Fix range length calculations and add more regex tests

mandiant · Aug 19, 2024 · 534ca84 · 534ca84
1 parent 784db2d
commit 534ca84
Show file tree

Hide file tree

Showing 2 changed files with 52 additions and 2 deletions.
diff --git a/objfile/patterns.go b/objfile/patterns.go
@@ -113,7 +113,7 @@ func RegexpPatternFromYaraPattern(pattern string) (*RegexAndNeedle, error) {
 				return nil, errors.New("[] didn't contain a dash")
 			}
 
-			lowInt, err := strconv.Atoi(low)
+			_, err := strconv.Atoi(low)
 			if err != nil {
 				return nil, errors.New("invalid number")
 			}
@@ -139,7 +139,7 @@ func RegexpPatternFromYaraPattern(pattern string) (*RegexAndNeedle, error) {
 
 			i += end + 1
 			resetNeedle()
-			sequenceLen = highInt - lowInt + 1
+			sequenceLen = highInt // pessimistic length
 			continue
 		}
 

diff --git a/objfile/patterns_test.go b/objfile/patterns_test.go
@@ -150,6 +150,14 @@ func TestRegexpPatternFromYaraPattern(t *testing.T) {
 			t.Errorf("incorrect pattern")
 		}
 
+		if reg.len != 72 {
+			t.Errorf("incorrect pattern length")
+		}
+
+		if reg.needleOffset != 61 {
+			t.Errorf("incorrect needle offset")
+		}
+
 		if !bytes.Equal(reg.needle, []byte{0x01, 0x00, 0x00, 0x8B}) {
 			t.Errorf("incorrect needle")
 		}
@@ -167,9 +175,17 @@ func TestRegexpPatternFromYaraPattern(t *testing.T) {
 			t.Errorf("incorrect pattern")
 		}
 
+		if reg.len != 20 {
+			t.Errorf("incorrect reg length")
+		}
+
 		if !bytes.Equal(reg.needle, []byte{0x41, 0xF9}) {
 			t.Errorf("incorrect needle")
 		}
+
+		if reg.needleOffset != 14 {
+			t.Errorf("incorrect needle offset")
+		}
 	})
 
 	t.Run("AllSubMatches", func(t *testing.T) {
@@ -182,6 +198,16 @@ func TestRegexpPatternFromYaraPattern(t *testing.T) {
 			t.Errorf("incorrect needle")
 		}
 
+		if reg.needleOffset != 2 {
+			// needle offset is pessimistic, AA ?? ?? == 3, we choose the range max
+			t.Errorf("incorrect needle offset")
+		}
+
+		if reg.len != 4 {
+			// length is also pessimistic
+			t.Errorf("incorrect pattern length")
+		}
+
 		matches := FindRegex([]byte{0xAA, 0xAA, 0xBB, 0xCC}, reg)
 		if len(matches) != 2 {
 			t.Errorf("Wrong sub match count")
@@ -210,9 +236,33 @@ func TestRegexpPatternFromYaraPattern(t *testing.T) {
 			t.Errorf("pattern errored")
 		}
 
+		if !bytes.Equal(reg.needle, []byte{0xAA, 0xBB, 0xCC}) {
+			t.Errorf("incorrect needle")
+		}
+
 		matches := FindRegex([]byte{0x0A, 0xAA, 0xBB, 0xCC, 0x0A, 0xAA, 0xBB, 0x00, 0xAA, 0xBB, 0xCC, 0x0A}, reg)
 		if len(matches) != 2 {
 			t.Errorf("Wrong match count")
 		}
 	})
+
+	t.Run("RangePatLength", func(t *testing.T) {
+		reg, err := RegexpPatternFromYaraPattern("{ ?? [0-50] 8B [8-12] AA (AA|CC|DD) }")
+
+		if err != nil {
+			t.Errorf("pattern errored")
+		}
+
+		if reg.len != 66 {
+			t.Errorf("incorrect pattern length")
+		}
+
+		if reg.needleOffset != 51 {
+			t.Errorf("incorrect needle offset")
+		}
+
+		if !bytes.Equal(reg.needle, []byte{0x8B}) {
+			t.Errorf("incorrect needle")
+		}
+	})
 }