
Expanding support for global variable objects.

Status: Open. msuiche opened this issue 1 year ago • 2 comments

This is something which was lacking in the C version: according to the current documentation, yara-x only supports "global external variables" but not "external objects", which would include arrays and structures for richer data enrichment.

This could be really great for modules that want to keep the same naming convention as VirusTotal live hunting, to make rules interoperable. For example, variables like vt.behaviour.command_executions or vt.behaviour.modules_loaded, which are only accessible as an array via the for loop keyword, but also variables under specific structures such as vt.behaviour.

More information about existing issues which were not addressable in the current C version of yara: "Support for EXTERNAL OBJECT_TYPE_ARRAY and OBJECT_TYPE_STRUCTURE" and "Exporting yr_object_create() to enable custom structures?"

msuiche, May 21 '24 08:05

This is something that I have in mind for future releases. I'm currently focused on releasing a version that has feature parity with yara, but more advanced features like this are in the plan.

plusvic, May 21 '24 10:05

Excellent! Amazing job as usual, @plusvic!

msuiche, May 21 '24 13:05

Seems like the Rust API for Yara-x already supports global hashmap vars (actually for any type implementing try_into; unfortunately vectors do not implement it, so adding support for arrays will require much more, potentially breaking, code refactoring). I've added support for the Python API as well in #433. More work for the rest of the APIs is needed; I might try to tackle it myself after the PR is merged.

nmbarel, Aug 27 '25 19:08

@nmbarel just to confirm, does that mean you can have nested variable names with this update, like x.y.z.variable name?

msuiche, Sep 03 '25 14:09

@msuiche Yep :) any dict should work (example: the global var dict={x: {y: 1}} should match with the rule condition dict.x.y == 1).

As I've said, I'm currently working on the rest of the APIs, and I think I might've been wrong about my list comment: it looks like a valid serde JSON value can also be just a list, so I'll try getting on that after finishing the rest.

nmbarel, Sep 03 '25 14:09

Amazing! This is pretty cool. At the time I was looking for this, I realized it could really unlock a lot of possibilities for third parties, even beyond security.

msuiche, Sep 04 '25 14:09

I think this adds a lot of potential to integrate yara-x into more data pipelines that do more complex (and not exactly binary-only) stuff with their files. That was certainly my use case: it was either this or writing a whole new module that would perform the HTTP request to get the data I wanted to write rules on, which is super bad. Hopefully I'll finish the rest soon, and it'll open the door for more stuff like this that can preserve yara's core concepts while opening it up a bit for wider systems integration.

nmbarel, Sep 04 '25 14:09

I think this can be closed now :) @plusvic @msuiche

nmbarel, Sep 30 '25 11:09

Fixed in #449

plusvic, Sep 30 '25 11:09