Plyara

Patch release to address a bug.

* https://github.com/plyara/plyara/pull/108

New Features:

* https://github.com/plyara/plyara/pull/62 The parser can be reused without reinstantiation via the new `clear()` method. This saves time between parsing sessions when using plyara on a large amount of data. Thanks malwarefrank!
* https://github.com/plyara/plyara/pull/69 Python 3.8 support.
* https://github.com/plyara/plyara/pull/84 A new parameter `meta_as_kv` can be used to emit the old 1.x JSON schema for entries in the meta section of a rule. Thanks [sbruno](https://github.com/sbruno) and Neo23x0!
* https://github.com/plyara/plyara/pull/90 New instructions and configuration for contributors. Thanks malwarefrank!
* https://github.com/plyara/plyara/pull/92 YARA 4.0 support. Thanks malvidin!!!!
* https://github.com/plyara/plyara/pull/93 New rule hashing utility. Thanks malvidin!

Changes:

* https://github.com/plyara/plyara/pull/81 Removed deprecated methods: `is_valid_rule_name()`, `is_valid_rule_tag()`, `detect_imports()`, `detect_dependencies()`, `generate_logic_hash()`, and `rebuild_yara_rule(). Functionality of each of these is found in the utilities.

Patch release to address a bug.

* Fix handling of empty metadata strings. (58 from Tasssadar)

Note: this release will be unsigned on PyPI.

Patch release to address a bug.

* Fix handling of empty metadata strings. (54)

Patch release, no functional changes.

* Add support for Python 3.5. (51 from hillu)

Major release: v2.0.0.

Changes

* Parsed "meta" sections now return individual native Python types, rather than always strings. (See migration notes below).
* Parsed "meta" section is now represented as an ordered list of dictionaries with a single key, rather than an unsorted dictionary. (See migration notes below).
* Refactored static methods of the `Parser` class into a new `plyara.utils` module.
* Now strips extra quotes from strings in the "strings" section, and adds a new key called "type" to string dictionaries that will be one of "text", "byte", or "regex".

Migration Notes

When migrating from v1.x to v2.x, there are some changes you may need to account for in your plyara usage.

Native Types and Metadata List

YARA:


meta:
MyString = "Test"
MyInt = 10
MyBool = true


Before:

json
"metadata": {
"MyBool": "true",
"MyInt": "10",
"MyString": "Test"
},


Now:

json
"metadata": [
{
"MyString": "Test"
},
{
"MyInt": 10
},
{
"MyBool": true
}
],


String Quoting and Type

YARA:


strings:
$a = { 00 00 00 00 00 00 }
$b = "test"
$c = /test/


Before:

json
"strings": [
{
"name": "$a",
"value": "{ 00 00 00 00 00 00 }"
},
{
"name": "$b",
"value": "\"test\""
},
{
"name": "$c",
"value": "/test/"
}
]


Now:

json
"strings": [
{
"name": "$a",
"type": "byte",
"value": "{ 00 00 00 00 00 00 }"
},
{
"name": "$b",
"type": "text",
"value": "test"
},
{
"name": "$c",
"type": "regex",
"value": "/test/"
}
]


Utils Functions

Before:

python
import plyara

with open('test.yara', 'r') as f:
parser = plyara.Plyara()
rules = parser.parse_string(f.read())

for rule in rules:
Don't do this!
print(parser.rebuild_yara_rule(rule))


Now:

python
import plyara
import plyara.utils

with open('test.yara', 'r') as f:
parser = plyara.Plyara()
rules = parser.parse_string(f.read())

for rule in rules:
Do this instead!
print(plyara.utils.rebuild_yara_rule(rule))