yaralyzer 0.9.3__tar.gz → 0.9.5__tar.gz

{yaralyzer-0.9.3 → yaralyzer-0.9.5}/.yaralyzer.example

@@ -9,10 +9,11 @@
 # YARALYZER_MAXIMIZE_WIDTH=True
 
 
+
 # Expand the width of the output to the fit the display window (same as the --maximize-width options)
 #    YARALYZER_MAXIMIZE_WIDTH=True
 
-# Passed through to yara.set_config as the stack_size and
+# yara-python internal options passed through to yara.set_config() as the stack_size and max_match_data arguments
 #    YARALYZER_STACK_SIZE=10485760
 #    YARALYZER_MAX_MATCH_LENGTH=10737418240
 
@@ -27,7 +28,7 @@
 #    YARALYZER_MIN_CHARDET_CONFIDENCE=2.0
 
 # Configure how many bytes before and after any binary data should be included in scans and visualizations
-#    PDFAlYZER_SURROUNDING_BYTES=64
+#    YARALYZER_SURROUNDING_BYTES=64
 
 # Size thresholds (in bytes) under/over which yaralyzer will NOT make attempts to decode a match.
 # Longer byte sequences are for obvious reasons slower to decode by force.
@@ -35,8 +36,8 @@
 # (in my experience) less likely to be maningful. Consider it - two frontslash characters 20,000 lines apart
 # are more likely to be random than those same frontslashes when placed nearer to each other and
 # in the vicinity of lot of computerized sigils of internet power like `.', `+bacd*?`,. and other regexes.*
-# Keeping the max value number low will do more to affect the speed of the app than ay anything else you
-# can easily configure..
+# Keeping the max value number low will do more to affect the speed of the app than anything else you
+# can easily configure.
 #
 #    YARALYZER_MIN_DECODE_LENGTH=1
 #    YARALYZER_MAX_DECODE_LENGTH=256
@@ -58,6 +59,3 @@
 
 # Log level
 #    YARALYZER_LOG_LEVEL='WARN'
-
-# Path to directory containing Didier Stevens's pdf-parser.py. Only required for extracting binary streams to files.
-#    YARALYZER_PDF_PARSER_PY_PATH=/path/to/pdfparserdotpy/

{yaralyzer-0.9.3 → yaralyzer-0.9.5}/CHANGELOG.md

@@ -1,5 +1,12 @@
 # NEXT RELEASE
 
+### 0.9.5
+* Use all files in a directory specified by `--rule-dir` instead of just those with the extension `.yara`
+* Fix bug where `--rule-dir` is prefixed by `./`
+
+### 0.9.4
+* Bump `yara-python` to 4.3.0+ and deal with backwards incompatibility
+
 ### 0.9.3
 * Lock `yara-python` at 4.2.3 bc 4.3.x causes problems
 

{yaralyzer-0.9.3 → yaralyzer-0.9.5}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: yaralyzer
-Version: 0.9.3
+Version: 0.9.5
 Summary: Visualize and force decode YARA and regex matches found in a file or byte stream. With colors. Lots of colors.
 Home-page: https://github.com/michelcrypt4d4mus/yaralyzer
 License: GPL-3.0-or-later
@@ -19,14 +19,14 @@ Requires-Dist: chardet (>=5.0.0,<6.0.0)
 Requires-Dist: python-dotenv (>=0.21.0,<0.22.0)
 Requires-Dist: rich (>=12.5.1,<13.0.0)
 Requires-Dist: rich-argparse-plus (>=0.3.1,<0.4.0)
-Requires-Dist: yara-python (>=4.2.3,<4.3.0)
+Requires-Dist: yara-python (>=4.3.0,<5.0.0)
 Project-URL: Documentation, https://github.com/michelcrypt4d4mus/yaralyzer
 Project-URL: Repository, https://github.com/michelcrypt4d4mus/yaralyzer
 Description-Content-Type: text/markdown
 
 <!-- ![Tests](https://img.shields.io/github/workflow/status/michelcrypt4d4mus/yaralyzer/tests?label=tests) -->
 ![Python Version](https://img.shields.io/pypi/pyversions/yaralyzer)
-![Release](https://img.shields.io/github/v/release/michelcrypt4d4mus/yaralyzer?sort=semver)
+![Release](https://img.shields.io/pypi/v/yaralyzer)
 ![Downloads](https://img.shields.io/pypi/dm/yaralyzer)
 
