yaralyzer 0.9.6__tar.gz → 1.0.0__tar.gz

{yaralyzer-0.9.6 → yaralyzer-1.0.0}/CHANGELOG.md

@@ -1,5 +1,8 @@
 # NEXT RELEASE
 
+# 1.0.0
+* Add `--export-json` option
+
 ### 0.9.6
 * Fix help message
 

{yaralyzer-0.9.6 → yaralyzer-1.0.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: yaralyzer
-Version: 0.9.6
+Version: 1.0.0
 Summary: Visualize and force decode YARA and regex matches found in a file or byte stream. With colors. Lots of colors.
 Home-page: https://github.com/michelcrypt4d4mus/yaralyzer
 License: GPL-3.0-or-later
@@ -113,7 +113,7 @@ for bytes_match, bytes_decoder in yaralyzer.match_iterator():
 ```
 
 # Example Output
-The Yaralyzer can export visualizations to HTML, ANSI colored text, and SVG vector images using the file export functionality that comes with [Rich](https://github.com/Textualize/rich). SVGs can be turned into `png` format images with a tool like [Inkscape](https://inkscape.org/) or `cairosvg`. In our experience they both work though we've seen some glitchiness with `cairosvg`.
+The Yaralyzer can export visualizations to HTML, ANSI colored text, and SVG vector images using the file export functionality that comes with [Rich](https://github.com/Textualize/rich) as well as a (somewhat limited) plain text JSON format. SVGs can be turned into `png` format images with a tool like [Inkscape](https://inkscape.org/) or `cairosvg`. In our experience they both work though we've seen some glitchiness with `cairosvg`.
 
 **PyPi Users:** If you are reading this document [on PyPi](https://pypi.org/project/yaralyzer/) be aware that it renders a lot better [over on GitHub](https://github.com/michelcrypt4d4mus/yaralyzer). Pretty pictures, footnotes that work, etc.
 

{yaralyzer-0.9.6 → yaralyzer-1.0.0}/README.md

@@ -87,7 +87,7 @@ for bytes_match, bytes_decoder in yaralyzer.match_iterator():
 ```
 
 # Example Output
-The Yaralyzer can export visualizations to HTML, ANSI colored text, and SVG vector images using the file export functionality that comes with [Rich](https://github.com/Textualize/rich). SVGs can be turned into `png` format images with a tool like [Inkscape](https://inkscape.org/) or `cairosvg`. In our experience they both work though we've seen some glitchiness with `cairosvg`.
+The Yaralyzer can export visualizations to HTML, ANSI colored text, and SVG vector images using the file export functionality that comes with [Rich](https://github.com/Textualize/rich) as well as a (somewhat limited) plain text JSON format. SVGs can be turned into `png` format images with a tool like [Inkscape](https://inkscape.org/) or `cairosvg`. In our experience they both work though we've seen some glitchiness with `cairosvg`.
 
 **PyPi Users:** If you are reading this document [on PyPi](https://pypi.org/project/yaralyzer/) be aware that it renders a lot better [over on GitHub](https://github.com/michelcrypt4d4mus/yaralyzer). Pretty pictures, footnotes that work, etc.
 

{yaralyzer-0.9.6 → yaralyzer-1.0.0}/pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "yaralyzer"
-version = "0.9.6"
+version = "1.0.0"
 description = "Visualize and force decode YARA and regex matches found in a file or byte stream. With colors. Lots of colors."
 authors = ["Michel de Cryptadamus <michel@cryptadamus.com>"]
 readme = "README.md"

{yaralyzer-0.9.6 → yaralyzer-1.0.0}/yaralyzer/__init__.py

@@ -12,7 +12,7 @@ if not environ.get('INVOKED_BY_PYTEST', False):
             break
 
 from yaralyzer.config import YaralyzerConfig
-from yaralyzer.output.file_export import invoke_rich_export
+from yaralyzer.output.file_export import export_json, invoke_rich_export
 from yaralyzer.output.rich_console import console
 from yaralyzer.util.argument_parser import get_export_basepath, parse_arguments
 from yaralyzer.util.logging import log
@@ -59,6 +59,9 @@ def yaralyze():
     if args.export_svg:
         invoke_rich_export(console.save_svg, output_basepath)
 
+    if args.export_json:
+        export_json(yaralyzer, output_basepath)
+
     if args.file_to_scan_path.endswith('.pdf'):
         console.print(PDFALYZER_MSG_TXT)
 

