@litko/yara-x 0.1.0

package/README.md

@@ -0,0 +1,426 @@
+# @litko/yara-x
+
+**v0.1.0**
+
+## Features
+
+- High Performance: Built with [napi-rs](https://napi-rs.com) and [VirusTotal/yara-x](https://github.com/VirusTotal/yara-x)
+- Async Support: First-class support for asynchronous scanning
+- WASM Compilation: Compile rules to WebAssembly for portable execution
+- Zero Dependencies: No external runtime dependencies
+
+## Usage
+
+### Installation
+
+```bash
+npm install @litko/yara-x
+```
+
+### Basic Example
+
+```javascript
+import { compile } from "yara-x";
+
+// Compile yara rules
+const rules = compile(`
+  rule test_rule {
+    strings:
+      $a = "hello world"
+    condition:
+      $a
+  }
+`);
+
+// Scan a buffer
+const buffer = Buffer.from("This is a test with hello world in it");
+const matches = rules.scan(buffer);
+
+// Process matches
+if (matches.length > 0) {
+  console.log(`Found ${matches.length} matching rules:`);
+  matches.forEach((match) => {
+    console.log(`- Rule: ${match.ruleIdentifier}`);
+    match.matches.forEach((stringMatch) => {
+      console.log(
+        `  * Match at offset ${stringMatch.offset}: ${stringMatch.data}`,
+      );
+    });
+  });
+} else {
+  console.log("No matches found");
+}
+```
+
+## Scanning Files
+
+```javascript
+import { fromFile, compile } from "yara-x";
+import { readFileSync } from "fs";
+
+// Load rules from a file
+const rules = fromFile("./rules/malware_rules.yar");
+
+try {
+  // Scan a file directly
+  const matches = rules.scanFile("./samples/suspicious_file.exe");
+
+  console.log(`Found ${matches.length} matching rules`);
+} catch (error) {
+  console.error(`Scanning error: ${error.message}`);
+}
+```
+
+## Asynchronous Scanning
+
+```javascript
+import { compile } from "yara-x";
+
+async function scanLargeFile() {
+  const rules = compile(`rule large_file_rule {
+      strings:
+        $a = "sensitive data"
+      condition:
+        $a
+    }
+  `);
+
+  try {
+    // Scan a file asynchronously
+    const matches = await rules.scanFileAsync("./samples/large_file.bin");
+    console.log(`Found ${matches.length} matching rules`);
+  } catch (error) {
+    console.error(`Async scanning error: ${error.message}`);
+  }
+}
+
+scanLargeFile();
+```
+
+## Variables
+
+```javascript
+import { compile } from "yara-x";
+
+// Create a scanner with variables
+const rules = compile(
+  `
+  rule variable_rule {
+    condition:
+      string_var contains "secret" and int_var > 10
+  }
+`,
+  {
+    defineVariables: {
+      string_var: "this is a secret message",
+      int_var: "20",
+    },
+  },
+);
+
+// Scan with default variables
+let matches = rules.scan(Buffer.from("test data"));
+console.log(`Matches with default variables: ${matches.length}`);
+
+// Override variables at scan time
+matches = rules.scan(Buffer.from("test data"), {
+  string_var: "no secrets here",
+  int_var: 5, // Note: variables at scan time can be numbers as well
+});
+console.log(`Matches with overridden variables: ${matches.length}`);
+```
+
+## WASM Compilation
+
+```javascript
+import { compile, compileToWasm } from "yara-x";
+
+// Compile rules to WASM
+const rule = `
+  rule wasm_test {
+    strings:
+      $a = "compile to wasm"
+    condition:
+      $a
+  }
+`;
+
+// Static compilation
+compileToWasm(rule, "./output/rules.wasm");
+
+// Or from a compiled rules instance
+const compiledRules = compile(rule);
+compiledRules.emitWasmFile("./output/instance_rules.wasm");
+
+// Async compilation
+await compiledRules.emitWasmFileAsync("./output/async_rules.wasm");
+```
+
+## Incremental Rule Building
+
+```javascript
+import { create } from "yara-x";
+
+// Create an empty scanner
+const scanner = create();
+
+// Add rules incrementally
+scanner.addRuleSource(`
+  wrule first_rule {
+    strings:
+      $a = "first pattern"
+    condition:
+      $a
+  }
+`);
+
+// Add rules from a file
+scanner.addRuleFile("./rules/more_rules.yar");
+
+// Add another rule