 # THE YARALYZER
@@ -52,8 +52,8 @@ yaralyze --hex-pattern 'd0 93 d0 a3 d0 [-] 9b d0 90 d0 93' one_day_in_the_life_o
 #### What It Do
 1. **See the actual bytes your YARA rules are matching.** No more digging around copy/pasting the start positions reported by YARA into your favorite hex editor. Displays both the bytes matched by YARA as well as a configurable number of bytes before and after each match in hexadecimal and "raw" python string representation.
 1. **Do the same for byte patterns and regular expressions without writing a YARA file.** If you're too lazy to write a YARA file but are trying to determine, say, whether there's a regular expression hidden somewhere in the file you could scan for the pattern `'/.+/'` and immediately get a window into all the bytes in the file that live between front slashes. Same story for quotes, BOMs, etc. Any regex YARA can handle is supported so the sky is the limit.
-1. **Detect the possible encodings of each set of matched bytes.** [The `chardet` library](https://github.com/chardet/chardet) is a sophisticated library for guessing character encodings and it is leveraged here.
-1. **Display the result of forcing various character encodings upon the matched areas.** Several default character encodings will be _forcibly_ attempted in the region around the match. [`chardet`](https://github.com/chardet/chardet) will also be leveraged to see if the bytes fit the pattern of _any_ known encoding. If `chardet` is confident enough (configurable), an attempt at decoding the bytes using that encoding will be displayed.
+1. **Detect the possible encodings of each set of matched bytes.** [`chardet`](https://github.com/chardet/chardet) is a sophisticated library for guessing character encodings and it is leveraged here.
+1. **Display the result of forcing various character encodings upon the matched areas.** Several default character encodings will be _forcibly_ attempted in the region around the match. [`chardet`](https://github.com/chardet/chardet) will also be leveraged to see if the bytes fit the pattern of _any_ known encoding. If `chardet` is confident enough (configurable) an attempt at decoding the bytes using that encoding will be displayed.
 1. **Export the matched regions/decodings to SVG, HTML, and colored text files.** Show off your ASCII art.
 
 #### Why It Do
@@ -87,7 +87,7 @@ Run `yaralyze -h` to see the command line options (screenshot below).
 For info on exporting SVG images, HTML, etc., see [Example Output](#example-output).
 
 ### Configuration
-If you place a filed called `.yaralyzer` in your home directory or the current working directory then environment variables specified in that `.yaralyzer` file will be added to the environment each time yaralyzer is invoked. This provides a mechanism for permanently configuring various command line options so you can avoid typing them over and over. See the example file [`.yaralyzer.example`](.yaralyzer.example) to see which options can be configured this way.
+If you place a file called `.yaralyzer` in your home directory or the current working directory then environment variables specified in that `.yaralyzer` file will be added to the environment each time yaralyzer is invoked. This provides a mechanism for permanently configuring various command line options so you can avoid typing them over and over. See the example file [`.yaralyzer.example`](.yaralyzer.example) to see which options can be configured this way.
 
 Only one `.yaralyzer` file will be loaded and the working directory's `.yaralyzer` takes precedence over the home directory's `.yaralyzer`.
 
@@ -131,6 +131,7 @@ The Yaralyzer can export visualizations to HTML, ANSI colored text, and SVG vect
 
 
 # TODO
+* For some reason when displaying matches the output to a file iterates over all matches in a different way than just running in the console. Presumably this is related to the `rich` rendering engine in some way. For now the console output is the "more correct" one so it's generally OK. See [`issue_with_output_to_console_correct`](doc/rendered_images/issue_with_output_to_console_correct.png) vs. [`issue_with_output_to_txt_file_incorrect.png`](doc/rendered_images/issue_with_output_to_txt_file_incorrect.png)
 * highlight decodes done at `chardet`s behest
 * deal with repetitive matches
 

{yaralyzer-0.9.3 → yaralyzer-0.9.5}/README.md

@@ -1,6 +1,6 @@
 <!-- ![Tests](https://img.shields.io/github/workflow/status/michelcrypt4d4mus/yaralyzer/tests?label=tests) -->
 ![Python Version](https://img.shields.io/pypi/pyversions/yaralyzer)
-![Release](https://img.shields.io/github/v/release/michelcrypt4d4mus/yaralyzer?sort=semver)
+![Release](https://img.shields.io/pypi/v/yaralyzer)
 ![Downloads](https://img.shields.io/pypi/dm/yaralyzer)
 
