yarabuilder package

Submodules

yarabuilder.yararule module

Python representation of a YARA rule

class yarabuilder.yararule.YaraComment

Bases: object

Class to represent a comment (or multiple comments) in a YaraRule. Can be applied to YaraMetaEntry and YaraString.

above

comment(s) located a line above the entry

Type:list
inline

comment located on the same line after the entry

Type:str
below

comment(s) located a line below the entry

Type:list
get_yara_comment()

Method to return a structured POD version of YaraComment

Returns:the constructed YaraComment
Return type:OrderedDict
set_yara_comment(yara_comment)

Method to set the YaraComment from a dictionary

Parameters:yara_comment (dict) – the dictionary representing the comment
class yarabuilder.yararule.YaraCommentEnabledClass

Bases: object

Class to be inherited that contains comment utility functions

add_comment(comment, position='inline')

Add a comment entry (appends to above and below, replaces inline)

Parameters:
  • comment (str) – the comment
  • position (str) – the position of the comment relative to the entry
build_comments(raw, whitespace=' ')

Build the comments around the (already built) entry they are associated with

Parameters:
  • raw (str) – the raw entry that has already been built (e.g. raw_meta_entry)
  • whitespace (str) – whitespace to use when building the comment
Returns:the entry with comments built around it
Return type:str

class yarabuilder.yararule.YaraCondition

Bases: object

Class to represent the YARA condition section

raw_condition

string representing the built condition

Type:str
add_raw_condition(raw_condition)

Add a raw condition

Parameters:raw_condition (str) – the string representing the condition
get_yara_condition()

Method to return a structured POD version of YaraCondition

Returns:the constructed YaraCondition
Return type:str
set_yara_condition(yara_condition)

Method to set the YaraCondition from a string

Parameters:yara_condition (str) – the string representing the YaraCondition
class yarabuilder.yararule.YaraImports

Bases: object

Class to represent the YARA imports section

raw_imports

string to represent the built imports

Type:str
imports

list of the imports

Type:list of str
add_import(import_str)

Add an import to the YaraImports object

Parameters:import_str (str) – the import string to add
build_imports()

Build the imports section into one string

get_yara_imports()

Method to return a structured POD version of YaraImports

Returns:the constructed YaraImports
Return type:list
has_imports()

Utility method to determine if there are any imports

Returns:True if there are imports, False otherwise
Return type:bool
set_yara_imports(yara_imports)

Method to set the YaraImports from a list

Parameters:yara_imports (list) – the list representing the YaraImports
class yarabuilder.yararule.YaraMeta(logger=None)

Bases: object

Class to represent the YARA meta section

meta

dictionary of YaraMetaEntry objects

Type:OrderedDict
raw_meta

list of the built meta strings

Type:list of str
number_of_meta_entries

the number of meta values overall (not necessarily equal to the number of names in the OrderedDict)

Type:int
valid_meta_types

list of valid meta types

Type:list of str
logger

the logger for this class

Type:Logger
add_meta(name, value, meta_type='text')

Add a YaraMetaEntry to YaraMeta

Parameters:
  • name (str) – the name of the meta entry
  • value (str, int, bool) – the meta entry
  • meta_type (str, optional) – the type of the meta entry (defaults to “text”)
Returns:the index into the list that this YaraMetaEntry was added at
Return type:int

build_meta(whitespace=' ')

Build the meta section in the correct order

Parameters:whitespace (str) – whitespace to use when building the meta
get_yara_meta()

Method to return a structured POD version of YaraMeta

Returns:the constructed YaraMeta
Return type:OrderedDict
set_yara_meta(yara_meta)

Method to set the YaraMeta from a dictionary

Parameters:yara_meta (dict) – the dictionary representing the YaraMeta
class yarabuilder.yararule.YaraMetaEntry(name, value, position, meta_type='text')

Bases: yarabuilder.yararule.YaraCommentEnabledClass

Class to represent an entry in the meta section

yara_comment

the comment associated with this entry

Type:YaraComment
raw_meta_entry

variable to store the built meta_entry

Type:str
build_meta_entry(whitespace=' ')

Build a meta_entry into a string (stored in raw_meta_entry)

Parameters:whitespace (str) – whitespace to use when building the meta_entry
get_yara_meta_entry()

Method to return a structured POD version of YaraMetaEntry

Returns:the constructed YaraMetaEntry
Return type:dict
set_yara_meta_entry(yara_meta_entry)

Method to set the YaraMetaEntry from a dictionary

Parameters:yara_meta_entry (dict) – the dictionary representing the meta entry
class yarabuilder.yararule.YaraRule(rule_name, whitespace=' ', logger=None)

Bases: object

Class to represent a YARA rule

rule_name

the name of the rule

Type:str
logger

logger to use in the class

raw_rule

the “raw” built string representing the YaraRule

Type:str
strings

the strings for this YaraRule

Type:YaraStrings
condition

the condition for this YaraRule

Type:YaraCondition
imports

the imports for this YaraRule

Type:YaraImports
tags

the tags for this YaraRule

Type:YaraTags
build_rule()

Method to build the whole YARA rule

Returns:the string of the built rule
Return type:str
build_rule_condition_section(rule)

Method to build the rule condition section

Parameters:rule (str) – string of the rule built so far
Returns:string of the built rule with added rule condition
Return type:str
build_rule_header(rule)

Method to build the rule header, including the imports, tags and rule_name

Parameters:rule (str) – string of the rule built so far
Returns:string of the built rule with added rule header
Return type:str
build_rule_meta_section(rule)

Method to build the rule meta section

Parameters:rule (str) – string of the rule built so far
Returns:string of the built rule with added rule meta
Return type:str
build_rule_strings_section(rule)

Method to build the rule strings section

Parameters:rule (str) – string of the rule built so far
Returns:string of the built rule with added rule strings
Return type:str
get_yara_rule()

Method to return a structured POD version of YaraRule

Returns:the constructed YaraRule
Return type:dict
set_yara_rule(yara_rule)

Method to set the YaraRule from a dictionary

Parameters:yara_rule (dict) – the dictionary representing the YaraRule
class yarabuilder.yararule.YaraString(name, value, str_type='text', is_anonymous=False, regex_flags=None, newline_after=False)

Bases: yarabuilder.yararule.YaraCommentEnabledClass

Class to represent a string object

modifiers

the modifiers applied to the string

Type:list of str
is_anonymous

True if anonymous, False otherwise

Type:bool
raw_string

the built string

Type:str
yara_comment

the comment associated with this entry

Type:YaraComment
build_string(whitespace=' ')

Build the string (and store in raw_string)

Parameters:whitespace (str) – whitespace to use when building the string
get_yara_string()

Method to return a structured POD version of YaraString

Returns:the constructed YaraString
Return type:dict
set_yara_string(yara_string)

Method to set the YaraString from a dictionary

Parameters:yara_string (dict) – the dictionary representing the YaraString
class yarabuilder.yararule.YaraStrings

Bases: object

Class to represent the YARA strings section

raw_strings

list of the built strings

Type:list of str
strings

dictionary of the representations of the strings

Type:OrderedDict
number_of_strings

total number of strings in the class

Type:int
number_of_anonymous_strings

number of anonymous strings in the class

Type:int
valid_str_types

list of valid str types

Type:list of str
logger

logger for this class

Type:Logger
add_anonymous_string(value, str_type='text', regex_flags=None, newline_after=False)

Add an anonymous string to the YaraStrings object

Parameters:
  • value (str) – the string
  • str_type (str, optional) – the type of the string (“text”, “hex”, “regex”)
  • regex_flags (str, optional) – any regex flags to be applied to a regex string
  • newline_after (bool, optional) – bool to determine if there should be an extra newline after the string
Returns:the generated name of the string, for later handling
Return type:str

add_modifier(name, modifier)

Add a modifier to a string

Parameters:
  • name (str) – the name of the string to add the modifier to
  • modifier (str) – the modifier to add
add_string(name, value, str_type='text', regex_flags=None, newline_after=False)

Add a named string to the YaraStrings object

Parameters:
  • name (str) – name of the string
  • value (str) – the string
  • str_type (str, optional) – the type of the string (“text”, “hex”, “regex”)
  • regex_flags (str, optional) – any regex flags to be applied to a regex string
  • newline_after (bool, optional) – bool to determine if there should be an extra newline after the string
build_strings()

Build each string object

get_yara_strings()

Method to return a structured POD version of YaraStrings

Returns:the constructed YaraStrings
Return type:OrderedDict
set_yara_strings(yara_strings)

Method to set the YaraStrings from a dictionary

Parameters:yara_strings (dict) – a dictionary representing the YaraStrings
class yarabuilder.yararule.YaraTags

Bases: object

Class to represent the YARA tags section

tags

list of tags

Type:list of str
raw_tags

string representing the built tags

Type:str
add_tag(tag)

Add a tag to the YaraTags object

Parameters:tag (str) – the string representing the tag
build_tags()

Build the tags into one string

get_yara_tags()

Method to return a structured POD version of YaraTags

Returns:the constructed YaraTags
Return type:list
has_tags()

Utility method to determine if there are any tags

Returns:True if there are tags, False otherwise
Return type:bool
set_yara_tags(yara_tags)

Method to set the YaraTags from a list

Parameters:yara_tags (list) – the list representing the YaraTags
yarabuilder.yararule.main()

Method used to exercise the module when it is run from the command line
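The layout the classes above describe (string entries rendered by type, comments placed above, inline and below an entry, and the sections assembled in the order imports, header with tags, meta, strings, condition) is shown here as a self-contained added example; it is not yarabuilder's own code, and `INDENT`, the function names and the sample rule contents are constructed for illustration.

```python
# Added illustration of the rule layout documented for yarabuilder.yararule;
# these are stand-alone functions, not the library's classes.
INDENT = 4  # spaces per level (assumption; the library takes a whitespace character)

def build_string(name, value, str_type="text", modifiers=(), regex_flags=None,
                 is_anonymous=False):
    """Render one strings-section entry: text quoted, hex braced, regex slashed."""
    if str_type == "text":
        body = '"%s"' % value
    elif str_type == "hex":
        body = "{ %s }" % value
    elif str_type == "regex":
        body = "/%s/%s" % (value, regex_flags or "")
    else:  # mirrors the valid_str_types check the page lists for YaraStrings
        raise ValueError("unknown str_type: %r" % str_type)
    label = "$" if is_anonymous else "$" + name  # anonymous strings are a bare "$"
    return " " * INDENT * 2 + " ".join([label, "=", body, *modifiers])

def build_comments(raw, above=(), inline=None, below=()):
    """Wrap a built entry in its comments: above/below are lists, inline is one string."""
    indent = raw[: len(raw) - len(raw.lstrip())]
    lines = ["%s// %s" % (indent, c) for c in above]
    lines.append(raw + (" // " + inline if inline else ""))
    lines += ["%s// %s" % (indent, c) for c in below]
    return "\n".join(lines)

def build_rule(rule_name, condition, imports=(), tags=(), meta=(), strings=()):
    """Assemble the sections in documented order; meta/strings are pre-built lines."""
    ind = " " * INDENT
    out = ['import "%s"' % i for i in imports] + ([""] if imports else [])
    out.append("rule %s%s" % (rule_name, " : " + " ".join(tags) if tags else ""))
    out.append("{")
    for title, entries in (("meta", meta), ("strings", strings)):
        if entries:  # empty sections are omitted entirely
            out.append(ind + title + ":")
            out.extend(entries)
    out += [ind + "condition:", ind * 2 + condition, "}"]
    return "\n".join(out)

def example_rule():
    """Constructed sample: a commented text string, an anonymous hex string, a regex."""
    strings = [
        build_comments(build_string("a", "evil", modifiers=["ascii", "wide"]),
                       above=["printable marker"], inline="case-sensitive"),
        build_string(None, "6A 40 68 00 30 00 00", str_type="hex", is_anonymous=True),
        build_string("re", "md5: [0-9a-f]{32}", str_type="regex", regex_flags="i"),
    ]
    meta = [" " * INDENT * 2 + 'author = "example"', " " * INDENT * 2 + "severity = 3"]
    return build_rule("ExampleRule", "pe.is_pe and all of them", imports=["pe"],
                      tags=["demo"], meta=meta, strings=strings)
```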