feat: Add support for rule metadata to be output in scan mode #170
Commits on Aug 1, 2024
-
This adds support for the -m flag (print metadata) so that rule metadata is printed when a scan matches. Currently only outputs in text form, json will be next.
-
-
Commits on Aug 2, 2024
-
-
Implement xor output in scan command.
If a string is using the xor modifier we now display the xor information (key and plaintext) in both text and json output modes. ``` wxs@mbp yara-x % ./target/debug/yr scan -o ndjson -s rules/a.yara ~/src/yara/tests/data/xor.out | jq . { "path": "/Users/wxs/src/yara/tests/data/xor.out", "rules": [ { "identifier": "freebsd", "strings": [ { "identifier": "$a", "start": 28, "length": 19, "data": "Uihr!qsnfs`l!b`oonu", "xor_key": 1, "plaintext": "This program cannot" }, { "identifier": "$a", "start": 52, "length": 19, "data": "Vjkq\\\"rpmepco\\\"acllmv", "xor_key": 2, "plaintext": "This program cannot" }, { "identifier": "$b", "start": 4, "length": 19, "data": "This program cannot" } ] } ] } wxs@mbp yara-x % ./target/debug/yr scan -s rules/a.yara ~/src/yara/tests/data/xor.out freebsd /Users/wxs/src/yara/tests/data/xor.out 0x1c:19:$a xor(0x1,This program cannot): Uihr!qsnfs`l!b`oonu 0x34:19:$a xor(0x2,This program cannot): Vjkq\"rpmepco\"acllmv 0x4:19:$b: This program cannot ──────────────────────────────────────────────────────────────────────────────────────────────────────────────── 1 file(s) scanned in 0.0s. 1 file(s) matched. wxs@mbp yara-x % ``` When using --print-strings-limit it looks like this in text mode: ``` wxs@mbp yara-x % ./target/debug/yr scan -s --print-strings-limit 5 rules/a.yara ~/src/yara/tests/data/xor.out freebsd /Users/wxs/src/yara/tests/data/xor.out 0x1c:19:$a xor(0x1,This ): Uihr! ... 14 more bytes 0x34:19:$a xor(0x2,This ): Vjkq\" ... 14 more bytes 0x4:19:$b: This ... 14 more bytes ──────────────────────────────────────────────────────────────────────────────────────────────────────────────── 1 file(s) scanned in 0.0s. 1 file(s) matched. wxs@mbp yara-x % ``` Not sure if we want to print the "... X more bytes" part in the plaintext or just leave it implied. I've also included a bug fix here where we were only printing the last matching pattern. -
-
-
-
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.