Tuesday, August 9, 2016

notes of yara 3.5.0 compiling

It's modified version of my 'notes of yara 3.4.0 compiling' post

 

What's good in 3.5.0 in comparison with 3.4.0


Official description is quite short, so I watched commits:
  • speed up into 2.6x times! - https://twitter.com/plusvic/status/763753320381046784
  • bugfixes: ~70 bugfixes - some of them led to crashes - I personally occured crashes bcs of 2 bugs, which is fixed by now
  • new stuff:
    • length operator ! (don't know who will really use it)
    • useful stuff in pe module:
      • imports(dll_name)
      • imports(dll_name, ordinal)
      • is_dll()
      • is_3bit()
      • is_64bit()
      • 2 new functions in 'rich_signature' in 'pe' module:
        • version(version, [toolid])
        • toolid(toolid, [version])
Also in my yara module I will need to change stuff like:
    foreach_memory_block(context, block)
to
    foreach_memory_block(iterator, block)
and declare this iterator before, and change the way how to deal with this stuff - now need to write smth like 'block_data = block->fetch_data(block);'

and also struct _YR_MATCH changed - match->length became match->match_length so I'd need to fix it in my module source accordingly.

tools & version:

  • windows 8.1
  • visual studio 2013
  • yara library 3.5.0

foreword

Just notes of yara compiling process on windows with visual studio. I will compile without CUCKOO support - bcs I don't need this.


action


1) unpack archive

2) go to yara-3.5.0\windows\lib and delete all these libraries. I prefer to compile everything what I need by myself. And these libraries will interfere with libraries which I will compile.

3) open solution: .\yara-3.5.0\windows\vs2010\yara.sln

4) open 'utils.h' -> replace '#define YR_API EXTERNC __declspec(dllexport)' to '#define YR_API EXTERNC' (bcs I don't like exported symbols in my exe files, and link I wanna statically)

5) choose platform & mode

6) set runtime library for all projects (yara & yarac & libyara):
    properties -> c/c++ -> code generation -> runtime library -> /MTd for debug or /MT for release
    (you can select several projects in time - using 'ctrl'+left_mouse_button_click)

7) add to "Preprocessor Definitions" of 'libyara' project
    (Properties -> Configuration Properties -> C/C++ -> Preprocessor -> Preprocessor Definitions)
    lines to not conflict with mysql c connector, for example:
strlcat=libyara_internal_strlcat

8) open 'strutils.c' and replace '#if !HAVE_STRLCAT && !defined(strlcat)' to '#if !HAVE_STRLCAT', open 'strutils.h' and make the same.

9) Go to libyara properties:
    Properties -> Configuration Properties -> C/C++ -> Preprocessor -> Preprocessor Definitions
    and delete CUCKOO from this list.
Then go to libyara properties:
    Properties -> Configuration Properties -> Librarian -> General -> Additional Dependencies
    and delete jansson64.lib from this list.

10) Here are you must choose - you want to compile it with openssl or without.
Why do you need openssl in yara library:
    - Generate an import hash: https://www.mandiant.com/blog/tracking-malware-import-hashing/ (uses define HAVE_LIBCRYPTO)
    - PE module of yara can extract some info from pe digital signature certificate. (uses define HAVE_LIBCRYPTO)
#if defined(HAVE_LIBCRYPTO)
begin_struct_array("signatures");
  declare_string("issuer");
  declare_string("subject");
  declare_integer("version");
  declare_string("algorithm");
  declare_string("serial");
  declare_integer("not_before");
  declare_integer("not_after");
  declare_function("valid_on", "i", "i", valid_on);
  end_struct_array("signatures");
declare_integer("number_of_signatures");
#endif   

    - HASH module of yara can calc provide you cryptographic hash functions: md5, sha1, sha256, checksum32 (uses define HASH, appeared in 3.3.0 version)
   
If you need some of this functionality - you need to build openssl & you need add for all projects:
    - Additional library directory
    - library file of openssl (libeay32.lib on my pc)
    - add HASH_MODULE to preprocessor of libyara project

If you don't need this functionality
    - delete HAVE_LIBCRYPTO from "Preprocessor Definitions" of libyara, and insert HAVE_TIMEGM line - else you get undefined type 'tm'.
        Properties -> Configuration Properties -> C/C++ -> Preprocessor -> Preprocessor Definitions
    - delete libeay64.lib from
        Properties -> Configuration Properties -> Librarian -> General -> Additional Dependencies

11) If you need add your module - you need add it to 'libyara\modules\module_list'

After that everything will compiles fine.

No comments:

Post a Comment