Add Support for Scanning Windows 64-bit process from 32-bit Processes in YARA #2072
Comments
It appears that there is a similar issue reported previously which can be found here: Issue #1372.
There's no plan to support WoW64 processes with 32-bit YARA. The whole process scanning feature is a bit unmaintained and there's very little testing for it. I'm very curious about this use case, because it looks like a very uncommon one. Why are you able to use a 32-bit YARA, but not a 64-bit YARA in a Windows 10 64-bit environment?
Our product employs a 32-bit anti-malware engine specifically to support legacy systems. We use this configuration to ensure compatibility and provide malware detection capabilities even in older environments. The 32-bit process is also utilized in 64-bit Windows environments to maintain consistency across our deployments and to simplify our support structure for various system configurations. If there is interest in adding support for this feature in YARA, I am willing to assist in developing and implementing this enhancement.
Body
Description:
I am currently working with YARA for scanning memory blocks in processes, and I came across a limitation when attempting to use a 32-bit version of YARA (WoW64) to scan 64-bit processes. Specifically, I am concerned with how yr_process_get_next_memory_block handles memory queries and manipulations across different architecture boundaries.
yara/libyara/proc/windows.c, Line 151 in adf3dde
Request:
Is there a plan to add support for scanning 64-bit processes using a 32-bit version of YARA? This feature would be very useful for environments where deploying a 64-bit version is not feasible.
Or I could contribute this part of the code.
Possible Issues Noted:
Environment:
Expected Outcome:
Support for scanning 64-bit with 32-bit YARA (WoW64), which would allow more flexible deployments and potentially improve performance in mixed-architecture environments.
Attachments:
None