
Posts by Wesley Shields

There is some sleeper work going on lately. The full warm build being one of them, for sure. ;)

1 week ago 0 0 0 0
Release v1.15.0 · VirusTotal/yara-x Add full support for WASM. The whole yara-x crate now can be built for WASM (#583, #588, #598). New playground at https://virustotal.github.io/yara-x/playground/ (#601). The yr check command now n...

github.com/VirusTotal/y... - congrats to all involved! These new features are really great!

1 week ago 4 1 1 0
Imphash implementation does not follow convention · Issue #141 · erocarrera/pefile https://www.mandiant.com/blog/tracking-malware-import-hashing/ Mandiant's imphash convention requires the following: Resolving ordinals to function names when they appear Converting both DLL names ...

Not so fun fact: The imphash implementation in pefile has diverged from the implementation in YARA and YARA-X... and any other one in the last 15 years. This has existed for 2 years and I'm pushing to get it reverted and a new pefile release made.

github.com/erocarrera/p...

1 week ago 3 0 0 0

I took this picture shortly after I started working there, in that exact building. I always guessed this sticker was from the Sun Microsystems days but can’t prove it.

2 weeks ago 0 0 0 0
Image: a man holding a banana says "pretty pretty pretty pretty pretty good"
2 weeks ago 0 0 0 0
fix: Properly handle multiple errors with the tag linter. by wxsBSD · Pull Request #614 · VirusTotal/yara-x When the tag linter comes across multiple errors only the first one is returned. This is due to an oversight in the API where we can only return a single error, not a vector of errors. I realize th...

It really annoyed me that we could not return multiple tag linter errors, but returned multiple errors for other linters. The root cause is kind of interesting. More importantly, I put up a fix for it: github.com/VirusTotal/y...

3 weeks ago 1 0 0 0
Image: two men are standing next to each other and one of them is wearing a shirt that says "nuts"

Two for one today! Added support for console.log(offset, length) to the console module in YARA-X, per the suggestion of a user. Makes it nicer to work with arbitrary sequences of bytes. Hopefully it makes it in the next release!

3 weeks ago 4 1 0 0

I've been struggling to find time to write code during the week, and I know I need to get better at that as I still very much enjoy contributing to this project. Anyways, here's the PR that adds the linter functionality the compiler has to the Python API:

github.com/VirusTotal/y...

3 weeks ago 0 0 0 0

I would not call them lower tier. Very prolific and effective at what they do, you just don’t hear about them because they tend to be very selective in targeting.

3 weeks ago 2 0 0 0
Image: a man in a suit and tie sits at a desk with the words "I don't even really work here" above him

One of those days. I have a bit of time to work on some code, so I start in on it. I quickly realize I want a feature that was added sometime after I started my branch. Fine, I pull it down into my repository BUT COMPLETELY FORGET TO REBASE MY WORK ON IT! Took me a solid 20 minutes of debugging.

4 weeks ago 1 0 0 1

So @tlansec.bsky.social asked about exposing the linter capabilities of `yr check` (sometimes called the "checker") in the python API. It is done modulo test cases and some minor tweaks to the API I'm considering to make it a bit nicer. PR up hopefully by the end of this weekend.

1 month ago 2 0 0 1

Next time I see you I’m going to refer to EVERY group as Lazarus. Even RU groups. You can hate me for it all you want but the trolling will be worth it.

1 month ago 2 1 1 0

Did some work to expose the functionality of the “yr check” command (what I call the linter) in the python bindings. The basic gist is done, just need to clean it up this weekend. Should have a PR up soon.

1 month ago 0 0 0 0

Victor just released v1.14.0 - improvements in macho module, tighter code generation in the compiler and the new “deps” command.

Congratulations to everyone involved!

github.com/VirusTotal/y...

1 month ago 4 2 0 0

Spent some time yesterday cleaning up my dependency graphing code for yara-x. No longer outputs graphviz. Instead it dumps an ascii tree. You can try it with “yr deps” in the next release.

1 month ago 3 0 0 0
Threats to the Defense Industrial Base | Google Cloud Blog The defense sector faces a relentless barrage of operations conducted by state-sponsored actors and criminal groups.

Some of the analysis I've done over the past few years is referenced in various places in this overview. I might be most happy that my sneaky reference to the time a half-dozen of us ate a Vermonster in a single attempt made it into the report. cloud.google.com/blog/topics/...

2 months ago 3 0 0 0

Haha! My son and I were just saying how this has been an insanely boring first half.

2 months ago 1 0 0 0
Release v1.13.0 · VirusTotal/yara-x Add crx and dex modules to Python invoke API (#534). Add Python API for specifying the metadata that should be passed to modules (6bebe34). Output filenames that need reformatting when using yr fm...

github.com/VirusTotal/y... - Once again, new release with some good bug fixes and nice improvements.

2 months ago 2 1 0 0
Release v1.12.0 · VirusTotal/yara-x Improvements in the parser to produce better Concrete Syntax Trees (#531, c46b3bd). BUGFIX: avoid panic when parsing some regular expressions (136ab9f).

YARA-X 1.12.0 is out. Some small bug fixes but still worth upgrading! Once again, congrats to Victor and the contributors as the project keeps getting better.

github.com/VirusTotal/y...

2 months ago 3 0 1 0
Release v1.11.0 · VirusTotal/yara-x Make the parser stricter (#502). Implement dex module (#458). Implement C api console log (#515). Implement permhash for the crx module (#510). Implement the imports() method for the Rules object i...

github.com/VirusTotal/y... - 1.11.0 is out! Lots of new features, modules and bug fixes. Read the release notes and congrats to Victor and the contributors!

3 months ago 7 3 0 0
Image: a man and a woman are standing next to each other and the woman is wearing a skeleton tank top.

I like that the rage amount is a constant 11 for a single laptop or a fleet of them.

3 months ago 1 0 0 0

Yeah, could be done.

3 months ago 1 0 0 0

To do what? Have the ability to write JS UDF?

3 months ago 0 0 1 0
Image: a close-up of a man's face in a car with a woman behind him.
3 months ago 0 0 1 0

One wheel Jesus was at the Christmas parade again. All praise be to one wheel Jesus and his crew.

4 months ago 0 0 0 0

I’m not judging (I am) but pantscon5 is the ideal situation.

Also, using this scale to describe level of formality for meetings at work (I already use it for non-work) is on my OKRs.

4 months ago 1 0 0 0

Please describe your requirement for the level of fancy using the pantscon scale: pantscon5.com

4 months ago 0 0 1 0
feat: More constraints on hashes by wxsBSD · Pull Request #509 · VirusTotal/yara-x The imphash implementation always returns a lowercase md5. This commit switches the type of the returned value so that it can be used to generate warnings. Warnings are now generated if you use an ...

Quality of life improvement for yara-x:

I realized the functions that output hash values do not have constraints on them like the hash module functions do. See virustotal.github.io/yara-x/blog/... for details on why this is useful to extend everywhere.

PR that fixes it: github.com/VirusTotal/y...

4 months ago 2 1 0 0
Release v1.10.0 · VirusTotal/yara-x New yr fix warnings command (#493). Generate more efficient WASM code for some expressions, reducing the size of compiled rules (5efc214, a865681). Improve the API for traversing the AST in DFS ord...

Yara-x 1.10.0 released today! It can now automatically fix some warnings, and some improvements in code generation. This is another great step forward for the project.

github.com/VirusTotal/y...

5 months ago 7 2 0 0

Yeah, same basic idea between us. Mine was the first thing that popped into my head with no actual optimizations to avoid “counting” - great minds think alike!

5 months ago 1 0 0 0