yara-rust

Bindings for the Yara library from VirusTotal.

More documentation can be found in the Yara documentation.

Example

The implementation is inspired by yara-python.

Features

  • Supports Yara from v4.1 onward.
  • Compile rules from strings or files.
  • Save and load compiled rules.
  • Scan byte arrays (&[u8]) or files.

Feature flags and Yara linking

Look at the yara-sys crate documentation for a list of feature flags and for how to link against your Yara library.

TODO

  • Remove some unwrap calls on string conversions (currently this crate assumes that rule, meta and namespace identifiers are valid Rust str values).
  • Accept AsRef<Path> instead of &str on multiple functions.
  • Implement the scanner API.
  • Add process scanning.
  • Report the warnings to the user.

License

Licensed under either of

  • Apache License, Version 2.0, (LICENSE-APACHE or http://www.apache.org/licenses/LICENSE-2.0)
  • MIT license (LICENSE-MIT)

at your option.

Contributing

Please follow the conventional commit rules when committing to this repository.

If you add any new feature, add the corresponding unit/doc tests.

Issues


Hugal31

The unit test rules::test::rules_scan_proc failed on a CI build with the configuration ubuntu-20.04,vendored,bindgen,nightly. I ran it again and it passed.

May be related to #25.

ikrivosheev

I tested my application and saw a huge growth in memory! Files to reproduce the error: 16025.tar.gz.zip (these are simple txt files)

Simple code to reproduce:

What am I doing wrong?

Orycterope

When I'm compiling for Windows x86, the following trivial test fails:

On the line corresponding to rules_scan_mem().unwrap(). Error 53 corresponds to ERROR_CALLBACK_REQUIRED.

In yara-rust, the call boils down to this code in internals::scan:

Some(scan_callback) is the function pointer to the callback, and p_callback is the user data that will be passed by libyara as an argument to scan_callback. (It's a pointer to the actual callback closure that will be reconstructed by our scan_callback and then called, but this is not relevant here.)

The thing is: Some(scan_callback) is definitely not a function pointer, and does not have the same size as a function pointer.

Here are the arguments that Rust pushes on the stack before doing the FFI call:

This is one stack slot more than expected by the C function yr_rules_scan_mem, because of the space needed for the Option's variant tag. Because of this, yr_rules_scan_mem sees all variables shifted by one slot:


callback is now 0x0 (the tag for variant Some), user_data is now callback, and timeout amounts to the address of user_data as seconds.

Officially, yr_rules_scan_mem is defined in rules.h as

where YR_CALLBACK_FUNC is

Definitely no Option here. However, bindgen (I'm using the bundled bindings) has generated:

No idea where this Option comes from.

Somehow this bug is miraculously not triggered in x64, either because the ABI is different (no stack slots, args are passed via registers), or because Option<unsafe extern "C" fn(...)> is properly optimized to be the same size as the function pointer, just like Option<NonNull<T>> is.

For now my conclusion is that bindgen is at fault here. I'll try to pinpoint the reason, and when I find it I'll open an issue on their repo linking to this one.
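As an added illustration (not code from this issue or from yara-rust), here is the callback-through-user_data pattern the comment describes, with a constructed stand-in for the C side and a check of the layout assumption it rests on: an Option around an extern "C" function pointer is exactly one pointer wide. The names fake_scan, trampoline, scan_with_closure and CallbackFn, and the message codes 1, 2 and 53, are constructed for this example and are not yara-sys identifiers.

```rust
use std::ffi::c_void;
use std::mem::size_of;
use std::os::raw::c_int;

// Shape of the callback argument as the comment describes it: a nullable C function
// pointer plus an opaque user_data pointer. Constructed stand-in for YR_CALLBACK_FUNC.
type CallbackFn = Option<unsafe extern "C" fn(message: c_int, user_data: *mut c_void) -> c_int>;

// Constructed stand-in for the C side (yr_rules_scan_mem): calls the callback twice with
// made-up message codes 1 and 2 and sums the results; 53 mimics "callback required".
extern "C" fn fake_scan(callback: CallbackFn, user_data: *mut c_void) -> c_int {
    match callback {
        Some(cb) => unsafe { cb(1, user_data) + cb(2, user_data) },
        None => 53,
    }
}

// C-ABI trampoline: recovers the Rust closure from user_data and calls it.
unsafe extern "C" fn trampoline<F: FnMut(c_int) -> c_int>(
    message: c_int,
    user_data: *mut c_void,
) -> c_int {
    // SAFETY: scan_with_closure passes a pointer to a live F that outlives the whole
    // fake_scan call, and nothing else touches it meanwhile.
    let closure = unsafe { &mut *(user_data as *mut F) };
    closure(message)
}

// Safe wrapper: the closure stays on this stack frame; only its address crosses the FFI
// boundary, which is why the callback and user_data slots must line up with the C signature.
fn scan_with_closure<F: FnMut(c_int) -> c_int>(mut f: F) -> c_int {
    let user_data = &mut f as *mut F as *mut c_void;
    fake_scan(Some(trampoline::<F>), user_data)
}

// The layout assumption the scheme rests on: Rust guarantees that Option<extern "C" fn>
// uses the null niche, so it is one pointer wide and ABI-compatible with a C pointer.
fn option_fn_is_pointer_sized() -> bool {
    size_of::<CallbackFn>() == size_of::<extern "C" fn()>()
}

fn main() {
    let mut seen = Vec::new();
    let rc = scan_with_closure(|msg| {
        seen.push(msg);
        msg * 10
    });
    println!("rc={rc} seen={seen:?} pointer_sized={}", option_fn_is_pointer_sized());
}
```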

tclausen (enhancement)

Hi,

We're trying to cross-compile this little program:

to Windows from Linux by issuing:

cargo build --bin thomas --target x86_64-pc-windows-gnu

We have set the correct inc dir: YARA_INCLUDE_DIR="../yara-3.11.0/libyara/include"

The error we get is:

dfirence

Hi

What is the possible estimate on your implementation of these features from the README?

Implement the scanner API. Add process scanning.

Versions


v0.12.0 - Oct 29, 2021

⚠ BREAKING CHANGES

  • The feature bundled-4_1_2 becomes bundled-4_1_3. However, since there are no ABI changes between the two versions, it is still compatible with yara v4.1.2.

Features

v0.11.1 - Oct 29, 2021

Bug Fixes

v0.11.0 - Oct 29, 2021

Features

  • Add support for the include directive (26273f0)

Bug Fixes

  • add missing CallbackMsg type (ea2a28c)
  • add scan flags (af34e15)
  • avoid warnings in generated bindings on x64 windows msvc (43d0be1)
  • improve API safety (7dd00b1)
  • remove Box closure (50a9a4e)
  • remove non_upper_case_globals warning with windows x86 target (d1176b7)
  • remove unused flag (15f2472)

v0.10.0 - Sep 20, 2021

⚠ BREAKING CHANGES

  • Compiler.add_rules_* functions now take Compiler by value and return it if the rule is successfully added.
  • Minimum Rust version is now 1.55.

Features

  • yara-sys: vendored feature uses v4.1.2 (18b7ae4)
  • add support for yr_scanner_scan_mem_blocks (e1aa11e)

Bug Fixes

  • prevent UB when failing to compile a rule (99f756a), closes #47

Information - Updated Jun 22, 2022

Stars: 35
Forks: 18
Issues: 8
