Currently, in Yara v1.6 it is possible to read a [un]signed byte, word, or
dword from an offset using int8(), uint8(), int16(), etc.
The value returned is interpreted in little-endian byte order (or at least it
is on my x86 systems where I run Yara), which is OK if you're only testing it
against a constant (you can just byte-swap the constant). But if you are using
this value as an offset for a second lookup, you need to do something like this:
```yara
uint32(
    (uint8(0x10) << 24) +
    (uint8(0x11) << 16) +
    (uint8(0x12) <<  8) +
    (uint8(0x13)      )
)
```

For contrast, the little-endian case is just: `uint32(uint32(0x10))`
A Yara built-in function which handles big-endian would make these rules much
easier to read and write for humans.
Original issue reported on code.google.com by juliavi...@gmail.com on 25 Apr 2012 at 6:11
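As an added illustration (not part of the original issue, and not YARA's own code): a small Python model of the YARA v1.6 integer functions described above, run over a constructed 64-byte buffer. It shows why byte-swapping the constant is enough for a plain comparison but not when the value is used as the offset of a second lookup. The function names `uint32_be_composed`, `uint32be`, `second_lookup_le` and `second_lookup_be` are assumptions for the example; the sample bytes are constructed, and out-of-range reads are modelled as `None` (YARA treats the expression as undefined).

```python
import struct

# Constructed sample buffer (not from the original issue). Offset 0x10 holds
# a big-endian dword 0x00000020, intended as a pointer to a second field;
# offset 0x20 holds a little-endian dword 0xFEEDFACE.
SAMPLE = bytearray(0x40)
SAMPLE[0x10:0x14] = struct.pack(">I", 0x20)
SAMPLE[0x20:0x24] = struct.pack("<I", 0xFEEDFACE)


def uint8(buf, off):
    """Model of YARA's uint8(): one unsigned byte, or None if out of range."""
    if off < 0 or off + 1 > len(buf):
        return None
    return buf[off]


def uint32(buf, off):
    """Model of YARA v1.6's uint32(): four bytes, little-endian."""
    if off < 0 or off + 4 > len(buf):
        return None
    return struct.unpack_from("<I", buf, off)[0]


def uint32_be_composed(buf, off):
    """The workaround from the issue: build a big-endian dword from four
    uint8() reads, i.e. the shift-and-add expression shown above."""
    parts = [uint8(buf, off + i) for i in range(4)]
    if any(p is None for p in parts):
        return None
    return (parts[0] << 24) + (parts[1] << 16) + (parts[2] << 8) + parts[3]


def uint32be(buf, off):
    """The built-in the issue asks for (hypothetical name here): a direct
    big-endian dword read."""
    if off < 0 or off + 4 > len(buf):
        return None
    return struct.unpack_from(">I", buf, off)[0]


def second_lookup_le(buf, off):
    """uint32(uint32(off)): the little-endian chained lookup."""
    inner = uint32(buf, off)
    return None if inner is None else uint32(buf, inner)


def second_lookup_be(buf, off):
    """uint32(<big-endian dword at off>): the chained lookup the reporter
    needs, using the composed value as the second offset."""
    inner = uint32_be_composed(buf, off)
    return None if inner is None else uint32(buf, inner)


if __name__ == "__main__":
    # Comparing against a constant works either way: byte-swap the constant.
    print(hex(uint32(SAMPLE, 0x10)))            # 0x20000000
    print(uint32(SAMPLE, 0x10) == 0x20000000)   # True
    # Using the value as an offset does not: 0x20000000 is far past the end.
    print(second_lookup_le(SAMPLE, 0x10))       # None
    print(hex(second_lookup_be(SAMPLE, 0x10)))  # 0xfeedface
    # The composed expression and a direct big-endian read agree.
    print(uint32_be_composed(SAMPLE, 0x10) == uint32be(SAMPLE, 0x10))  # True
```

The little-endian chain fails silently here because the swapped value points past the buffer, which is exactly the case where a rule author cannot fix things by adjusting a constant.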