yara-x

Implement bitwise masking in hex patterns.

Open plusvic opened this issue 2 years ago • 2 comments

Example: { E0 F:0?1?: :0110 1001: AB }

Everything in between pairs of : is interpreted as a sequence of bits where ? is a wildcard for a single bit. The number of bits in each sequence must be a multiple of 4. You can express one nibble in its hex form and the other one in binary, like in F:0?1?:.

plusvic, Apr 05 '23 20:04

Another syntax might be to have masks in hex, where your prior example would be written as something like the following.

{ E0 F2&FA 69 AB }

Whatever the syntax, I'll gladly use any sort of bit masking feature if it were available. Nybble granularity isn't always the best scale in hex strings.

travisgoodspeed, Feb 08 '25 16:02

I started working on this here: https://github.com/dengelt/yara-x/tree/bit-pattern

I implemented a format similar to the one in the original comment, but currently the binary patterns have to be whole bytes (8 bits) to make parsing easier. Branch is WIP and might get rebased later.

dengelt, Jun 22 '25 14:06
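
The syntax from the opening post, lowered to per-byte value/mask pairs of the kind the `F2&FA` notation in the first reply writes out directly. This is an added example, not code from the thread, from YARA-X, or from the linked branch. The names `MaskedByte`, `parse_bit_pattern` and `find` are hypothetical, and it assumes a `?` outside the colons stays a nibble wildcard as in existing hex patterns.

```rust
/// One pattern byte: an input byte `b` matches when `b & mask == value`.
#[derive(Debug, PartialEq, Clone, Copy)]
pub struct MaskedByte { pub value: u8, pub mask: u8 }

/// Parses the text between `{` and `}` in the syntax proposed in this issue.
pub fn parse_bit_pattern(body: &str) -> Result<Vec<MaskedByte>, String> {
    let mut bits: Vec<(bool, bool)> = Vec::new(); // (value bit, mask bit), MSB first
    let mut in_binary = false;
    let mut run_len = 0usize; // bits seen in the current `:`-delimited sequence
    for c in body.chars().filter(|c| !c.is_whitespace()) {
        match (c, in_binary) {
            (':', false) => { in_binary = true; run_len = 0; }
            (':', true) => {
                if run_len % 4 != 0 {
                    return Err(format!("{}-bit sequence is not a multiple of 4", run_len));
                }
                in_binary = false;
            }
            ('0', true) | ('1', true) => { bits.push((c == '1', true)); run_len += 1; }
            ('?', true) => { bits.push((false, false)); run_len += 1; } // one wildcard bit
            ('?', false) => bits.extend_from_slice(&[(false, false); 4]), // wildcard nibble
            (h, false) if h.is_ascii_hexdigit() => {
                let n = h.to_digit(16).unwrap();
                bits.extend((0..4).rev().map(|i| ((n >> i) & 1 == 1, true)));
            }
            _ => return Err(format!("unexpected character {:?}", c)),
        }
    }
    if in_binary { return Err("unterminated bit sequence".to_string()); }
    if bits.len() % 8 != 0 { return Err("pattern does not end on a byte boundary".to_string()); }
    Ok(bits.chunks(8).map(|byte| {
        let mut p = MaskedByte { value: 0, mask: 0 };
        for &(v, m) in byte {
            p.value = (p.value << 1) | v as u8;
            p.mask = (p.mask << 1) | m as u8;
        }
        p
    }).collect())
}

/// Offset of the first position in `data` where every pattern byte matches.
pub fn find(pat: &[MaskedByte], data: &[u8]) -> Option<usize> {
    if pat.is_empty() { return None; }
    data.windows(pat.len()).position(|w| w.iter().zip(pat).all(|(b, p)| b & p.mask == p.value))
}

fn main() {
    let pat = parse_bit_pattern("E0 F:0?1?: :0110 1001: AB").unwrap();
    let shown: Vec<String> = pat.iter().map(|p| format!("{:02X}&{:02X}", p.value, p.mask)).collect();
    println!("{}", shown.join(" "));
    println!("{:?}", find(&pat, &[0x00, 0xE0, 0xF7, 0x69, 0xAB])); // constructed sample bytes
}
```

Wildcard bits are stored with a zero value bit, so the single comparison `b & mask == value` covers fully fixed bytes, nibble wildcards and single-bit wildcards alike.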