 # THE YARALYZER
@@ -26,8 +26,8 @@ yaralyze --hex-pattern 'd0 93 d0 a3 d0 [-] 9b d0 90 d0 93' one_day_in_the_life_o
 #### What It Do
 1. **See the actual bytes your YARA rules are matching.** No more digging around copy/pasting the start positions reported by YARA into your favorite hex editor. Displays both the bytes matched by YARA as well as a configurable number of bytes before and after each match in hexadecimal and "raw" python string representation.
 1. **Do the same for byte patterns and regular expressions without writing a YARA file.** If you're too lazy to write a YARA file but are trying to determine, say, whether there's a regular expression hidden somewhere in the file you could scan for the pattern `'/.+/'` and immediately get a window into all the bytes in the file that live between front slashes. Same story for quotes, BOMs, etc. Any regex YARA can handle is supported so the sky is the limit.
-1. **Detect the possible encodings of each set of matched bytes.** [The `chardet` library](https://github.com/chardet/chardet) is a sophisticated library for guessing character encodings and it is leveraged here.
-1. **Display the result of forcing various character encodings upon the matched areas.** Several default character encodings will be _forcibly_ attempted in the region around the match. [`chardet`](https://github.com/chardet/chardet) will also be leveraged to see if the bytes fit the pattern of _any_ known encoding. If `chardet` is confident enough (configurable), an attempt at decoding the bytes using that encoding will be displayed.
+1. **Detect the possible encodings of each set of matched bytes.** [`chardet`](https://github.com/chardet/chardet) is a sophisticated library for guessing character encodings and it is leveraged here.
+1. **Display the result of forcing various character encodings upon the matched areas.** Several default character encodings will be _forcibly_ attempted in the region around the match. [`chardet`](https://github.com/chardet/chardet) will also be leveraged to see if the bytes fit the pattern of _any_ known encoding. If `chardet` is confident enough (configurable) an attempt at decoding the bytes using that encoding will be displayed.
 1. **Export the matched regions/decodings to SVG, HTML, and colored text files.** Show off your ASCII art.
 
 #### Why It Do
@@ -61,7 +61,7 @@ Run `yaralyze -h` to see the command line options (screenshot below).
 For info on exporting SVG images, HTML, etc., see [Example Output](#example-output).
 
 ### Configuration
-If you place a filed called `.yaralyzer` in your home directory or the current working directory then environment variables specified in that `.yaralyzer` file will be added to the environment each time yaralyzer is invoked. This provides a mechanism for permanently configuring various command line options so you can avoid typing them over and over. See the example file [`.yaralyzer.example`](.yaralyzer.example) to see which options can be configured this way.
+If you place a file called `.yaralyzer` in your home directory or the current working directory then environment variables specified in that `.yaralyzer` file will be added to the environment each time yaralyzer is invoked. This provides a mechanism for permanently configuring various command line options so you can avoid typing them over and over. See the example file [`.yaralyzer.example`](.yaralyzer.example) to see which options can be configured this way.
 
 Only one `.yaralyzer` file will be loaded and the working directory's `.yaralyzer` takes precedence over the home directory's `.yaralyzer`.
 
@@ -105,6 +105,7 @@ The Yaralyzer can export visualizations to HTML, ANSI colored text, and SVG vect
 
 
 # TODO
+* For some reason when displaying matches the output to a file iterates over all matches in a different way than just running in the console. Presumably this is related to the `rich` rendering engine in some way. For now the console output is the "more correct" one so it's generally OK. See [`issue_with_output_to_console_correct`](doc/rendered_images/issue_with_output_to_console_correct.png) vs. [`issue_with_output_to_txt_file_incorrect.png`](doc/rendered_images/issue_with_output_to_txt_file_incorrect.png)
 * highlight decodes done at `chardet`s behest
 * deal with repetitive matches
 

{yaralyzer-0.9.3 → yaralyzer-0.9.5}/pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "yaralyzer"
-version = "0.9.3"
+version = "0.9.5"
 description = "Visualize and force decode YARA and regex matches found in a file or byte stream. With colors. Lots of colors."
 authors = ["Michel de Cryptadamus <michel@cryptadamus.com>"]
 readme = "README.md"
@@ -44,7 +44,7 @@ chardet = "^5.0.0"
 python-dotenv = "^0.21.0"
 rich = "^12.5.1"
 rich-argparse-plus = "^0.3.1"
-yara-python = "~4.2.3"
+yara-python = "^4.3.0"
 