+scanner.addRuleSource(`
+  rule another_rule {
+    strings:
+      $a = "another pattern"
+    condition:
+      $a
+  }
+`);
+
+// Now scan with all the rules
+const matches = scanner.scan(Buffer.from("test data with first pattern"));
+```
+
+## Rule Validation
+
+```javascript
+import { validate } from "yara-x";
+
+// Validate rules without executing them
+const result = validate(`
+  rule valid_rule {
+    strings:
+      $a = "valid"
+    condition:
+      $a
+    }
+`);
+
+if (result.errors.length === 0) {
+  console.log("Rules are valid!");
+} else {
+  console.error("Rule validation failed:");
+  result.errors.forEach((error) => {
+    console.error(`- ${error.code}: ${error.message}`);
+  });
+}
+```
+
+## Advanced Options
+
+```javascript
+import { compile } from "yara-x";
+
+// Create a scanner with advanced options
+const rules = compile(
+  `
+  rule advanced_rule {
+    strings:
+      $a = /hello[[:space:]]world/ // Using POSIX character class
+    condition:
+      $a and test_var > 10
+  }
+`,
+  {
+    // Define variables
+    defineVariables: {
+      test_var: "20",
+    },
+
+    // Enable relaxed regular expression syntax
+    relaxedReSyntax: true,
+
+    // Enable condition optimization
+    conditionOptimization: true,
+
+    // Ignore specific modules
+    ignoreModules: ["pe"],
+
+  :  // Error on potentially slow patterns
+    errorOnSlowPattern: true,
+
+    // Error on potentially slow loops
+    errorOnSlowLoop: true,
+  },
+);
+```
+
+## Error Handling
+
+### Compilation Errors
+
+```javascript
+import { compile } from "yara-x";
+
+try {
+  // This will throw an error due to invalid syntax
+  const rules = compile(`
+    rule invalid_rule {
+      strings:
+        $a = "unclosed string
+      condition:
+        $a
+    }
+  `);
+} catch (error) {
+  console.error(`Compilation error: ${error.message}`);
+  // Output: Compilation error: error[E001]: syntax error
+  //  --> line:3:28
+  //   |
+  // 3 |         $a = "unclosed string
+  //   |                            ^ expecting `"`, found end of file
+  // 278:  }
+}
+```
+
+### Scanning errors
+
+```javascript
+import { compile } from "yara-x";
+
+const rules = compile(`
+  rule test_rule {
+    condition:
+      true
+  }
+`);
+
+try {
+  // This will throw if the file doesn't exist
+  rules.scanFile("/path/to/nonexistent/file.bin");
+} catch (error) {
+  console.error(`Scanning error: ${error.message}`);
+  // Output: Scanning error: Error reading file: No such file or directory (os error 2)
+}
+```
+
+### Async Errors
+
+```javascript
+import { compile, compileToWasm } from "yara-x";
+
+async function handleAsyncErrors() {
+  const rules = compile(`
+    rule test_rule {
+      condition:
+        true
+    }
+  `);
+
+  try {
+    await rules.scanFileAsync("/path/to/nonexistent/file.bin");
+  } catch (error) {
+    console.error(`Async scanning error: ${error.message}`);
+  }
+
+  try {
+    await compileToWasm(
+      "rule test { condition: true }",
+      "/invalid/path/rules.wasm",
+    );
+  } catch (error) {
+    console.error(`WASM compilation error: ${error.message}`);
+  }
+}
+
+handleAsyncErrors();
+```
+
+## Compiler Warnings
+
+```javascript
+import { compile } from "yara-x";
+
+// Create a scanner with a rule that generates warnings
+const rules = compile(`
+  rule warning_rule {
+    strings:
+      $a = "unused string"
+    condition:
+      true  // Warning: invariant expression
+    }
+`);
+
+// Get and display warnings
+const warnings = rules.getWarnings();
+if (warnings.length > 0) {
+  console.log("Compiler warnings:");
+  warnings.forEach((warning) => {
+    console.log(`- ${warning.code}: ${warning.message}`);
+  });
+}
+```
+
+## Performance Benchmarks
+
+**Test Setup:**
+
+- **Hardware:** MacBook Pro (M3 Max, 36GB RAM)
+- **Test Data:** Generated data of varying sizes (small: 64 bytes, medium: 100KB, large: 10MB). See `__test__/benchmark.mjs` for data generation and benchmarking code.