{yaralyzer-0.9.6 → yaralyzer-1.0.0}/yaralyzer/bytes_match.py

@@ -14,9 +14,8 @@ from yara import StringMatch, StringMatchInstance
 
 from yaralyzer.config import YaralyzerConfig
 from yaralyzer.helpers.rich_text_helper import prefix_with_plain_text_obj
-from yaralyzer.output.rich_console import ALERT_STYLE, GREY_ADDRESS
 from yaralyzer.output.file_hashes_table import bytes_hashes_table
-from yaralyzer.util.logging import log
+from yaralyzer.output.rich_console import ALERT_STYLE, GREY_ADDRESS
 
 
 class BytesMatch:
@@ -157,6 +156,25 @@ class BytesMatch:
 
         return txt
 
+    def to_json(self) -> dict:
+        """Convert this BytesMatch to a JSON-serializable dict."""
+        json_dict = {
+            'label': self.label,
+            'match_length': self.match_length,
+            'matched_bytes': self.bytes.hex(),
+            'ordinal': self.ordinal,
+            'start_idx': self.start_idx,
+            'end_idx': self.end_idx,
+            'surrounding_bytes': self.surrounding_bytes.hex(),
+            'surrounding_start_idx': self.surrounding_start_idx,
+            'surrounding_end_idx': self.surrounding_end_idx,
+        }
+
+        if self.match:
+            json_dict['pattern'] = self.match.re.pattern
+
+        return json_dict
+
     def _find_surrounding_bytes(self, num_before: Optional[int] = None, num_after: Optional[int] = None) -> None:
         """Find the surrounding bytes, making sure not to step off the beginning or end"""
         num_after = num_after or num_before or YaralyzerConfig.args.surrounding_bytes

{yaralyzer-0.9.6 → yaralyzer-1.0.0}/yaralyzer/output/file_export.py

@@ -1,9 +1,13 @@
+import json
 import time
+from argparse import Namespace
+from pathlib import Path
 from os import path
 
 from rich.terminal_theme import TerminalTheme
 
 from yaralyzer.util.logging import log_and_print
+from yaralyzer.yaralyzer import Yaralyzer
 
 # TerminalThemes are used when saving SVGS. This one just swaps white for black in DEFAULT_TERMINAL_THEME
 YARALYZER_TERMINAL_THEME = TerminalTheme(
@@ -47,6 +51,22 @@ _EXPORT_KWARGS = {
 }
 
 
+def export_json(yaralyzer: Yaralyzer, output_basepath: str | None) -> str:
+    """Export YARA scan results to JSON. Returns the path to the output file that was written."""
+    output_path = f"{output_basepath or 'yara_matches'}.json"
+
+    matches_data = [
+        bytes_match.to_json()
+        for bytes_match, _bytes_decoder in yaralyzer.match_iterator()
+    ]
+
+    with open(output_path, 'w') as f:
+        json.dump(matches_data, f, indent=4)
+
+    log_and_print(f"YARA matches exported to JSON file: '{output_path}'")
+    return output_path
+
+
 def invoke_rich_export(export_method, output_file_basepath) -> str:
     """
     Announce the export, perform the export, announce completion.

{yaralyzer-0.9.6 → yaralyzer-1.0.0}/yaralyzer/util/argument_parser.py

@@ -179,6 +179,11 @@ export.add_argument('-html', '--export-html',
                     const='html',
                     help='export analysis to styled html files')
 
+export.add_argument('-json', '--export-json',
+                    action='store_const',
+                    const='json',
+                    help='export analysis to JSON files')
+
 export.add_argument('-out', '--output-dir',
                     metavar='OUTPUT_DIR',
                     help='write files to OUTPUT_DIR instead of current dir, does nothing if not exporting a file')
@@ -257,7 +262,7 @@ def parse_arguments(args: Optional[Namespace] = None):
         EncodingDetector.force_display_threshold = args.force_display_threshold
 
     # File export options
-    if args.export_svg or args.export_txt or args.export_html:
+    if args.export_html or args.export_json or args.export_svg or args.export_txt:
         args.output_dir = args.output_dir or getcwd()
     elif args.output_dir:
         log.warning('--output-dir provided but no export option was chosen')

{yaralyzer-0.9.6 → yaralyzer-1.0.0}/yaralyzer/yara/yara_match.py

@@ -14,7 +14,6 @@ Rich text decorator for YARA match dicts, which look like this:
 }
 """
 import re
-from copy import deepcopy
 from numbers import Number
 from typing import Any, Dict