Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update to yara 4.5.0 #72

Merged
merged 16 commits into from
Feb 16, 2024
Merged

Update to yara 4.5.0 #72

merged 16 commits into from
Feb 16, 2024

Conversation

vthib
Copy link
Owner

@vthib vthib commented Sep 10, 2023
edited
Loading

This is a WIP PR for update to yara 4.5.0

Two blockers for this:

  • the authenticode-parser dependency must be updated
  • waiting for a yara-rust release would be better than using a fork

@vthib vthib force-pushed the update-yara-4.4 branch 2 times, most recently from da2fcfd to 2e41baa Compare September 10, 2023 22:24
@vthib vthib changed the title Update to yara 4.4 Update to yara 4.5.0 Feb 13, 2024
@vthib vthib force-pushed the update-yara-4.4 branch 3 times, most recently from c48a2c4 to 06ec266 Compare February 16, 2024 00:38
@vthib
feat: update yara to 4.5.0
4641ea3
@vthib
feat: filter imported functions with invalid name in pe module
3299f94 
This changes how imported functions are filtered in the PE module,
with the goal of aligning with the pefile python library, and thus
getting the same impash values. See Yara PR #1944
@vthib
feat: do not report strings starting with _ as unused
25de09e 
This mirrors the changes done in YARA's PR #1941.
@vthib
feat: add pe.export_details[*].rva value
0dccf58 
This mirrors the changes done in YARA's PR #1882.
@vthib
test: enable pe coverage test on tiny 5200 file
a9314e4 
Now that the imported functions filtering has been modified, we actually
align with YARA for this file, so we can finally enable this test.
@vthib
test: add new compatibility tests from YARA 4.4
18355e0
@vthib
test: add yara compatibility about unknown escape warnings
d0a8539
@vthib
feat: bump MAX_PE_EXPORTS limit to 16384
a97b58b 
This mirrors the changes done in YARA's PR #1679.
@vthib
feat: return undefined for math.count/percentage when out of range
461233e
@vthib
feat: validate pe dll names, add size limit
bf25f2a 
Reflect what is done in yara, where dll names are validated otherwise
ignored. A new limit was added in YARA 4.4 as well.
@vthib
fix: keep proper magic value in macho module
85857fc 
This matches the VirusTotal/yara#2041 fix
done in yara 4.5.0
@vthib
feat: always expose pe.is_signed
4e94853 
This matches the VirusTotal/yara#2040 fix
done in yara 4.5.0
@vthib
test: update tests on yara matching of empty strings
fab9f4c 
Update tests now that yara has fixed this edge case in Yara 4.5.0
(see VirusTotal/yara@79794c4053df3).
@vthib
test: update tests on {0} and {0,0} quantifiers
cc693a1 
Yara 4.5.0 now supports those, so update the tests accordingly.
See VirusTotal/yara#2037
@vthib
feat: update authenticode-parser dependency
0423a0a
@vthib
doc: update changelog and readme on yara 4.5 update
49a6580
@vthib vthib merged commit 89224d8 into master Feb 16, 2024
12 checks passed
@vthib vthib deleted the update-yara-4.4 branch February 16, 2024 21:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@vthib