+- The Large test file (10MB) is auto-generated, to prevent bloating the size of the repository.
+
+**Key Metrics (Averages):**
+
+| Operation                                       | Average Time | Iterations |      p50 |      p95 |      p99 |
+| :---------------------------------------------- | -----------: | ---------: | -------: | -------: | -------: |
+| Scanner Creation (Simple Rule)                  |     1.675 ms |        100 | 1.547 ms | 2.318 ms | 2.657 ms |
+| Scanner Creation (Complex Rule)                 |     1.878 ms |        100 | 1.848 ms | 2.005 ms | 2.865 ms |
+| Scanner Creation (Regex Rule)                   |     2.447 ms |        100 | 2.444 ms | 2.473 ms | 2.569 ms |
+| Scanner Creation (Multiple Rules)               |     1.497 ms |        100 | 1.488 ms | 1.547 ms | 1.819 ms |
+| Scanning Small Data (64 bytes, Simple Rule)     |     0.145 ms |       1000 | 0.143 ms | 0.156 ms | 0.169 ms |
+| Scanning Medium Data (100KB, Simple Rule)       |     0.151 ms |        100 | 0.146 ms | 0.179 ms | 0.205 ms |
+| Scanning Large Data (10MB, Simple Rule)         |     0.347 ms |         10 | 0.340 ms | 0.394 ms | 0.394 ms |
+| Scanning Medium Data (100KB, Complex Rule)      |     0.219 ms |        100 | 0.215 ms | 0.254 ms | 0.269 ms |
+| Scanning Medium Data (100KB, Regex Rule)        |     0.156 ms |        100 | 0.152 ms | 0.182 ms | 0.210 ms |
+| Scanning Medium Data (100KB, Multiple Rules)    |     0.218 ms |        100 | 0.212 ms | 0.261 ms | 0.353 ms |
+| Async Scanning Medium Data (100KB, Simple Rule) |     0.012 ms |        100 | 0.011 ms | 0.016 ms |  0.027ms |
+| Scanning with Variables                         |     0.143 ms |       1000 | 0.140 ms | 0.155 ms | 0.166 ms |
+| Scanning with Variables (Override at Scan Time) |     0.144 ms |       1000 | 0.142 ms | 0.158 ms | 0.175 ms |
+
+# API Reference
+
+### Functions
+
+- `compile(ruleSource: string, options?: CompilerOptions)` - Compiles yara rules from a string.
+- `compileToWasm(ruleSource: string, outputPath: string, options?: CompilerOptions)` - Compiles yara rules from a string to WASM file.
+- `compileFileToWasm(rulesPath: string, outputPath: string, options?: CompilerOptions)` - Compiles yara rules from a file to WASM file.
+- `validate(ruleSource: string, options?: CompilerOptions)` - Validates yara rules without executing them.
+- `create(options?: CompilerOptions)` - Creates an empty rules scanner to add rules incrementally.
+- `fromFile(rulePath: string, options?: CompilerOptions)` - Compiles yara rules from a file.
+
+### yarax Methods
+
+- `getWarnings()` - Get compiler warnings.
+- `scan(data: Buffer, variables?: Record<string, string | number>)` - Scan a buffer.
+- `scanFile(filePath: string, variables?: Record<string, string | number>)` - Scan a file.
+- `scanAsync(data: Buffer, variables?: Record<string, object | undefined | null>)` - Scan a buffer asynchronously.
+- `scanFileAsync(filePath: string, variables?: Record<string, object | undefined | null>)` - Scan a file asynchronously.
+- `emitWasmFile(filePath: string)` - Emit compiled rules to WASM file synchronously.
+- `emitWasmFileAsync(filePath: string)` - Emit compiled rules to WASM file asynchronously.
+- `addRuleSource(rules: string)` - Add rules from a string to an existing scanner.
+- `addRuleFile(filePath: string)` - Add rules from a file to an existing scanner.
+
+### Rule Validation
+
+- `validate(rules: string, options?: CompilerOptions)` - Validate yara rules without executing them.
+
+## Licenses
+
+This project incorporates code under two distinct licenses:
+
+- **MIT License:**
+  - The node.js bindings and other code specific to this module are licensed under the MIT license.
+  - See `LICENSE-MIT` for the full text.
+- **BSD-3-Clause License:**
+  - The included yara-x library is licensed under the BSD-3-Clause license.
