yara-python installation fatal error

[hexrom]

Tried to install yara-python through both options, pip install yara-python and build but still getting this error when trying to run the mac setup script.

fatal: destination path 'yara-python' already exists and is not an empty directory. python: can't open file 'setup.py': [Errno 2] No such file or directory Collecting apkid Using cached apkid-1.0.0-py2.py3-none-any.whl Collecting yara-python==3.5.0.999 (from apkid) Could not find a version that satisfies the requirement yara-python==3.5.0.999 (from apkid) (from versions: 3.4.0.0, 3.5.0, 3.6.0, 3.6.1, 3.6.2, 3.6.3) No matching distribution found for yara-python==3.5.0.999 (from aphid)

Any work around for this issue?

[xtiankisutsa]

Do not install yara-python via pip, you need to use the version of yara on the rednaga repo. Inside the MARA_Framework folder, try and delete the yara-python folder, located inside the tools folder. Then run these commands inside the tools folder:

• git clone https://github.com/rednaga/yara-python
• cd yara-python/
• sudo -H python setup.py install
• sudo -H pip install apkid

[hexrom]

@xtiankisutsa Thanks for the quick response. When running the "sudo -H python setup.py install" command it exits with the following error:

yara/libyara/modules/hash.c:30:10: fatal error: 'openssl/md5.h' file not found

include <openssl/md5.h>

     ^

1 error generated. error: command 'cc' failed with exit status 1

Here's my output from openssl:

MacBook-Pro:~ roman$ brew install openssl Updating Homebrew... Warning: openssl 1.0.2l is already installed MacBook-Pro:~ roman$ brew unlink openssl && brew link openssl --force Unlinking /usr/local/Cellar/openssl/1.0.2l... 0 symlinks removed Warning: Refusing to link: openssl Linking keg-only openssl means you may end up linking against the insecure, deprecated system OpenSSL while using the headers from Homebrew's openssl. Instead, pass the full include/library paths to your compiler e.g.: -I/usr/local/opt/openssl/include -L/usr/local/opt/openssl/lib

[xtiankisutsa]

This seems like an issue with openssl, please try running

• brew install openssl or
• brew install openssl --upgrade

[hexrom]

@xtiankisutsa openssl is already installed and latest version. I think it's an issue with it refusing to link ? (refer to snippet from above)

MacBook-Pro:~ roman$ brew install openssl --upgrade Updating Homebrew... Warning: openssl 1.0.2l is already installed

"Warning: Refusing to link: openssl Linking keg-only openssl means you may end up linking against the insecure, deprecated system OpenSSL while using the headers from Homebrew's openssl. Instead, pass the full include/library paths to your compiler e.g.: -I/usr/local/opt/openssl/include -L/usr/local/opt/openssl/lib"

[xtiankisutsa]

I recommend opening an issue on the APKiD repo here. They are definitely in a much better position to assist.

[hexrom]

The only viable solution for this I've been able to find is you could disable the module which requires crypto. I believe it is the hash module. So skimming the setup.py you likely could change:

  if building_for_windows:
    module.define_macros.append(('HASH_MODULE', '1'))
    module.libraries.append('libeay%s' % bits)
  elif (has_function('MD5_Init', libraries=['crypto']) and
      has_function('SHA256_Init', libraries=['crypto'])):
    module.define_macros.append(('HASH_MODULE', '1'))
    module.libraries.append('crypto')
  else:
    exclusions.append('yara/libyara/modules/hash.c')

to

  exclusions.append('yara/libyara/modules/hash.c')

[xtiankisutsa]

This issue is not present on the APKiD v1.2.1 which is the latest version at this point in time.