yaralyzer 0.9.5__py3-none-any.whl → 1.0.0__py3-none-any.whl

CHANGELOG.md

@@ -1,5 +1,11 @@
 # NEXT RELEASE
 
+# 1.0.0
+* Add `--export-json` option
+
+### 0.9.6
+* Fix help message
+
 ### 0.9.5
 * Use all files in a directory specified by `--rule-dir` instead of just those with the extension `.yara`
 * Fix bug where `--rule-dir` is prefixed by `./`

yaralyzer/__init__.py

@@ -12,7 +12,7 @@ if not environ.get('INVOKED_BY_PYTEST', False):
             break
 
 from yaralyzer.config import YaralyzerConfig
-from yaralyzer.output.file_export import invoke_rich_export
+from yaralyzer.output.file_export import export_json, invoke_rich_export
 from yaralyzer.output.rich_console import console
 from yaralyzer.util.argument_parser import get_export_basepath, parse_arguments
 from yaralyzer.util.logging import log
@@ -59,6 +59,9 @@ def yaralyze():
     if args.export_svg:
         invoke_rich_export(console.save_svg, output_basepath)
 
+    if args.export_json:
+        export_json(yaralyzer, output_basepath)
+
     if args.file_to_scan_path.endswith('.pdf'):
         console.print(PDFALYZER_MSG_TXT)
 

yaralyzer/bytes_match.py

@@ -14,9 +14,8 @@ from yara import StringMatch, StringMatchInstance
 
 from yaralyzer.config import YaralyzerConfig
 from yaralyzer.helpers.rich_text_helper import prefix_with_plain_text_obj
-from yaralyzer.output.rich_console import ALERT_STYLE, GREY_ADDRESS
 from yaralyzer.output.file_hashes_table import bytes_hashes_table
-from yaralyzer.util.logging import log
+from yaralyzer.output.rich_console import ALERT_STYLE, GREY_ADDRESS
 
 
 class BytesMatch:
@@ -157,6 +156,25 @@ class BytesMatch:
 
         return txt
 
+    def to_json(self) -> dict:
+        """Convert this BytesMatch to a JSON-serializable dict."""
+        json_dict = {
+            'label': self.label,
+            'match_length': self.match_length,
+            'matched_bytes': self.bytes.hex(),
+            'ordinal': self.ordinal,
+            'start_idx': self.start_idx,
+            'end_idx': self.end_idx,
+            'surrounding_bytes': self.surrounding_bytes.hex(),
+            'surrounding_start_idx': self.surrounding_start_idx,
+            'surrounding_end_idx': self.surrounding_end_idx,
+        }
+
+        if self.match:
+            json_dict['pattern'] = self.match.re.pattern
+
+        return json_dict
+
     def _find_surrounding_bytes(self, num_before: Optional[int] = None, num_after: Optional[int] = None) -> None:
         """Find the surrounding bytes, making sure not to step off the beginning or end"""
         num_after = num_after or num_before or YaralyzerConfig.args.surrounding_bytes

yaralyzer/output/file_export.py

@@ -1,9 +1,13 @@
+import json
 import time
+from argparse import Namespace
+from pathlib import Path
 from os import path
 
 from rich.terminal_theme import TerminalTheme
 
 from yaralyzer.util.logging import log_and_print
+from yaralyzer.yaralyzer import Yaralyzer
 
 # TerminalThemes are used when saving SVGS. This one just swaps white for black in DEFAULT_TERMINAL_THEME
 YARALYZER_TERMINAL_THEME = TerminalTheme(
@@ -47,6 +51,22 @@ _EXPORT_KWARGS = {
 }
 
 
+def export_json(yaralyzer: Yaralyzer, output_basepath: str | None) -> str:
+    """Export YARA scan results to JSON. Returns the path to the output file that was written."""
+    output_path = f"{output_basepath or 'yara_matches'}.json"
+
+    matches_data = [
+        bytes_match.to_json()
+        for bytes_match, _bytes_decoder in yaralyzer.match_iterator()
+    ]
+
+    with open(output_path, 'w') as f:
+        json.dump(matches_data, f, indent=4)
+
+    log_and_print(f"YARA matches exported to JSON file: '{output_path}'")
+    return output_path
+
+
 def invoke_rich_export(export_method, output_file_basepath) -> str:
     """
     Announce the export, perform the export, announce completion.

yaralyzer/util/argument_parser.py

@@ -29,7 +29,7 @@ DESCRIPTION = "Get a good hard colorful look at all the byte sequences that make
 EPILOG = "* Values for various config options can be set permanently by a .yaralyzer file in your home directory; " + \
          "see the documentation for details.\n" + \
          f"* A registry of previous yaralyzer invocations will be incribed to a file if the " + \
-         "'{YaralyzerConfig.LOG_DIR_ENV_VAR}' environment variable is configured."
+         f"{YaralyzerConfig.LOG_DIR_ENV_VAR} environment variable is configured."
 