+  - See `LICENSE-BSD-3-Clause` for the full text.

package/index.d.ts

@@ -0,0 +1,268 @@
+/* tslint:disable */
+/* eslint-disable */
+
+/* auto-generated by NAPI-RS */
+
+/** MatchData struct represents a match found by a YARA rule. */
+export interface MatchData {
+  /** The offset of the match in the scanned data. */
+  offset: number
+  /** The length of the matched data. */
+  length: number
+  /** The matched data as a string. */
+  data: string
+  /** The identifier of the pattern that matched. */
+  identifier: string
+}
+/**
+ * RuleMatch struct represents a matching rule found during scanning.
+ *
+ * See [yara_::Match](https://docs.rs/yara-x/latest/yara_x/struct.Match.html) for more details.
+ */
+export interface RuleMatch {
+  /** The identifier of the rule that matched. */
+  ruleIdentifier: string
+  /** The namespace of the rule that matched. */
+  namespace: string
+  /** The metadata associated with the rule that matched. */
+  meta: object
+  /** The tags associated with the rule that matched. */
+  tags: Array<string>
+  /** The matches found by the rule. */
+  matches: Array<MatchData>
+}
+/**
+ * CompilerOptions struct represents the options for the YARA compiler.
+ *
+ * See [yara_x::Compiler](https://docs.rs/yara-x/latest/yara_x/struct.Compiler.html) for more
+ * details.
+ */
+export interface CompilerOptions {
+  /** Defines global variables for the YARA rules. */
+  defineVariables?: object
+  /** A list of module names to ignore during compilation. */
+  ignoreModules?: Array<string>
+  /** A list of banned modules that cannot be used in the YARA rules. */
+  bannedModules?: Array<BannedModule>
+  /** A list of features to enable for the YARA rules. */
+  features?: Array<string>
+  /** Whether to use relaxed regular expression syntax. */
+  relaxedReSyntax?: boolean
+  /** Whether to optimize conditions in the YARA rules. */
+  conditionOptimization?: boolean
+  /** Whether to raise an error on slow patterns. */
+  errorOnSlowPattern?: boolean
+  /** Whether to raise an error on slow loops. */
+  errorOnSlowLoop?: boolean
+}
+/** BannedModule struct represents a module that is banned from being used in YARA rules. */
+export interface BannedModule {
+  /** The name of the banned module. */
+  name: string
+  /** The title of the error message if the module is used. */
+  errorTitle: string
+  /** The error message if the module is used. */
+  errorMessage: string
+}
+/**
+ * CompilerWarning struct represents a warning generated by the YARA compiler.
+ *
+ * See [yara_x::CompilerWarning](https://docs.rs/yara-x/latest/yara_x/warnings/enum.Warning.html)
+ * for more details.
+ */
+export interface CompilerWarning {
+  /** The code of the warning. */
+  code: string
+  /** The message of the warning. */
+  message: string
+  /** The source of the warning, if available. */
+  source?: string
+  /** The line number where the warning occurred, if available. */
+  line?: number
+  /** The column number where the warning occurred, if available. */
+  column?: number
+}
+/**
+ * CompilerError struct represents an error generated by the YARA compiler.
+ *
+ * See
+ * [yara_x::CompileError](https://docs.rs/yara-x/latest/yara_x/errors/enum.CompileError.html)
+ * for more details.
+ */
+export interface CompilerError {
+  /** The code of the error. */
+  code: string
+  /** The message of the error. */
+  message: string
+  /** The source of the error, if available. */
+  source?: string
+  /** The line number where the error occurred, if available. */
+  line?: number
+  /** The column number where the error occurred, if available. */
+  column?: number
+}
+/**
+ * CompileResult struct represents the result of compiling YARA rules.
+ * It contains any warnings or errors generated during the compilation process.
+ */
+export interface CompileResult {
+  /** Any warnings generated during the compilation process. */
+  warnings: Array<CompilerWarning>
+  /** Any errors generated during the compilation process. */
+  errors: Array<CompilerError>
+}
+/**
+ * Compiles a YARA rule source string and returns any warnings or errors generated during the
+ * compilation process.
+ *
+ * Exported as `validate` in the NAPI interface.
