notes of yara 3.5.0 compiling

This is a modified version of my 'notes of yara 3.4.0 compiling' post.


What's good in 3.5.0 in comparison with 3.4.0

Official description is quite short, so I watched commits:
  • speed up: up to 2.6x faster! - https://twitter.com/plusvic/status/763753320381046784
  • bugfixes: ~70 bugfixes - some of them led to crashes - I personally ran into crashes because of 2 bugs, which are fixed by now
  • new stuff:
    • match length operator '!' (I don't know who will really use it)
    • useful stuff in pe module:
      • imports(dll_name)
      • imports(dll_name, ordinal)
      • is_dll()
      • is_32bit()
      • is_64bit()
      • 2 new functions in 'rich_signature' in 'pe' module:
        • version(version, [toolid])
        • toolid(toolid, [version])
Also, in my own yara module I will need to change things like:
    foreach_memory_block(context, block)
to
    foreach_memory_block(iterator, block)
and declare this iterator beforehand, and change the way block data is accessed - now I need to write something like 'block_data = block->fetch_data(block);'.

And also struct _YR_MATCH changed - match->length became match->match_length, so I need to fix that in my module source accordingly.

tools & version:

  • windows 8.1
  • visual studio 2013
  • yara library 3.5.0


Just notes of the yara compiling process on windows with visual studio. I will compile without CUCKOO support, because I don't need it.


1) unpack archive

2) go to yara-3.5.0\windows\lib and delete all the libraries there. I prefer to compile everything I need myself, and these prebuilt libraries will interfere with the ones I compile.

3) open solution: .\yara-3.5.0\windows\vs2010\yara.sln

4) open 'utils.h' -> replace '#define YR_API EXTERNC __declspec(dllexport)' with '#define YR_API EXTERNC' (because I don't like exported symbols in my exe files, and I want to link statically)

5) choose platform & mode

6) set the runtime library for all projects (yara & yarac & libyara):
    properties -> c/c++ -> code generation -> runtime library -> /MTd for debug or /MT for release
    (you can select several projects at a time using Ctrl + left mouse click)

7) add to the "Preprocessor Definitions" of the 'libyara' project
    (Properties -> Configuration Properties -> C/C++ -> Preprocessor -> Preprocessor Definitions)
    the lines needed to avoid conflicts with the MySQL C connector, for example:

8) open 'strutils.c' and replace '#if !HAVE_STRLCAT && !defined(strlcat)' with '#if !HAVE_STRLCAT'; open 'strutils.h' and do the same.

9) Go to libyara properties:
    Properties -> Configuration Properties -> C/C++ -> Preprocessor -> Preprocessor Definitions
    and delete CUCKOO from this list.
Then go to libyara properties:
    Properties -> Configuration Properties -> Librarian -> General -> Additional Dependencies
    and delete jansson64.lib from this list.

10) Here you must choose whether you want to compile it with openssl or without.
Why you would need openssl in the yara library:
    - Generate an import hash: https://www.mandiant.com/blog/tracking-malware-import-hashing/ (uses define HAVE_LIBCRYPTO)
    - The PE module of yara can extract some info from the PE digital signature certificate (uses define HAVE_LIBCRYPTO). Excerpt from the pe module declarations; the rest of the block is omitted:
        #if defined(HAVE_LIBCRYPTO)
          declare_function("valid_on", "i", "i", valid_on);
        #endif

    - The HASH module of yara provides cryptographic hash functions: md5, sha1, sha256, checksum32 (uses define HASH_MODULE; the module appeared in version 3.3.0)
If you need some of this functionality, you need to build openssl and add for all projects:
    - an additional library directory
    - the openssl library file (libeay32.lib on my pc)
    - HASH_MODULE in the preprocessor definitions of the libyara project

If you don't need this functionality:
    - delete HAVE_LIBCRYPTO from the "Preprocessor Definitions" of libyara, and insert a HAVE_TIMEGM line, otherwise you get undefined type 'tm':
        Properties -> Configuration Properties -> C/C++ -> Preprocessor -> Preprocessor Definitions
    - delete libeay64.lib from
        Properties -> Configuration Properties -> Librarian -> General -> Additional Dependencies
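Which rule features survive each build choice is the practical consequence of step 10 and of the 3.5.0 additions listed at the top. The rule set below is an added example written for these notes; it is not from the original post or from the YARA project. The DLL names, the ordinal, the tool id, the regex and the digest are constructed placeholders chosen to show syntax, not real indicators. Rules one and two compile in a build that dropped HAVE_LIBCRYPTO; rule three only compiles when libyara was built with HAVE_LIBCRYPTO (for pe.signatures) and HASH_MODULE (for import "hash"), so a compile error there is the expected symptom of the "without openssl" path.

```yara
// Added example rules for YARA 3.5.0 (not the original post's content).
// All literal values are constructed placeholders.

import "pe"
import "hash"   // only resolves if libyara was built with HASH_MODULE

rule pe_helpers_without_openssl
{
    // is_dll/is_32bit/is_64bit, the one- and two-argument pe.imports forms
    // and the rich_signature lookups are plain PE-header parsing: they do
    // not depend on HAVE_LIBCRYPTO.
    condition:
        pe.is_dll() and pe.is_32bit() and not pe.is_64bit() and
        pe.imports("kernel32.dll") and          // any import from that DLL (new in 3.5.0)
        pe.imports("ws2_32.dll", 23) and        // import by ordinal (new in 3.5.0); 23 is constructed
        pe.rich_signature.toolid(0xF0)          // constructed tool id
}

rule match_length_operator
{
    // '!' is the 3.5.0 match length operator: !a[1] is the length of the
    // first match of $a, which matters for regexes with variable-size matches.
    strings:
        $a = /Content-Length: [0-9]{1,8}/
    condition:
        #a > 0 and !a[1] >= 17
}

rule needs_openssl_build
{
    // pe.number_of_signatures / pe.signatures[] exist only under
    // HAVE_LIBCRYPTO, and hash.* only with the HASH_MODULE define.
    condition:
        pe.number_of_signatures > 0 and
        for any i in (0 .. pe.number_of_signatures - 1) :
            ( pe.signatures[i].valid_on(pe.timestamp) ) and
        hash.md5(0, filesize) == "0123456789abcdef0123456789abcdef"   // placeholder digest
}
```

Compile the file with the yarac you just built to see the difference: the libcrypto-free build rejects only the third rule, with an undefined identifier for pe.signatures or an unknown module error for "hash".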

11) If you need to add your own module, add it to 'libyara\modules\module_list'.

After that everything compiles fine.