 [tool.poetry.group.dev.dependencies]
 pytest = "^7.1.3"

{yaralyzer-0.9.3 → yaralyzer-0.9.5}/yaralyzer/bytes_match.py

@@ -10,6 +10,7 @@ from typing import Iterator, Optional
 
 from rich.table import Table
 from rich.text import Text
+from yara import StringMatch, StringMatchInstance
 
 from yaralyzer.config import YaralyzerConfig
 from yaralyzer.helpers.rich_text_helper import prefix_with_plain_text_obj
@@ -41,10 +42,10 @@ class BytesMatch:
         self.label: str = label
         self.ordinal: int = ordinal
         self.match: Optional[re.Match] = match
-        # Maybe should be called "matched_bytes"
-        self.bytes = matched_against[start_idx:self.end_idx]
+        self.bytes = matched_against[start_idx:self.end_idx]  # TODO: Maybe should be called "matched_bytes"
         self.match_groups: Optional[tuple] = match.groups() if match else None
         self._find_surrounding_bytes()
+
         # Adjust the highlighting start point in case this match is very early in the stream
         self.highlight_start_idx = start_idx - self.surrounding_start_idx
         self.highlight_end_idx = self.highlight_start_idx + self.length
@@ -65,14 +66,15 @@ class BytesMatch:
             cls,
             matched_against: bytes,
             rule_name: str,
-            yara_str: dict,
+            yara_str_match: StringMatch,
+            yara_str_match_instance: StringMatchInstance,
             ordinal: int,
             highlight_style: str = YaralyzerConfig.HIGHLIGHT_STYLE
         ) -> 'BytesMatch':
-        """Build a BytesMatch from a yara string match. matched_against is the set of bytes yara was run against"""
-        # Don't duplicate the labeling if rule_name and yara_str are the same
-        pattern_label = yara_str[1]
+        """Build a BytesMatch from a yara string match. 'matched_against' is the set of bytes yara was run against."""
+        pattern_label = yara_str_match.identifier
 
+        # Don't duplicate the labeling if rule_name and yara_str are the same
         if pattern_label == '$' + rule_name:
             label = pattern_label
         else:
@@ -80,8 +82,8 @@ class BytesMatch:
 
         return cls(
             matched_against=matched_against,
-            start_idx=yara_str[0],
-            length=len(yara_str[2]),
+            start_idx=yara_str_match_instance.offset,
+            length=yara_str_match_instance.matched_length,
             label=label,
             ordinal=ordinal,
             highlight_style=highlight_style)
@@ -94,8 +96,20 @@ class BytesMatch:
             highlight_style: str = YaralyzerConfig.HIGHLIGHT_STYLE
         ) -> Iterator['BytesMatch']:
         """Iterator w/a BytesMatch for each string returned as part of a YARA match result dict."""
-        for i, yara_str in enumerate(yara_match['strings']):
-            yield(cls.from_yara_str(matched_against, yara_match['rule'], yara_str, i + 1, highlight_style))
+        i = 0  # For numbered labeling
+
+        # yara-python's internals changed with 4.3.0: https://github.com/VirusTotal/yara-python/releases/tag/v4.3.0
+        for yara_str_match in yara_match['strings']:
+            for yara_str_match_instance in yara_str_match.instances:
+                i += 1
+
+                yield(cls.from_yara_str(
+                    matched_against,
+                    yara_match['rule'],
+                    yara_str_match,
+                    yara_str_match_instance,
+                    i,
+                    highlight_style))
 
     def style_at_position(self, idx) -> str:
         """Get the style for the byte at position idx within the matched bytes"""

