Add Support for Scanning Windows 64-bit process from 32-bit Processes in YARA

[scc-tw]

Body

Description:
I am currently working with YARA for scanning memory blocks in processes, and I came across a limitation when attempting to use a 32-bit version of YARA (WoW64) to scan 64-bit processes. Specifically, I am concerned with how yr_process_get_next_memory_block handles memory queries and manipulations across different architecture boundaries.

yara/libyara/proc/windows.c

Line 151 in adf3dde

// mbi.RegionSize can overflow address while scanning a 64-bit process

Request:
Is there a plan to add support for scanning 64-bit processes using a 32-bit version of YARA? This feature would be very useful for environments where deploying a 64-bit version is not feasible.
Or I could contribute this part of code.

Possible Issues Noted:

• Handling of memory addresses and size calculations might cause overflows or improper memory block handling when a 32-bit version of YARA scans a 64-bit process.

Environment:

• Windows 10 64-bit
• YARA 32-bit version

Expected Outcome:
Support for scanning 64-bit with 32-bit YARA (WoW64), which would allow more flexible deployments and potentially improve performance in mixed-architecture environments.

Attachments:
None

[scc-tw]

It appears that there is a similar issue reported previously which can be found here: Issue #1372.
However, there hasn't been any visible progress on that thread. Could we possibly get an update on any developments related to that issue? Understanding the progress there might provide some insights or solutions relevant to this current discussion as well. Thank you!

[plusvic]

There's no plan to support WoW64 processes with 32-bit YARA. The whole process scanning feature is a bit unmaintained and there's very few testing for it.

I'm very curious about this use case, because it looks like a very uncommon one. Why are you able to use a 32-bit YARA, but not a 64-bit YARA in Windows 10 64-bit environment?

[scc-tw]

There's no plan to support WoW64 processes with 32-bit YARA. The whole process scanning feature is a bit unmaintained and there's very few testing for it.

I'm very curious about this use case, because it looks like a very uncommon one. Why are you able to use a 32-bit YARA, but not a 64-bit YARA in Windows 10 64-bit environment?

Our product employs a 32-bit anti-malware engine specifically to support legacy systems. We use this configuration to ensure compatibility and provide malware detection capabilities even in older environments. The 32-bit process is also utilized in 64-bit Windows environments to maintain consistency across our deployments and to simplify our support structure for various system configurations. If there is interest in adding support for this feature in YARA, I am willing to assist in developing and implementing this enhancements.