diff --git a/objfile/patterns.go b/objfile/patterns.go
index 613ba53..53aeb51 100644
--- a/objfile/patterns.go
+++ b/objfile/patterns.go
@@ -207,6 +207,24 @@ func RegexpPatternFromYaraPattern(pattern string) (*RegexAndNeedle, error) {
 continue
 }
+ // input: ~AB
+ // output: [^\xAB]
+ if c == "~" {
+ if len(pattern) < i+3 {
+ return nil, errors.New("incomplete negated byte")
+ }
+ e := pattern[i+2 : i+3]
+
+ regex_pattern += "[^"
+ regex_pattern += `\x` + strings.ToUpper(d+e)
+ regex_pattern += "]"
+
+ i += 3
+ resetNeedle()
+ sequenceLen = 1
+ continue
+ }
+
 return nil, errors.New("unexpected value")
 }
@@ -229,15 +247,15 @@ func FindRegex(data []byte, regexInfo *RegexAndNeedle) []int {
 for _, needleMatch := range needleMatches {
 // adjust the window to the pattern start and end
 data_start := needleMatch - regexInfo.needleOffset
- data_end := needleMatch + regexInfo.len - regexInfo.needleOffset
+ data_end := data_start + regexInfo.len
 if data_start >= data_len {
 continue
- } else if data_start <= 0 {
+ }
+ if data_start < 0 {
 data_start = 0
 }
-
- if data_end >= data_len {
- data_end = data_len - 1
+ if data_end > data_len {
+ data_end = data_len
 }
 // do the full regex scan on a very small chunk
diff --git a/objfile/patterns_test.go b/objfile/patterns_test.go
index 94a6bd4..7e736ab 100644
--- a/objfile/patterns_test.go
+++ b/objfile/patterns_test.go
@@ -146,7 +146,7 @@ func TestRegexpPatternFromYaraPattern(t *testing.T) {
 }
 // manually translated
- if reg.rawre != `\x8D.....\xEB..{0,50}\x8B..\x01\x00\x00\x8B...\x85.\x75.` {
+ if reg.rawre != `\x8D.....\xEB..{0,50}?\x8B..\x01\x00\x00\x8B...\x85.\x75.` {
 t.Errorf("incorrect pattern")
 }
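Review bot: The new `~` branch in RegexpPatternFromYaraPattern never checks that `d` and `e` are hex digits before emitting `[^\xDE]`, so input such as `~?F` or `~ZZ` produces a regex string with an invalid `\x` escape instead of a parse error at this point. `d` is assigned outside the hunk and may be validated for other branches, but nothing visible covers this one. Rejecting early keeps a malformed signature from surfacing later as an unrelated compile failure: `if _, err := hex.DecodeString(d + e); err != nil { return nil, errors.New("invalid negated byte") }` (needs `encoding/hex`). The function starts and ends outside the hunk.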
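Review bot: The clamped window in FindRegex still relies on `0 <= regexInfo.needleOffset < regexInfo.len`. If that invariant is ever broken, `data_end` can be negative or at or below `data_start` once `data_start` has been clamped to 0, and the slice taken after this hunk (presumably `data[data_start:data_end]`) would then panic or scan nothing. A guard after the two clamps makes the loop safe on its own: `if data_end <= data_start { continue }`. The loop body continues outside the hunk, so the exact slice expression is not visible here.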
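Review bot: The test change in patterns_test.go only updates one expected string, so neither behaviour introduced in patterns.go is covered. A case translating `~AB` to `[^\xAB]`, one for the "incomplete negated byte" error, and a FindRegex case whose match ends on the last byte of `data` would pin the corrected end clamp and guard against a regression that silently misses signatures. The failure message would also be more useful if it printed the value, for example `t.Errorf("rawre = %q", reg.rawre)`. The test function starts and ends outside the hunk.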