It's modified version of my 'notes of yara 3.4.0 compiling' post
What's good in 3.5.0 in comparison with 3.4.0
Official description is quite short, so I watched commits:
- speed up into 2.6x times! - https://twitter.com/plusvic/status/763753320381046784
- bugfixes: ~70 bugfixes - some of them led to crashes - I personally occured crashes bcs of 2 bugs, which is fixed by now
- new stuff:
- length operator ! (don't know who will really use it)
- useful stuff in pe module:
- imports(dll_name)
- imports(dll_name, ordinal)
- is_dll()
- is_3bit()
- is_64bit()
- 2 new functions in 'rich_signature' in 'pe' module:
- version(version, [toolid])
- toolid(toolid, [version])
foreach_memory_block(context, block)
to
foreach_memory_block(iterator, block)
and declare this iterator before, and change the way how to deal with this stuff - now need to write smth like 'block_data = block->fetch_data(block);'
and also struct _YR_MATCH changed - match->length became match->match_length so I'd need to fix it in my module source accordingly.
tools & version:
- windows 8.1
- visual studio 2013
- yara library 3.5.0
foreword
Just notes of yara compiling process on windows with visual studio. I will compile without CUCKOO support - bcs I don't need this.action
1) unpack archive
2) go to yara-3.5.0\windows\lib and delete all these libraries. I prefer to compile everything what I need by myself. And these libraries will interfere with libraries which I will compile.
3) open solution: .\yara-3.5.0\windows\vs2010\yara.sln
4) open 'utils.h' -> replace '#define YR_API EXTERNC __declspec(dllexport)' to '#define YR_API EXTERNC' (bcs I don't like exported symbols in my exe files, and link I wanna statically)
5) choose platform & mode
6) set runtime library for all projects (yara & yarac & libyara):
properties -> c/c++ -> code generation -> runtime library -> /MTd for debug or /MT for release
(you can select several projects in time - using 'ctrl'+left_mouse_button_click)
7) add to "Preprocessor Definitions" of 'libyara' project
(Properties -> Configuration Properties -> C/C++ -> Preprocessor -> Preprocessor Definitions)
lines to not conflict with mysql c connector, for example:
strlcat=libyara_internal_strlcat
8) open 'strutils.c' and replace '#if !HAVE_STRLCAT && !defined(strlcat)' to '#if !HAVE_STRLCAT', open 'strutils.h' and make the same.
9) Go to libyara properties:
Properties -> Configuration Properties -> C/C++ -> Preprocessor -> Preprocessor Definitions
and delete CUCKOO from this list.
Then go to libyara properties:
Properties -> Configuration Properties -> Librarian -> General -> Additional Dependencies
and delete jansson64.lib from this list.
10) Here are you must choose - you want to compile it with openssl or without.
Why do you need openssl in yara library:
- Generate an import hash: https://www.mandiant.com/blog/tracking-malware-import-hashing/ (uses define HAVE_LIBCRYPTO)
- PE module of yara can extract some info from pe digital signature certificate. (uses define HAVE_LIBCRYPTO)
#if defined(HAVE_LIBCRYPTO)
begin_struct_array("signatures");
declare_string("issuer");
declare_string("subject");
declare_integer("version");
declare_string("algorithm");
declare_string("serial");
declare_integer("not_before");
declare_integer("not_after");
declare_function("valid_on", "i", "i", valid_on);
end_struct_array("signatures");
declare_integer("number_of_signatures");
#endif
- HASH module of yara can calc provide you cryptographic hash functions: md5, sha1, sha256, checksum32 (uses define HASH, appeared in 3.3.0 version)
If you need some of this functionality - you need to build openssl & you need add for all projects:
- Additional library directory
- library file of openssl (libeay32.lib on my pc)
- add HASH_MODULE to preprocessor of libyara project
If you don't need this functionality
- delete HAVE_LIBCRYPTO from "Preprocessor Definitions" of libyara, and insert HAVE_TIMEGM line - else you get undefined type 'tm'.
Properties -> Configuration Properties -> C/C++ -> Preprocessor -> Preprocessor Definitions
- delete libeay64.lib from
Properties -> Configuration Properties -> Librarian -> General -> Additional Dependencies
11) If you need add your module - you need add it to 'libyara\modules\module_list'
After that everything will compiles fine.
No comments:
Post a Comment