Mistake with terms parsing in condition. #112

Open
rakovskij-stanislav opened this issue Feb 3, 2021 · 1 comment
Ruleset:

rule minus_bad{
    meta:
        author = "Rakovskij Stanislav / disasm.me"
        date = "22.08.2020"
        description = "test rule in which we have bad parsing of minus sign"
    strings:
        $str_after = "END_TAG"
        $str_before = "START_TAG"
    condition:
        $str_before in (@str_after-512 .. @str_after)
}


rule minus_good{
    meta:
        author = "Rakovskij Stanislav / disasm.me"
        date = "22.08.2020"
        description = "test rule in which we have good parsing of minus sign"
    strings:
        $str_after = "END_TAG"
        $str_before = "START_TAG"
    condition:
        $str_before in (@str_after - 512 .. @str_after)
}

Test file

START_TAG HELLO WORLD END_TAG

Test:

> yara64.exe bug_parsing.yar bug_parsing.txt
minus_bad bug_parsing.txt
minus_good bug_parsing.txt


>python
Python 3.7.8 (tags/v3.7.8:4b47a5b6ba, Jun 28 2020, 08:53:46) [MSC v.1916 64 bit (AMD64)] on win32
Type "help", "copyright", "credits" or "license" for more information.
>>> import plyara
>>> parser = plyara.Plyara()
>>> rules = parser.parse_string(open("bug_parsing.yar").read())
>>> rules[0]["condition_terms"]
['$str_before', 'in', '(', '@str_after-512', '..', '@str_after', ')'] #WRONG!
>>> rules[1]["condition_terms"]
['$str_before', 'in', '(', '@str_after', '-', '512', '..', '@str_after', ')'] #right

There is no problem with pluses:
Ruleset:

rule plus_pre_bad{
    meta:
        author = "Rakovskij Stanislav / disasm.me"
        date = "22.08.2020"
        description = "test rule in which we previously had bad parsing of minus sign"
    strings:
        $str_after = "END_TAG"
        $str_before = "START_TAG"
    condition:
        $str_before in (@str_after+512 .. @str_after)
}


rule plus_pre_good{
    meta:
        author = "Rakovskij Stanislav / disasm.me"
        date = "22.08.2020"
        description = "test rule in which we have good parsing"
    strings:
        $str_after = "END_TAG"
        $str_before = "START_TAG"
    condition:
        $str_before in (@str_after + 512 .. @str_after)
}

Test

>>> parser = plyara.Plyara()
>>> rules = parser.parse_string(open("bug_parsing_2.yar").read())
>>> rules[0]["condition_terms"]
['$str_before', 'in', '(', '@str_after', '+', '512', '..', '@str_after', ')']
>>> rules[1]["condition_terms"]
['$str_before', 'in', '(', '@str_after', '+', '512', '..', '@str_after', ')']
>>>
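
A post-processing workaround for the glued term reported above, as an added example that is not part of the issue thread or of plyara's code. It works on plain condition_terms lists like the ones printed above; the function names find_glued_terms and split_glued_minus are hypothetical, and it assumes only string references ($, @, #, !) are affected.

```python
import re

# '-' is never legal inside a YARA identifier, so a string reference
# ($a, @a, #a, !a) followed directly by '-' is several terms glued together.
# Quoted strings and regexes start with '"' or '/', so they never match.
_GLUED = re.compile(r"^([$@#!][A-Za-z0-9_]*)-(.+)$")

# Constructed from the two term lists shown in the report above.
BAD = ['$str_before', 'in', '(', '@str_after-512', '..', '@str_after', ')']
GOOD = ['$str_before', 'in', '(', '@str_after', '-', '512', '..', '@str_after', ')']


def find_glued_terms(terms):
    """Return the terms that still contain an unsplit minus."""
    return [t for t in terms if _GLUED.match(t)]


def split_glued_minus(terms):
    """Return a copy of terms with glued references split around each '-'."""
    out = []
    for term in terms:
        match = _GLUED.match(term)
        while match:
            # Emit the reference and the operator, then re-check the remainder,
            # which may itself be glued (for example '@a-@b-4').
            out.extend([match.group(1), "-"])
            term = match.group(2)
            match = _GLUED.match(term)
        out.append(term)
    return out


if __name__ == "__main__":
    print("glued terms:", find_glued_terms(BAD))
    print("normalized equals spaced form:", split_glued_minus(BAD) == GOOD)
```

Running the normalizer before comparing or linting rules keeps two conditions that differ only in whitespace around the minus from being treated as different.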
@utkonos utkonos self-assigned this Feb 4, 2021
@utkonos utkonos added the bug Something isn't working label Feb 4, 2021
utkonos commented Feb 4, 2021

Thanks for the report. I'll get this fixed.
