Hi Victor,

Yep, I wanted backreferences. Oh well.

Thanks,
Dan N

On Wed, Jun 23, 2021 at 1:24 PM Víctor Manuel Álvarez García <[email protected]> wrote:

> Bear in mind that capture groups are one thing and backreferences are
> another thing. For example:
>
> ([a-c])x\1x\1
>
> This regular expression matches strings like axaxa, bxbxb and cxcxc, the
> backreference \1 indicates that it should match the same string as the
> capture group number 1, which is the [a-c] inside the parentheses.
> Backreferences require capture groups, as they are the way in which you
> indicate which portion of the regular expression should be matched again,
> but you can have capture groups without using backreferences. In
> programming languages capture groups are useful for extracting certain
> parts from larger regular expressions.
>
> In the case of YARA I don't see how capture groups could be useful, unless
> they are used together with backreferences. But here goes the problem...
> backreferences can't be implemented in regular expression engines that are
> not based on recursive backtracking. PCRE is a regexp engine based on
> backtracking, RE2 is not based on backtracking, that's why PCRE supports
> backreferences and RE2 does not. Not using backtracking allows implementing
> faster engines, without pathologically bad regular expressions. The price
> to pay is that it will lack some features that backtracking-based engines
> can provide. YARA's regular expression engine is not based on backtracking
> and therefore has this same limitation, it was designed with performance in
> mind.
>
> So, what you are asking for is backreferences, it won't be supported and
> there's nothing to do about it. If you are asking for capture groups alone,
> some examples of how you would use them in YARA would be nice for
> understanding your use-case better.
>
> Related reading:
> https://swtch.com/~rsc/regexp/regexp1.html
> https://stackoverflow.com/questions/23968992/how-to-match-a-regex-with-backreference-in-go
>
> Regards,
> Víctor
>
> On Wed, Jun 23, 2021 at 5:39 PM Dan Nelson <[email protected]> wrote:
>
>> Hi All,
>>
>> I don't have any samples on me at the moment, but I've seen a bunch of
>> code obfuscation that capture groups would help with.
>> I'll let you know the next time I find an example where it would be useful.
>>
>> Thanks,
>> Dan N
>>
>> On Wednesday, June 23, 2021 at 6:25:26 AM UTC-4 [email protected] wrote:
>>
>>> I would also like to know which is the desired use of capture groups.
>>>
>>> On Tue, Jun 22, 2021 at 11:58 PM [email protected] <[email protected]>
>>> wrote:
>>>
>>>> Without details on the desired use of capture groups, this question is
>>>> difficult to answer. I recommend adding a detailed feature request that
>>>> includes one or more examples that fail to match the target file without a
>>>> capture group.
>>>>
>>>> YARA moved away from PCRE/RE2 in YARA 2.0, which also had a significant
>>>> performance increase.
>>>> https://github.com/VirusTotal/yara/tree/v2.0.0
>>>> https://www.youtube.com/watch?v=ApAFU5ROo10
>>>>
>>>> If you just want to remove parts of the matched string, that can be done
>>>> in yara-python. If you want to include the regexp with the capture group
>>>> in the rule itself, I'd recommend looking at how stoQ identifies the XOR
>>>> key with yarascan.
>>>>
>>>> On Tuesday, June 22, 2021 at 9:14:03 PM UTC+2 [email protected] wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> Is there a chance that capture groups will ever be implemented in yara?
>>>>>
>>>>> Thanks,
>>>>> Dan N

--
You received this message because you are subscribed to the Google Groups "YARA" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/yara-project/CACc5gQYdh9K81ed-7g9RKiv6BzD5o0aPz%3DzD1tAM1CqMxC9W%2Bw%40mail.gmail.com.
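
The following is an added example, not part of the thread and not YARA or yara-python code. It takes the `([a-c])x\1x\1` pattern from the thread and shows two ways to get the same matches without a backreference in the scanning pattern: post-filtering the hits of a looser, backreference-free pattern, and expanding the backreference into an alternation when the group's alphabet is finite. Python's `re` stands in for both stages; `SAMPLE` and all function names are constructed for illustration.

```python
from __future__ import annotations
import re

# The pattern from the thread: \1 must repeat what group 1 captured.
BACKREF = re.compile(rb"([a-c])x\1x\1")

# Backreference-free superset, expressible in an automaton-based engine.
# It also accepts mixed strings such as "axbxc". The lookahead wrapper is
# only used here to enumerate a candidate at every offset, so that an
# overlapping true match is not skipped.
SUPERSET = re.compile(rb"(?=([a-c]x[a-c]x[a-c]))")

# Constructed sample buffer (not real data).
SAMPLE = b"..axaxa..axbxc..cxcxc..axbxbxb.."


def candidates(data: bytes) -> list[tuple[int, bytes]]:
    """Stage 1: every offset where the loose pattern matches."""
    return [(m.start(), m.group(1)) for m in SUPERSET.finditer(data)]


def post_filter(data: bytes) -> list[tuple[int, bytes]]:
    """Stage 2: keep only candidates the backreference pattern confirms."""
    return [(off, s) for off, s in candidates(data) if BACKREF.fullmatch(s)]


def expand_backref(alphabet: bytes) -> re.Pattern:
    """Finite-alphabet case: enumerate each value the group can take,
    giving axaxa|bxbxb|cxcxc, which needs no backreference at all."""
    alts = []
    for c in alphabet:
        g = re.escape(bytes([c]))
        alts.append(g + b"x" + g + b"x" + g)
    return re.compile(b"|".join(alts))


if __name__ == "__main__":
    print("candidates :", candidates(SAMPLE))
    print("confirmed  :", post_filter(SAMPLE))
    print("expanded   :", expand_backref(b"abc").pattern)
```

The expansion grows with the size of the captured alphabet and the length of the group, so it is practical only for short groups over small character classes; the post-filter approach has no such limit but moves part of the match logic out of the rule.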
