Bear in mind that capture groups are one thing and backreferences are
another thing. For example:

([a-c])x\1x\1

This regular expression matches strings like axaxa, bxbxb and cxcxc. The
backreference \1 indicates that it should match the same string as
capture group number 1, which is the [a-c] inside the parentheses.
Backreferences require capture groups, as they are the way in which you
indicate which portion of the regular expression should be matched again,
but you can have capture groups without using backreferences. In
programming languages capture groups are useful for extracting certain
parts from larger regular expressions.

In the case of YARA I don't see how capture groups could be useful, unless
they are used together with backreferences. But here goes the problem...
backreferences can't be implemented in regular expression engines that are
not based on recursive backtracking. PCRE is a regexp engine based on
backtracking; RE2 is not based on backtracking. That's why PCRE supports
backreferences and RE2 does not. Not using backtracking allows implementing
faster engines, without pathologically bad regular expressions. The price
to pay is that they lack some features that backtracking-based engines
can provide. YARA's regular expression engine is not based on backtracking
and therefore has this same limitation; it was designed with performance in
mind.

So, what you are asking for is backreferences; it won't be supported and
there's nothing to do about it. If you are asking for capture groups alone,
some examples of how you would use them in YARA would be nice for
understanding your use-case better.

Related reading:
https://swtch.com/~rsc/regexp/regexp1.html
https://stackoverflow.com/questions/23968992/how-to-match-a-regex-with-backreference-in-go


Regards,
Víctor

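To make the distinction above concrete, here is an added example (mine, not
part of the thread or of the YARA project). It shows the backreference
pattern from the message matching in a backtracking engine (Python's re),
then the practical workaround for a non-backtracking engine like YARA's:
when the captured group can only take a small, finite set of literals, the
backreference can be unrolled into a plain alternation, which YARA can
express. It also shows a capture group used purely for extraction in
post-processing, the yara-python approach mentioned earlier in the thread.
The sample strings and the `key=` marker are constructed for illustration;
the marker is hypothetical and stands in for whatever field a rule author
wants to pull out of a matched string.

```python
import re

# Constructed sample inputs, not taken from any real file.
SAMPLES = ["axaxa", "bxbxb", "cxcxc", "axbxc", "axaxb", "dxdxd", "ax", ""]

# The pattern from the message: needs backtracking because of \1.
BACKREF_PATTERN = re.compile(r"([a-c])x\1x\1")


def match_with_backreference(s):
    """True if the whole string matches ([a-c])x\\1x\\1 in a backtracking engine."""
    return BACKREF_PATTERN.fullmatch(s) is not None


def expand_backreferences(chars, template):
    """Unroll a backreference into an alternation with no backreferences.

    template uses '{g}' wherever the captured group or its backreference
    appears; one alternative is emitted per literal the group can take.
    The result is a regular language, so a non-backtracking engine such
    as YARA's can match it. This only scales when the group's alphabet is
    small: the alternation has len(chars) alternatives per independent group.
    """
    alternatives = [template.replace("{g}", re.escape(c)) for c in chars]
    return "(" + "|".join(alternatives) + ")"


def unrolled_alternative_count(chars, independent_groups):
    """Size of the alternation if several independent groups were unrolled."""
    return len(chars) ** independent_groups


UNROLLED = expand_backreferences("abc", "{g}x{g}x{g}")  # (axaxa|bxbxb|cxcxc)
UNROLLED_PATTERN = re.compile(UNROLLED)


def match_unrolled(s):
    """Same language as BACKREF_PATTERN, but without any backreference."""
    return UNROLLED_PATTERN.fullmatch(s) is not None


def equivalent_on(samples):
    """Check both formulations agree on every sample string."""
    return all(match_with_backreference(s) == match_unrolled(s) for s in samples)


def yara_rule_with_unrolled_regex(name, chars, template):
    """Emit YARA rule text carrying the unrolled, backreference-free regexp."""
    return (
        f"rule {name} {{\n"
        "  strings:\n"
        f"    $re = /{expand_backreferences(chars, template)}/\n"
        "  condition:\n"
        "    $re\n"
        "}"
    )


# Capture group WITHOUT a backreference: extraction in post-processing.
# 'key=' followed by two hex digits is a hypothetical marker, chosen only to
# illustrate pulling a field out of bytes that a YARA rule already matched.
KEY_PATTERN = re.compile(rb"key=([0-9a-f]{2})")


def extract_xor_key(matched_bytes):
    """Return the one-byte key captured by group 1, or None if absent."""
    m = KEY_PATTERN.search(matched_bytes)
    return None if m is None else int(m.group(1), 16)


if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:10} backref={match_with_backreference(s)} unrolled={match_unrolled(s)}")
    print(yara_rule_with_unrolled_regex("unrolled_backref", "abc", "{g}x{g}x{g}"))
    print(hex(extract_xor_key(b"\x00\x01key=5a\xff")))
```

The unrolling trick is only an option when the group ranges over a handful
of literals; with a class like `[0-9a-f]` and two independent groups the
alternation already has 256 branches, and with `.` or `\w` it is not
feasible at all, which is exactly the case the message says YARA cannot
serve.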
On Wed, Jun 23, 2021 at 5:39 PM Dan Nelson <[email protected]> wrote:

> Hi All,
>
> I don't have any samples on me at the moment, but I've seen a bunch of
> code obfuscation that capture groups would help with.
> I'll let you know the next time I find an example where it would be useful.
>
> Thanks,
> Dan N
>
>
> On Wednesday, June 23, 2021 at 6:25:26 AM UTC-4 [email protected] wrote:
>
>> I would also like to know which is the desired use of capture groups.
>>
>> On Tue, Jun 22, 2021 at 11:58 PM [email protected] <[email protected]>
>> wrote:
>>
>>> Without details on the desired use of capture groups, this question is
>>> difficult to answer.  I recommend adding a detailed feature request that
>>> includes one or more examples that fail to match the target file without a
>>> capture group.
>>>
>>> YARA moved away from PCRE/RE2 in YARA 2.0, which also had a significant
>>> performance increase.
>>> https://github.com/VirusTotal/yara/tree/v2.0.0
>>> https://www.youtube.com/watch?v=ApAFU5ROo10
>>>
>>> If you just want to remove parts of the matched string, that can be done in
>>> yara-python.  If you want to include the regexp with the capture group in
>>> the rule itself, I'd recommend looking at how stoQ identifies the XOR key
>>> with yarascan.
>>>
>>> On Tuesday, June 22, 2021 at 9:14:03 PM UTC+2 [email protected] wrote:
>>>
>>>> Hi,
>>>>
>>>> Is there a chance that capture groups will ever be implemented in yara?
>>>>
>>>> Thanks,
>>>> Dan N
>>>>
>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups "YARA" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to [email protected].
>>> To view this discussion on the web visit
>>> https://groups.google.com/d/msgid/yara-project/302fabc6-74f2-4a13-8733-d86b075405een%40googlegroups.com
>>> <https://groups.google.com/d/msgid/yara-project/302fabc6-74f2-4a13-8733-d86b075405een%40googlegroups.com?utm_medium=email&utm_source=footer>
>>> .
>>>
