YARA-X’s 1.11.0<\/a> release brings a new feature: hash function warnings.<\/p>\n When you write a YARA rule to match a cryptographic hash (either the full file content or a part of it), what’s actually going on are string comparisons:<\/p>\n Function hash.sha256 returns a string (the hexadecimal SHA256 hash it calculated) and that is compared to a literal string that is the hash you want to find.<\/p>\n If you make a mistake in your literal string hash (for example: unintentionally add an extra space), then the match will fail.<\/p>\n But YARA-X will now show a warning like this:<\/p>\n Another example is where you mixup hashes: you provide a SHA1 literal string hash, and it should be a SHA256.<\/p>\n \u00a0<\/p>\n Didier Stevens (c) SANS Internet Storm Center. https:\/\/isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.<\/p><\/div>\n \t![\"\"](\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/20260111-120140.png?ssl=1\")
<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/20260111-120202.png?ssl=1\")
<\/p>\n
\nSenior handler
\nblog.DidierStevens.com<\/a><\/p>\n
\n
<\/BR><\/p>\n