AutoIt Grammar

[coreng]

Hello everyone.

As many of you already know, AutoIt comes with somewhat of a downside, as mentioned here. I am currently working for an antivirus company and trust me when I say that we really go the extra mile to avoid false positives.

There is however one thing that's been slowing down our progress considerably -- we're missing the official grammar for AutoIt (i.e. we are trying to reconstruct the grammar from the documentation but the documentation is not sufficient to determinately define the language). This has the considerable impact that parsing AutoIt scripts for malware is not as reliable as it could and should be. It's not unlikely that there will be a wave of new false-positives in AutoIt scripts if there are errors in the grammar definition file.

I was wondering whether or not we could get a copy of AutoIt's grammar definition. Lex, YACC, Bison, whatever AutoIt uses will work.

Best regards

P.S. I tried emailing avsupport as suggested in compiled AutoIt binary files, but I have yet to receive a response.

[jpm]

Perhaps Jon can give you a copy of what is used in Au3Check as AutoIt is not based of stuff as Lex, YACC, bison ...

Edited June 25, 2014 by jpm

[coreng]

Perhaps Jon can give you a copy of what is used in Au3Check as AutoIt is not based of stuff as Lex, YACC, bison ...

 

That would be fantastic. As I mentioned earlier right now we're trying to base the grammar entirely on the documentation, so any official definition will allow us to create a 'proper' grammar file.

Edit/side question: Is Au3check capable of detecting syntax errors within EXECUTE? i.e. Execute(binarytostring("0x" & hex("In valid assignment = bla bla bla")))

Edited June 25, 2014 by coreng

[jpm]

Just try for execute(...) but I don't think so if it is a valid expression

Use the Scite editor to exercise the Au3check if you watto visualize easily the output

[jchd]

For Au3Check to determine validity of executed strings in the general case, it would require nothing less than executing the script since the argument can be any dynamically built expression, including function calls or return from external programs.

Validity check on only literal strings is probably beyond Au3Check goal and not worth the pain since:

1) fixed strings could be simple AutoIt expressions on their own: $a = Execute("$i+1") is equivalent to $a = $i+1

2) it could be circumvented very easily.

Edited June 25, 2014 by jchd

[coreng]

Hey guys, any chance for an update on this? Is there an easy way to get in touch with Jon regarding the grammar files?

[JohnOne]

You could leave your official company email address here.

[czardas]

I thank you for taking this initiative and hope that something positive comes from it. If you don't mind me asking, which AV company do you work for?

[coreng]

You could leave your official company email address here.

Throestur.Thorarensen (x) CYREN.com -- please be in touch.

(This should also address czardas' question).

Edited June 26, 2014 by coreng

[Richard Robertson]

Jon's usually pretty busy so give him a few business days.

It's nice to see an AV willing to process scripts instead of blindly locking all of them though.

[JohnOne]

Agreed.

[jpm]

Hey guys, any chance for an update on this? Is there an easy way to get in touch with Jon regarding the grammar files?

email him to support@autoitscript.com

[coreng]

Does he ever check any of his emails?

[Melba23]

coreng,

It can often take a while to contact him - and I know he is very busy at the moment. Please be patient - I will try and see if I can do anything.

M23

[Jon]

Emailed.