Consolidate PRs into single branch#219
Merged
plusvic merged 10 commits intoVirusTotal:masterfrom Dec 12, 2022
Merged
Conversation
Extend the tuple that represents an instance of a match to include the xor key. This breaks all existing scripts that are unpacking the tuple, which I'm not very happy with. This also updates the submodule to use the latest master so that I can get the new xor key values. Also, adds a fix to get yara building here by defining BUCKETS_128 and CHECKSUM_1B as needed by the new tlsh stuff (discussed with @metthal).
Add a StringMatch object, which represents a matched string. It has an identifier member (this is the string identifier, eg: $a) and an instances member which contains a list of matched string instances. It also keeps track of the string flags internally but does not expose them directly as the string flags contain things that are internal to YARA (eg: STRING_FLAGS_FITS_IN_ATOM). The reason it keeps track of the string modifiers is so that it can be extended to allow users to take action based upon certain flags. For example, there is a "is_xor()" member on StringMatch which will return True if the string is using the xor modifier. This way users can call another method (discussed below) to get the plaintext string back. Add a StringMatchInstance object which represents an instance of a matched string. It contains the offset, matched data and the xor key used to match the string (this is ALWAYS set, even to 0 if the string is not an xor string). There is a "plaintext()" method on the StringMatchInstance objects which will return a new bytes object with the xor key applied. This allows users to do something like this: ``` print(instance.plaintext() if string.is_xor() else instance.matched_data) ``` Technically, the plaintext() method will return the matched_data if the xor_key is 0 so they don't need to do the conditional but this allows them a nice way to know if the xor_key is worth recording along with the plaintext. I decided not to implement richcompare for these new objects as it isn't entirely clear what I would want to do the comparison on.
Add a "matched_length" member to match instances. This is useful when the "matched_data" member is a subset of the actually matched data. Add a test for this that sets the max_match_data config to 2 and then checks to make sure the "matched_length" and "matched_data" members are correct.
Add support for getting the list of available modules. It is available just by
accessing the yara.modules attribute, which contains a list of available
modules.
>>> print('\n'.join(yara.modules))
tests
pe
elf
math
time
console
>>>
Note: This commit also brings in the necessary defines to build the authenticode
parser, which is also done in the xor_value branch. Also, this commit updates
the yara submodule which will likely overwrite the changes done in the xor_value
so I recommend updating the submodule after both are merged.
plusvic
approved these changes
Dec 8, 2022
plusvic
approved these changes
Dec 8, 2022
plusvic
reviewed
Dec 8, 2022
Member
There was a problem hiding this comment.
It's failing to pass the tests in Windows. The build fails with ...
c:\projects\yara-python\yara\libyara\tlshc\tlsh_impl.h(61): error C2065: 'TLSH_CHECKSUM_LEN': undeclared identifier
c:\projects\yara-python\yara\libyara\tlshc\tlsh_impl.h(61): error C2057: expected constant expression
c:\projects\yara-python\yara\libyara\tlshc\tlsh_impl.h(62): error C2229: struct '<unnamed-tag>' has an illegal zero-sized array
c:\projects\yara-python\yara\libyara\tlshc\tlsh_impl.h(72): error C2065: 'CODE_SIZE': undeclared identifier
c:\projects\yara-python\yara\libyara\tlshc\tlsh_impl.h(72): error C2057: expected constant expression
c:\projects\yara-python\yara\libyara\tlshc\tlsh_impl.h(81): error C2229: struct 'TlshImpl' has an illegal zero-sized array
The errors don't look related to this PR, it was failing with previous commits.
Contributor
Author
|
The compiler needs whatever the equivalent of |
plusvic
added a commit
that referenced
this pull request
Mar 31, 2023
The previous example was out of data due changes in the API implemented in version 4.3.0 (#219)
plusvic
added a commit
that referenced
this pull request
Mar 31, 2023
The previous example was out of data due changes in the API implemented in version 4.3.0 (#219)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR consolidates #217 (add a modules list to the yara object) and #210 (support xor_value in returned strings), to make merging them easier. The xor_value work is going to break a lot of existing scripts using yara-python as string matches are no longer returned as a tuple but instead have their own object. I think this is worth doing as it allows for better extensibility in the future.
It also updates the yara submodule to 65feb41d, which is the latest in master as of this writing.
I also fixed up a test that was broken after a change to non-ascii bytes in regex in yara.