
[pull] main from VirusTotal:main#251

Merged
pull[bot] merged 6 commits into threatcode:main from VirusTotal:main on Jun 23, 2026

Conversation

@pull pull Bot commented Jun 23, 2026


See Commits and Changes for more details.


Created by pull[bot] (v2.0.0-alpha.4)

Can you help keep this open source service alive? 💖 Please sponsor : )

nugxperience and others added 6 commits June 23, 2026 12:19
…ming modifiers (#689)

The header constraints optimization introduced in #676 prunes a pattern at
scan time when the file header can't satisfy the bytes the pattern requires
at offset 0 (e.g. `$a at 0`). The bytes were taken from the pattern's literal
text, ignoring its modifiers.

For patterns with the `xor`, `nocase`, `wide`, `base64` or `base64wide`
modifiers, the bytes that actually appear in the scanned data differ from the
literal text (they are XORed with a key, case-folded, interleaved with zeroes
or base64-encoded). Deriving a header constraint from the literal text in
those cases is incorrect: it requires the file to start with the plaintext
bytes, so a legitimate match at offset 0 gets pruned and the rule fails to
match.

For example, this rule did not match a file starting with "Hello" XORed with
key 0x01, even though the match is exactly at offset 0:

```
rule t { strings: $a = "Hello" xor condition: $a at 0 }
```

---------

Co-authored-by: Victor M. Alvarez <vmalvarez@virustotal.com>

Add the machine types from the current Microsoft PE format spec that
were missing from the `Machine` enum: ALPHA, ALPHA64/AXP64, ARM64EC,
ARM64X, LOONGARCH32/64, R3000(BE), R10000, RISCV32/64/128. Enable
allow_alias since AXP64 shares value 0x0284 with ALPHA64.

Values taken from the Microsoft PE format documentation:
https://learn.microsoft.com/en-us/windows/win32/debug/pe-format#machine-types

* tests: fix test case.

---------

Co-authored-by: Victor M. Alvarez <vmalvarez@virustotal.com>

Add a debug assertion to ensure that all `PatternFlags` are explicitly accounted for when determining if a pattern can be used to derive a header constraint. This helps prevent future regressions if new flags are added without considering their impact on this logic.

Single-byte patterns, such as `$a = "a"` or `{ 01 }`, can be very inefficient to scan as they match every occurrence of that byte. Previously, only repetitions of 0x00, 0x90, or 0xff were flagged as slow.
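The header-constraint bug described in the first commit above, reconstructed as an added example in Rust (YARA-X's own language) that is not YARA-X code. It assumes a simplified `PatternFlags` with four modifier bits, a toy offset-0 matcher that honours `xor`, `wide` and `nocase` (for `base64` it only disables the constraint), and a constructed sample file consisting of "Hello world" XORed with key 0x01. It contrasts the constraint derived from the literal text, which prunes a file that the pattern actually matches, with the corrected derivation that yields no constraint once a byte-changing modifier is present.

```rust
// Added example, not YARA-X code: why a header constraint taken from a
// pattern's literal text is wrong once modifiers change the scanned bytes.

/// Assumed, simplified subset of the modifiers that alter bytes on disk.
#[derive(Clone, Copy, Default)]
struct PatternFlags {
    xor: bool,
    nocase: bool,
    wide: bool,
    base64: bool,
}

/// The faulty derivation: literal bytes are used regardless of modifiers.
fn header_constraint_ignoring_modifiers(literal: &[u8], _flags: PatternFlags) -> Option<Vec<u8>> {
    Some(literal.to_vec())
}

/// The corrected derivation: any modifier that changes the bytes that appear
/// in the data disables the constraint, so the pattern is simply not pruned.
fn header_constraint(literal: &[u8], flags: PatternFlags) -> Option<Vec<u8>> {
    if flags.xor || flags.nocase || flags.wide || flags.base64 {
        None
    } else {
        Some(literal.to_vec())
    }
}

/// Scan-time pruning check: `None` means "never prune this pattern".
fn header_allows(header: &[u8], constraint: Option<&[u8]>) -> bool {
    match constraint {
        None => true,
        Some(c) => header.len() >= c.len() && &header[..c.len()] == c,
    }
}

/// Toy oracle for "does the pattern match at offset 0" that honours the
/// modifiers; pruning must never contradict this. `wide` interleaves a zero
/// after each byte, `xor` tries every single-byte key, `nocase` compares
/// ASCII case-insensitively. `base64` is not modelled here.
fn matches_at_zero(data: &[u8], literal: &[u8], flags: PatternFlags) -> bool {
    let expanded: Vec<u8> = if flags.wide {
        literal.iter().flat_map(|&b| [b, 0u8]).collect()
    } else {
        literal.to_vec()
    };
    if data.len() < expanded.len() {
        return false;
    }
    let window = &data[..expanded.len()];
    let keys: Vec<u8> = if flags.xor { (0u8..=255).collect() } else { vec![0] };
    keys.iter().any(|&k| {
        let decoded: Vec<u8> = window.iter().map(|b| b ^ k).collect();
        if flags.nocase {
            decoded.eq_ignore_ascii_case(&expanded)
        } else {
            decoded == expanded
        }
    })
}

/// Constructed sample: "Hello world" XORed with key 0x01, the case from the
/// commit message (`$a = "Hello" xor`, `$a at 0`).
fn sample_file() -> Vec<u8> {
    b"Hello world".iter().map(|b| b ^ 0x01).collect()
}

fn main() {
    let literal = b"Hello";
    let flags = PatternFlags { xor: true, ..Default::default() };
    let file = sample_file();
    let faulty = header_constraint_ignoring_modifiers(literal, flags);
    let fixed = header_constraint(literal, flags);
    println!("pattern really matches at 0:     {}", matches_at_zero(&file, literal, flags));
    println!("faulty constraint keeps pattern: {}", header_allows(&file, faulty.as_deref()));
    println!("fixed constraint keeps pattern:  {}", header_allows(&file, fixed.as_deref()));
}
```

Running it prints `true`, `false`, `true`: the file matches the rule, the literal-derived constraint would have pruned it, and the modifier-aware derivation leaves it in. A plain pattern without modifiers still gets a constraint, so the optimization keeps its benefit where it is sound.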
@pull pull Bot locked and limited conversation to collaborators Jun 23, 2026
@pull pull Bot added the ⤵️ pull label Jun 23, 2026
@pull pull Bot merged commit 496b5c8 into threatcode:main Jun 23, 2026
