yarabuilder¶
Python module to create Yara rules.
Usage¶
Creating and printing a rule¶
>>> import yarabuilder
>>> import pprint
>>>
>>> yara_builder = yarabuilder.YaraBuilder()
>>>
>>> yara_builder.create_rule("my_rule")
>>> yara_builder.add_meta("my_rule", "description", "Generated by yarabuilder")
>>> yara_builder.add_import("my_rule", "pe")
>>> yara_builder.add_tag("my_rule", "yarabuilder")
>>> yara_builder.add_text_string("my_rule", "Anonymous string")
>>> yara_builder.add_text_string("my_rule", "Named string", name="str", modifiers=["ascii", "wide"])
>>> yara_builder.add_string_comment("my_rule", "str", "example comment")
>>> yara_builder.add_hex_string("my_rule", "DE AD BE EF")
>>> yara_builder.add_regex_string("my_rule", "regex[0-9]{2}")
>>> yara_builder.add_regex_string("my_rule", "/regex_with_flags/i")
>>> yara_builder.add_condition("my_rule", "any of them")
>>>
>>> rule = yara_builder.build_rules()
>>> print(rule)
import "pe"
rule my_rule : yarabuilder {
meta:
description = "Generated by yarabuilder"
strings:
$ = "Anonymous string"
$str = "Named string" ascii wide // example comment
$ = {DE AD BE EF}
$ = /regex[0-9]{2}/
$ = /regex_with_flags/i
condition:
any of them
}
>>>
Converting a YaraBuilder object to lists and dictionaries (and back again)¶
>>> dict_yara_rules = yara_builder.get_yara_rules()
>>> pprint.pprint(dict_yara_rules)
[{'condition': 'any of them',
'imports': ['pe'],
'meta': OrderedDict([('description',
[{'meta_type': 'text',
'name': 'description',
'position': 0,
'value': 'Generated by yarabuilder'}])]),
'rule_name': 'my_rule',
'strings': OrderedDict([('@anon0',
{'is_anonymous': True,
'name': '@anon0',
'str_type': 'text',
'value': 'Anonymous string'}),
('str',
{'comment': {'inline': 'example comment'},
'is_anonymous': False,
'modifiers': ['ascii', 'wide'],
'name': 'str',
'str_type': 'text',
'value': 'Named string'}),
('@anon1',
{'is_anonymous': True,
'name': '@anon1',
'str_type': 'hex',
'value': 'DE AD BE EF'}),
('@anon2',
{'is_anonymous': True,
'name': '@anon2',
'str_type': 'regex',
'value': 'regex[0-9]{2}'}),
('@anon3',
{'is_anonymous': True,
'name': '@anon3',
'regex_flags': 'i',
'str_type': 'regex',
'value': 'regex_with_flags'})]),
'tags': ['yarabuilder']}]
>>>
>>> new_builder = yarabuilder.YaraBuilder()
>>> new_builder.set_yara_rules(dict_yara_rules)
>>>
TODO¶
- More logging in the classes
- Add optional validation for building YARA rules (e.g. checking imports are valid, and more longer term check the condition is valid)
Module Documentation¶
The main interface to work with YaraRule objects
-
class
yarabuilder.yarabuilder.YaraBuilder(whitespace=' ', logger=None)¶ Main class to interface with the YaraRule object
-
yara_rules¶ collection of YaraRule objects being built
Type: OrderedDict()
-
logger¶ the logger for this class
-
add_condition(rule_name, condition)¶ Add a raw condition to the specified rule_name
Parameters: - rule_name (str) – the rule_name to add the condition to
- condition (str) – the condition as a string
-
add_hex_string(rule_name, value, name=None, modifiers=None, newline_after=False)¶ Wrapper method to add a hex string (e.g. $ = {DE AD BE EF}) to the specified rule_name
Parameters: - rule_name (str) – the rule_name to add the string to
- value (str) – the hex string
- name (str, optional) – the name of the string (if not provided will add as anonymous string)
- modifiers (
listofstr, optional) – any modifiers to add to the string - newline_after (bool, optional) – bool to determine if there should be an extra newline after the string
-
add_import(rule_name, import_str)¶ Add an import to a specified rule (i.e. appears before the rule_name when built)
Parameters: - rule_name (str) – the rule_name to add the import to
- import_str (str) – the import to be added
-
add_meta(rule_name, name, value, meta_type=None)¶ Add a meta key/value pair to the specified rule_name
Parameters: - rule_name (str) – the rule_name to add the meta to
- name (str) – the name of the meta key
- value (str/int/bool) – the value to go in the metadata
- meta_type (str, optional) – the type of the meta data, which will be determined by the function if nothing supplied
-
add_meta_comment(rule_name, meta_name, comment, position='inline', meta_entry=0)¶ Add a comment to a meta entry
Parameters: - rule_name (str) – the name of the rule to add the comment to
- meta_name (str) – the name of the meta entry to add the comment to
- comment (str) – the comment
- position (str) – the position of the comment (above, inline, below)
- meta_entry (int) – the meta entry, given there could be multiple meta fields (defaults to the first entry)
-
add_regex_string(rule_name, value, name=None, modifiers=None, newline_after=False)¶ Wrapper method to add a regex string (e.g. $ = /test[0-9]{2}/) to the specified rule_name
Parameters: - rule_name (str) – the rule_name to add the string to
- value (str) – the regex string
- name (str, optional) – the name of the string (if not provided will add as anonymous string)
- modifiers (
listofstr, optional) – any modifiers to add to the string - newline_after (bool, optional) – bool to determine if there should be an extra newline after the string
-
add_string_comment(rule_name, str_name, comment, position='inline')¶ Add a comment to a string
Parameters: - rule_name (str) – the name of the rule to add the comment to
- str_name (str) – the name of the string to add the comment to
- comment (str) – the comment
- position (str) – the position of the comment (above, inline, below)
-
add_tag(rule_name, tag)¶ Add a tag to a specified rule (i.e. appears after the rule_name when built)
Parameters: - rule_name (str) – the rule_name to add the tag to
- tag (str) – the tag to be added
-
add_text_string(rule_name, value, name=None, modifiers=None, newline_after=False)¶ Wrapper method to add a text string (e.g. $ = “test”) to the specified rule_name
Parameters: - rule_name (str) – the rule_name to add the string to
- value (str) – the text string
- name (str, optional) – the optional name of the string (if not provided will add as anonymous string)
- modifiers (
listofstr, optional) – any modifiers to add to the string - newline_after (bool, optional) – bool to determine if there should be an extra newline after the string
-
build_rule(rule_name)¶ Build an individual rule in the YaraBuilder object
Parameters: rule_name (str) – the rule_name to build Returns: a text string of the built rule Return type: str
-
build_rules(imports_at_top=True)¶ Build all rules in the YaraBuilder object
Parameters: imports_at_top (bool) – whether to collect all imports at the top of the rule, or to have them with each individual rule Returns: a text string of all built rules Return type: str
-
create_rule(rule_name)¶ Create a new YaraRule object in the YaraBuilder
Parameters: rule_name (str) – the name of the rule to create
-
get_yara_rule_names()¶ Method to return all Yara rule names in a YaraBuilder object
Returns: list of strings of the Yara rule names Return type: list
-
get_yara_rules()¶ Get POD versions of all YaraRules
Returns: the constructed YaraRules Return type: list
-
set_yara_rules(yara_rules)¶ Set up a YaraBuilder object from a list of YaraRules
Parameters: yara_rules (list) – a list of the YaraRules
-
-
yarabuilder.yarabuilder.main()¶ Method to test if running the module from the command line