YARA-X’s 1.11.0 release brings a new feature: hash function warnings.
When you write a YARA rule to match a cryptographic hash (either the full file content or a part of it), what’s actually going on are string comparisons:
Function hash.sha256 returns a string (the hexadecimal SHA256 hash it calculated) and that is compared to a literal string that is the hash you want to find.
If you make a mistake in your literal string hash (for example: unintentionally add an extra space), then the match will fail.
But YARA-X will now show a warning like this:
Another example is where you mixup hashes: you provide a SHA1 literal string hash, and it should be a SHA256.
Â
Didier Stevens
Senior handler
blog.DidierStevens.com
