allows ($1, $2) or ($*)

[dmknght]

An other problem relates to this issue is console.log doesn't support identifier for some reason (yara 4.5.1). I got error wrong arguments for function "log"

[plusvic]

You don't need to include those strings in the "strings" section of the rule, you simply do this:

rule C_buffer_overflow {
  meta:
    author = "Nong Hoang Tu"
    description = "Find import functions that doesnt' check for buffer's length when writes data to a dest buffer"
    version = "11 / 09 (Sep) / 2024"
  condition:
    for any dyn_entry in elf.dynsym:
    (
        dyn_entry.name == "strcpy" or
        dyn_entry.name == "gets"
    )
}

[dmknght]

You don't need to include those strings in the "strings" section of the rule, you simply do this:

rule C_buffer_overflow {
  meta:
    author = "Nong Hoang Tu"
    description = "Find import functions that doesnt' check for buffer's length when writes data to a dest buffer"
    version = "11 / 09 (Sep) / 2024"
  condition:
    for any dyn_entry in elf.dynsym:
    (
        dyn_entry.name == "strcpy" or
        dyn_entry.name == "gets"
    )
}

HI! Thank you for the answer but I'm expecting something more flexible than this. My current solution is

rule C_dangerous_memory_handling {
  meta:
    author = "Nong Hoang Tu"
    description = "Find import functions that doesn't check for buffer's length when writes data to a dest buffer"
    version = "11 / 09 (Sep) / 2024"
  condition:
    is_elf_file and for any dyn_entry in elf.dynsym: // YARA > 4.0 supports this syntax
    (
      for any f_name in ("strcpy", "gets", "scanf", "strcpy", "strcat"):
      (
        dyn_entry.type == elf.STT_FUNC and
        dyn_entry.name == f_name and
        console.log(" [*] Found dangerous function ", f_name)
      )
    )
}

which allows me to show simple "info log" as well. I was thinking it would be better (imo) to allow wildcard with for ... in so it looks better with declaring strings, and gets some benefit of string's modifiers Either way, I think this syntax is good enough.

[plusvic]

Ok, I'll close the issue then.