Diving in this deeper, per "String offsets or virtual addresses" the 
options for relative matches are the "at" and the "in" condition operators.

These could potentially work, but only limited expressions are allowed for 
the right hand argument.
As it shows on page #21 of the Yara manual, one can do: "$a in 
(entrypoint..entrypoint + 10)"
But then "$first and $v2 in ($first+4..$first+3000)" won't compile because 
Yara doesn't understand the right expression.
Apparently it can parse special builtin values like "entrypoint", just 
not any general expression.

Having familiarity with lexers, parsers, et al., it appears that at least 
one parser rule is missing.

On Saturday, March 12, 2022 at 1:21:11 AM UTC-5 Joe Neighbor wrote:

> Similar to the question asked below. I have a set of say four 32bit or 
> 64bit values and it should be a positive match if they are all within 3000 
> bytes of each other.
>
> In the YARA pdf manual under "Iterating over string occurrences" it looks 
> like this can be done but having trouble working this out, and so far have 
> found no example of its usage outside of the manual.
>
> If anyone has worked out this rule condition and/or can point me to a URL 
> with examples, please reply.
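As an added example (not from either poster), here is one way to express "four values all within 3000 bytes of each other" that compiles with current YARA. It uses the `@` offset operator and `#` occurrence count from the manual's "String offsets or virtual addresses" section together with the `for any` loop from "Iterating over string occurrences"; `$v1` by itself is only a boolean, whereas `@v1[i]` is an integer offset and is accepted on either side of `..` in an `in` range. The four byte patterns and the rule name are constructed placeholders.

```yara
rule four_values_within_3000_bytes
{
    strings:
        // Constructed sample values; substitute the real 32-bit/64-bit
        // constants (as little-endian hex) for the ones being hunted.
        $v1 = { 11 22 33 44 }
        $v2 = { 55 66 77 88 }
        $v3 = { AA BB CC DD }
        $v4 = { 01 02 03 04 }

    condition:
        // @v1[i] is the offset of the i-th occurrence of $v1 and #v1 is
        // how many times $v1 occurs. Treat each occurrence of $v1 as the
        // anchor and require the other three values to match somewhere in
        // the window [anchor, anchor + 3000].
        for any i in (1..#v1) : (
            $v2 in (@v1[i]..@v1[i] + 3000) and
            $v3 in (@v1[i]..@v1[i] + 3000) and
            $v4 in (@v1[i]..@v1[i] + 3000)
        )
}
```

Run it with `yara -s rule.yar sample.bin` to see which occurrences satisfied the window. The window is one-directional: it assumes `$v1` is the earliest of the four in the cluster. If the values may appear in any order, repeat the same loop with `$v2`, `$v3` and `$v4` as the anchor and join the four loops with `or`; whichever value happens to be leftmost in the cluster then anchors the match.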

You received this message because you are subscribed to the Google Groups 
"YARA" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/yara-project/ea5578d3-806d-4277-a817-c48182e11412n%40googlegroups.com.