+ *
+ * Example
+ *
+ * ```javascript
+ * const { validate } = require('your_yara_module');
+ * const result = validate('rule example { strings: $a = "example" condition: $a }');
+ * ```
+ */
+export declare function validate(ruleSource: string, options?: CompilerOptions | undefined | null): CompileResult
+/**
+ * Compiles a YARA rule source string and returns a YaraX instance with the compiled rules.
+ *
+ * Exported as `compile` in the NAPI interface.
+ *
+ * Example
+ *
+ * ```javascript
+ * const { compile } = require('your_yara_module');
+ * const yarax = compile('rule example { strings: $a = "example" condition: $a }');
+ * ```
+ */
+export declare function compile(ruleSource: string, options?: CompilerOptions | undefined | null): YaraX
+/**
+ * Creates a new YaraX instance with empty rules and no source code.
+ *
+ * Exported as `create` in the NAPI interface.
+ *
+ * Example
+ *
+ * ```javascript
+ * const { create } = require('your_yara_module');
+ * const yarax = create();
+ *
+ * // Now you can add rules or compile them later
+ *
+ * yarax.addRuleSource('rule example { strings: $a = "example" condition: $a }');
+ * yarax.addRuleFile('path/to/rule_file.yar');
+ * yarax.defineVariable('myVar', 'myValue');
+ * ```
+ */
+export declare function create(): YaraX
+/**
+ * Creates a new YaraX instance from a file containing YARA rules.
+ *
+ * Exported as `fromFile` in the NAPI interface.
+ *
+ * Example
+ *
+ * ```javascript
+ * const { fromFile } = require('your_yara_module');
+ * const yarax = fromFile('path/to/rule_file.yar');
+ * ```
+ */
+export declare function fromFile(rulePath: string, options?: CompilerOptions | undefined | null): YaraX
+/**
+ * Compiles a YARA rule source string to a WASM file.
+ *
+ * Exported as `compileToWasm` in the NAPI interface.
+ *
+ * Example
+ *
+ * ```javascript
+ * const { compileToWasm } = require('your_yara_module');
+ * compileToWasm('rule example { strings: $a = "example" condition: $a }', 'output.wasm');
+ * ```
+ */
+export declare function compileToWasm(ruleSource: string, outputPath: string, options?: CompilerOptions | undefined | null): void
+/**
+ * Compiles a YARA rule file to a WASM file.
+ *
+ * Exported as `compileFileToWasm` in the NAPI interface.
+ *
+ * Example
+ *
+ * ```javascript
+ * const { compileFileToWasm } = require('your_yara_module');
+ * compileFileToWasm('path/to/rule_file.yar', 'output.wasm');
+ * ```
+ */
+export declare function compileFileToWasm(rulePath: string, outputPath: string, options?: CompilerOptions | undefined | null): void
+/**
+ * YaraX struct represents the YARA rules and their associated data.
+ * It contains the compiled rules, source code, warnings, and variables.
+ *
+ * See [yara_x::Rules](https://docs.rs/yara-x/latest/yara_x/struct.Rules.html) for more details.
+ */
+export declare class YaraX {
+  getWarnings(): Array<CompilerWarning>
+  /**
+   * Scans the provided data using the compiled YARA rules.
+   * This function takes the scanned data and an optional object of variables,
+   * and returns a vector of RuleMatch representing the matching rules found during the scan.
+   */
+  scan(data: Buffer, variables?: Record<string, string | number>): Array<RuleMatch>
+  /**
+   * Scans a file using the compiled YARA rules.
+   * This function takes the file path and an optional object of variables,
+   * and returns a vector of RuleMatch representing the matching rules found during the scan.
+   */
+  scanFile(filePath: string, variables?: Record<string, string | number>): Array<RuleMatch>
+  /**
+   * Emits a WASM file from the compiled YARA rules.
+   * This function takes the output path and writes the compiled rules to a WASM file.
+   */
+  emitWasmFile(outputPath: string): void
+  /**
+   * Scans the provided data asynchronously using the compiled YARA rules.
+   * This function takes the scanned data and an optional object of variables,
+   * and returns an AsyncTask that will resolve to a vector of RuleMatch representing the matching
+   * rules found during the scan.
+   *
+   * This allows for non-blocking scanning of data, which can be useful for large datasets or
+   * performance-critical applications.
+   */
+  scanAsync(data: Buffer, variables?: object | undefined | null): Promise<unknown>
+  /**
+   * Scans a file asynchronously using the compiled YARA rules.
