Softpedia >Windows >Authoring Tools >Yara >  Changelog

Yara Changelog

What's new in Yara 4.5.0

Feb 13, 2024
  • Unreferenced strings are allowed if their identifier start with _ (#1941)
  • New command-line option --disable-console-logs for disabling the output of the console module (#1915)
  • New command-line option --strict-escape that raises warnings on unknown escape sequences (#1880).
  • Improve performance by avoiding the execution of rule conditions that can't match (#1927)
  • Add callback message CALLBACK_MSG_TOO_SLOW_SCANNING for notifying about slow rules (#1921).
  • Expose function RVA in pe.export_details(#1882).
  • BUGFIX: Fix issues in the computation of imphash in pe module (#1944). Credits to the NSHC ThreatRecon team!
  • BUGFIX: Fix multiple out-of-bound memory reads in dex module (#1949, #1951).
  • BUGFIX: Fix memory alignment issues (#1930).
  • BUGFIX: Some strings with the wide and ascii modifiers not matching as they should (#1933).
  • BUGFIX: Some rules not matching when --fast-scan is used (4de3d57)
  • BUGFIX: Properly list memory regions while scanning processes in Mac OS. (#2033)
  • BUGFIX: RFC5652 countersignatures are now correctly parsed in pe module (#2034)
  • BUGFIX: Fix potential DoS due to crashes in authenticode parser with malformed files (#2034). Credits to Bahaa Naamneh!
  • BUGFIX: Fix SIGSEGV in magic module when libmagic returns null pointer (3342aa0)
  • BUGFIX: Prevent infinite recursion while following symlinks (923368e)

New in Yara 4.4.0 (Feb 13, 2024)

  • Unreferenced strings are allowed if their identifier start with _ (#1941)
  • New command-line option --disable-console-logs for disabling the output of the console module (#1915)
  • New command-line option --strict-escape that raises warnings on unknown escape sequences (#1880).
  • Improve performance by avoiding the execution of rule conditions that can't match (#1927)
  • Add callback message CALLBACK_MSG_TOO_SLOW_SCANNING for notifying about slow rules (#1921).
  • Expose function RVA in pe.export_details(#1882).
  • BUGFIX: Fix issues in the computation of imphash in pe module (#1944). Credits to the NSHC ThreatRecon team!
  • BUGFIX: Fix multiple out-of-bound memory reads in dex module (#1949, #1951).
  • BUGFIX: Fix memory alignment issues (#1930).
  • BUGFIX: Some strings with the wide and ascii modifiers not matching as they should (#1933).
  • BUGFIX: Some rules not matching when --fast-scan is used (4de3d57)
  • BUGFIX: Properly list memory regions while scanning processes in Mac OS. (#2033)
  • BUGFIX: RFC5652 countersignatures are now correctly parsed in pe module (#2034)
  • BUGFIX: Fix potential DoS due to crashes in authenticode parser with malformed files (#2034). Credits to Bahaa Naamneh!
  • BUGFIX: Fix SIGSEGV in magic module when libmagic returns null pointer (3342aa0)
  • BUGFIX: Prevent infinite recursion while following symlinks (923368e)

New in Yara 4.4.0 RC 1 (Sep 19, 2023)

  • New lnk module (#1732).
  • Unreferenced strings are allowed if their identifier start with _ (#1941)
  • New command-line option --disable-console-logs for disabling the output of the console module (#1915)
  • Improve performance by avoiding the execution of rule conditions that can't match (#1927)
  • Add callback message CALLBACK_MSG_TOO_SLOW_SCANNING for notifying about slow rules (#1921).
  • BUGFIX: Fix issues in the computation of imphash in pe module (#1944). Credits to the NSHC ThreatRecon team!
  • BUGFIX: Fix multiple out-of-bound memory reads in dex module (#1949, #1951).
  • BUGFIX: Fix memory alignment issues (#1930).
  • BUGFIX: Some strings with the wide and ascii modifiers not matching as they should (#1933).
  • BUGFIX: Some rules not matching when --fast-scan is used (4de3d57)

New in Yara 4.3.2 (Jun 12, 2023)

  • BUGFIX: assertion triggered with certain hex patterns when scanning arbitrary files (bcc6312). Reported by Huawei Central Software Institute Security Team.