{yaralyzer-0.9.3 → yaralyzer-0.9.5}/yaralyzer/config.py

@@ -13,10 +13,9 @@ MEGABYTE = 1024 * KILOBYTE
 
 def config_var_name(env_var: str) -> str:
     """
-    Get the name of env_var and strip off 'YARALYZER_':
-
-    SURROUNDING_BYTES_ENV_VAR = 'YARALYZER_SURROUNDING_BYTES'
-    config_var_name(SURROUNDING_BYTES_ENV_VAR) => 'SURROUNDING_BYTES'
+    Get the name of env_var and strip off 'YARALYZER_', e.g.:
+        SURROUNDING_BYTES_ENV_VAR = 'YARALYZER_SURROUNDING_BYTES'
+        config_var_name(SURROUNDING_BYTES_ENV_VAR) => 'SURROUNDING_BYTES'
     """
     env_var = env_var.removeprefix("YARALYZER_")
     return f'{env_var=}'.partition('=')[0]
@@ -71,7 +70,7 @@ class YaralyzerConfig:
     ]
 
     @classmethod
-    def set_argument_parser(cls, parser):
+    def set_argument_parser(cls, parser: ArgumentParser) -> None:
         cls._argument_parser: ArgumentParser = parser
         cls._argparse_keys: List[str] = sorted([action.dest for action in parser._actions])
 
@@ -93,7 +92,7 @@ class YaralyzerConfig:
             if isinstance(arg_value, bool):
                 setattr(args, option, arg_value or is_env_var_set_and_not_false(env_var))
             elif isinstance(arg_value, (int, float)):
-                # Check against defaults to avoid overriding env var configured optoins
+                # Check against defaults to avoid overriding env var configured options
                 if arg_value == default_value and env_value is not None:
                     setattr(args, option, int(env_value) or arg_value)  # TODO: float args not handled
             else:

{yaralyzer-0.9.3 → yaralyzer-0.9.5}/yaralyzer/encoding_detection/encoding_detector.py

@@ -1,6 +1,6 @@
 """
 Manager class to ease dealing with the chardet encoding detection library 'chardet'.
-Each instance of this classes managed a chardet.detect_all() scan on a single set of bytes.
+Each instance of this class manages a chardet.detect_all() scan on a single set of bytes.
 """
 from operator import attrgetter
 from typing import List
@@ -30,6 +30,7 @@ class EncodingDetector:
         self.bytes_len = len(_bytes)
         self.table = _empty_chardet_results_table()
 
+        # Skip chardet if there's not enough bytes available
         if not self.has_enough_bytes():
             log.debug(f"{self.bytes_len} is not enough bytes to run chardet.detect()")
             self._set_empty_results()

{yaralyzer-0.9.3 → yaralyzer-0.9.5}/yaralyzer/helpers/bytes_helper.py

@@ -1,6 +1,7 @@
-import hashlib
+"""
+Helper methods to work with bytes.
+"""
 import re
-from collections import namedtuple
 from io import StringIO
 from sys import byteorder
 

{yaralyzer-0.9.3 → yaralyzer-0.9.5}/yaralyzer/helpers/file_helper.py

@@ -1,3 +1,6 @@
+"""
+Helper methods to work with files.
+"""
 from datetime import datetime
 from os import listdir, path
 from typing import List, Optional
@@ -10,7 +13,7 @@ def timestamp_for_filename() -> str:
 
 def files_in_dir(dir: str, with_extname: Optional[str] = None) -> List[str]:
     """paths for non dot files, optionally ending in 'with_extname'"""
-    files = [path.join(dir, file) for file in listdir(dir) if not file.startswith('.')]
+    files = [path.join(dir, path.basename(file)) for file in listdir(dir) if not file.startswith('.')]
     files = [file for file in files if not path.isdir(file)]
 
     if with_extname:

{yaralyzer-0.9.3 → yaralyzer-0.9.5}/yaralyzer/helpers/string_helper.py

@@ -1,6 +1,12 @@
+"""
+Helper methods to work with strings.
+"""
 from functools import partial
 from typing import Any, Callable, List
 
+INDENT_DEPTH = 4
+INDENT_SPACES = INDENT_DEPTH * ' '
+
 
 def escape_yara_pattern(pattern: str) -> str:
     return pattern.replace('/', '\\/')

{yaralyzer-0.9.3 → yaralyzer-0.9.5}/yaralyzer/output/file_hashes_table.py

@@ -1,5 +1,5 @@
 """
-Methods for building Rich layout elements
+Methods for building Rich layout elements for display of results.
 """
 import hashlib
 from collections import namedtuple

{yaralyzer-0.9.3 → yaralyzer-0.9.5}/yaralyzer/output/rich_console.py

@@ -1,8 +1,14 @@
+"""
+Variables and methods for working with Rich text output.
+"""
 from shutil import get_terminal_size
+from sys import exit
 from typing import List
 
