matonis / yara_tools Goto Github PK

test

Unsurprisingly this routine is unnecessarily complicated. Code is hard to understand, needs better abstraction.

Users might find value in inline comments for conditions.

Hi, wondered if functionality to edit an existing rule (from str) was on the roadmap?

I'd like to be able to add meta fields to my existing rules programmatically

Cheers

Is there a workaround at the moment for adding a string of bytes to a rule in Yara's format?
Looked around in documentation/examples and I haven't found anything.

• Eg:

  my_string = " 80 42 00 8b 4d 08 ba 01 00 00 00 ff d0 81 c4 00 01 00 00 5"

  Then programmatically build the rule such that I end up with:

  `$a = {80 42 00 8b 4d 08 ba 01 00 00 00 ff d0 81 c4 00 01 00 00 5}`
  

Thank you for help!

The current design for condition groups might create some problems. Conditions might get complex enough to warrant its own object. This would enable unique processing of complex conditions without bogging down the code.

Is it possible to use variables when crafting condition statements.
Eg rule.add_condition(condition="pe.imphash() == "+ str(myvar))

Currently this fails when attempting to compile with Yara-python

I want to pip install yara_tools.

rule.add_strings(strings="HelloWorld",condition="$IDENTIFIER at 0")

This possibly relates to enhancing condition functionality, but the template for conditions has no idea to map integers assigned to unitialized string variables. Meaning, the template cannot identifiy which incremental integer is represented in the rule.

This bug might be the start of an entire rewrite of relating strings & conditions in an entirely separate object. Not entirely sure yet if this is a bug based on how many might be actually using YARA.