YARA-X 1.10.1 Release: Hash Function Warnings (Sun, Jan 11th)
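YARA-X 1.11.0 introduces hash function warnings. Matching against a cryptographic hash (such as SHA256) is done as a string comparison. If a mistake is made (such as mixing up hash types or adding an extra space), a warning is shown. 2026-1-11 11:8:41 Author: isc.sans.edu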

YARA-X's 1.11.0 release brings a new feature: hash function warnings.

When you write a YARA rule to match a cryptographic hash (either the full file content or a part of it), what's actually going on are string comparisons:

Function hash.sha256 returns a string (the hexadecimal SHA256 hash it calculated) and that is compared to a literal string that is the hash you want to find.

If you make a mistake in your literal string hash (for example: unintentionally add an extra space), then the match will fail.

But YARA-X will now show a warning like this:

Another example is where you mix up hashes: you provide a SHA1 literal string hash, and it should be a SHA256.

Didier Stevens
Senior handler
blog.DidierStevens.com
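
The same class of mistake can be caught before a rule ever reaches the scanner, for instance when rules are also used with engines that do not emit this warning. The following Python check is an added example, not code from the diary or from YARA-X; the function name `check_hash_literals`, the regular expression and the sample rules are assumptions constructed for illustration, and it only covers `hash.md5`, `hash.sha1` and `hash.sha256` compared with `==` to a string literal.

```python
import re

# Hex digest length for each hash-module function (MD5, SHA-1, SHA-256).
DIGEST_LEN = {"md5": 32, "sha1": 40, "sha256": 64}
LEN_TO_ALGO = {n: a for a, n in DIGEST_LEN.items()}

# hash.<algo>(<args>) == "<literal>"  (args without nested parentheses)
CMP = re.compile(r'hash\.(md5|sha1|sha256)\s*\(([^()]*)\)\s*==\s*"([^"]*)"')

def check_hash_literals(rule_text):
    """Return (line_number, message) for each literal that can never match."""
    findings = []
    for m in CMP.finditer(rule_text):
        algo, literal = m.group(1), m.group(3)
        line = rule_text.count("\n", 0, m.start()) + 1
        want = DIGEST_LEN[algo]
        if literal != literal.strip():
            msg = "literal has leading or trailing whitespace"
        elif not re.fullmatch(r"[0-9a-fA-F]+", literal):
            msg = "literal contains non-hexadecimal characters"
        elif len(literal) != want:
            other = LEN_TO_ALGO.get(len(literal))
            hint = f" (looks like {other})" if other else ""
            msg = f"{algo} needs {want} hex digits, got {len(literal)}{hint}"
        elif literal != literal.lower():
            # The hash module returns lowercase hex, so the comparison is case-sensitive.
            msg = "literal has uppercase hex; the hash module returns lowercase"
        else:
            continue
        findings.append((line, msg))
    return findings

# Constructed sample rules: digests of the empty input, with deliberate mistakes.
SAMPLE = '''import "hash"
rule ok       { condition: hash.sha256(0, filesize) == "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" }
rule space    { condition: hash.sha256(0, filesize) == "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 " }
rule mixed_up { condition: hash.sha256(0, filesize) == "da39a3ee5e6b4b0d3255bfef95601890afd80709" }
'''

if __name__ == "__main__":
    for line, msg in check_hash_literals(SAMPLE):
        print(f"line {line}: {msg}")
```

The messages are this example's own wording and do not reproduce the text of the YARA-X warning.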


Source: https://isc.sans.edu/diary/rss/32616