VirusTotal / yara-python

The Python interface for YARA
http://virustotal.github.io/yara/
Apache License 2.0

Add missing openssl include path. #46

Closed wxsBSD closed 7 years ago

wxsBSD commented 7 years ago

On my system openssl (via brew) is installed in /usr/local/opt/openssl/include, which was causing the build to fail. I'm not sure if my system is just in a screwed up state or if this is causing pain for others.

wxsBSD commented 7 years ago

I updated this PR to also define HAVE_LIBCRYPTO when libcrypto exists, so that pe.imphash() and other things actually work.

tlansec commented 7 years ago

Hey,

I installed YARA 3.6.1 and have encountered a similar issue with pe.imphash().

Here are the steps to reproduce:

1) Install yara-python 3.6.1 (python 2.7) using the binary & setup yara 3.6.1 with the official binary.
2) Testing the imphash() function against my local copy of PuTTy does not yield a hit.

File used to test:

9f9e74241d59eccfe7040bfdcbbceacb374eda397cc53a4197b59e4f6f380a91

Imphash should be:

295ab1f69e6bf3827f008b4baeb119de

Using the rule:

import "pe"

rule test_imp { condition: pe.imphash() == "295ab1f69e6bf3827f008b4baeb119de" }

Does not yield a hit using yara-python. Using the official python binary there is a hit.

Thanks, Tom

wxsBSD commented 7 years ago

As discussed with @tlansec offline, applying this PR will fix it. He's running into the issue where the bits that require HAVE_LIBCRYPTO are not working (namely the hash module and pe.imphash() pieces are what he's run into).

I don't really know how the Windows build works but it's apparently broken for those too, according to Tom. I don't have a Windows environment handy to test the build on though.

tlansec commented 7 years ago

Hey,

Following the merge above, some of the issue has been fixed. For example, the pe.imphash() function is working perfectly in both yara-python and the compiled binary in 3.6.2. The compiled binary also correctly functions with rules using the "hash" module.

However, when it comes to using the "hash" module with yara-python, there are still issues.

If you install yara-python on a Windows machine either using the .whl or the binary on dropbox, it installs without error. However, when you try to compile a rule which uses the hash module, it fails to recognise the variable names, throwing errors such as:

rule.yar(26): invalid field name "sha256"

Is it intended that the hash module should not function via yara-python?

Please let me know if there are any steps I can take to help troubleshoot.

Cheers, Tom
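Both symptoms in this thread (tlansec's pe.imphash() rule not matching, and later the "hash" module failing to compile) come from a yara-python build without the libcrypto-backed features. The example below is added here and is not code from the yara-python project or from anyone in the thread. It does two things a practitioner troubleshooting this would want: it recomputes the imphash convention that pe.imphash() reports, so a value like the one quoted above can be cross-checked against a PE's import table, and it probes an installed yara-python build by compiling the two kinds of rules that need libcrypto. The import table, the rule names and the `compile_source` callable are constructed for the example; the hashing uses named imports only (ordinal-only imports, which real imphash implementations map through known-ordinal tables, are left out).

```python
"""Added example (not part of the yara-python PR): recompute the imphash that
pe.imphash() reports, and probe a yara-python build for the libcrypto-backed
features (pe.imphash(), the "hash" module) that the thread found missing.
"""
import hashlib

# DLL extensions that the imphash convention strips before lowercasing.
_STRIPPED_EXTENSIONS = (".dll", ".ocx", ".sys")


def imphash_string(imports):
    """Build the comma-separated "dll.function" list that gets hashed.

    `imports` is an ordered list of (dll_name, function_name) pairs, in
    import-table order. Ordinal-only imports (no name) are out of scope here;
    real implementations map well-known ordinals to names first.
    """
    parts = []
    for dll, func in imports:
        dll = dll.lower()
        for ext in _STRIPPED_EXTENSIONS:
            if dll.endswith(ext):
                dll = dll[: -len(ext)]
                break
        parts.append(f"{dll}.{func.lower()}")
    return ",".join(parts)


def imphash(imports):
    """MD5 of the normalized import string, as a lowercase hex digest.

    This is the MD5 dependency that makes pe.imphash() need libcrypto.
    """
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


# Constructed sample import table (not the PuTTY binary from the thread).
SAMPLE_IMPORTS = [
    ("KERNEL32.DLL", "GetProcAddress"),
    ("KERNEL32.DLL", "LoadLibraryA"),
    ("USER32.dll", "MessageBoxA"),
]

# Probe rules: each needs a libcrypto-enabled build to compile and evaluate.
PROBE_RULES = {
    "pe.imphash": 'import "pe"\nrule probe { condition: pe.imphash() == "" }',
    "hash.sha256": 'import "hash"\nrule probe { condition: hash.sha256(0, filesize) == "" }',
}


def probe_libcrypto_features(compile_source):
    """Return {feature: True/False} by trying to compile each probe rule.

    `compile_source(source)` is a hypothetical callable expected to behave like
    `lambda src: yara.compile(source=src)` and raise on failure; injecting it
    keeps this runnable (and testable) without yara-python installed.
    """
    results = {}
    for name, source in PROBE_RULES.items():
        try:
            compile_source(source)
            results[name] = True
        except Exception:  # yara raises yara.SyntaxError for unknown fields
            results[name] = False
    return results


if __name__ == "__main__":
    print(imphash_string(SAMPLE_IMPORTS))
    print(imphash(SAMPLE_IMPORTS))
    try:
        import yara  # real probe against the installed yara-python build

        print(probe_libcrypto_features(lambda src: yara.compile(source=src)))
    except ImportError:
        print("yara-python not installed; skipping build probe")
```

Run against a real install, a result of `{'pe.imphash': True, 'hash.sha256': False}` is exactly the state tlansec describes for the Windows build: the pe module compiles but every `hash.*` field is rejected with "invalid field name".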