 
 # Positional args, version, help, etc
@@ -95,7 +95,7 @@ tuning.add_argument('--suppress-decodes-table', action='store_true',
                     help='suppress decodes table entirely (including hex/raw output)')
 
 tuning.add_argument('--suppress-decoding-attempts', action='store_true',
-                    help='suppress decodes attempts for matched bytes (only hex/raw output will be shown)')
+                    help='suppress decode attempts for matched bytes (only hex/raw output will be shown)')
 
 tuning.add_argument('--min-decode-length',
                     help='suppress decode attempts for quoted byte sequences shorter than N',
@@ -179,6 +179,11 @@ export.add_argument('-html', '--export-html',
                     const='html',
                     help='export analysis to styled html files')
 
+export.add_argument('-json', '--export-json',
+                    action='store_const',
+                    const='json',
+                    help='export analysis to JSON files')
+
 export.add_argument('-out', '--output-dir',
                     metavar='OUTPUT_DIR',
                     help='write files to OUTPUT_DIR instead of current dir, does nothing if not exporting a file')
@@ -257,7 +262,7 @@ def parse_arguments(args: Optional[Namespace] = None):
         EncodingDetector.force_display_threshold = args.force_display_threshold
 
     # File export options
-    if args.export_svg or args.export_txt or args.export_html:
+    if args.export_html or args.export_json or args.export_svg or args.export_txt:
         args.output_dir = args.output_dir or getcwd()
     elif args.output_dir:
         log.warning('--output-dir provided but no export option was chosen')

yaralyzer/yara/yara_match.py

@@ -14,7 +14,6 @@ Rich text decorator for YARA match dicts, which look like this:
 }
 """
 import re
-from copy import deepcopy
 from numbers import Number
 from typing import Any, Dict
 

