Traceback (most recent call last):
File "yara-memoryview.py", line 12, in <module>
rules.match(data=data)
TypeError: argument 3 must be read-only bytes-like object, not memoryview
In this case, we have a memoryview of a bytes object, so it is actually both read-only and bytes-like, which makes the error message very confusing.
Some formats require a read-only bytes-like object, and set a pointer instead of a buffer structure. They work by checking that the object’s PyBufferProcs.bf_releasebuffer field is NULL, which disallows mutable objects such as bytearray.
memoryview does define a releasebuffer callback (regardless of mutability), which is why according to the above PyArg_ParseTuple heuristic it is not considered read-only. This is a known issue.
Short of fixing PyArg_ParseTuple's heuristic somehow, the only solution I can see is dropping the read-only requirement for the data buffer. I.e., replace the s# formatter with s*.
It is currently not possible to pass a memoryview to yara-python for matching rules. Consider this minimal example:
This fails:
In this case, we have a
memoryview
of abytes
object, so it is actually both read-only and bytes-like, which makes the error message very confusing.The root of the issue seems to be that yara-python uses the
s#
formatter for parsing thedata
argument. According to the documentation:memoryview
does define a releasebuffer callback (regardless of mutability), which is why according to the abovePyArg_ParseTuple
heuristic it is not considered read-only. This is a known issue.Short of fixing
PyArg_ParseTuple
's heuristic somehow, the only solution I can see is dropping the read-only requirement for thedata
buffer. I.e., replace thes#
formatter withs*
.