odin1314 / yara-project

Automatically exported from code.google.com/p/yara-project
Apache License 2.0

Alignment modifier for strings #39

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
I'm writing a rule which needs to check for the presence of a block of NULL 
bytes at a specific offset. The problem is that the offset is usually 
immediately preceded by some more NULLs, and so Yara will match on the first 
substring it finds... which is not at the offset I want to check. As Yara 
doesn't overlap the substring matches, after the first unaligned match, every 
match after it in that group will be offset. Er, here's an example below. So, this 
problem can be solved with a regular expression, but I want to avoid using 
those because they're really, really slow.

What would be nice is to be able to put something like "align 4" as a modifier 
after the string. For my specific use case, 512 byte alignment would be best.

Steps to Reproduce (I want a rule to match on both files):

$ echo ABCDEFGHIJKLMNOPQRSTUVWXYZ88888888 > file1
$ echo ABCDEFGHIJKLMNOPQRSTUVW88888888888 > file2

$ cat example.yara 
rule alignment_problem {
   strings:
     $a = "8888"
   condition:
     $a at 26
}

$ ./yara example.yara file1
alignment_problem file1

$ ./yara example.yara file2
[no output]

$ ./yara -s example.yara file1
alignment_problem file1
0x1a:$a: 8888
0x1e:$a: 8888

$ ./yara -sn example.yara file2
alignment_problem file2
0x17:$a: 8888
0x1b:$a: 8888

Original issue reported on code.google.com by juliavi...@gmail.com on 25 Apr 2012 at 6:40

GoogleCodeExporter commented 9 years ago
Fixed in r158. The solution was simply to allow detection of overlapping 
strings. I avoided overlapping strings before just for performance reasons, but 
didn't take into account this side-effect.

Original comment by plus...@gmail.com on 15 Aug 2012 at 3:36
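The following is an added example, not code from the YARA project or from either participant in this thread. It reproduces in Python the two scanning behaviours the thread describes (non-overlapping matching as reported, and overlapping matching as in the r158 fix) on the reporter's two input files, evaluates the `$a at 26` condition under each, and also sketches what the requested "align N" modifier would do to a hit list. The file contents are constructed from the `echo` commands above (trailing newline included, so offsets agree with the `-s` output); `find_all`, `string_at` and `aligned` are illustrative names, not YARA APIs.

```python
"""Simulate YARA's non-overlapping vs overlapping string matching and
show why `$a at 26` matched file1 but not file2 before r158.

Added example: not part of the YARA code base or this issue thread.
"""

# Constructed inputs: exactly what `echo ...` writes, newline included,
# so the offsets below line up with the reporter's `yara -s` output.
FILE1 = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ88888888\n"
FILE2 = b"ABCDEFGHIJKLMNOPQRSTUVW88888888888\n"
PATTERN = b"8888"


def find_all(data: bytes, pattern: bytes, overlap: bool) -> list[int]:
    """Return every offset at which `pattern` is reported in `data`.

    overlap=False mimics YARA before r158: after a hit, scanning resumes at
    the END of the hit, so a run of repeated bytes is carved into
    back-to-back pieces starting from wherever the first hit happened to
    land.  overlap=True mimics the fix: scanning resumes one byte after the
    hit START, so every occurrence is reported, aligned or not.
    """
    hits: list[int] = []
    pos = data.find(pattern)
    while pos != -1:
        hits.append(pos)
        step = 1 if overlap else len(pattern)
        pos = data.find(pattern, pos + step)
    return hits


def string_at(data: bytes, pattern: bytes, offset: int, overlap: bool) -> bool:
    """Equivalent of the YARA condition `$a at <offset>`: true only if one
    of the REPORTED hits starts exactly at `offset`."""
    return offset in find_all(data, pattern, overlap)


def aligned(hits: list[int], align: int) -> list[int]:
    """Hypothetical 'align N' modifier from the issue: keep only hits whose
    offset is a multiple of `align` (the reporter wanted 4 or 512)."""
    return [h for h in hits if h % align == 0]


if __name__ == "__main__":
    for name, data in (("file1", FILE1), ("file2", FILE2)):
        for overlap in (False, True):
            hits = find_all(data, PATTERN, overlap)
            print(f"{name} overlap={overlap!s:5} hits={[hex(h) for h in hits]} "
                  f"'$a at 26' -> {string_at(data, PATTERN, 26, overlap)}")
        print(f"{name} 4-byte aligned hits (overlap=True): "
              f"{aligned(find_all(data, PATTERN, True), 4)}")
```

With `overlap=False` the simulation reports `0x1a, 0x1e` for file1 and `0x17, 0x1b` for file2, the same offsets the reporter saw, and `$a at 26` is true only for file1. With `overlap=True` file2 yields hits at every offset from 0x17 through 0x1e, so `$a at 26` is true for both files, which is what r158 achieves. The side effect worth remembering is visible in the same output: overlapping reporting raises the number of hits inside a run of repeated bytes, so rules that count occurrences of such a string will see larger numbers than before.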