To answer my own question (I try not to make a habit of it). For anyone trying to do this or similar, I ended up adding a custom "module" to libyara. See "Writing your own modules" in the Yara manual.

On Sunday, March 13, 2022 at 1:26:57 AM UTC-5 Joe Neighbor wrote:

> Diving into this deeper, per "String offsets or virtual addresses" the options for relative matches are the "at" and the "in" condition operators.
>
> These could potentially work, but only limited expressions are allowed for the right-hand argument.
> As it shows on page #21 of the Yara manual, one can do: "$a in (entrypoint..entrypoint + 10)"
> But then "$first and $v2 in ($first+4..$first+3000)" won't compile because Yara doesn't understand the right expression.
> Apparently it can parse special builtin values like "entrypoint", just not any general expression.
>
> Having familiarity with lexers, parsers, et al, it appears that at least one parser rule is missing.
>
> On Saturday, March 12, 2022 at 1:21:11 AM UTC-5 Joe Neighbor wrote:
>
>> Similar to the question asked below. I have a set of, say, four 32-bit or 64-bit values and it should be a positive match if they are all within 3000 bytes of each other.
>>
>> In the YARA pdf manual under "Iterating over string occurrences" it looks like this can be done, but I am having trouble working this out, and so far have found no example of its usage outside of the manual.
>>
>> If anyone has worked out this rule condition and/or can point me to a URL with examples, please reply.
>

--
You received this message because you are subscribed to the Google Groups "YARA" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/yara-project/34c760d7-b387-42f9-8627-9629c6c7fc52n%40googlegroups.com.
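An added example, not from the thread or the YARA project, of the "all within 3000 bytes of each other" condition written in plain YARA rule syntax with no custom module: the bounds of an `in` range accept offset expressions such as `@v1[i]` (the `@` offset of the i-th occurrence, as in the manual's "Iterating over string occurrences" section), and anchoring on each string in turn keeps the check symmetric. The four hex patterns are constructed placeholders, not real indicators.

```yara
// Added example. "All within 3000 bytes of each other" means the span from
// the earliest hit to the latest is at most 3000 bytes, so the rule treats
// each string in turn as the earliest one and requires the other three to
// appear in the 3000-byte window that follows that occurrence.
rule four_values_within_3000
{
    strings:
        $v1 = { 11 22 33 44 }   // constructed 32-bit sample values
        $v2 = { 55 66 77 88 }
        $v3 = { 99 AA BB CC }
        $v4 = { DD EE FF 00 }

    condition:
        // $v1 is the earliest hit; @v1[i] is the offset of its i-th occurrence
        for any i in (1..#v1) : (
            $v2 in (@v1[i]..@v1[i] + 3000) and
            $v3 in (@v1[i]..@v1[i] + 3000) and
            $v4 in (@v1[i]..@v1[i] + 3000)
        ) or
        // $v2 is the earliest hit
        for any i in (1..#v2) : (
            $v1 in (@v2[i]..@v2[i] + 3000) and
            $v3 in (@v2[i]..@v2[i] + 3000) and
            $v4 in (@v2[i]..@v2[i] + 3000)
        ) or
        // $v3 is the earliest hit
        for any i in (1..#v3) : (
            $v1 in (@v3[i]..@v3[i] + 3000) and
            $v2 in (@v3[i]..@v3[i] + 3000) and
            $v4 in (@v3[i]..@v3[i] + 3000)
        ) or
        // $v4 is the earliest hit
        for any i in (1..#v4) : (
            $v1 in (@v4[i]..@v4[i] + 3000) and
            $v2 in (@v4[i]..@v4[i] + 3000) and
            $v3 in (@v4[i]..@v4[i] + 3000)
        )
}
```

Each branch only succeeds when all four strings are present, so no separate `all of ($v*)` check is needed; with 64-bit values the same structure applies with 8-byte hex patterns.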
