Major release: v2.0.0.
Changes
* Parsed "meta" sections now return individual native Python types, rather than always strings. (See migration notes below).
* Parsed "meta" section is now represented as an ordered list of dictionaries with a single key, rather than an unsorted dictionary. (See migration notes below).
* Refactored static methods of the `Parser` class into a new `plyara.utils` module.
* Now strips extra quotes from strings in the "strings" section, and adds a new key called "type" to string dictionaries that will be one of "text", "byte", or "regex".
Migration Notes
When migrating from v1.x to v2.x, there are some changes you may need to account for in your plyara usage.
Native Types and Metadata List
YARA:
```
meta:
    MyString = "Test"
    MyInt = 10
    MyBool = true
```
Before:
```json
"metadata": {
    "MyBool": "true",
    "MyInt": "10",
    "MyString": "Test"
},
```
Now:
```json
"metadata": [
    {
        "MyString": "Test"
    },
    {
        "MyInt": 10
    },
    {
        "MyBool": true
    }
],
```
String Quoting and Type
YARA:
```
strings:
    $a = { 00 00 00 00 00 00 }
    $b = "test"
    $c = /test/
```
Before:
```json
"strings": [
    {
        "name": "$a",
        "value": "{ 00 00 00 00 00 00 }"
    },
    {
        "name": "$b",
        "value": "\"test\""
    },
    {
        "name": "$c",
        "value": "/test/"
    }
]
```
Now:
```json
"strings": [
    {
        "name": "$a",
        "type": "byte",
        "value": "{ 00 00 00 00 00 00 }"
    },
    {
        "name": "$b",
        "type": "text",
        "value": "test"
    },
    {
        "name": "$c",
        "type": "regex",
        "value": "/test/"
    }
]
```
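Tooling that filters or audits rules on these fields breaks in two ways after the upgrade: `rule["metadata"]["MyInt"]` raises `TypeError` because the metadata is now a list, and a comparison such as `== "true"` no longer matches the native `True`. The following is an added example, not plyara code: two hypothetical helpers, `meta_pairs` and `upgrade_string`, that accept either output shape, assuming v1.x string values keep their delimiters as in the "Before" output above.

```python
# Added example: operates on the parsed-rule dictionaries shown in these notes,
# so plyara itself is not imported. Function names are hypothetical.

def meta_pairs(rule):
    """Return (key, value) pairs from v1.x or v2.x metadata, in stored order."""
    meta = rule.get("metadata", [])
    if isinstance(meta, dict):
        # v1.x: one dictionary; every value is a string ("10", "true").
        return list(meta.items())
    # v2.x: ordered list of single-key dictionaries with native types.
    return [pair for entry in meta for pair in entry.items()]


def upgrade_string(entry):
    """Return a "strings" entry in the v2.x shape (adds "type")."""
    if "type" in entry:                      # already v2.x output
        return dict(entry)
    value = entry["value"]
    if value.startswith("{"):
        kind = "byte"
    elif value.startswith("/"):
        kind = "regex"
    else:
        kind = "text"
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]              # v1.x kept the surrounding quotes
    return {"name": entry["name"], "type": kind, "value": value}


# Constructed sample input: the "Before" and "Now" output from these notes.
V1_RULE = {
    "metadata": {"MyBool": "true", "MyInt": "10", "MyString": "Test"},
    "strings": [
        {"name": "$a", "value": "{ 00 00 00 00 00 00 }"},
        {"name": "$b", "value": "\"test\""},
        {"name": "$c", "value": "/test/"},
    ],
}
V2_RULE = {
    "metadata": [{"MyString": "Test"}, {"MyInt": 10}, {"MyBool": True}],
    "strings": [{"name": "$b", "type": "text", "value": "test"}],
}

if __name__ == "__main__":
    for rule in (V1_RULE, V2_RULE):
        print(meta_pairs(rule), [upgrade_string(s) for s in rule["strings"]])
```

`meta_pairs` does not coerce v1.x values, because v1.x output cannot distinguish the integer `10` from the string `"10"`.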
Utils Functions
Before:
```python
import plyara

with open('test.yara', 'r') as f:
    parser = plyara.Plyara()
    rules = parser.parse_string(f.read())
    for rule in rules:
        # Don't do this!
        print(parser.rebuild_yara_rule(rule))
```
Now:
```python
import plyara
import plyara.utils

with open('test.yara', 'r') as f:
    parser = plyara.Plyara()
    rules = parser.parse_string(f.read())
    for rule in rules:
        # Do this instead!
        print(plyara.utils.rebuild_yara_rule(rule))
```