{yaralyzer-0.9.5.dist-info → yaralyzer-1.0.0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: yaralyzer
-Version: 0.9.5
+Version: 1.0.0
 Summary: Visualize and force decode YARA and regex matches found in a file or byte stream. With colors. Lots of colors.
 Home-page: https://github.com/michelcrypt4d4mus/yaralyzer
 License: GPL-3.0-or-later
@@ -113,7 +113,7 @@ for bytes_match, bytes_decoder in yaralyzer.match_iterator():
 ```
 
 # Example Output
-The Yaralyzer can export visualizations to HTML, ANSI colored text, and SVG vector images using the file export functionality that comes with [Rich](https://github.com/Textualize/rich). SVGs can be turned into `png` format images with a tool like [Inkscape](https://inkscape.org/) or `cairosvg`. In our experience they both work though we've seen some glitchiness with `cairosvg`.
+The Yaralyzer can export visualizations to HTML, ANSI colored text, and SVG vector images using the file export functionality that comes with [Rich](https://github.com/Textualize/rich) as well as a (somewhat limited) plain text JSON format. SVGs can be turned into `png` format images with a tool like [Inkscape](https://inkscape.org/) or `cairosvg`. In our experience they both work though we've seen some glitchiness with `cairosvg`.
 
 **PyPi Users:** If you are reading this document [on PyPi](https://pypi.org/project/yaralyzer/) be aware that it renders a lot better [over on GitHub](https://github.com/michelcrypt4d4mus/yaralyzer). Pretty pictures, footnotes that work, etc.
 

{yaralyzer-0.9.5.dist-info → yaralyzer-1.0.0.dist-info}/RECORD

@@ -1,7 +1,7 @@
 .yaralyzer.example,sha256=4QKFDDNvnAlT3NVS0eiM_Qed9Hxy4ZPQFJkye8lKYAk,3486
-CHANGELOG.md,sha256=Oj68DvFf03uufKLLt4kYkHNmY6o2qu5ie72MgeZYfVQ,2090
-yaralyzer/__init__.py,sha256=sU2sN1lizcfxUg4vghz_L3OUwi7sWXGvNinE_tJCa4Y,2616
-yaralyzer/bytes_match.py,sha256=6QeW1Zk9DpNQ9ks-ixnQZ-clqT8qwB2FKsmH3nmxcYI,7583
+CHANGELOG.md,sha256=XN0_isuQMJy03PATrBkBIPWyIXzUV1g5YG1FMThCves,2158
+yaralyzer/__init__.py,sha256=YItEM_QKbLUj-6QZg2ZINrTzPQZ1IHOjGgoxmRR2buA,2703
+yaralyzer/bytes_match.py,sha256=ShAxI_jZYElG1w-FJ9wNF-5SReL2uv-iJTiQQS3VTM0,8213
 yaralyzer/config.py,sha256=eRJ88wBFs1rfjOv4htI1Ye0LFCFfk4kGDiFHuqZfkX0,3730
 yaralyzer/decoding/bytes_decoder.py,sha256=lulfZZhYmo9ky2KpqBW-c9hs5_uhlaz0gatdtT_NYSY,7951
 yaralyzer/decoding/decoding_attempt.py,sha256=GAxMNOX7I_FsuzGWIelTWAECytLUJD-wpmUAuVe2bn0,7241
@@ -14,17 +14,17 @@ yaralyzer/helpers/file_helper.py,sha256=uf8dTOhRrJng0V36o7Mwk5t-L5gc4_uOaGj9F0s5
 yaralyzer/helpers/rich_text_helper.py,sha256=9Wc6WM625iKxAXRvxBkVzvszfcxb8YtqoQ6d7d8EqoQ,4218
 yaralyzer/helpers/string_helper.py,sha256=AT2_CAgpvtp8GiUSKLTiDoToDD3tBB9BbrlX-s2bL7o,932
 yaralyzer/output/decoding_attempts_table.py,sha256=cMY9eCXZHj0FfGxJ9uoM5cpdhQve-EtTRHv3fTHKJAo,3712
-yaralyzer/output/file_export.py,sha256=AsP43Y1kt-dzAHr3TuFtyihG4NqV1XNyxUve-77CAzU,2270
+yaralyzer/output/file_export.py,sha256=YfF5D8aHOUQHwV0akFaaSMafbhdhUakvipadpq6HZmk,2927
 yaralyzer/output/file_hashes_table.py,sha256=SnS2ip8dSeHoycQ0Ng3Gtpv9rXJSkKnvD2krTuhNg7s,1632
 yaralyzer/output/regex_match_metrics.py,sha256=deJPaVnhpy-AUX6PCE_jbPLIlmfIOtl-cEVWsiFp3KY,3003
 yaralyzer/output/rich_console.py,sha256=Botb8aec4_aRiPyaEkwrnhwERHE8a5-lk5KfgzXVlBE,4202
-yaralyzer/util/argument_parser.py,sha256=T1pkAHpanDQVflBQnPbwgVPhSFIQ_HlgIvH8USBj5is,12577
+yaralyzer/util/argument_parser.py,sha256=cVUe3lQCb6iFnP5leE-C0OeXkBPomw55Xi1MiD1Gl50,12776
 yaralyzer/util/logging.py,sha256=3qtLnCFbN8L1nTSwIQvxfcM5jfhIRWTFZj9XGQk74kc,4326
-yaralyzer/yara/yara_match.py,sha256=qR8GNnmHiN-SzNwkWYcJa1Kb6RQUeNtcjpjccoI8wIQ,5145
+yaralyzer/yara/yara_match.py,sha256=4_26eaJT9I0PULiCdxerQtX4TfAIwcT-B6GJociGM9A,5119
 yaralyzer/yara/yara_rule_builder.py,sha256=kAa3RBojM5GEaXDJjKZODAyx6yj34AlkOnQhACAFfZM,3021
 yaralyzer/yaralyzer.py,sha256=f1y8qST6GZHEWl7nDNEBWpQuYjnsJ8dm9nGPWqZ4Hkk,9417
-yaralyzer-0.9.5.dist-info/LICENSE,sha256=OXLcl0T2SZ8Pmy2_dmlvKuetivmyPd5m1q-Gyd-zaYY,35149
-yaralyzer-0.9.5.dist-info/METADATA,sha256=Y1tkX0iDOd7pQIR1lzeLgRwFtxSMnnpIu07ryRjgxvs,10740
-yaralyzer-0.9.5.dist-info/WHEEL,sha256=d2fvjOD7sXsVzChCqf0Ty0JbHKBaLYwDbGQDwQTnJ50,88
-yaralyzer-0.9.5.dist-info/entry_points.txt,sha256=7LnLJrNTfql0vuctjRWwp_ZD-BYvtv9ENVipdjuT7XI,136
-yaralyzer-0.9.5.dist-info/RECORD,,
+yaralyzer-1.0.0.dist-info/LICENSE,sha256=OXLcl0T2SZ8Pmy2_dmlvKuetivmyPd5m1q-Gyd-zaYY,35149
+yaralyzer-1.0.0.dist-info/METADATA,sha256=HfE-vyCyOUs_QyM7saQAU9b4hiS9poBxuwLuFf8jsNM,10795
+yaralyzer-1.0.0.dist-info/WHEEL,sha256=d2fvjOD7sXsVzChCqf0Ty0JbHKBaLYwDbGQDwQTnJ50,88
+yaralyzer-1.0.0.dist-info/entry_points.txt,sha256=7LnLJrNTfql0vuctjRWwp_ZD-BYvtv9ENVipdjuT7XI,136
+yaralyzer-1.0.0.dist-info/RECORD,,