Compile YARA rules to test against files or strings
Project description
A powerful python wrapper for libyara.
Why:
ctypes releases the GIL on system function calls… Run your PC to its true potential.
No more building the PyC extension…
I found a few bugs and memory leaks and wanted to make my life simple.
For tips / tricks with this wrapper feel free to post a question here.
[mjdorma+yara-ctypes@gmail.com]
What is included
yara folder:
scan.py - Command line interface tool for yara scanning files and processes
rules.py - Context manager and interface to libyara.py. Also includes a main to demonstrate how simple it is to build a rules object than scan.
./rules/ - default yar rules path… Demonstrates how to store yar files with the opened ‘example’ yars and ‘hbgary’ yars…
test folder:
libyara_wrapper.py - Wraps the libyara library file
test_libyara.py / test_yara.py
libs folder: contains precompiled libyara files (make shipping easier)
Install and test
Simply run the following:
> python setup.py install > python setup.py test > python -m yara.scan -h
If the package does not contain a pre-compiled libyara library for your platform you need to build and install it. (see libyara build notes)
libyara build notes
A rough build guide - my notes
Ubuntu pre-requisites:
> sudo apt-get install flex libpcre3-dev pcre bison > cd $ROOTDIR/yara-1.6/ > aclocal > automake -ac > autoheader > autoconf > ./configure make install
Windows pre-requisites:
> install mingw32 > pcre-8.20 builds fine... ./configure && make install > autoreconf -fiv # force an autoreconf (or update/replace libtools m4) > install build auto tools (including autoconf autogen) > find the latest pcre and bison - build them! :P > cd $ROOTDIR/yara-1.6/ > ./configure > make install
Note:
1. Make sure the libyara.so or libyara-0.dll can be found!
Windows:
<python install dir>\DLLs (or sys.prefix + 'DLLs')
Linux:
<python env usr root>/lib (or sys.prefix + 'lib'
2. Make sure the libraries were built for the target platform (64 vs 32)
import platform
print platform.architecture()
Mod to yara-1.6
See: http://yara-project.googlecode.com/svn/tags/yara-1.6.0
Modification of libyara (yara-1.6) to allow cleanup of search results:
>>>yara.h<<<
+ void yr_free_matches(YARA_CONTEXT* context);
>>>libyara.c<<<
+ void yr_free_matches(YARA_CONTEXT* context)
+ {
+ RULE* rule;
+ STRING* string;
+ MATCH* match;
+ MATCH* next_match;
+ rule = context->rule_list.head;
+ while (rule != NULL)
+ {
+ string = rule->string_list_head;
+
+ while (string != NULL)
+ {
+ match = string->matches_head;
+ while (match != NULL)
+ {
+ next_match = match->next;
+ yr_free(match->data);
+ yr_free(match);
+ match = next_match;
+ }
+ string->matches_head = NULL;
+ string->matches_tail = NULL;
+ string = string->next;
+ }
+ rule = rule->next;
+ }
+ }
Rules Folder
Example rules folder:
./rules/hbgary/libs.yar ./rules/hbgary/compression.yar ./rules/hbgary/fingerprint.yar ./rules/hbgary/microsoft.yar ./rules/hbgary/sockets.yar ./rules/hbgary/integerparsing.yar ./rules/hbgary/compiler.yar ./rules/hbgary/antidebug.yar ./rules/example/packer_rules.yar Building a Rules object using yara.load_rules() will load all of the above yar files into the following namespaces:: hbgary.libs hbgary.compression hbgary.fingerprint hbgary.microsoft hbgary.sockets hbgary.integerparsing hbgary.compiler hbgary.antidebug example.packer_rules
Performing a scan
Simply kick off the scan module as main with -h to see how to run a scan:
> python -m yara.scan -h
List available modules:
> python -m yara.scan --list
Rules + hbgary.compiler
+ example.packer_rules
+ hbgary.sockets
+ hbgary.libs
+ hbgary.compression
+ hbgary.fingerprint
+ hbgary.integerparsing
+ hbgary.antidebug
+ hbgary.microsoft
> python -m yara.scan --list --whitelist=hbgary
Rules + hbgary.compiler
+ hbgary.sockets
+ hbgary.libs
+ hbgary.compression
+ hbgary.fingerprint
+ hbgary.integerparsing
+ hbgary.antidebug
+ hbgary.microsoft
Scan a process:
> ps
PID TTY TIME CMD
6975 pts/7 00:00:05 bash
13479 pts/7 00:00:00 ps
> sudo python -m yara.scan --proc 6975 > result.out
Rules + hbgary.compiler
+ example.packer_rules
+ hbgary.sockets
+ hbgary.libs
+ hbgary.compression
+ hbgary.fingerprint
+ hbgary.integerparsing
+ hbgary.antidebug
+ hbgary.microsoft
scan queue: 0 result queue: 0
scanned 1 items... done.
> ls -lah result.out
-rw-rw-r-- 1 mick mick 222K Sep 1 17:36 result.out
Scan files:
> sudo python -m yara.scan /usr/bin/ > result.out
Rules + hbgary.compiler
+ example.packer_rules
+ hbgary.sockets
+ hbgary.libs
+ hbgary.compression
+ hbgary.fingerprint
+ hbgary.integerparsing
+ hbgary.antidebug
+ hbgary.microsoft
scan queue: 0 result queue: 0
scanned 1518 items... done.
> ls -lah result.out
-rw-rw-r-- 1 mick mick 17M Sep 1 17:37 result.out
Compatability
yara-ctypes is implemented to be compatible with Python 2.6+ and Python 3.x. It has been tested against the following Python implementations:
Ubuntu 12.04:
CPython 2.7 (32bit, 64bit)
CPython 3.2 (64bit)
Ubuntu 11.10 
CPython 2.6 (32bit)
CPython 2.7 (32bit)
CPython 3.2 (32bit)
PyPy 1.9.0 (32bit)
Windows 7:
CPython 2.6 (32bit)
CPython 3.2 (32bit)
Continuous integration testing is provided by Travis CI.
Issues
Source code for yara-ctypes is hosted on GitHub. Please file bug reports with GitHub’s issues system.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
File details
Details for the file yara-1.6.0.zip.
File metadata
- Download URL: yara-1.6.0.zip
- Upload date:
- Size: 345.4 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | b3de0bda5694baea7c561226b15c5bf09b8a620cabefc24297bb635f0ce5a302 |
|
| MD5 | 3325f920d1501124fd1a0dd86e7cd154 |
|
| BLAKE2b-256 | 572c73b14598936c683cea0f9f492e3a05df6ea541e6e877f86f34eae963a999 |
