Feature request: Visually mark found strings without hovering

Open ruppde opened this issue 1 year ago • 2 comments

The logical next step after https://github.com/avast/yari/issues/63 would be to visually mark found strings without hovering.

Could look like this: You open a .yar and immediately see by the blue numbers, in how many hashes these strings match:

{
	meta:
		...
		hash = "0e9d92807d990144c637d8b081a6a90a74f15c7337522874cf6317092ea2d7c1"
		hash = "ebbc485e778f8e559ef9c66f55bb01dc4f5dcce9c31ccdd150e2c702c4b5d9e1"
		hash = "44b4068bfbbb8961e16bae238ad23d181ac9c8e4fcb4b09a66bbcd934d2d39ee"
		hash = "c5a4e188780b5513f34824904d56bf6e364979af6782417ccc5e5a8a70b4a95a"
	strings:
		2️⃣ $susasp1 = "/*-/*-*/"
		0️⃣ $susasp2 = "(\"%1"
		1️⃣ $susasp3 = /[Cc]hr\([Ss]tr\(/
		2️⃣ $susasp4 = "cmd.exe"
		...

After clicking on the magnifying lens next to the hashes, you see which strings match for this hash by ✅ or ❌ next to the strings without needing to hover.

I just don't have a clue how this could be done with LSP :)

ruppde, Oct 23 '23 15:10

Good suggestion! I think we might be able to do something similar using inlay hints.

MatejKastak, Oct 24 '23 06:10

Looks promising. If we get this working, there would be a gazillion more things to mark with that:

  • hash not found, not found but on VT, found locally and rule matched, rule didn't match
  • rule changed but modified-header is not today
  • do quality check with e.g. https://github.com/Neo23x0/yaraQA

ruppde, Oct 24 '23 08:10
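
A sketch of how the inlay-hint idea from this thread could produce the per-string match counts shown in the mock-up, added here as an example and not taken from yari's code base. The rule name, the sample contents, and the simplified matcher (Python `re` standing in for the YARA engine) are assumptions; the hint fields follow the LSP `textDocument/inlayHint` result shape.

```python
import re

# Constructed rule modelled on the issue's mock-up; the rule name is made up.
RULE = r'''rule example_susasp {
    strings:
        $susasp1 = "/*-/*-*/"
        $susasp2 = "(\"%1"
        $susasp3 = /[Cc]hr\([Ss]tr\(/
        $susasp4 = "cmd.exe"
    condition:
        any of them
}'''

# Constructed sample contents standing in for the files behind the meta hashes.
SAMPLES = {
    "sample_a": b'<% /*-/*-*/ x = Chr(Str(99)) : run "cmd.exe" %>',
    "sample_b": b"<% /*-/*-*/ shell cmd.exe /c dir %>",
}

# Matches `$name = "text"` or `$name = /regex/` (no modifiers, no hex strings).
STRING_DEF = re.compile(r'^(\s*)(\$\w+)\s*=\s*(?:"((?:\\.|[^"\\])*)"|/((?:\\.|[^/\\])+)/)')

def compile_string(text, regex):
    """Stand-in matcher: a real server would ask the YARA engine instead."""
    if regex is not None:
        return re.compile(regex.encode())
    literal = re.sub(r'\\(["\\])', r'\1', text)  # only \" and \\ are unescaped
    return re.compile(re.escape(literal.encode()))

def inlay_hints(rule_text, samples):
    """Build the result array of an LSP textDocument/inlayHint response."""
    hints = []
    for line_no, line in enumerate(rule_text.splitlines()):
        m = STRING_DEF.match(line)
        if not m:
            continue
        matcher = compile_string(m.group(3), m.group(4))
        hit_count = sum(1 for data in samples.values() if matcher.search(data))
        hints.append({
            # LSP positions are zero-based; the hint sits just before `$name`.
            "position": {"line": line_no, "character": len(m.group(1))},
            "label": f"{hit_count}/{len(samples)}",
            "paddingRight": True,
            "tooltip": f"{m.group(2)} matches {hit_count} of {len(samples)} samples",
        })
    return hints
```

A string whose label reads `0/2`, like `$susasp2` here, is the case the mock-up makes visible at a glance: a string that no referenced sample contains.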