Allow hexstring not operator to be used with wild-cards (VirusTotal#1680

)
seonar22 · Apr 15, 2022 · 2f96c5a · 2f96c5a
1 parent af773eb
commit 2f96c5a
Show file tree

Hide file tree

Showing 10 changed files with 634 additions and 696 deletions.
diff --git a/docs/writingrules.rst b/docs/writingrules.rst
@@ -175,14 +175,16 @@ that you can use the not operator with a byte value:
     {
         strings:
             $hex_string = { F4 23 ~00 62 B4 }
-
+            $hex_string2 = { F4 23 ~?0 62 B4 }
         condition:
-            $hex_string
+            $hex_string and $hex_string2
     }
 
 In the example above we have a byte prefixed with a tilda (~), which is the not operator.
 This defines that the byte in that location can take any value except the value specified.
-In this case the string will only match if the byte is not 00.
+In this case the first string will only match if the byte is not 00. The not operator can
+also be used with nibble-wise wild-cards, so the second string will only match if the
+second nibble is not zero. It doe 
 
 Wild-cards and not operators are useful when defining strings whose content can vary but you know
 the length of the variable chunks, however, this is not always the case. In some

diff --git a/libyara/atoms.c b/libyara/atoms.c
@@ -1143,6 +1143,7 @@ static int _yr_atoms_extract_from_re(
       case RE_NODE_WORD_BOUNDARY:
       case RE_NODE_NON_WORD_BOUNDARY:
       case RE_NODE_NOT_LITERAL:
+      case RE_NODE_MASKED_NOT_LITERAL:
 
         si.new_appending_node = current_appending_node;
         si.re_node = NULL;