Skip to content

Instantly share code, notes, and snippets.

Wesley Shields wxsBSD

Block or report user

Report or block wxsBSD

Hide content and notifications from this user.

Learn more about blocking users

Contact Support about this user’s behavior.

Learn more about reporting abuse

Report abuse
View GitHub Profile
View gist:2936585412fd57f039fd7ecd7b24cd1b
/*
* fmtid + 24 == number of property identifiers and offsets
* fmtid + 28 == start of property identifier and offsets (4 bytes each)
*/
rule test {
strings:
//$fmtid = { 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae }
$fmtid = { e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 }
$redacted_author = "REDACTED AUTHOR"
condition:
View yara-loop-optimization.md

I've been working on optimizing the YARA compiler to generate better bytecode for loops. The goal is to skip as much of loops as possible by not iterating further once the loop condition is met. Here's the rule I'm using. Completely contrived and excessive, but it's to show the performance improvement:

wxs@wxs-mbp yara % cat rules/test.yara
rule a {
  condition:
    for any i in (0..100000000): (i == 1)
}
wxs@wxs-mbp yara %
View yara-loop-optimization-details.md

YARA Loop Optimization Details

Let's look at the bytecode without my optimizations. Before we do that let's set some terminology, because I find it easier to use names compared YARA VM memory locations. These are the names I've mostly borrowed from the comments in the grammar:

  • memory 0: lower bound
  • memory 1: boolean_expression accumulator
  • memory 2: iteration counter
  • memory 3: upper bound

We'll be using this rule for the first example:

View keybase.md

Keybase proof

I hereby claim:

  • I am wxsbsd on github.
  • I am wxs (https://keybase.io/wxs) on keybase.
  • I have a public key whose fingerprint is 96D1 2E6B F61C 2F3D 83EF 8F0B BE54 310C 17F0 AA37

To claim this, I am signing this object:

You can’t perform that action at this time.