yaralyzer 0.9.4__tar.gz → 0.9.6__tar.gz

{yaralyzer-0.9.4 → yaralyzer-0.9.6}/.yaralyzer.example

@@ -9,10 +9,11 @@
 # YARALYZER_MAXIMIZE_WIDTH=True
 
 
+
 # Expand the width of the output to the fit the display window (same as the --maximize-width options)
 #    YARALYZER_MAXIMIZE_WIDTH=True
 
-# Passed through to yara.set_config() as the stack_size and max_match_data arguments
+# yara-python internal options passed through to yara.set_config() as the stack_size and max_match_data arguments
 #    YARALYZER_STACK_SIZE=10485760
 #    YARALYZER_MAX_MATCH_LENGTH=10737418240
 
@@ -27,7 +28,7 @@
 #    YARALYZER_MIN_CHARDET_CONFIDENCE=2.0
 
 # Configure how many bytes before and after any binary data should be included in scans and visualizations
-#    PDFAlYZER_SURROUNDING_BYTES=64
+#    YARALYZER_SURROUNDING_BYTES=64
 
 # Size thresholds (in bytes) under/over which yaralyzer will NOT make attempts to decode a match.
 # Longer byte sequences are for obvious reasons slower to decode by force.
@@ -35,8 +36,8 @@
 # (in my experience) less likely to be maningful. Consider it - two frontslash characters 20,000 lines apart
 # are more likely to be random than those same frontslashes when placed nearer to each other and
 # in the vicinity of lot of computerized sigils of internet power like `.', `+bacd*?`,. and other regexes.*
-# Keeping the max value number low will do more to affect the speed of the app than ay anything else you
-# can easily configure..
+# Keeping the max value number low will do more to affect the speed of the app than anything else you
+# can easily configure.
 #
 #    YARALYZER_MIN_DECODE_LENGTH=1
 #    YARALYZER_MAX_DECODE_LENGTH=256
@@ -58,6 +59,3 @@
 
 # Log level
 #    YARALYZER_LOG_LEVEL='WARN'
-
-# Path to directory containing Didier Stevens's pdf-parser.py. Only required for extracting binary streams to files.
-#    YARALYZER_PDF_PARSER_PY_PATH=/path/to/pdfparserdotpy/

{yaralyzer-0.9.4 → yaralyzer-0.9.6}/CHANGELOG.md

@@ -1,5 +1,12 @@
 # NEXT RELEASE
 
+### 0.9.6
+* Fix help message
+
+### 0.9.5
+* Use all files in a directory specified by `--rule-dir` instead of just those with the extension `.yara`
+* Fix bug where `--rule-dir` is prefixed by `./`
+
 ### 0.9.4
 * Bump `yara-python` to 4.3.0+ and deal with backwards incompatibility
 

{yaralyzer-0.9.4 → yaralyzer-0.9.6}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: yaralyzer
-Version: 0.9.4
+Version: 0.9.6
 Summary: Visualize and force decode YARA and regex matches found in a file or byte stream. With colors. Lots of colors.
 Home-page: https://github.com/michelcrypt4d4mus/yaralyzer
 License: GPL-3.0-or-later
@@ -131,7 +131,7 @@ The Yaralyzer can export visualizations to HTML, ANSI colored text, and SVG vect
 
 
 # TODO
-* For some reason when displaying matches the output to a file iterates over all matches in a different way than just running in the console. Presumably this is related to the `rich` rendering engine in some way. For now the console output is the "more correct" one so it's generally OK. See [`issue_with_output_to_console_correct`](doc/rendered_images/issue_with_output_to_console_correct.png) vs. [`doc/rendered_images/issue_with_output_to_txt_file_incorrect.png`](doc/rendered_images/issue_with_output_to_txt_file_incorrect.png)
+* For some reason when displaying matches the output to a file iterates over all matches in a different way than just running in the console. Presumably this is related to the `rich` rendering engine in some way. For now the console output is the "more correct" one so it's generally OK. See [`issue_with_output_to_console_correct`](doc/rendered_images/issue_with_output_to_console_correct.png) vs. [`issue_with_output_to_txt_file_incorrect.png`](doc/rendered_images/issue_with_output_to_txt_file_incorrect.png)
 * highlight decodes done at `chardet`s behest
 * deal with repetitive matches
 

{yaralyzer-0.9.4 → yaralyzer-0.9.6}/README.md

@@ -105,7 +105,7 @@ The Yaralyzer can export visualizations to HTML, ANSI colored text, and SVG vect
 
