yara 1.5.0 → 1.6.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- data/History.txt +6 -1
- data/VERSION +1 -1
- data/ext/yara_native/Match.c +3 -0
- data/ext/yara_native/Match.h +1 -1
- data/samples/flashfinder +70 -0
- metadata +11 -19
data/History.txt
CHANGED
@@ -1,7 +1,12 @@
|
|
1
|
+
== 1.6.0 /2011-08-26
|
2
|
+
* Version 1.6.0 supports yara 1.6 - (backward compatible with yara v1.5)
|
3
|
+
* Note: Nothing actually changed in the API for yara 1.6, we are just keeping
|
4
|
+
step with yara's version numbers.
|
5
|
+
|
1
6
|
== 1.5.0 /2011-04-18
|
2
7
|
* Version 1.5.0 supports yara 1.5 - it is not backward compatible
|
3
8
|
|
4
|
-
== 1.4.
|
9
|
+
== 1.4.4 / 2011-04-11
|
5
10
|
* Support optional namespaces when calling compile_file or compile_string
|
6
11
|
* Better yardoc tags
|
7
12
|
|
data/VERSION
CHANGED
@@ -1 +1 @@
|
|
1
|
-
1.
|
1
|
+
1.6.0
|
data/ext/yara_native/Match.c
CHANGED
data/ext/yara_native/Match.h
CHANGED
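--- a/data/samples/flashfinder
+++ b/data/samples/flashfinder
@@ -0,0 +1,70 @@
+#!/usr/bin/env ruby
+# Simple yara-ruby script to extract SWF files from raw blobs
+#
+# yara-ruby - Ruby bindings for the yara malware analysis library.
+# Eric Monti
+# Copyright (C) 2011 Trustwave Holdings
+#
+# This program is free software: you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation, either version 3 of the License, or (at your
+# option) any later version.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+$: << File.join(File.dirname(__FILE__), '..', 'lib')
+require 'yara'
+require 'pp'
+
+ctx = Yara::Rules.new
+ctx.compile_string <<_EOF_
+rule fws
+{
+meta:
+desc = "SWF file"
+ext = "swf"
+strings: $a = { 46 57 53 }
+condition: $a
+}
+
+rule cws
+{
+meta:
+desc = "Compressed SWF file"
+ext = "swf"
+strings: $a = { 43 57 53 }
+condition: $a
+}
+
+_EOF_
+
+
+ARGV.each do |fname|
+begin
+file = File.new(fname, 'rb')
+ctx.scan_file(fname).each do |match|
+match.strings.each do |string|
+file.pos = string.offset
+hdr = file.read(8)
+
+magic, vers, len = hdr.unpack("A3CV")
+
+outf = "#{fname}_%0.8x.#{match.meta['ext']}" % string.offset
+STDERR.puts "Found #{match.meta['desc']} version #{vers} in #{fname.inspect} @0x#{string.offset.to_s(16)} - writing to #{outf.inspect}"
+
+File.open(outf, 'wb') do |out|
+out.write hdr
+out.write file.read(len-8)
+end
+end
+end
+ensure
+file.close if file
+end
+end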
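Review bot: `len` on line 56 is taken straight from the scanned blob's header, so on line 63 `file.read(len-8)` raises ArgumentError for any hit whose length field is below 8, and a header truncated by end of file (fewer than 8 bytes after the match offset) leaves `len` nil and raises NoMethodError; in both cases the exception passes through the `begin`/`ensure` on lines 49-69 and aborts the whole run instead of skipping that hit. A guard after the unpack, `next unless hdr && hdr.bytesize == 8` followed by `next if len < 8`, lets one corrupt or false-positive match be skipped while the remaining hits and files are still processed. As far as I recall the length field of a compressed (CWS) header is the uncompressed size, so for the `cws` rule `len-8` presumably does not bound the compressed stream correctly; that deserves a comment or a separate cap. `magic` on line 56 and `require 'pp'` on line 23 are unused.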
metadata
CHANGED
@@ -4,9 +4,9 @@ version: !ruby/object:Gem::Version
|
|
4
4
|
prerelease: false
|
5
5
|
segments:
|
6
6
|
- 1
|
7
|
-
-
|
7
|
+
- 6
|
8
8
|
- 0
|
9
|
-
version: 1.
|
9
|
+
version: 1.6.0
|
10
10
|
platform: ruby
|
11
11
|
authors:
|
12
12
|
- Eric Monti
|
@@ -14,13 +14,13 @@ autorequire:
|
|
14
14
|
bindir: bin
|
15
15
|
cert_chain: []
|
16
16
|
|
17
|
-
date: 2011-
|
17
|
+
date: 2011-08-26 00:00:00 -05:00
|
18
18
|
default_executable:
|
19
19
|
dependencies:
|
20
20
|
- !ruby/object:Gem::Dependency
|
21
21
|
name: rspec
|
22
|
+
prerelease: false
|
22
23
|
requirement: &id001 !ruby/object:Gem::Requirement
|
23
|
-
none: false
|
24
24
|
requirements:
|
25
25
|
- - ~>
|
26
26
|
- !ruby/object:Gem::Version
|
@@ -30,12 +30,11 @@ dependencies:
|
|
30
30
|
- 0
|
31
31
|
version: 2.3.0
|
32
32
|
type: :development
|
33
|
-
prerelease: false
|
34
33
|
version_requirements: *id001
|
35
34
|
- !ruby/object:Gem::Dependency
|
36
35
|
name: yard
|
36
|
+
prerelease: false
|
37
37
|
requirement: &id002 !ruby/object:Gem::Requirement
|
38
|
-
none: false
|
39
38
|
requirements:
|
40
39
|
- - ~>
|
41
40
|
- !ruby/object:Gem::Version
|
@@ -45,12 +44,11 @@ dependencies:
|
|
45
44
|
- 0
|
46
45
|
version: 0.6.0
|
47
46
|
type: :development
|
48
|
-
prerelease: false
|
49
47
|
version_requirements: *id002
|
50
48
|
- !ruby/object:Gem::Dependency
|
51
49
|
name: bundler
|
50
|
+
prerelease: false
|
52
51
|
requirement: &id003 !ruby/object:Gem::Requirement
|
53
|
-
none: false
|
54
52
|
requirements:
|
55
53
|
- - ~>
|
56
54
|
- !ruby/object:Gem::Version
|
@@ -60,12 +58,11 @@ dependencies:
|
|
60
58
|
- 0
|
61
59
|
version: 1.0.0
|
62
60
|
type: :development
|
63
|
-
prerelease: false
|
64
61
|
version_requirements: *id003
|
65
62
|
- !ruby/object:Gem::Dependency
|
66
63
|
name: jeweler
|
64
|
+
prerelease: false
|
67
65
|
requirement: &id004 !ruby/object:Gem::Requirement
|
68
|
-
none: false
|
69
66
|
requirements:
|
70
67
|
- - ~>
|
71
68
|
- !ruby/object:Gem::Version
|
@@ -75,12 +72,11 @@ dependencies:
|
|
75
72
|
- 2
|
76
73
|
version: 1.5.2
|
77
74
|
type: :development
|
78
|
-
prerelease: false
|
79
75
|
version_requirements: *id004
|
80
76
|
- !ruby/object:Gem::Dependency
|
81
77
|
name: rcov
|
78
|
+
prerelease: false
|
82
79
|
requirement: &id005 !ruby/object:Gem::Requirement
|
83
|
-
none: false
|
84
80
|
requirements:
|
85
81
|
- - ">="
|
86
82
|
- !ruby/object:Gem::Version
|
@@ -88,12 +84,11 @@ dependencies:
|
|
88
84
|
- 0
|
89
85
|
version: "0"
|
90
86
|
type: :development
|
91
|
-
prerelease: false
|
92
87
|
version_requirements: *id005
|
93
88
|
- !ruby/object:Gem::Dependency
|
94
89
|
name: rake-compiler
|
90
|
+
prerelease: false
|
95
91
|
requirement: &id006 !ruby/object:Gem::Requirement
|
96
|
-
none: false
|
97
92
|
requirements:
|
98
93
|
- - ">="
|
99
94
|
- !ruby/object:Gem::Version
|
@@ -101,7 +96,6 @@ dependencies:
|
|
101
96
|
- 0
|
102
97
|
version: "0"
|
103
98
|
type: :development
|
104
|
-
prerelease: false
|
105
99
|
version_requirements: *id006
|
106
100
|
description: Ruby bindings for the yara malware analysis library
|
107
101
|
email: emonti@trustwave.com
|
@@ -132,6 +126,7 @@ files:
|
|
132
126
|
- ext/yara_native/Yara_native.h
|
133
127
|
- ext/yara_native/extconf.rb
|
134
128
|
- lib/yara.rb
|
129
|
+
- samples/flashfinder
|
135
130
|
- samples/ispe.rb
|
136
131
|
- samples/sslkeyfinder
|
137
132
|
- samples/upx.rb
|
@@ -151,16 +146,13 @@ rdoc_options: []
|
|
151
146
|
require_paths:
|
152
147
|
- lib
|
153
148
|
required_ruby_version: !ruby/object:Gem::Requirement
|
154
|
-
none: false
|
155
149
|
requirements:
|
156
150
|
- - ">="
|
157
151
|
- !ruby/object:Gem::Version
|
158
|
-
hash: -9224945978915744
|
159
152
|
segments:
|
160
153
|
- 0
|
161
154
|
version: "0"
|
162
155
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
163
|
-
none: false
|
164
156
|
requirements:
|
165
157
|
- - ">="
|
166
158
|
- !ruby/object:Gem::Version
|
@@ -170,7 +162,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
170
162
|
requirements: []
|
171
163
|
|
172
164
|
rubyforge_project:
|
173
|
-
rubygems_version: 1.3.
|
165
|
+
rubygems_version: 1.3.6
|
174
166
|
signing_key:
|
175
167
|
specification_version: 3
|
176
168
|
summary: Ruby bindings for libyara
|