About yara matching software component version

[gaohang]

The FACT version you are using

No response

Your question

how does ghidra extract version format string? Could you give some guidence? thank you.

[jstucke]

FACT uses mostly YARA to directly match the version. Some programs store the version in a separate string and use string formatting for their version output (e.g. "xxx version %s" or "yyy version %d.%d.%d"). Matching the version directly is usually not robust enough because of too many false positives. We use Ghidra in these cases to try to find the string (or number) that is formatted into the string.

The key_strings are the format strings from the signature (only the signatures where format_string = true is set in the meta data). The idea is to find the basic block where these strings are used and look for the version strings from there.

[gaohang]

why version strings are in xref basic block?

FACT uses mostly YARA to directly match the version. Some programs store the version in a separate string and use string formatting for their version output (e.g. "xxx version %s" or "yyy version %d.%d.%d"). Matching the version directly is usually not robust enough because of too many false positives. We use Ghidra in these cases to try to find the string (or number) that is formatted into the string.

The key_strings are the format strings from the signature (only the signatures where format_string = true is set in the meta data). The idea is to find the basic block where these strings are used and look for the version strings from there.

[Enkelmann]

To be more precise we look for the call that prints the version string (and not only the basic block where it happens). And then we follow the other parameters to that call (which correspond to the version numbers in e.g. "yyy version %d.%d.%d") back to their sources using the xrefs of Ghidra.