|
YARA searches for strings inside files. Strings to search for are defined with YARA rules. With the release of YARA 3.8.0, support for searching for XOR encoded strings was introduced. By adding the modifier xor to the definition of a string, YARA 3.8.0 would search for strings that were XOR encoded, with a single-byte key, ranging from 1 to 255. Here is an example of a string with xor modifier.
This YARA version's xor modifier would not match unencoded strings. Apparently, that was not the purpose, and this was fixed with version 3.10.0. The same rule would now also match unencoded strings. With the latest version of YARA, 3.11.0, a YARA rule developer has now control over which XOR key range is used by modifier xor. This is done by specifing an optional minimum-key - maximum-key range after the xor modifier, like this: xor(min-max). The following rule has an xor modifier with key range 0x01-0xFF (minimum/maximum keys can be specified with decimal or hexadecimal values).
This rule will not match unencoded strings.
Didier Stevens |
DidierStevens 647 Posts ISC Handler Oct 14th 2019 |
| Thread locked Subscribe |
Oct 14th 2019 2 years ago |
|
Thank you for sharing!
|
Anonymous |
| Quote |
Oct 15th 2019 2 years ago |
Sign Up for Free or Log In to start participating in the conversation!
https://www.sans.edu
