What's new in Yara 4.5.0 (Feb 13, 2024)
- Unreferenced strings are allowed if their identifier starts with _ (#1941).
- New command-line option --disable-console-logs for disabling the output of the console module (#1915)
- New command-line option --strict-escape that raises warnings on unknown escape sequences (#1880).
- Improve performance by avoiding the execution of rule conditions that can't match (#1927)
- Add callback message CALLBACK_MSG_TOO_SLOW_SCANNING for notifying about slow rules (#1921).
- Expose function RVA in pe.export_details (#1882).
- BUGFIX: Fix issues in the computation of imphash in pe module (#1944). Credits to the NSHC ThreatRecon team!
- BUGFIX: Fix multiple out-of-bound memory reads in dex module (#1949, #1951).
- BUGFIX: Fix memory alignment issues (#1930).
- BUGFIX: Some strings with the wide and ascii modifiers not matching as they should (#1933).
- BUGFIX: Some rules not matching when --fast-scan is used (4de3d57)
- BUGFIX: Properly list memory regions while scanning processes in Mac OS (#2033).
- BUGFIX: RFC5652 countersignatures are now correctly parsed in pe module (#2034)
- BUGFIX: Fix potential DoS due to crashes in authenticode parser with malformed files (#2034). Credits to Bahaa Naamneh!
- BUGFIX: Fix SIGSEGV in magic module when libmagic returns null pointer (3342aa0)
- BUGFIX: Prevent infinite recursion while following symlinks (923368e)
New in Yara 4.4.0 RC 1 (Sep 19, 2023)
- New lnk module (#1732).
- Unreferenced strings are allowed if their identifier starts with _ (#1941).
- New command-line option --disable-console-logs for disabling the output of the console module (#1915)
- Improve performance by avoiding the execution of rule conditions that can't match (#1927)
- Add callback message CALLBACK_MSG_TOO_SLOW_SCANNING for notifying about slow rules (#1921).
- BUGFIX: Fix issues in the computation of imphash in pe module (#1944). Credits to the NSHC ThreatRecon team!
- BUGFIX: Fix multiple out-of-bound memory reads in dex module (#1949, #1951).
- BUGFIX: Fix memory alignment issues (#1930).
- BUGFIX: Some strings with the wide and ascii modifiers not matching as they should (#1933).
- BUGFIX: Some rules not matching when --fast-scan is used (4de3d57)
New in Yara 4.3.2 (Jun 12, 2023)
- BUGFIX: assertion triggered with certain hex patterns when scanning arbitrary files (bcc6312). Reported by Huawei Central Software Institute Security Team.
New in Yara 4.3.1 (Apr 21, 2023)
- BUGFIX: Functions import_rva and import_delayed_rva are now case-insensitive (#1904)
- BUGFIX: Fix heap-related issue in dotnet module on Windows (#1902)
- BUGFIX: Fix heap corruption with certain rules that have very long string sets (67cccf0)
New in Yara 4.3.0 (Apr 3, 2023)
- Added a not operator for bytes in hex strings. Example: {01 ~02 03} (#1676).
- for statement can iterate over sets of literal strings (e.g. for any s in ("a", "b"): (pe.imphash() == s)) (#1787).
- of statement can be used with at (e.g. any of them at 0) (#1790).
- Added the --print-xor-key (-X in short form) command-line option that prints the XOR key for xored strings (#1745).
- Implement the --skip-larger command-line option in Windows (#1678).
- Add parsing of .NET user types from .NET metadata stream in "dotnet" module (#1605).
- Improve certificate parsing and validation in "pe" module (#1623).
- Add telfhash() function to "elf" module (#1624).
- Add to_int() and to_string() functions to "math" module (#1767).
- Improve error reporting on certain edge cases (#1709, #1722).
- BUGFIX: Fix multiple memory alignment issues causing crashes in non-x86 platforms (#1724).
- BUGFIX: Fix implementation of math.serial_correlation (#1771).
- BUGFIX: Fix infinite recursion in dotnet module (#1794).
- BUGFIX: Fix SIGFPE when dividing INT64_MIN by -1 (c2557fc).
- BUGFIX: Fix several endianness issues (#1884, #1874, #1855).
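The 4.3.0 syntax additions above are easiest to see side by side in one rule. The rule below is an added example, not part of the release notes or the YARA project: the byte pattern, the XOR-encoded URL string and the two imphash values are constructed placeholders, not indicators from any real sample.

```yara
import "pe"

// Added example (not from the release notes): exercises the 4.3.0 syntax.
// All patterns and hash values below are constructed for illustration.
rule yara_4_3_syntax_demo
{
    meta:
        description = "4.3.0 features: '~' in hex strings, for-loops over string sets, 'of ... at'"

    strings:
        // DOS header magic plus the usual linker padding; used for the 'at 0' check
        $mz_hdr = { 4D 5A 90 00 }

        // push ebp; mov ebp, esp; sub esp, imm8
        // '~00' means "any byte except 0x00", so a zero-size stack frame does not match
        $prologue = { 55 8B EC 83 EC ~00 }

        // single-byte XOR-encoded URL prefix; 'yara -X' prints the key that matched
        $url = "http://" ascii xor(0x01-0xff)

    condition:
        // 'of ... at': at least one string of the set must start at file offset 0
        any of ($mz*) at 0
        and ($prologue or $url)
        // iterate over a literal string set: the imphash must equal one of the listed
        // values (placeholders: all zeros / all f's)
        and for any h in ("00000000000000000000000000000000",
                          "ffffffffffffffffffffffffffffffff"):
                (pe.imphash() == h)
}
```

Run it with `yara -s -X yara_4_3_syntax_demo.yar sample.bin`: `-s` prints the matched strings and their offsets, and `-X` (`--print-xor-key`) adds the XOR key that produced each `$url` match. Because pe.imphash() is undefined on non-PE input, the for-loop evaluates to false there and the rule simply does not fire.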
New in Yara 4.3.0 RC 1 (Dec 30, 2022)
- Added a not operator for bytes in hex strings. Example: {01 ~02 03} (#1676).
- for statement can iterate over sets of literal strings (e.g. for any s in ("a", "b"): (pe.imphash() == s)) (#1787).
- of statement can be used with at (e.g. any of them at 0) (#1790).
- Added the --print-xor-key (-X in short form) command-line option that prints the XOR key for xored strings (#1745).
- Implement the --skip-larger command-line option in Windows (#1678).
- Add parsing of .NET user types from .NET metadata stream in "dotnet" module (#1605).
- Improve certificate parsing and validation in "pe" module (#1623).
- Add telfhash() function to "elf" module (#1624).
- Add to_int() and to_string() functions to "math" module (#1767).
- Improve error reporting on certain edge cases (#1709, #1722).
- BUGFIX: Fix multiple memory alignment issues causing crashes in non-x86 platforms (#1724).
- BUGFIX: Fix implementation of math.serial_correlation (#1771).
- BUGFIX: Fix infinite recursion in dotnet module (#1794).
- BUGFIX: Fix SIGFPE when dividing INT64_MIN by -1.
New in Yara 4.2.3 (Aug 9, 2022)
- BUGFIX: Fix security issue that can lead to arbitrary code execution.
- BUGFIX: Fix incorrect logic in expressions like <quantifier> of <string_set>.
New in Yara 4.2.2 (Jun 30, 2022)
- BUGFIX: Fix buffer overrun in "dex" module (#1728).
- BUGFIX: Wrong offset used when checking Version string of .net metadata (#1708).
- BUGFIX: YARA doesn't compile if --with-debug-verbose flag is enabled (#1719).
- BUGFIX: Null-pointer dereferences while loading corrupted compiled rules (#1727).
New in Yara 4.2.1 (Apr 26, 2022)
- Implement the --skip-larger command-line option in Windows.
- BUGFIX: Error while scanning process memory in Linux (#1662). Thanks to @hillu.
- BUGFIX: Issue in "magic" module leading to wrong matches (#1663).
- BUGFIX: Multiple issues triggered in low-memory conditions (#1671, #1673, #1674, #1675). Reported by @1ndahous3.
- BUGFIX: Incorrect parsing of character classes in some regular expressions (#1690). Reported by @Sevaarcen.
- BUGFIX: Heap overflow in ARM. Reported by @briangreenery.
New in Yara 4.2.0 (Mar 28, 2022)
- New syntax for counting string occurrences within a range of offsets. Example: #a in (0..100) (#1565).
- New syntax for checking whether a set of strings is found within a range of offsets. Example: all of them in (0..100) (#1554).
- of operator now accepts sets of rules. Examples: 2 of (rule1, rule2, rule3), 2 of (rule*) (#1597).
- New syntactic sugar allows writing 0 of ($a) as none of ($a*) (#1559).
- New operator % for string sets. Example: 20% of them (#1434).
- New operator defined (#1529).
- New operator iequals (#1536).
- Added functions abs, count, percentage and mode to math module (#1483).
- The dotnet module is now built into YARA by default.
- Added the is_dotnet field to dotnet module (#1568).
- Added new console module (#1594).
- Added support of delayed imports to pe module (#1523).
- Reduce memory pressure when scanning process memory in Linux (#1470).
- Improve performance while matching certain hex strings (#1526, #1552).
- Implement support for unicode file names in Windows (#1491).
- Add new API functions yr_get_configuration_uintXX and yr_set_configuration_uintXX (#1621).
- Add --max-process-memory-chunk option for controlling the size of the chunks read while scanning process memory (#1393).
- Add --skip-larger option for skipping files larger than a certain size while scanning directories.
- Improve scanning performance with better atom extraction (#1656).
- BUGFIX: fullword modifier not working properly under all locales (#1544).
- BUGFIX: Fix edge case when files have a numeric name that was interpreted as a PID number (#1541).
- BUGFIX: Fix memory leaks in magic module.
- BUGFIX: Fix integer overflow while scanning files larger than 2GB (#1615).
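The 4.2.0 condition-language additions above (counting within an offset range, `of ... in (range)`, the percentage operator, `none of`, `defined`, `iequals`, `of` over rule sets and the console module) are shown together in the rules below. This is an added example, not part of the release notes or the YARA project; the strings, thresholds and section name are constructed for illustration and are not taken from a real sample.

```yara
import "pe"
import "console"

// Added example (not from the release notes): three rules exercising the
// 4.2.0 syntax. All strings and thresholds are constructed for illustration.

rule script_dropper_markers
{
    strings:
        $hdr_shebang = "#!/bin/" ascii
        $hdr_tmp     = "/tmp/" ascii
        $cmd1 = "curl " ascii
        $cmd2 = "wget " ascii
        $cmd3 = "chmod +x" ascii
        $cmd4 = "base64 -d" ascii
        $cmd5 = "nohup " ascii
        $pe1 = "This program cannot be run in DOS mode" ascii
        $pe2 = "kernel32.dll" ascii nocase

    condition:
        // 'of ... in (range)': both header markers must occur within the first 512 bytes
        all of ($hdr*) in (0..512)
        // '#x in (range)': "/tmp/" referenced at least twice in the first 4 KiB
        and #hdr_tmp in (0..4096) >= 2
        // percentage operator: at least 40% of the command strings, anywhere in the file
        and 40% of ($cmd*)
        // 'none of': reject anything that carries PE markers
        and none of ($pe*)
}

rule pe_suspicious_section_name
{
    condition:
        // 'defined' makes the non-PE case an explicit false instead of an undefined value
        defined pe.number_of_sections
        // 'iequals': case-insensitive string comparison
        and for any i in (0..pe.number_of_sections - 1):
                (pe.sections[i].name iequals ".upx0")
}

rule combined_verdict
{
    condition:
        // 'of' over a set of rules: true when at least one of the rules above matched
        1 of (script_dropper_markers, pe_suspicious_section_name)
        // console module: console.log returns true, so it can sit inside the condition
        and console.log("combined_verdict: matched")
}
```

Rules referenced in `1 of (...)` must be declared earlier in the same file, as they are here. The `console.log` call prints while scanning, which is useful when tuning thresholds such as the `40%` and the `>= 2` count; the output can be silenced with `--disable-console-logs` in later releases.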
New in Yara 4.2.0 RC 1 (Feb 9, 2022)
- New syntax for counting string occurrences within a range of offsets. Example: #a in (0..100) (#1565).
- New syntax for checking whether a set of strings is found within a range of offsets. Example: all of them in (0..100) (#1554).
- of operator now accepts sets of rules. Examples: 2 of (rule1, rule2, rule3), 2 of (rule*) (#1597).
- New syntactic sugar allows writing 0 of ($a) as none of ($a*) (#1559).
- New operator % for string sets. Example: 20% of them (#1434).
- New operator defined (#1529).
- New operator iequals (#1536).
- Added functions abs, count, percentage and mode to math module (#1483).
- Added new console module (#1594).
- Added support of delayed imports to pe module (#1523).
- Reduce memory pressure when scanning process memory in Linux (#1470).
- Improve performance while matching certain hex strings (#1526, #1552).
- Implement support for unicode file names in Windows (#1491).
- Add new API functions yr_get_configuration_uintXX and yr_set_configuration_uintXX (#1621).
- Add --max-process-memory-chunk option for controlling the size of the chunks read while scanning process memory (#1393).
- Add --skip-larger option for skipping files larger than a certain size while scanning directories.
- BUGFIX: fullword modifier not working properly under all locales (#1544).
- BUGFIX: Fix edge case when files have a numeric name that was interpreted as a PID number (#1541).
- BUGFIX: Fix memory leaks in magic module.
New in Yara 4.1.3 (Feb 9, 2022)
- BUGFIX: Fix issue where ERROR_TOO_MANY_MATCHES was incorrectly returned (6085d3f).
- BUGFIX: Fix potential buffer overrun due to incorrect macro (d5c83c6).