SANS ISC: YARA XOR Strings: an Update - Internet Security | DShield SANS ISC InfoSec Forums
YARA XOR Strings: an Update

Almost a year ago, I reported on a new feature in YARA version 3.8.0: YARA XOR Strings. The new xor string modifier allows for the search of strings that are XOR-encoded with a one-byte key.

In that diary entry, I pointed out that using the xor modifier would result in not matching strings that are not XOR-encoded (or, equivalently, encoded with key 0x00). Assuming this was the intended behavior, I did not report this as a bug.

But for Victor, it was a bug. I missed this when YARA 3.10.0 was released in May, but it included a fix for the xor modifier.

With version 3.8.0, XOR key 0x00 is not detected:

And with version 3.10.0, it is:
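To make the difference between the two versions concrete, here is an added example that is not part of the original diary and not YARA's own code: a pure-Python emulation of the xor modifier's single-byte key search. It scans a constructed buffer that holds the same string in plaintext, XOR-encoded with key 0x41, and XOR-encoded with key 0xFF, first with keys 0x01 to 0xFF (the 3.8.0 behavior) and then with keys 0x00 to 0xFF (the 3.10.0 behavior). The pattern, sample buffer and key choices are constructed for this illustration; the equivalent YARA rule is shown in a comment.

```python
"""Emulation (not YARA's implementation) of the `xor` string modifier.

The equivalent YARA rule would be:

    rule dos_stub_xor {
        strings:
            $s = "This program cannot be run in DOS mode" xor
        condition:
            $s
    }

YARA 3.8.0 tried keys 0x01..0xFF only, so the plaintext string (key 0x00)
did not match; 3.10.0 also tries key 0x00. Both behaviours are reproduced
below so the difference can be seen on one buffer.
"""
from typing import Dict, List, Tuple

# Constructed pattern; any ASCII/binary string works the same way.
PATTERN = b"This program cannot be run in DOS mode"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with a single-byte key (0x00..0xFF)."""
    return bytes(b ^ key for b in data)


def find_xor_strings(buf: bytes, pattern: bytes,
                     include_zero_key: bool) -> List[Tuple[int, int]]:
    """Return sorted (offset, key) pairs for every occurrence of
    `pattern XOR key` inside buf, trying every single-byte key.

    include_zero_key=False mimics YARA 3.8.0 (keys 0x01..0xFF),
    include_zero_key=True  mimics YARA 3.10.0 (keys 0x00..0xFF).
    """
    first_key = 0x00 if include_zero_key else 0x01
    hits: List[Tuple[int, int]] = []
    for key in range(first_key, 0x100):
        needle = xor_bytes(pattern, key)
        start = 0
        while True:
            idx = buf.find(needle, start)
            if idx < 0:
                break
            hits.append((idx, key))
            start = idx + 1  # continue past this hit to find overlaps too
    return sorted(hits)


def build_sample() -> bytes:
    """Constructed sample: the pattern in plaintext (key 0x00), then
    XOR-encoded with 0x41, then with 0xFF, separated by filler bytes."""
    return (b"\x00" * 16                  # filler
            + PATTERN                      # offset 16, key 0x00
            + b"\x90" * 8
            + xor_bytes(PATTERN, 0x41)     # offset 62, key 0x41
            + b"\x90" * 8
            + xor_bytes(PATTERN, 0xFF))    # offset 108, key 0xFF


def compare_versions(buf: bytes = None) -> Dict[str, List[Tuple[int, int]]]:
    """Run both key ranges over the buffer and return the hits per version."""
    if buf is None:
        buf = build_sample()
    return {
        "3.8.0": find_xor_strings(buf, PATTERN, include_zero_key=False),
        "3.10.0": find_xor_strings(buf, PATTERN, include_zero_key=True),
    }


if __name__ == "__main__":
    for version, hits in compare_versions().items():
        print(f"YARA {version} emulation:")
        for offset, key in hits:
            print(f"  offset {offset:#06x}  key {key:#04x}")
```

Running the block shows the 3.8.0 emulation reporting only the two encoded copies, while the 3.10.0 emulation also reports the plaintext copy at offset 0x10 with key 0x00. In practice this means a rule relying on a single `xor` string under 3.8.0 would need a second, unmodified copy of the string to catch unencoded samples; from 3.10.0 on, the one modified string covers both cases.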


Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com
