Story

I'm integrating the Yara-x rules engine into my C# hex editor. I'm working to maximize the performance and efficiency of the integration. I'd like to ask your opinion about this. I personally made this decision to expand the functionality of my hex editor by adding Yara-x support. This allows me to search for signatures in binary files in more detail. I think viewing the entire byte grid can help in malware research.

I implemented this using memory mapping files. I also divided the scanning methods into modes: small files are mapped completely, while large files are scanned in 16MB chunks with a small 64KB overlay to prevent a situation where half the signature is in one chunk and half is in another. I also used smarter memory management for performance with large files. Documentation is in the readme. But in short, this is an implementation that doesn't overload the garbage collector in C# and handles unsafe pointers and raw memory addresses. What's important is that I now have protection against bad rules that, for example, search for any byte, overloading the scanner. Such rules won't work, and the scanner will stop scanning so that the scanner doesn't crash with an error.

I can't say right now that this tool could be better than the others, because it's currently in development and I still have room for improvement, but it would be cool to hear people's opinions or accept other people's ideas for improving the tool.

(The native version with Yarax is not yet available in current releases, but the source code is available and you can compile or read it yourself.)