[Forensics-changes] [yara] 67/407: Improve atom quality calculation

Hilko Bengen bengen at moszumanska.debian.org
Sat Jul 1 10:28:10 UTC 2017


This is an automated email from the git hooks/post-receive script.

bengen pushed a commit to annotated tag v3.3.0
in repository yara.

commit c80a56bbc467d65f891a35fc2521cd0e75f5850a
Author: Victor Manuel Alvarez <vmalvarez at virustotal.com>
Date:   Thu Sep 25 19:51:08 2014 +0200

    Improve atom quality calculation
---
 libyara/atoms.c | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/libyara/atoms.c b/libyara/atoms.c
index e2f4702..3e5c185 100644
--- a/libyara/atoms.c
+++ b/libyara/atoms.c
@@ -89,10 +89,10 @@ will end up using the "Look" atom alone, but in /a(bcd|efg)h/ atoms "bcd" and
 //
 // Returns a numeric value indicating the quality of an atom. The quality
 // depends on some characteristics of the atom, including its length, number
-// of zeroes and number of unique distinct bytes. Atom 00 00 has a very low
-// quality, because it's only two bytes long and both bytes are zeroes. Atom
-// 01 01 01 01 is better but still not optimal, because the same byte is
-// repeated. Atom 01 02 03 04 is an optimal one.
+// of very common bytes like 00 and FF and number of unique distinct bytes.
+// Atom 00 00 has a very low quality, because it's only two bytes long and
+// both bytes are zeroes. Atom 01 01 01 01 is better but still not optimal,
+// because the same byte is repeated. Atom 01 02 03 04 is an optimal one.
 //
 // Args:
 //    uint8_t* atom   - Pointer to the atom's bytes.
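Review bot: the rewritten comment still illustrates the rule only with all-zero atoms even though the function now scores 0xFF the same way; a parallel example such as "Atom FF FF FF FF is as poor as 00 00 00 00" would let a reader of the comment learn the new rule without reading the code. Also "number of unique distinct bytes" is redundant; "number of distinct bytes" says the same thing.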
@@ -106,15 +106,15 @@ int _yr_atoms_quality(
     uint8_t* atom,
     int atom_length)
 {
-  int null_bytes = 0;
+  int common_bytes = 0;
   int unique_bytes = 0;
   int is_unique;
   int i, j;
 
   for (i = 0; i < atom_length; i++)
   {
-    if (atom[i] == 0)
-      null_bytes++;
+    if (atom[i] == 0x00 || atom[i] == 0xFF)
+      common_bytes++;
 
     is_unique = TRUE;
 
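Review bot: the set of "common" bytes is hard-coded inside the condition `if (atom[i] == 0x00 || atom[i] == 0xFF)`, so this line and the comment above the function have to be kept in sync by hand each time a byte is added. Factoring the test into one place (a small static predicate, or a 256-entry lookup table indexed by the byte value) would keep the definition in a single spot and make the list easy to extend and document. The rename from null_bytes to common_bytes matches the new meaning and reads correctly.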
@@ -129,7 +129,7 @@ int _yr_atoms_quality(
       unique_bytes += 1;
   }
 
-  return atom_length + unique_bytes - null_bytes;
+  return atom_length + unique_bytes - common_bytes;
 }
 
 //
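Review bot: because the penalty per common byte equals the credit per byte of length in `return atom_length + unique_bytes - common_bytes;`, the length term cancels for any atom made entirely of 00 and/or FF: 00 00 scores 2 + 1 - 2 = 1 and 00 00 00 00 scores 4 + 1 - 4 = 1, so a longer all-zero atom is no longer preferred over a shorter one, which contradicts the comment's statement that quality depends on length. If that is intended, say so in the comment; otherwise weight the common-byte penalty below the length credit so that length still breaks ties between otherwise equal atoms.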

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/forensics/yara.git
