Change to get_value_str() to escape regexes broke capa2yara.py #1909

Open
@ruppde

Description

With 58e94a3 the regexes returned by get_value_str() are escaped, which breaks e.g.

bytesv = kid.get_value_str()

Steps to Reproduce

Run

python ./scripts/capa2yara.py  rules/host-interaction/file-system/reference-absolute-stream-path-on-windows.yml 2>&1 |grep x5D

The 2nd line shows the regex escaped, which is of no use in yara:

...
INFO:capa2yara:doing kids: [regex(string =~ /^(\\\\\?\\)?([\w]\:|\\)(\\((?![\<\>\"\/\|\*\?\:\\])[\x20-\x5B\x5D-\x7E])+)+\:\$?[a-zA-Z0-9_]+/)] - len: 1
INFO:capa2yara:doing regex: '/^(\\\\\\\\\\\\\\\\\\\\?\\\\\\\\)?([\\\\w]\\\\:|\\\\\\\\)(\\\\\\\\((?![\\\\<\\\\>\\\\\\"\\\\/\\\\|\\\\*\\\\?\\\\:\\\\\\\\])[\\\\x20-\\\\x5B\\\\x5D-\\\\x7E])+)+\\\\:\\\\$?[a-zA-Z0-9_]+/'
...

Expected behavior:

No escaping

Actual behavior:

See above

Versions

Most recent GitHub version

Additional Information

How should we fix this? Introduce another function which returns the regex unescaped?

(capa2yara.py is the only script in scripts/ which uses the function, so shouldn't have broken more)
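
The failure mode reported above, as an added example that is not capa's code and not part of the original report: a regex escaped for display no longer behaves like the rule's regex, so a converter needs the unescaped pattern. `RegexFeature`, `get_raw_value()` and `escape_for_display()` are hypothetical names, the backslash doubling is an assumed stand-in for the display escaping, and the sample paths are constructed.

```python
import re

# Pattern as printed between the slashes in the first INFO line of the report.
RULE_REGEX = r'^(\\\\\?\\)?([\w]\:|\\)(\\((?![\<\>\"\/\|\*\?\:\\])[\x20-\x5B\x5D-\x7E])+)+\:\$?[a-zA-Z0-9_]+'

# Constructed samples: two paths with a stream name, one without.
SAMPLES = [
    r"C:\Users\a\report.txt:Zone",
    r"\\?\C:\dir\file.bin:$DATA",
    r"C:\Users\a\report.txt",
]


def escape_for_display(s):
    """Assumed stand-in for display escaping: double every backslash."""
    return s.replace("\\", "\\\\")


class RegexFeature:
    """Hypothetical feature object; only get_value_str() is named in the report."""

    def __init__(self, pattern):
        self.value = pattern

    def get_value_str(self):
        # Safe to print or log, but no longer the same regex.
        return escape_for_display(self.value)

    def get_raw_value(self):
        # Hypothetical accessor: the pattern exactly as written in the rule.
        return self.value


def matches(pattern, text):
    """True if pattern matches at the start of text; an uncompilable pattern matches nothing."""
    try:
        return re.match(pattern, text) is not None
    except re.error:
        return False


def same_behaviour(candidate, reference, samples):
    """Regression check: candidate must agree with reference on every sample."""
    return all(matches(candidate, s) == matches(reference, s) for s in samples)


feature = RegexFeature(RULE_REGEX)
print("raw value preserved:    ", same_behaviour(feature.get_raw_value(), RULE_REGEX, SAMPLES))
print("escaped value preserved:", same_behaviour(feature.get_value_str(), RULE_REGEX, SAMPLES))
```

A check of this kind in a converter's test suite flags the regression as soon as the display string is fed to the output rule.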