+   * This function takes the file path and an optional object of variables,
+   * and returns an AsyncTask that will resolve to a vector of RuleMatch representing the matching
+   * rules found during the scan.
+   *
+   * This allows for non-blocking scanning of files, which can be useful for large files or
+   * performance-critical applications.
+   */
+  scanFileAsync(filePath: string, variables?: object | undefined | null): Promise<unknown>
+  /**
+   * Emits a WASM file asynchronously from the compiled YARA rules.
+   * This function takes the output path
+   * and returns an AsyncTask that will resolve when the WASM file is successfully emitted.
+   */
+  emitWasmFileAsync(outputPath: string): Promise<unknown>
+  /**
+   * Adds a rule source to the YARA compiler.
+   * This function takes a rule source string,
+   * compiles it, and updates the YaraX instance with the new rules.
+   */
+  addRuleSource(ruleSource: string): void
+  /**
+   * Adds a rule file to the YARA compiler.
+   * This function takes a file path,
+   * reads the file content, and adds it to the YaraX instance.
+   */
+  addRuleFile(filePath: string): void
+  /**
+   * Defines a variable for the YARA compiler.
+   * This function takes a variable name and value,
+   * and adds it to the YaraX instance.
+   */
+  defineVariable(name: string, value: string): void
+}

package/index.js

@@ -0,0 +1,321 @@
+/* tslint:disable */
+/* eslint-disable */
+/* prettier-ignore */
+
+/* auto-generated by NAPI-RS */
+
+const { existsSync, readFileSync } = require('fs')
+const { join } = require('path')
+
+const { platform, arch } = process
+
+let nativeBinding = null
+let localFileExisted = false
+let loadError = null
+
+function isMusl() {
+  // For Node 10
+  if (!process.report || typeof process.report.getReport !== 'function') {
+    try {
+      const lddPath = require('child_process').execSync('which ldd').toString().trim()
+      return readFileSync(lddPath, 'utf8').includes('musl')
+    } catch (e) {
+      return true
+    }
+  } else {
+    const { glibcVersionRuntime } = process.report.getReport().header
+    return !glibcVersionRuntime
+  }
+}
+
+switch (platform) {
+  case 'android':
+    switch (arch) {
+      case 'arm64':
+        localFileExisted = existsSync(join(__dirname, 'yara-x.android-arm64.node'))
+        try {
+          if (localFileExisted) {
+            nativeBinding = require('./yara-x.android-arm64.node')
+          } else {
+            nativeBinding = require('@litko/yara-x-android-arm64')
+          }
+        } catch (e) {
+          loadError = e
+        }
+        break
+      case 'arm':
+        localFileExisted = existsSync(join(__dirname, 'yara-x.android-arm-eabi.node'))
+        try {
+          if (localFileExisted) {
+            nativeBinding = require('./yara-x.android-arm-eabi.node')
+          } else {
+            nativeBinding = require('@litko/yara-x-android-arm-eabi')
+          }
+        } catch (e) {
+          loadError = e
+        }
+        break
+      default:
+        throw new Error(`Unsupported architecture on Android ${arch}`)
+    }
+    break
+  case 'win32':
+    switch (arch) {
+      case 'x64':
+        localFileExisted = existsSync(
+          join(__dirname, 'yara-x.win32-x64-msvc.node')
+        )
+        try {
+          if (localFileExisted) {
+            nativeBinding = require('./yara-x.win32-x64-msvc.node')
+          } else {
+            nativeBinding = require('@litko/yara-x-win32-x64-msvc')
+          }
+        } catch (e) {
+          loadError = e
+        }
+        break
+      case 'ia32':
+        localFileExisted = existsSync(
+          join(__dirname, 'yara-x.win32-ia32-msvc.node')
+        )
+        try {
+          if (localFileExisted) {
+            nativeBinding = require('./yara-x.win32-ia32-msvc.node')
+          } else {
+            nativeBinding = require('@litko/yara-x-win32-ia32-msvc')
+          }
+        } catch (e) {
+          loadError = e
+        }
+        break
+      case 'arm64':
+        localFileExisted = existsSync(
+          join(__dirname, 'yara-x.win32-arm64-msvc.node')
+        )
+        try {
+          if (localFileExisted) {
