VirusTotal / yara-python

The Python interface for YARA
http://virustotal.github.io/yara/
Apache License 2.0

dotnet module not accessible from yara-python #211

Closed arenicola closed 2 years ago

arenicola commented 2 years ago

Hi, I can't get a rule using the dotnet module to compile with yara-python. It feels like the dotnet module isn't being loaded when using yara-python.

I'm a YARA noob, so I might be missing something obvious.

In an Ubuntu 22.04 Docker container:

Python 3.8.10 (default, Jun 22 2022, 20:18:18)
[GCC 9.4.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import yara
>>> yara.compile(source="""
... import "dotnet"
... rule not_exactly_five_streams
... {
... condition:
...     dotnet.number_of_streams != 5
... }""")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
yara.SyntaxError: line 6: invalid field name "number_of_streams"

YARA is compiled in the container; the dotnet module seems to be included by default now.

root@f1fa8d24cc31:~# yara -v
4.2.1

yarac compiles the rule fine.

root@f1fa8d24cc31:~# yarac test.yara test-out.yac
root@f1fa8d24cc31:~#

The error occurs when yara-python is built with or without --dynamic-linking.

Any idea what I'm missing?

arenicola commented 2 years ago

OK, so you need to include --enable-dotnet when building yara-python.
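
Added example, not part of the thread or of the yara-python project: a preflight check that compiles one small rule per module and reports which module fields the installed yara-python build rejects, using the dotnet.number_of_streams condition from the report above. The pe probe, the helper names and the injected compile_fn parameter are assumptions made for this example.

```python
"""Preflight: can this yara-python build compile rules that use given module fields?"""

# Constructed probes: module name -> one condition the rule set depends on.
# The dotnet condition is the one from the report; the pe one is an assumption.
PROBES = {
    "dotnet": "dotnet.number_of_streams != 5",
    "pe": "pe.number_of_sections > 0",
}


def probe_rule(module, condition):
    """Build a minimal rule that imports `module` and evaluates `condition`."""
    return 'import "%s"\nrule probe_%s\n{\n  condition:\n    %s\n}\n' % (
        module, module, condition)


def check_modules(compile_fn, probes=PROBES):
    """Return {module: None or error text}, compiling one probe rule per module.

    compile_fn is called as compile_fn(source=...), the same way
    yara.compile is called in the report.
    """
    results = {}
    for module, condition in probes.items():
        try:
            compile_fn(source=probe_rule(module, condition))
            results[module] = None
        except Exception as exc:  # yara.SyntaxError when yara-python compiles
            results[module] = str(exc)
    return results


def main():
    # Imported here so the helpers above can be exercised without yara-python.
    import yara
    failed = {m: e for m, e in check_modules(yara.compile).items() if e}
    for module, error in failed.items():
        print("module %r unusable in this yara-python build: %s" % (module, error))
    return 1 if failed else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Run it in the same container and interpreter that will load the rules; a non-zero exit means at least one probe failed to compile there.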