New in Yara 4.3.1 (Apr 21, 2023)

  • BUGFIX: Functions import_rva and import_delayed_rva are now case-insensitive (#1904)
  • BUGFIX: Fix heap-related issue in dotnet module on Windows (#1902)
  • BUGFIX: Fix heap corruption with certain rules that have very long string sets (67cccf0)

New in Yara 4.3.0 (Apr 3, 2023)

  • Added a not operator for bytes in hex strings. Example: {01 ~02 03} (#1676).
  • for statement can iterate over sets of literal strings (e.g. for any s in ("a", "b"): (pe.imphash() == s)) (#1787).
  • of statement can be used with at (e.g. any of them at 0) (#1790).
  • Added the --print-xor-key (-X in short form) command-line option that prints the XOR key for xored strings (#1745).
  • Implement the --skip-larger command-line option in Windows (#1678).
  • Add parsing of .NET user types from .NET metadata stream in "dotnet" module (#1605).
  • Improve certificate parsing and validation in "pe" module (#1623).
  • Add telfhash() function to "elf" module (#1624).
  • Add to_int() and to_string() functions to "math" module (#1767).
  • Improve error reporting on certain edge cases (#1709, #1722).
  • BUGFIX: Fix multiple memory alignment issues causing crashes in non-x86 platforms (#1724).
  • BUGFIX: Fix implementation of math.serial_correlation(#1771).
  • BUGFIX: Fix infinite recursion in dotnet module (#1794).
  • BUGFIX: Fix SIGFPE when dividing INT64_MIN by -1 (c2557fc).
  • BUGFIX: Fix several endianess issues (#1884, #1874, #1855).

New in Yara 4.3.0 RC 1 (Dec 30, 2022)

  • Added a not operator for bytes in hex strings. Example: {01 ~02 03} (#1676).
  • for statement can iterate over sets of literal strings (e.g. for any s in ("a", "b"): (pe.imphash() == s)) (#1787).
  • of statement can be used with at (e.g. any of them at 0) (#1790).
  • Added the --print-xor-key (-X in short form) command-line option that prints the XOR key for xored strings (#1745).
  • Implement the --skip-larger command-line option in Windows (#1678).
  • Add parsing of .NET user types from .NET metadata stream in "dotnet" module (#1605).
  • Improve certificate parsing and validation in "pe" module (#1623).
  • Add telfhash() function to "elf" module (#1624).
  • Add to_int() and to_string() functions to "math" module (#1767).
  • Improve error reporting on certain edge cases (#1709, #1722).
  • BUGFIX: Fix multiple memory alignment issues causing crashes in non-x86 platforms (#1724).
  • BUGFIX: Fix implementation of math.serial_correlation(#1771).
  • BUGFIX: Fix infinite recursion in dotnet module (#1794).
  • BUGFIX: Fix SIGFPE when dividing INT64_MIN by -1.

New in Yara 4.2.3 (Aug 9, 2022)

  • BUGFIX: Fix security issue that can lead to arbitrary code execution.
  • BUGFIX: Fix incorrect logic in expressions like <quantifier> of <string_set>.

New in Yara 4.2.2 (Jun 30, 2022)

  • BUGFIX: Fix buffer overrun in "dex" module (#1728).
  • BUGFIX: Wrong offset used when checking Version string of .net metadata (#1708).
  • BUGFIX: YARA doesn't compile if --with-debug-verbose flag is enabled (#1719).
  • BUGFIX: Null-pointer dereferences while loading corrupted compiled rules (#1727).

