hyuunnn / hyara Goto Github PK

Both comment and wildcard option are checked but the wildcard option is not working with the new version of Hyara.

Radare2 is a highly-portable crossplatform reverse engineering framework and a toolkit without dependencies. It has support for analyzing binaries, disassembling code, debugging programs, attaching to remote GDB/LLDB, WinDbg servers, rich plugin system (see r2pm), and integration with various decompilers. It is actively developed and can be easily integrated in various open source and commercial products. I believe, it will be highly beneficial to support these and provide a package for install from r2pm, see the package repository here: https://github.com/radareorg/radare2-pm

For documentation on writing plugins for radare2 see Scripting and Plugins Radare2 Book chapters. Radare2 already has a Yara plugins:

• r2pm install r2yara for installing Yara with r2 plugin inside
• r2pm install yara-r2 for installing Yara plugin for radare2 itself.
• pcy command of radare2 to print the data in the Yara format.

Cutter is a crossplatform Qt/C++ GUI frontend to radare2:

For documentation on writing plugins for Cutter see the official tutorial and the curated list of various popular plugins.

It will be developed in Java. (using Swing)

Can you split out the Binary Ninja plugin as a sub module so that it can be directly added to the plugin manager?

See: https://binary.ninja/2019/07/04/plugin-manager-2.0.html for more information.

if you keep updating your old release but keeping the version number the same Binary Ninja users who use the plugin manager won't get any updates they need to update their plugin. You need to actually increment the plugin version number so that the plugin manager knows to update.

You might find this tool helpful for automating that:

https://github.com/vector35/release_helper

Just realized that this is my own theme question.

First: thank you for writing Hyara, it's a pretty useful tool.

Maybe I did something wrong, but the plugin didn't run after cloning from master, because of missing imports.
After looking into the source, I noticed that the imports of IDA functionality was mixed wildcard imports and pure module imports, which results in inconsistent code. I think it's probably a good idea to import module-wise and call it explicitly as a module function. In my opinion, the code becomes more readable and maintainable this way.

I started to convert it, fixed the missing imports and will open a pull request.

It works fine.

Bug

Hyara fails to work with IDA pro 7.5 and python3. As Python 2 is no longer supported, it would be worth a update to Hyara.

Be aware that for now yara-python can't automatically install from PIP on macos in some configurations (likely homebrew related) until a new release is triggered:

VirusTotal/yara-python#239

The work-around described at the end of the issue works for me. To adapt to the runtime environment of BN, copy/paste the log and add the appropriate environment variabels (assuming a homebrew python). Something like:

CFLAGS="-I/opt/homebrew/opt/openssl/include" LDFLAGS="-L/opt/homebrew/opt/openssl/lib" pip install \\
yara-python /opt/homebrew/Cellar/[email protected]/3.11.6/Frameworks/Python.framework/Versions/3.11/bin/python3.11 \\
-m pip --isolated --disable-pip-version-check install --upgrade --upgrade-strategy only-if-needed --target \\
/Users/jwiens/Library/Application Support/Binary Ninja/python311/site-packages yara-python>=4.3.0

Because when this window is present, I cannot operate my original IDA window, it will have focus on the detector window.

https://github.com/jlu5/icoextract/
https://www.angusj.com/resourcehacker/

https://github.com/hyuunnn/Hyara/blob/master/hyara_lib/ui/settings.py#L200
https://github.com/hyuunnn/Hyara/blob/master/hyara_lib/ui/settings.py#L267
https://github.com/hyuunnn/Hyara/blob/master/hyara_lib/ui/settings.py#L273
https://github.com/hyuunnn/Hyara/blob/master/hyara_lib/ui/settings.py#L276

Using yara-python-4.3.1 on IDA 8.3
Yara Checker raise 'yara.StringMatch' object is not subscriptable error.
This is probably because yara-python reports matches has changed between versions 4.2.3 and version 4.3.0.
In version 4.2.3 matches the yara.Match object contained an attribute strings which was a list of Tuples. In version 4.3.0 (and presumably any future version) the match object contains an attribute strings which is a list of yara.StringMatchInstance values.

Similar issue: volatilityfoundation/volatility3#932