
Add Support for Scanning Windows 64-bit process from 32-bit Processes in YARA #2072

Open
25077667 opened this issue Apr 30, 2024 · 3 comments

Comments

25077667 commented Apr 30, 2024

Description:
I am currently working with YARA for scanning memory blocks in processes, and I came across a limitation when attempting to use a 32-bit version of YARA (WoW64) to scan 64-bit processes. Specifically, I am concerned with how yr_process_get_next_memory_block handles memory queries and manipulations across different architecture boundaries.

// mbi.RegionSize can overflow address while scanning a 64-bit process

Request:
Is there a plan to add support for scanning 64-bit processes using a 32-bit version of YARA? This feature would be very useful for environments where deploying a 64-bit version is not feasible.
Or I could contribute this part of code.

Possible Issues Noted:

  • Handling of memory addresses and size calculations might cause overflows or improper memory block handling when a 32-bit version of YARA scans a 64-bit process.

Environment:

  • Windows 10 64-bit
  • YARA 32-bit version

Expected Outcome:
Support for scanning 64-bit processes with 32-bit YARA (WoW64), which would allow more flexible deployments and potentially improve performance in mixed-architecture environments.

Attachments:
None
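The overflow the report points at, shown as an added example that is not YARA's own code: a constructed region table stands in for VirtualQueryEx results, and the guarded successor computation stops the walk instead of wrapping back to low addresses when the caller's address width is 32 bits.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the two MEMORY_BASIC_INFORMATION fields a region
 * walk depends on (BaseAddress and RegionSize). Hypothetical, not YARA's type. */
typedef struct {
    uint64_t base_address;
    uint64_t region_size;
} region_t;

/* What a 32-bit build computes: SIZE_T and the pointer are 32 bits, so a
 * region that crosses the 4 GiB boundary wraps to a low address. */
uint32_t naive_next32(uint32_t base, uint32_t size)
{
    return base + size;     /* 0xFFFF0000 + 0x20000 wraps to 0x10000 */
}

/* Overflow-checked successor: returns false when base + size does not fit in
 * addr_bits bits, so the caller stops rather than re-scanning from the wrap. */
bool next_query_address(uint64_t base, uint64_t size, unsigned addr_bits, uint64_t *next)
{
    uint64_t limit = (addr_bits >= 64) ? UINT64_MAX : ((UINT64_C(1) << addr_bits) - 1);
    if (base > limit || size > limit - base)
        return false;
    *next = base + size;
    return true;
}

/* Walk the table the way a VirtualQueryEx loop would and return how many
 * regions were scanned before the guard (or the end of the table) stopped it. */
size_t walk_regions(const region_t *table, size_t n, unsigned addr_bits, uint64_t *stopped_at)
{
    size_t scanned = 0;
    for (size_t i = 0; i < n; i++) {
        uint64_t next;
        if (!next_query_address(table[i].base_address, table[i].region_size, addr_bits, &next)) {
            *stopped_at = table[i].base_address;   /* region does not fit the address width */
            return scanned;
        }
        scanned++;
    }
    *stopped_at = 0;
    return scanned;
}

/* Constructed sample: the third region straddles the 4 GiB boundary. */
const region_t sample_regions[3] = {
    { 0x00010000u, 0x0000F000u },
    { 0x7FFE0000u, 0x00010000u },
    { 0xFFFF0000u, 0x00020000u },
};
```

With 32-bit arithmetic the walk stops at the third region; with 64-bit arithmetic all three regions are scanned.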

25077667 (Author) commented

It appears that there is a similar issue reported previously which can be found here: Issue #1372.
However, there hasn't been any visible progress on that thread. Could we possibly get an update on any developments related to that issue? Understanding the progress there might provide some insights or solutions relevant to this current discussion as well. Thank you!

plusvic (Member) commented Apr 30, 2024

There's no plan to support WoW64 processes with 32-bit YARA. The whole process scanning feature is a bit unmaintained and there is very little testing for it.

I'm very curious about this use case, because it looks like a very uncommon one. Why are you able to use a 32-bit YARA, but not a 64-bit YARA, in a Windows 10 64-bit environment?

25077667 (Author) commented

> There's no plan to support WoW64 processes with 32-bit YARA. The whole process scanning feature is a bit unmaintained and there is very little testing for it.
>
> I'm very curious about this use case, because it looks like a very uncommon one. Why are you able to use a 32-bit YARA, but not a 64-bit YARA, in a Windows 10 64-bit environment?

Our product employs a 32-bit anti-malware engine specifically to support legacy systems. We use this configuration to ensure compatibility and provide malware detection capabilities even in older environments. The 32-bit process is also utilized in 64-bit Windows environments to maintain consistency across our deployments and to simplify our support structure for various system configurations. If there is interest in adding support for this feature in YARA, I am willing to assist in developing and implementing this enhancement.

25077667 changed the title from "Add Support for Scanning WoW64 from 32-bit Processes in YARA" to "Add Support for Scanning Windows 64-bit process from 32-bit Processes in YARA" on Apr 30, 2024