 
 # TODO
-* For some reason when displaying matches the output to a file iterates over all matches in a different way than just running in the console. Presumably this is related to the `rich` rendering engine in some way. For now the console output is the "more correct" one so it's generally OK. See [`issue_with_output_to_console_correct`](doc/rendered_images/issue_with_output_to_console_correct.png) vs. [`doc/rendered_images/issue_with_output_to_txt_file_incorrect.png`](doc/rendered_images/issue_with_output_to_txt_file_incorrect.png)
+* For some reason when displaying matches the output to a file iterates over all matches in a different way than just running in the console. Presumably this is related to the `rich` rendering engine in some way. For now the console output is the "more correct" one so it's generally OK. See [`issue_with_output_to_console_correct`](doc/rendered_images/issue_with_output_to_console_correct.png) vs. [`issue_with_output_to_txt_file_incorrect.png`](doc/rendered_images/issue_with_output_to_txt_file_incorrect.png)
 * highlight decodes done at `chardet`s behest
 * deal with repetitive matches
 

{yaralyzer-0.9.4 → yaralyzer-0.9.6}/pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "yaralyzer"
-version = "0.9.4"
+version = "0.9.6"
 description = "Visualize and force decode YARA and regex matches found in a file or byte stream. With colors. Lots of colors."
 authors = ["Michel de Cryptadamus <michel@cryptadamus.com>"]
 readme = "README.md"

{yaralyzer-0.9.4 → yaralyzer-0.9.6}/yaralyzer/encoding_detection/encoding_detector.py

@@ -1,6 +1,6 @@
 """
 Manager class to ease dealing with the chardet encoding detection library 'chardet'.
-Each instance of this classes managed a chardet.detect_all() scan on a single set of bytes.
+Each instance of this class manages a chardet.detect_all() scan on a single set of bytes.
 """
 from operator import attrgetter
 from typing import List
@@ -30,6 +30,7 @@ class EncodingDetector:
         self.bytes_len = len(_bytes)
         self.table = _empty_chardet_results_table()
 
+        # Skip chardet if there's not enough bytes available
         if not self.has_enough_bytes():
             log.debug(f"{self.bytes_len} is not enough bytes to run chardet.detect()")
             self._set_empty_results()

{yaralyzer-0.9.4 → yaralyzer-0.9.6}/yaralyzer/helpers/bytes_helper.py

@@ -1,6 +1,7 @@
-import hashlib
+"""
+Helper methods to work with bytes.
+"""
 import re
-from collections import namedtuple
 from io import StringIO
 from sys import byteorder
 

{yaralyzer-0.9.4 → yaralyzer-0.9.6}/yaralyzer/helpers/file_helper.py

@@ -1,3 +1,6 @@
+"""
+Helper methods to work with files.
+"""
 from datetime import datetime
 from os import listdir, path
 from typing import List, Optional
@@ -10,7 +13,7 @@ def timestamp_for_filename() -> str:
 
 def files_in_dir(dir: str, with_extname: Optional[str] = None) -> List[str]:
     """paths for non dot files, optionally ending in 'with_extname'"""
-    files = [path.join(dir, file) for file in listdir(dir) if not file.startswith('.')]
+    files = [path.join(dir, path.basename(file)) for file in listdir(dir) if not file.startswith('.')]
     files = [file for file in files if not path.isdir(file)]
 
     if with_extname:

{yaralyzer-0.9.4 → yaralyzer-0.9.6}/yaralyzer/helpers/string_helper.py

@@ -1,3 +1,6 @@
+"""
+Helper methods to work with strings.
+"""
 from functools import partial
 from typing import Any, Callable, List
 

{yaralyzer-0.9.4 → yaralyzer-0.9.6}/yaralyzer/output/file_hashes_table.py

@@ -1,5 +1,5 @@
 """
-Methods for building Rich layout elements
+Methods for building Rich layout elements for display of results.
 """
 import hashlib
 from collections import namedtuple

{yaralyzer-0.9.4 → yaralyzer-0.9.6}/yaralyzer/output/rich_console.py

@@ -1,8 +1,14 @@
+"""
+Variables and methods for working with Rich text output.
+"""
 from shutil import get_terminal_size
+from sys import exit
 from typing import List
 
+from rich import box
 from rich.console import Console
 from rich.errors import MarkupError
+from rich.panel import Panel
 from rich.style import Style
 from rich.text import Text
 from rich.theme import Theme
@@ -107,3 +113,14 @@ def console_print_with_fallback(_string, style=None) -> None:
 
 def theme_colors_with_prefix(prefix: str) -> List[Text]:
     return [Text(k, v) for k, v in YARALYZER_THEME.styles.items() if k.startswith(prefix)]
+
+
+def print_fatal_error_and_exit(error_message: str) -> None:
+    console.line(1)
+    print_header_panel(error_message, style='bold red reverse')
+    console.line(1)
+    exit()
+
+
+def print_header_panel(headline: str, style: str, expand: bool = True, padding: tuple = (0,2)) -> None:
+    console.print(Panel(headline, box=box.DOUBLE_EDGE, style=style, expand=expand, padding=padding))

{yaralyzer-0.9.4 → yaralyzer-0.9.6}/yaralyzer/util/argument_parser.py

@@ -29,7 +29,7 @@ DESCRIPTION = "Get a good hard colorful look at all the byte sequences that make
 EPILOG = "* Values for various config options can be set permanently by a .yaralyzer file in your home directory; " + \
          "see the documentation for details.\n" + \
          f"* A registry of previous yaralyzer invocations will be incribed to a file if the " + \
-         "'{YaralyzerConfig.LOG_DIR_ENV_VAR}' environment variable is configured."
+         f"{YaralyzerConfig.LOG_DIR_ENV_VAR} environment variable is configured."
 