+            nativeBinding = require('./yara-x.win32-arm64-msvc.node')
+          } else {
+            nativeBinding = require('@litko/yara-x-win32-arm64-msvc')
+          }
+        } catch (e) {
+          loadError = e
+        }
+        break
+      default:
+        throw new Error(`Unsupported architecture on Windows: ${arch}`)
+    }
+    break
+  case 'darwin':
+    localFileExisted = existsSync(join(__dirname, 'yara-x.darwin-universal.node'))
+    try {
+      if (localFileExisted) {
+        nativeBinding = require('./yara-x.darwin-universal.node')
+      } else {
+        nativeBinding = require('@litko/yara-x-darwin-universal')
+      }
+      break
+    } catch {}
+    switch (arch) {
+      case 'x64':
+        localFileExisted = existsSync(join(__dirname, 'yara-x.darwin-x64.node'))
+        try {
+          if (localFileExisted) {
+            nativeBinding = require('./yara-x.darwin-x64.node')
+          } else {
+            nativeBinding = require('@litko/yara-x-darwin-x64')
+          }
+        } catch (e) {
+          loadError = e
+        }
+        break
+      case 'arm64':
+        localFileExisted = existsSync(
+          join(__dirname, 'yara-x.darwin-arm64.node')
+        )
+        try {
+          if (localFileExisted) {
+            nativeBinding = require('./yara-x.darwin-arm64.node')
+          } else {
+            nativeBinding = require('@litko/yara-x-darwin-arm64')
+          }
+        } catch (e) {
+          loadError = e
+        }
+        break
+      default:
+        throw new Error(`Unsupported architecture on macOS: ${arch}`)
+    }
+    break
+  case 'freebsd':
+    if (arch !== 'x64') {
+      throw new Error(`Unsupported architecture on FreeBSD: ${arch}`)
+    }
+    localFileExisted = existsSync(join(__dirname, 'yara-x.freebsd-x64.node'))
+    try {
+      if (localFileExisted) {
+        nativeBinding = require('./yara-x.freebsd-x64.node')
+      } else {
+        nativeBinding = require('@litko/yara-x-freebsd-x64')
+      }
+    } catch (e) {
+      loadError = e
+    }
+    break
+  case 'linux':
+    switch (arch) {
+      case 'x64':
+        if (isMusl()) {
+          localFileExisted = existsSync(
+            join(__dirname, 'yara-x.linux-x64-musl.node')
+          )
+          try {
+            if (localFileExisted) {
+              nativeBinding = require('./yara-x.linux-x64-musl.node')
+            } else {
+              nativeBinding = require('@litko/yara-x-linux-x64-musl')
+            }
+          } catch (e) {
+            loadError = e
+          }
+        } else {
+          localFileExisted = existsSync(
+            join(__dirname, 'yara-x.linux-x64-gnu.node')
+          )
+          try {
+            if (localFileExisted) {
+              nativeBinding = require('./yara-x.linux-x64-gnu.node')
+            } else {
+              nativeBinding = require('@litko/yara-x-linux-x64-gnu')
+            }
+          } catch (e) {
+            loadError = e
+          }
+        }
+        break
+      case 'arm64':
+        if (isMusl()) {
+          localFileExisted = existsSync(
+            join(__dirname, 'yara-x.linux-arm64-musl.node')
+          )
+          try {
+            if (localFileExisted) {
+              nativeBinding = require('./yara-x.linux-arm64-musl.node')
+            } else {
+              nativeBinding = require('@litko/yara-x-linux-arm64-musl')
+            }
+          } catch (e) {
+            loadError = e
+          }
+        } else {
+          localFileExisted = existsSync(
+            join(__dirname, 'yara-x.linux-arm64-gnu.node')
+          )
+          try {
+            if (localFileExisted) {
+              nativeBinding = require('./yara-x.linux-arm64-gnu.node')
+            } else {
+              nativeBinding = require('@litko/yara-x-linux-arm64-gnu')
+            }
+          } catch (e) {
+            loadError = e
+          }
+        }
+        break
+      case 'arm':
+        if (isMusl()) {
+          localFileExisted = existsSync(
+            join(__dirname, 'yara-x.linux-arm-musleabihf.node')
+          )
+          try {
+            if (localFileExisted) {
