VirusTotal / yara-x

A rewrite of YARA in Rust.
https://virustotal.github.io/yara-x/
BSD 3-Clause "New" or "Revised" License
565 stars 46 forks

Unable to access some proto generated code #107

Closed russellbanks closed 1 month ago

russellbanks commented 1 month ago

For example:

pe.resources.iter().find(|resource| {
    resource.type_() == yara_x::modules::protos::pe::ResourceType::RESOURCE_TYPE_MANIFEST
});

I can get the ResourceType from resource.type_() but I can't check which type it is because yara_x::modules is private.

russellbanks commented 1 month ago

I'm also confused because the code in lib/src/modules/pe is very different to what's accessible from the library on crates.io. I've only been able to parse a PE file by doing yara_x::mods::invoke_mod::<yara_x::mods::PE>(data), but pe/mod.rs#L33 shows it as being just PE::parse. They also return different structs.

plusvic commented 1 month ago

I've exposed all data structures and enums defined by modules in https://github.com/VirusTotal/yara-x/commit/91795a50cf58a6b0439f290f2aac3c7972cb5803. They are now accessible from outside this crate.

Let me clarify your question about the code being exposed. The intention with the yara_x::mods::invoke_mod function is to allow any user to obtain the same data structure that a YARA module produces and exposes to YARA rules. The intention is not to export the internal code that parses the file and populates such structures.

The confusion may arise because of the use of the word "module" in both the Rust and YARA worlds. But we are talking about different things when we talk about the YARA pe module and the Rust pe module in lib/src/modules/pe. The Rust pe module is not part of the public API; it contains the code for parsing a PE file and producing the protobuf structure that you can obtain via yara_x::mods::invoke_mod, but this Rust module is private.

The code in lib/src/modules/pe is modular enough, and it could be moved to a separate crate that could be used outside of YARA-X for parsing PE files, but that's not the intention yet. I can consider publishing it as a standalone crate in the future, if enough people find it useful.

russellbanks commented 1 month ago

Thank you for clarifying @plusvic! I personally am considering using this for parsing and analysing PE files, and perhaps extending that to other files if I lean more into Yara rules. Even in its current state, the module for parsing PE files feels very powerful compared to other libraries I've used (and more resilient to slightly incorrect files), or at least requires much less boilerplate.