Closed williballenthin closed 1 year ago
If you'd like me to open a PR with these changes I'd be happy to do so.
I completely agree with you here, I'd thought the cgo process would be more transparent. I originally introduced the dependency out of necessity for an efficient signature scanner. I had hand rolled my own and testing showed it was orders of magnitude slower than yara, hence the switch.
We have a few interesting constraints, such as nibble level byte signatures being used, and also I believe skip ranges (which could be converted as two or more sub regexes matching within a range). If these constraints can be obeyed I would be in complete support of this!
> such as nibble level byte signatures being used

As shown above, I think we can do things like `[\x80-\x8F]` (regex) instead of `8?` (yara). It's a little more verbose, but the logic is equivalent.
> , and also I believe skip ranges

I think we could do `.{0, 50}` (regex) instead of `[0-50]` (yara).
Sorry I didn't fully review your suggested alternative (it's late here). That logic seems perfectly sound to me 😁
If you'd like to open a PR I would review more carefully soon and be very appreciative!
Yara is currently used as a pattern matching engine to find code sequences here: https://github.com/mandiant/GoReSym/blob/f2009bd92819df2f69d74c4a32f1300be284a4fa/objfile/scanner.go

However, yara is written in C and has to be linked to this Go project. The compilation, build, and distribution is tricky; see #23 #24 and #27 for issues influenced by this complexity.

The patterns that are passed to yara are pretty simple - they could be trivially converted to binary regular expressions since there's no use of yara's `condition` logic. The Go `regexp` module doesn't support binary regexes; however, the https://github.com/rsc/binaryregexp module does, and it's easy to use. We should consider migrating from yara to binaryregexp to keep GoReSym pure-Go and therefore easier to build and distribute.

Here's an example test demonstrating the translation from a yara pattern to a binaryregexp:
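The example test mentioned above is not reproduced on this page. What follows is an added example written for this page, not code from GoReSym or from the issue's author, showing the translation the thread agrees on as working Go: nibble wildcards such as `8?` become `[\x80-\x8F]`, `?X` becomes a class of the sixteen bytes ending in that nibble, `??` becomes `.`, and a jump `[0-50]` becomes `.{0,50}`. The helper names `yaraHexToRegexp`, `scan` and `latin1` and the sample byte buffer are assumptions made for the example. To stay on the standard library (so it runs without fetching a module), it decodes the input as Latin-1, one rune per byte, before matching; a real migration would hand the `[]byte` to rsc/binaryregexp as the issue proposes. Two details worth knowing: the pattern needs `(?s)` so that `.` also matches byte 0x0A, as a YARA jump does, and the repetition must be written `{0,50}` with no space, because Go's regexp parser treats `{0, 50}` as literal text rather than a range.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
	"unicode/utf8"
)

// yaraHexToRegexp translates the body of a YARA hex string such as
// "48 8? ?? E8 [0-50] C3" into a Go regexp pattern (added example; it
// handles only the token forms below, not the full YARA grammar):
//
//	XY     fixed byte           -> \xXY
//	X?     high nibble fixed    -> [\xX0-\xXF]
//	?X     low nibble fixed     -> [\x0X\x1X ... \xFX]
//	??     any byte             -> .
//	[n-m]  jump of n..m bytes   -> .{n,m}   ([n] -> .{n,n})
//
// (?s) is prepended because Go's "." excludes newline by default, while a
// YARA jump or ?? matches every byte value including 0x0A.
func yaraHexToRegexp(hex string) (string, error) {
	var sb strings.Builder
	sb.WriteString("(?s)")
	for _, tok := range strings.Fields(strings.ToUpper(hex)) {
		switch {
		case strings.HasPrefix(tok, "[") && strings.HasSuffix(tok, "]"):
			lo, hi, err := parseJump(tok[1 : len(tok)-1])
			if err != nil {
				return "", err
			}
			fmt.Fprintf(&sb, ".{%d,%d}", lo, hi)
		case len(tok) != 2 || !hexOrWild(tok[0]) || !hexOrWild(tok[1]):
			return "", fmt.Errorf("unsupported token %q", tok)
		case tok == "??":
			sb.WriteByte('.')
		case tok[1] == '?':
			fmt.Fprintf(&sb, `[\x%c0-\x%cF]`, tok[0], tok[0])
		case tok[0] == '?':
			sb.WriteByte('[')
			for _, h := range "0123456789ABCDEF" {
				fmt.Fprintf(&sb, `\x%c%c`, h, tok[1])
			}
			sb.WriteByte(']')
		default:
			fmt.Fprintf(&sb, `\x%s`, tok)
		}
	}
	return sb.String(), nil
}

// parseJump reads "n-m" or "n" from inside a YARA jump and rejects m < n.
func parseJump(body string) (int, int, error) {
	loS, hiS, ok := strings.Cut(body, "-")
	if !ok {
		hiS = loS
	}
	lo, err1 := strconv.Atoi(loS)
	hi, err2 := strconv.Atoi(hiS)
	if err1 != nil || err2 != nil || lo < 0 || hi < lo {
		return 0, 0, fmt.Errorf("bad jump [%s]", body)
	}
	return lo, hi, nil
}

func hexOrWild(c byte) bool {
	return c == '?' || (c >= '0' && c <= '9') || (c >= 'A' && c <= 'F')
}

// latin1 decodes buf with one rune per byte. The standard regexp package
// matches runes, so the escape \x80 means U+0080; after this mapping it lines
// up with input byte 0x80. The copy exists only to keep the example on the
// standard library instead of rsc/binaryregexp.
func latin1(buf []byte) string {
	r := make([]rune, len(buf))
	for i, b := range buf {
		r[i] = rune(b)
	}
	return string(r)
}

// scan returns the offset in buf of the first match of the YARA hex string,
// or -1 if it does not occur.
func scan(hex string, buf []byte) (int, error) {
	pat, err := yaraHexToRegexp(hex)
	if err != nil {
		return -1, err
	}
	re, err := regexp.Compile(pat)
	if err != nil {
		return -1, err
	}
	s := latin1(buf)
	loc := re.FindStringIndex(s)
	if loc == nil {
		return -1, nil
	}
	// FindStringIndex reports UTF-8 byte offsets into s; runes >= U+0080 take
	// two bytes there, so count runes to get back to the original byte offset.
	return utf8.RuneCountInString(s[:loc[0]]), nil
}

func main() {
	// Constructed sample bytes for the demo, not taken from any real binary.
	buf := []byte{0x90, 0x90, 0x48, 0x8B, 0x05, 0xE8, 0x01, 0x02, 0x03, 0xC3}
	for _, sig := range []string{"48 8? ?? E8 [0-50] C3", "?B 05", "48 9? ?? E8"} {
		pat, _ := yaraHexToRegexp(sig)
		off, err := scan(sig, buf)
		fmt.Printf("%-22s -> %-45s offset %d err %v\n", sig, pat, off, err)
	}
}
```

The scanner only needs the leftmost match start, which is what `FindStringIndex` returns, so greedy versus lazy repetition in the translated jump does not change the result; it would matter only if the match extent were used.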