+from rich import box
 from rich.console import Console
 from rich.errors import MarkupError
+from rich.panel import Panel
 from rich.style import Style
 from rich.text import Text
 from rich.theme import Theme
@@ -107,3 +113,14 @@ def console_print_with_fallback(_string, style=None) -> None:
 
 def theme_colors_with_prefix(prefix: str) -> List[Text]:
     return [Text(k, v) for k, v in YARALYZER_THEME.styles.items() if k.startswith(prefix)]
+
+
+def print_fatal_error_and_exit(error_message: str) -> None:
+    console.line(1)
+    print_header_panel(error_message, style='bold red reverse')
+    console.line(1)
+    exit()
+
+
+def print_header_panel(headline: str, style: str, expand: bool = True, padding: tuple = (0,2)) -> None:
+    console.print(Panel(headline, box=box.DOUBLE_EDGE, style=style, expand=expand, padding=padding))

{yaralyzer-0.9.3 → yaralyzer-0.9.5}/yaralyzer/util/argument_parser.py

@@ -49,7 +49,7 @@ source.add_argument('--yara-file', '-Y',
                     dest='yara_rules_files')
 
 source.add_argument('--rule-dir', '-dir',
-                    help='directory with .yara files (can be supplied more than once)',
+                    help='directory with yara rules files (all files are used, can be supplied more than once)',
                     action='append',
                     metavar='DIR',
                     dest='yara_rules_dirs')
@@ -161,7 +161,7 @@ export = parser.add_argument_group(
     'FILE EXPORT',
     "Multiselect. Choosing nothing is choosing nothing. Sends what you see on the screen to various file " + \
         "formats in parallel. Writes files to the current directory if --output-dir is not provided. " + \
-        "Filenames are expansion of the scanned filename though you can use --file-prefix to make your " +
+        "Filenames are expansions of the scanned filename though you can use --file-prefix to make your " +
         "filenames more unique and beautiful to their beholder.")
 
 export.add_argument('-svg', '--export-svg',

{yaralyzer-0.9.3 → yaralyzer-0.9.5}/yaralyzer/yara/yara_match.py

@@ -8,12 +8,13 @@ Rich text decorator for YARA match dicts, which look like this:
     'rule': 'my_rule',
     'meta': {},
     'strings': [
-        (81L, '$a', 'abc'),
-        (141L, '$b', 'def')
+        StringMatch1,
+        StringMatch2
     ]
 }
 """
 import re
+from copy import deepcopy
 from numbers import Number
 from typing import Any, Dict
 
@@ -21,9 +22,11 @@ from rich.console import Console, ConsoleOptions, RenderResult
 from rich.padding import Padding
 from rich.panel import Panel
 from rich.text import Text
+from yara import StringMatch
 
 from yaralyzer.helpers.bytes_helper import clean_byte_string
 from yaralyzer.helpers.rich_text_helper import CENTER
+from yaralyzer.helpers.string_helper import INDENT_SPACES
 from yaralyzer.output.rich_console import console_width, theme_colors_with_prefix
 from yaralyzer.util.logging import log
 
@@ -56,16 +59,16 @@ class YaraMatch:
 
     def __rich_console__(self, _console: Console, options: ConsoleOptions) -> RenderResult:
         """Renders a panel showing the color highlighted raw YARA match info."""
-        yield(Text("\n"))
+        yield Text("\n")
         yield Padding(Panel(self.label, expand=False, style=f"on color(251) reverse"), MATCH_PADDING)
-        yield(RAW_YARA_THEME_TXT)
+        yield RAW_YARA_THEME_TXT
         yield Padding(Panel(_rich_yara_match(self.match)), MATCH_PADDING)
 
 
 def _rich_yara_match(element: Any, depth: int = 0) -> Text:
-    """Mildly painful/hacky way of coloring a yara result hash."""
-    indent = Text((depth + 1) * 4 * ' ')
-    end_indent = Text(depth * 4 * ' ')
+    """Painful/hacky way of recursively coloring a yara result hash."""
+    indent = Text((depth + 1) * INDENT_SPACES)
+    end_indent = Text(depth * INDENT_SPACES)
 
