Skip to content

YARA-1550: Yara42 new math attributes #199

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 4 commits into from
Feb 17, 2022
Merged

YARA-1550: Yara42 new math attributes #199

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
635ca35
Add math.to_number function
TadeasKucera Feb 10, 2022
fd19257
Add math.abs function
TadeasKucera Feb 10, 2022
412d50c
Add math.count, math.percentage and math.mode
TadeasKucera Feb 10, 2022
3d54706
Test all added math functions.
TadeasKucera Feb 14, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
122 changes: 122 additions & 0 deletions modules/module_math.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -224,6 +224,128 @@
"documentation": "Returns the maximum of two unsigned integer values."
}
]
},
{
"kind": "function",
"name": "to_number",
"return_type": "i",
"overloads": [
{
"arguments": [
{
"type": "b",
"name": "boolean"
}
],
"documentation": "Returns 0 or 1, it's useful when writing a score based rule. Example: ```math.tonumber(SubRule1) * 60 + math.tonumber(SubRule2) * 20 + math.tonumber(SubRule3) * 70 > 80*```"
}
]
},
{
"kind": "function",
"name": "abs",
"return_type": "i",
"overloads": [
{
"arguments": [
{
"type": "i",
"name": "int"
}
],
"documentation": "Returns the absolute value of the signed integer. ```Example: math.abs(@a - @b) == 1```"
}
]
},
{
"kind": "function",
"name": "count",
"return_type": "i",
"overloads": [
{
"arguments": [
{
"type": "i",
"name": "byte"
},
{
"type": "i",
"name": "offset"
},
{
"type": "i",
"name": "size"
}
],
"documentation": "Returns how often a specific byte occurs, starting at *offset* and looking at the next *size* bytes. When scanning a running process the *offset* argument should be a virtual address within the process address space. *offset* and *size* are optional; if left empty, the complete file is searched. Example: ```math.count(0x4A, filesize-1024, filesize) >= 10```"
},
{
"arguments": [
{
"type": "i",
"name": "byte"
}
],
"documentation": "Returns how often a specific byte occurs, the complete file is searched. Example: ```math.count(0x4A) >= 10```"
}
]
},
{
"kind": "function",
"name": "percentage",
"return_type": "f",
"overloads": [
{
"arguments": [
{
"type": "i",
"name": "byte"
},
{
"type": "i",
"name": "offset"
},
{
"type": "i",
"name": "size"
}
],
"documentation": "Returns the occurrence rate of a specific byte, starting at *offset* and looking at the next *size* bytes. When scanning a running process the *offset* argument should be a virtual address within the process address space. The returned value is a float between 0 and 1. *offset* and *size* are optional; if left empty, the complete file is searched. Example: ```math.percentage(0xFF, filesize-1024, filesize) >= 0.9```"
},
{
"arguments": [
{
"type": "i",
"name": "byte"
}
],
"documentation": "Returns the occurrence rate of a specific byte, the complete file is searched. The returned value is a float between 0 and 1. Example: ```math.percentage(0x4A) >= 0.4```"
}
]
},
{
"kind": "function",
"name": "mode",
"return_type": "i",
"overloads": [
{
"arguments": [
{
"type": "i",
"name": "offset"
},
{
"type": "i",
"name": "size"
}
],
"documentation": "Returns the most common byte, starting at *offset* and looking at the next *size* bytes. When scanning a running process the *offset* argument should be a virtual address within the process address space. *offset* and *size* are optional; if left empty, the complete file is searched. Example: ```math.mode(0, filesize) == 0xFF```"
},
{
"arguments": [],
"documentation": "Returns the most common byte, the complete file is searched. The returned value is a float. Example: ```math.mode() == 0xFF```"
}
]
}
]
}
6 changes: 3 additions & 3 deletions tests/cpp/parser_tests.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3521,17 +3521,17 @@ import "math"
rule math_module
{
condition:
math.entropy("dummy") > 7
math.to_number(math.entropy("dummy") > 7) == 1
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should this be a brand new test instead of rewriting existing one?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We do not have a test for each module attribute, so I personally think there is no trouble with testing more functions within one test. But I can create a new test if you would prefer it.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, just put there more attributes.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done 👍

}
)");

EXPECT_TRUE(driver.parse(input));
ASSERT_EQ(1u, driver.getParsedFile().getRules().size());

const auto& rule = driver.getParsedFile().getRules()[0];
EXPECT_EQ(R"(math.entropy("dummy") > 7)", rule->getCondition()->getText());
EXPECT_EQ(R"(math.to_number(math.entropy("dummy") > 7) == 1)", rule->getCondition()->getText());
EXPECT_EQ("math", rule->getCondition()->getFirstTokenIt()->getPureText());
EXPECT_EQ("7", rule->getCondition()->getLastTokenIt()->getPureText());
EXPECT_EQ("1", rule->getCondition()->getLastTokenIt()->getPureText());

EXPECT_EQ(input_text, driver.getParsedFile().getTextFormatted());
}
Expand Down
17 changes: 17 additions & 0 deletions tests/python/test_parser.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1063,6 +1063,23 @@ def test_function_call_condition(self):
self.assertTrue(isinstance(rule.condition, yaramod.FunctionCallExpression))
self.assertEqual(rule.condition.text, 'pe.is_dll()')

def test_math_module(self):
yara_file = yaramod.Yaramod().parse_string('''
import "math"

rule math_module_condition {
strings:
$a = "string a"
$b = "string b"
condition:
math.abs(@a - @b) == 1
}''')

self.assertEqual(len(yara_file.rules), 1)

rule = yara_file.rules[0]
self.assertEqual(rule.condition.text, 'math.abs(@a - @b) == 1')

def test_structure_access_condition(self):
yara_file = yaramod.Yaramod().parse_string('''
import "pe"
Expand Down