 
 # Positional args, version, help, etc
@@ -49,7 +49,7 @@ source.add_argument('--yara-file', '-Y',
                     dest='yara_rules_files')
 
 source.add_argument('--rule-dir', '-dir',
-                    help='directory with .yara files (can be supplied more than once)',
+                    help='directory with yara rules files (all files are used, can be supplied more than once)',
                     action='append',
                     metavar='DIR',
                     dest='yara_rules_dirs')
@@ -95,7 +95,7 @@ tuning.add_argument('--suppress-decodes-table', action='store_true',
                     help='suppress decodes table entirely (including hex/raw output)')
 
 tuning.add_argument('--suppress-decoding-attempts', action='store_true',
-                    help='suppress decodes attempts for matched bytes (only hex/raw output will be shown)')
+                    help='suppress decode attempts for matched bytes (only hex/raw output will be shown)')
 
 tuning.add_argument('--min-decode-length',
                     help='suppress decode attempts for quoted byte sequences shorter than N',

{yaralyzer-0.9.4 → yaralyzer-0.9.6}/yaralyzer/yaralyzer.py

@@ -9,6 +9,7 @@ Alternate constructors are provided depending on whether:
 The real action happens in the __rich__console__() dunder method.
 """
 from os import path
+from sys import exit
 from typing import Iterator, List, Optional, Tuple, Union
 
 import yara
@@ -23,13 +24,12 @@ from yaralyzer.helpers.file_helper import files_in_dir, load_binary_data
 from yaralyzer.helpers.rich_text_helper import dim_if, reverse_color
 from yaralyzer.helpers.string_helper import comma_join, newline_join
 from yaralyzer.output.regex_match_metrics import RegexMatchMetrics
-from yaralyzer.output.rich_console import YARALYZER_THEME, console
+from yaralyzer.output.rich_console import YARALYZER_THEME, console, print_fatal_error_and_exit
 from yaralyzer.output.file_hashes_table import bytes_hashes_table
 from yaralyzer.util.logging import log
 from yaralyzer.yara.yara_match import YaraMatch
 from yaralyzer.yara.yara_rule_builder import yara_rule_string
 
-YARA_EXT = 'yara'
 YARA_FILE_DOES_NOT_EXIST_ERROR_MSG = "is not a valid yara rules file (it doesn't exist)"
 
 
@@ -97,7 +97,12 @@ class Yaralyzer:
                 raise ValueError(f"'{file}' {YARA_FILE_DOES_NOT_EXIST_ERROR_MSG}")
 
         filepaths_arg = {path.basename(file): file for file in yara_rules_files}
-        yara_rules = yara.compile(filepaths=filepaths_arg)
+
+        try:
+            yara_rules = yara.compile(filepaths=filepaths_arg)
+        except yara.SyntaxError as e:
+            print_fatal_error_and_exit(f"Failed to parse YARA rules file(s): {e}")
+
         yara_rules_label = comma_join(yara_rules_files, func=path.basename)
         return cls(yara_rules, yara_rules_label, scannable, scannable_label)
 
@@ -112,7 +117,7 @@ class Yaralyzer:
         if not (isinstance(dirs, list) and all(path.isdir(dir) for dir in dirs)):
             raise TypeError(f"'{dirs}' is not a list of valid directories")
 
-        rules_files = [path.join(dir, f) for dir in dirs for f in files_in_dir(dir, YARA_EXT)]
+        rules_files = [path.join(dir, f) for dir in dirs for f in files_in_dir(dir)]
         return cls.for_rules_files(rules_files, scannable, scannable_label)
 
     @classmethod

{yaralyzer-0.9.4 → yaralyzer-0.9.6}/yaralyzer/output/file_export.py

@@ -46,6 +46,7 @@ _EXPORT_KWARGS = {
     },
 }
 
+
 def invoke_rich_export(export_method, output_file_basepath) -> str:
     """
     Announce the export, perform the export, announce completion.
@@ -72,4 +73,3 @@ def invoke_rich_export(export_method, output_file_basepath) -> str:
     elapsed_time = time.perf_counter() - start_time
     log_and_print(f"'{output_file_path}' written in {elapsed_time:02f} seconds")
     return output_file_path
-