yaralyzer 1.0.5__py3-none-any.whl → 1.0.7__py3-none-any.whl
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- CHANGELOG.md +8 -0
- yaralyzer/__init__.py +0 -2
- yaralyzer/bytes_match.py +35 -33
- yaralyzer/config.py +1 -1
- yaralyzer/decoding/bytes_decoder.py +3 -6
- yaralyzer/decoding/decoding_attempt.py +4 -3
- yaralyzer/encoding_detection/character_encodings.py +38 -39
- yaralyzer/encoding_detection/encoding_assessment.py +2 -2
- yaralyzer/encoding_detection/encoding_detector.py +3 -4
- yaralyzer/helpers/bytes_helper.py +4 -4
- yaralyzer/helpers/dict_helper.py +0 -1
- yaralyzer/helpers/list_helper.py +1 -0
- yaralyzer/helpers/rich_text_helper.py +7 -7
- yaralyzer/output/file_export.py +1 -1
- yaralyzer/output/file_hashes_table.py +4 -4
- yaralyzer/output/rich_console.py +1 -1
- yaralyzer/util/argument_parser.py +10 -10
- yaralyzer/util/logging.py +1 -1
- yaralyzer/yara/yara_match.py +1 -1
- yaralyzer/yara/yara_rule_builder.py +16 -17
- yaralyzer/yaralyzer.py +27 -28
- yaralyzer-1.0.7.dist-info/LICENSE +674 -0
- {yaralyzer-1.0.5.dist-info → yaralyzer-1.0.7.dist-info}/METADATA +7 -2
- yaralyzer-1.0.7.dist-info/RECORD +32 -0
- yaralyzer-1.0.5.dist-info/RECORD +0 -31
- /yaralyzer-1.0.5.dist-info/LICENSE → /LICENSE +0 -0
- {yaralyzer-1.0.5.dist-info → yaralyzer-1.0.7.dist-info}/WHEEL +0 -0
- {yaralyzer-1.0.5.dist-info → yaralyzer-1.0.7.dist-info}/entry_points.txt +0 -0
@@ -4,12 +4,11 @@ Builds bare bones YARA rules to match strings and regex patterns. Example rule s
|
|
|
4
4
|
rule Just_A_Piano_Man {
|
|
5
5
|
meta:
|
|
6
6
|
author = "Tim"
|
|
7
|
-
|
|
8
|
-
|
|
9
|
-
|
|
10
|
-
|
|
7
|
+
strings:
|
|
8
|
+
$hilton_producer = /Scott.*Storch/
|
|
9
|
+
condition:
|
|
10
|
+
$hilton_producer
|
|
11
11
|
}
|
|
12
|
-
|
|
13
12
|
"""
|
|
14
13
|
import re
|
|
15
14
|
from typing import Optional
|
|
@@ -60,12 +59,12 @@ rule {rule_name} {{
|
|
|
60
59
|
|
|
61
60
|
|
|
62
61
|
def yara_rule_string(
|
|
63
|
-
|
|
64
|
-
|
|
65
|
-
|
|
66
|
-
|
|
67
|
-
|
|
68
|
-
|
|
62
|
+
pattern: str,
|
|
63
|
+
pattern_type: str = REGEX,
|
|
64
|
+
rule_name: str = YARALYZE,
|
|
65
|
+
pattern_label: Optional[str] = PATTERN,
|
|
66
|
+
modifier: Optional[str] = None
|
|
67
|
+
) -> str:
|
|
69
68
|
"""Build a YARA rule string for a given pattern"""
|
|
70
69
|
if not (modifier is None or modifier in YARA_REGEX_MODIFIERS):
|
|
71
70
|
raise TypeError(f"Modifier '{modifier}' is not one of {YARA_REGEX_MODIFIERS}")
|
|
@@ -89,12 +88,12 @@ def yara_rule_string(
|
|
|
89
88
|
|
|
90
89
|
|
|
91
90
|
def build_yara_rule(
|
|
92
|
-
|
|
93
|
-
|
|
94
|
-
|
|
95
|
-
|
|
96
|
-
|
|
97
|
-
|
|
91
|
+
pattern: str,
|
|
92
|
+
pattern_type: str = REGEX,
|
|
93
|
+
rule_name: str = YARALYZE,
|
|
94
|
+
pattern_label: Optional[str] = PATTERN,
|
|
95
|
+
modifier: Optional[str] = None
|
|
96
|
+
) -> yara.Rule:
|
|
98
97
|
"""Build a compiled YARA rule"""
|
|
99
98
|
rule_string = yara_rule_string(pattern, pattern_type, rule_name, pattern_label, modifier)
|
|
100
99
|
return yara.compile(source=rule_string)
|
yaralyzer/yaralyzer.py
|
@@ -9,7 +9,6 @@ Alternate constructors are provided depending on whether:
|
|
|
9
9
|
The real action happens in the __rich__console__() dunder method.
|
|
10
10
|
"""
|
|
11
11
|
from os import path
|
|
12
|
-
from sys import exit
|
|
13
12
|
from typing import Iterator, List, Optional, Tuple, Union
|
|
14
13
|
|
|
15
14
|
import yara
|
|
@@ -36,13 +35,13 @@ YARA_FILE_DOES_NOT_EXIST_ERROR_MSG = "is not a valid yara rules file (it doesn't
|
|
|
36
35
|
# TODO: might be worth introducing a Scannable namedtuple or similar
|
|
37
36
|
class Yaralyzer:
|
|
38
37
|
def __init__(
|
|
39
|
-
|
|
40
|
-
|
|
41
|
-
|
|
42
|
-
|
|
43
|
-
|
|
44
|
-
|
|
45
|
-
|
|
38
|
+
self,
|
|
39
|
+
rules: Union[str, yara.Rules],
|
|
40
|
+
rules_label: str,
|
|
41
|
+
scannable: Union[bytes, str],
|
|
42
|
+
scannable_label: Optional[str] = None,
|
|
43
|
+
highlight_style: str = YaralyzerConfig.HIGHLIGHT_STYLE
|
|
44
|
+
) -> None:
|
|
46
45
|
"""
|
|
47
46
|
If rules is a string it will be compiled by yara
|
|
48
47
|
If scannable is bytes then scannable_label must be provided.
|
|
@@ -83,11 +82,11 @@ class Yaralyzer:
|
|
|
83
82
|
|
|
84
83
|
@classmethod
|
|
85
84
|
def for_rules_files(
|
|
86
|
-
|
|
87
|
-
|
|
88
|
-
|
|
89
|
-
|
|
90
|
-
|
|
85
|
+
cls,
|
|
86
|
+
yara_rules_files: List[str],
|
|
87
|
+
scannable: Union[bytes, str],
|
|
88
|
+
scannable_label: Optional[str] = None
|
|
89
|
+
) -> 'Yaralyzer':
|
|
91
90
|
"""Alternate constructor loads yara rules from files, labels rules w/filenames"""
|
|
92
91
|
if not isinstance(yara_rules_files, list):
|
|
93
92
|
raise TypeError(f"{yara_rules_files} is not a list")
|
|
@@ -108,11 +107,11 @@ class Yaralyzer:
|
|
|
108
107
|
|
|
109
108
|
@classmethod
|
|
110
109
|
def for_rules_dirs(
|
|
111
|
-
|
|
112
|
-
|
|
113
|
-
|
|
114
|
-
|
|
115
|
-
|
|
110
|
+
cls,
|
|
111
|
+
dirs: List[str],
|
|
112
|
+
scannable: Union[bytes, str],
|
|
113
|
+
scannable_label: Optional[str] = None
|
|
114
|
+
) -> 'Yaralyzer':
|
|
116
115
|
"""Alternate constructor that will load all .yara files in yara_rules_dir"""
|
|
117
116
|
if not (isinstance(dirs, list) and all(path.isdir(dir) for dir in dirs)):
|
|
118
117
|
raise TypeError(f"'{dirs}' is not a list of valid directories")
|
|
@@ -122,15 +121,15 @@ class Yaralyzer:
|
|
|
122
121
|
|
|
123
122
|
@classmethod
|
|
124
123
|
def for_patterns(
|
|
125
|
-
|
|
126
|
-
|
|
127
|
-
|
|
128
|
-
|
|
129
|
-
|
|
130
|
-
|
|
131
|
-
|
|
132
|
-
|
|
133
|
-
|
|
124
|
+
cls,
|
|
125
|
+
patterns: List[str],
|
|
126
|
+
patterns_type: str,
|
|
127
|
+
scannable: Union[bytes, str],
|
|
128
|
+
scannable_label: Optional[str] = None,
|
|
129
|
+
rules_label: Optional[str] = None,
|
|
130
|
+
pattern_label: Optional[str] = None,
|
|
131
|
+
regex_modifier: Optional[str] = None,
|
|
132
|
+
) -> 'Yaralyzer':
|
|
134
133
|
"""Constructor taking regex pattern strings. Rules label defaults to patterns joined by comma"""
|
|
135
134
|
rule_strings = []
|
|
136
135
|
|
|
@@ -186,7 +185,7 @@ class Yaralyzer:
|
|
|
186
185
|
# Only show the non matches if there were valid ones, otherwise just show the number
|
|
187
186
|
if len(self.matches) == 0:
|
|
188
187
|
non_match_desc = f" did not match any of the {len(self.non_matches)} yara rules"
|
|
189
|
-
console.print(dim_if(self.__text__()
|
|
188
|
+
console.print(dim_if(self.__text__() + Text(non_match_desc, style='grey'), True))
|
|
190
189
|
return
|
|
191
190
|
|
|
192
191
|
non_match_desc = f" did not match the other {len(self.non_matches)} yara rules"
|
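Review bot: Dropping `from sys import exit` at old line 12 of the first hunk leaves any `exit(...)` call that may remain elsewhere in this module (none is visible in this chunk) resolving to the `site`-injected builtin, which is not available under `python -S`, in embedded interpreters or in some frozen builds; if such a call remains, replace the removed import with `import sys` and call `sys.exit(...)`, or raise `SystemExit` directly. The reflowed signatures are also inconsistent about trailing commas: `for_patterns` ends its parameter list with `regex_modifier: Optional[str] = None,` while `__init__`, `for_rules_files` and `for_rules_dirs` omit the comma after their last parameter (`highlight_style: str = YaralyzerConfig.HIGHLIGHT_STYLE`, `scannable_label: Optional[str] = None`), so future parameter additions will produce noisier diffs in those three; pick one convention, and a trailing comma on every multi-line signature is the one `black`/`ruff format` emit. The `__init__` docstring states that `scannable_label` is required when `scannable` is bytes, but the new signature types it as `Optional[str] = None`; whether a check enforces that precondition is outside the hunk, so a `:raises TypeError: if scannable is bytes and scannable_label is None` line (or a note that no check exists) would make the contract explicit at the signature.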