     if isinstance(element, str):
         txt = _yara_string(element)
@@ -79,6 +82,17 @@ def _rich_yara_match(element: Any, depth: int = 0) -> Text:
         if len(element) == 0:
             txt = Text('[]', style='white')
         else:
+            if isinstance(element[0], StringMatch):
+                # In yara-python 4.3.0 the StringMatch type was introduced so we just make it look like
+                # the old list of tuples format (see: https://github.com/VirusTotal/yara-python/releases/tag/v4.3.0)
+                match_tuples = [
+                    (match.identifier, match_instance.offset, match_instance.matched_data)
+                    for match in element
+                    for match_instance in match.instances
+                ]
+
+                return _rich_yara_match(match_tuples, depth)
+
             total_length = sum([len(str(e)) for e in element]) + ((len(element) - 1) * 2) + len(indent) + 2
             elements_txt = [_rich_yara_match(e, depth + 1) for e in element]
             list_txt = Text('[', style='white')

{yaralyzer-0.9.3 → yaralyzer-0.9.5}/yaralyzer/yaralyzer.py

@@ -9,6 +9,7 @@ Alternate constructors are provided depending on whether:
 The real action happens in the __rich__console__() dunder method.
 """
 from os import path
+from sys import exit
 from typing import Iterator, List, Optional, Tuple, Union
 
 import yara
@@ -23,13 +24,13 @@ from yaralyzer.helpers.file_helper import files_in_dir, load_binary_data
 from yaralyzer.helpers.rich_text_helper import dim_if, reverse_color
 from yaralyzer.helpers.string_helper import comma_join, newline_join
 from yaralyzer.output.regex_match_metrics import RegexMatchMetrics
-from yaralyzer.output.rich_console import YARALYZER_THEME, console
+from yaralyzer.output.rich_console import YARALYZER_THEME, console, print_fatal_error_and_exit
 from yaralyzer.output.file_hashes_table import bytes_hashes_table
 from yaralyzer.util.logging import log
 from yaralyzer.yara.yara_match import YaraMatch
 from yaralyzer.yara.yara_rule_builder import yara_rule_string
 
-YARA_EXT = 'yara'
+YARA_FILE_DOES_NOT_EXIST_ERROR_MSG = "is not a valid yara rules file (it doesn't exist)"
 
 
 # TODO: might be worth introducing a Scannable namedtuple or similar
@@ -93,10 +94,15 @@ class Yaralyzer:
 
         for file in yara_rules_files:
             if not path.exists(file):
-                raise ValueError(f"'{file}' is not a valid yara rules file (it doesn't exist)")
+                raise ValueError(f"'{file}' {YARA_FILE_DOES_NOT_EXIST_ERROR_MSG}")
 
         filepaths_arg = {path.basename(file): file for file in yara_rules_files}
-        yara_rules = yara.compile(filepaths=filepaths_arg)
+
+        try:
+            yara_rules = yara.compile(filepaths=filepaths_arg)
+        except yara.SyntaxError as e:
+            print_fatal_error_and_exit(f"Failed to parse YARA rules file(s): {e}")
+
         yara_rules_label = comma_join(yara_rules_files, func=path.basename)
         return cls(yara_rules, yara_rules_label, scannable, scannable_label)
 
@@ -111,7 +117,7 @@ class Yaralyzer:
         if not (isinstance(dirs, list) and all(path.isdir(dir) for dir in dirs)):
             raise TypeError(f"'{dirs}' is not a list of valid directories")
 
-        rules_files = [path.join(dir, f) for dir in dirs for f in files_in_dir(dir, YARA_EXT)]
+        rules_files = [path.join(dir, f) for dir in dirs for f in files_in_dir(dir)]
         return cls.for_rules_files(rules_files, scannable, scannable_label)
 
     @classmethod

{yaralyzer-0.9.3 → yaralyzer-0.9.5}/yaralyzer/output/file_export.py

@@ -46,6 +46,7 @@ _EXPORT_KWARGS = {
     },
 }
 
+
 def invoke_rich_export(export_method, output_file_basepath) -> str:
     """
     Announce the export, perform the export, announce completion.
@@ -72,4 +73,3 @@ def invoke_rich_export(export_method, output_file_basepath) -> str:
     elapsed_time = time.perf_counter() - start_time
     log_and_print(f"'{output_file_path}' written in {elapsed_time:02f} seconds")
     return output_file_path
-