New in Yara 4.2.1 (Apr 26, 2022)

  • Implement the --skip-larger command-line option in Windows.
  • BUGFIX: Error while scanning process memory in Linux (#1662). Thanks to @hillu.
  • BUGFIX: Issue in "magic" module leading to wrong matches (#1663).
  • BUGFIX: Multiple issues triggered in low-memory conditions (#1671, #1673, #1674, #1675). Reported by @1ndahous3.
  • BUGFIX: Incorrect parsing of character classes in some regular expressions (#1690). Reported by @Sevaarcen.
  • BUGFIX: Heap overflow in ARM. Reported by @briangreenery.

New in Yara 4.2.0 (Mar 28, 2022)

  • New syntax for counting string occurrences within a range of offsets. Example: #a in (0..100) (#1565).
  • New syntax for checking if a set of strings are found within a range of offsets all of them in (0..100) (#1554).
  • of operator now accepts sets of rules, Examples: 2 of (rule1, rule2, rule3), 2 of (rule*) (##1597)
  • New syntactic sugar allows writing 0 of ($a) as none of ($a*) (#1559).
  • New operator % for string sets. Example: 20% of them (#1434).
  • New operator defined (#1529).
  • New operator iequals (#1536).
  • Added functions abs, count, percentage and mode to math module (#1483).
  • The dotnet module is now built into YARA by default.
  • Added the is_dotnet field to dotnet module (#1568).
  • Added new console module (#1594).
  • Added support of delayed imports to pe module (#1523).
  • Reduce memory pressure when scanning process memory in Linux (#1470).
  • Improve performance while matching certain hex strings (#1526, #1552).
  • Implement support for unicode file names in Windows (#1491).
  • Add new API functions yr_get_configuration_uintXX and yr_set_configuration_uintXX (#1621).
  • Add --max-process-memory-chunk option for controlling the size of the chunks while scanning a process memory (#1393).
  • Add --skip-larger option for skipping files larger than a certain size while scanning directories.
  • Improve scanning performance with better atom extraction (#1656).
  • BUGFIX: fullword modifier not working properly under all locales (#1544).
  • BUGFIX: Fix edge case when files have a numeric name that was interpreted as a PID number (#1541).
  • BUGFIX: Fix memory leaks in magic module.
  • BUGFIX: Fix integer overflow while scanning files larger than 2GB (#1615).

New in Yara 4.2.0 RC 1 (Feb 9, 2022)

  • New syntax for counting string occurrences within a range of offsets. Example: #a in (0..100) (#1565).
  • New syntax for checking if a set of strings are found within a range of offsets all of them in (0..100) (#1554).
  • of operator now accepts sets of rules, Examples: 2 of (rule1, rule2, rule3), 2 of (rule*) (##1597)
  • New syntactic sugar allows writing 0 of ($a) as none of ($a*) (#1559).
  • New operator % for string sets. Example: 20% of them (#1434).
  • New operator defined (#1529).
  • New operator iequals (#1536).
  • Added functions abs, count, percentage and mode to math module (#1483).
  • Added new console module (#1594).
  • Added support of delayed imports to pe module (#1523).
  • Reduce memory pressure when scanning process memory in Linux (#1470).
  • Improve performance while matching certain hex strings (#1526, #1552).
  • Implement support for unicode file names in Windows (#1491).
  • Add new API functions yr_get_configuration_uintXX and yr_set_configuration_uintXX (#1621).
  • Add --max-process-memory-chunk option for controlling the size of the chunks while scanning a process memory (#1393).
  • Add --skip-larger option for skipping files larger than a certain size while scanning directories.
  • BUGFIX: fullword modifier not working properly under all locales (#1544).
  • BUGFIX: Fix edge case when files have a numeric name that was interpreted as a PID number (#1541).
  • BUGFIX: Fix memory leaks in magic module.

New in Yara 4.1.3 (Feb 9, 2022)

  • BUGFIX: Fix issue where ERROR_TOO_MANY_MATCHES was incorrectly returned (6085d3f).
  • BUGFIX: Fix potential buffer overrun due to incorrect macro (d5c83c6).