+              nativeBinding = require('./yara-x.linux-arm-musleabihf.node')
+            } else {
+              nativeBinding = require('@litko/yara-x-linux-arm-musleabihf')
+            }
+          } catch (e) {
+            loadError = e
+          }
+        } else {
+          localFileExisted = existsSync(
+            join(__dirname, 'yara-x.linux-arm-gnueabihf.node')
+          )
+          try {
+            if (localFileExisted) {
+              nativeBinding = require('./yara-x.linux-arm-gnueabihf.node')
+            } else {
+              nativeBinding = require('@litko/yara-x-linux-arm-gnueabihf')
+            }
+          } catch (e) {
+            loadError = e
+          }
+        }
+        break
+      case 'riscv64':
+        if (isMusl()) {
+          localFileExisted = existsSync(
+            join(__dirname, 'yara-x.linux-riscv64-musl.node')
+          )
+          try {
+            if (localFileExisted) {
+              nativeBinding = require('./yara-x.linux-riscv64-musl.node')
+            } else {
+              nativeBinding = require('@litko/yara-x-linux-riscv64-musl')
+            }
+          } catch (e) {
+            loadError = e
+          }
+        } else {
+          localFileExisted = existsSync(
+            join(__dirname, 'yara-x.linux-riscv64-gnu.node')
+          )
+          try {
+            if (localFileExisted) {
+              nativeBinding = require('./yara-x.linux-riscv64-gnu.node')
+            } else {
+              nativeBinding = require('@litko/yara-x-linux-riscv64-gnu')
+            }
+          } catch (e) {
+            loadError = e
+          }
+        }
+        break
+      case 's390x':
+        localFileExisted = existsSync(
+          join(__dirname, 'yara-x.linux-s390x-gnu.node')
+        )
+        try {
+          if (localFileExisted) {
+            nativeBinding = require('./yara-x.linux-s390x-gnu.node')
+          } else {
+            nativeBinding = require('@litko/yara-x-linux-s390x-gnu')
+          }
+        } catch (e) {
+          loadError = e
+        }
+        break
+      default:
+        throw new Error(`Unsupported architecture on Linux: ${arch}`)
+    }
+    break
+  default:
+    throw new Error(`Unsupported OS: ${platform}, architecture: ${arch}`)
+}
+
+if (!nativeBinding) {
+  if (loadError) {
+    throw loadError
+  }
+  throw new Error(`Failed to load native binding`)
+}
+
+const { YaraX, validate, compile, create, fromFile, compileToWasm, compileFileToWasm } = nativeBinding
+
+module.exports.YaraX = YaraX
+module.exports.validate = validate
+module.exports.compile = compile
+module.exports.create = create
+module.exports.fromFile = fromFile
+module.exports.compileToWasm = compileToWasm
+module.exports.compileFileToWasm = compileFileToWasm

package/package.json

@@ -0,0 +1,58 @@
+{
+  "name": "@litko/yara-x",
+  "version": "0.1.0",
+  "main": "index.js",
+  "types": "index.d.ts",
+  "napi": {
+    "name": "yara-x",
+    "triples": {
+      "additional": [
+        "x86_64-apple-darwin",
+        "aarch64-apple-darwin",
+        "x86_64-unknown-linux-gnu",
+        "aarch64-unknown-linux-gnu"
+      ]
+    }
+  },
+  "license": "MIT",
+  "devDependencies": {
+    "@napi-rs/cli": "^2.18.4",
+    "@napi-rs/package-template": "^1.0.0",
+    "@types/node": "^22.13.10"
+  },
+  "engines": {
+    "node": ">= 20"
+  },
+  "publishConfig": {
+    "registry": "https://registry.npmjs.org/",
+    "access": "public"
+  },
+  "scripts": {
+    "artifacts": "napi artifacts",
+    "build": "napi build --platform --release",
+    "build:debug": "napi build --platform",
+    "universal": "napi universal",
+    "version": "napi version",
+    "test": "node --test __test__/index.spec.mjs",
+    "benchmark": "node __test__/benchmark.mjs"
+  },
+  "files": [
+    "index.js",
+    "index.d.ts"
+  ],
+  "keywords": [
+    "yara",
+    "yara-x",
+    "malware",
+    "detection",
+    "napi-rs",
+    "rust"
+  ],
+  "optionalDependencies": {
+    "@litko/yara-x-win32-x64-msvc": "0.1.0",
+    "@litko/yara-x-darwin-x64": "0.1.0",
+    "@litko/yara-x-linux-x64-gnu": "0.1.0",
+    "@litko/yara-x-darwin-arm64": "0.1.0",
+    "@litko/yara-x-linux-arm64-gnu": "0.1.0"
+  }
+}