Building libyara-1.6 for yara-ctypes¶
This guide captures some of the steps taken to make a clean checkout of tags/yara-1.6/ build and work for yara-ctypes.
Patch a clean checkout of yara-1.6¶
Checkout yara-1.6.0 from:
svn co http://yara-project.googlecode.com/svn/tags/yara-1.6.0 .
Modify the following two files from ./libyara/
to allow yara.rules
cleanup after each search:
>>>yara.h<<<
+ void yr_free_matches(YARA_CONTEXT* context);
>>>libyara.c<<<
+ void yr_free_matches(YARA_CONTEXT* context)
+ {
+ RULE* rule;
+ STRING* string;
+ MATCH* match;
+ MATCH* next_match;
+ rule = context->rule_list.head;
+ while (rule != NULL)
+ {
+ string = rule->string_list_head;
+
+ while (string != NULL)
+ {
+ match = string->matches_head;
+ while (match != NULL)
+ {
+ next_match = match->next;
+ yr_free(match->data);
+ yr_free(match);
+ match = next_match;
+ }
+ string->matches_head = NULL;
+ string->matches_tail = NULL;
+ string = string->next;
+ }
+ rule = rule->next;
+ }
+ }
Building for Ubuntu¶
Install the development pre-requisites:
> sudo apt-get install build-essential flex libpcre3-dev libpcre3 bison
First attempt:
> cd $ROOTDIR/yara-1.6/
> ./configure
> make
- If that fails, try to reconfigure::
- > aclocal > automake -ac > autoheader > autoconf > ./configure make
Thats it, nice and easy...
Building for Windows¶
Build using Mingw32
Install prerequisites:
> install mingw32
> pcre-8.20 builds fine... ./configure && make install
Run the build:
> autoreconf -fiv # force an autoreconf (or update/replace libtools m4)
> install build auto tools (including autoconf autogen)
> find the latest pcre and bison - build them! :P
> cd $ROOTDIR/yara-1.6/
> ./configure
> make
This will get you a 32bit dll. If you figure out how to do it under mingw64, let me know...
Build under Visual Studios
To build using Visual Studio, the following settings were added to the
windows/libyara/libyara.vcproj
Properties Page.
- [General][Configuration Type] = “Dynamic Library (.dll)”
- [C/C++][Runtime Library] = “Multi-threaded DLL (/MD)”
The C/C++ All Options view:
/I"..\..\windows\include" /Zi /nologo /W1 /WX- /O2 /Ob2 /Oi /Ot /Oy- /D "PCRE_STATIC" /D "_WINDLL" /D "_MBCS" /Gm- /MD /GS- /fp:precise /Zc:wchar_t /Zc:forScope /Fp"Release\libyara.pch" /Fa"Release\" /Fo"Release\" /Fd"Release\vc100.pdb" /Gd /TC /wd"4996" /analyze- /errorReport:queue
The Linker All Options view:
/OUT:".\yara\tags\yara-1.6.0\windows\libyara\Release\libyara.dll" /NOLOGO /LIBPATH:"..\lib" /LIBPATH:".\yara\tags\yara-1.6.0\windows\libyara\Release\" /DLL "pcre32.lib" "kernel32.lib" "user32.lib" "gdi32.lib" "winspool.lib" "comdlg32.lib" "advapi32.lib" "shell32.lib" "ole32.lib" "oleaut32.lib" "uuid.lib" "odbc32.lib" "odbccp32.lib" /MANIFEST /ManifestFile:"Release\libyara.dll.intermediate.manifest" /ALLOWISOLATION /MANIFESTUAC:"level='asInvoker' uiAccess='false'" /PDB:".\yara\tags\yara-1.6.0\windows\libyara\Release\libyara.pdb" /PGD:".\yara\tags\yara-1.6.0\windows\libyara\Release\libyara.pgd" /TLBID:1 /DYNAMICBASE /NXCOMPAT /MACHINE:X86 /ERRORREPORT:QUEUE
Finally, to export the functions in the libyara.dll you need to ensure that
each export function includes/yara.h
has a __declspec(dllexport)
defined before it:
>>>yara.h<<<
__declspec(dllexport) RULE* lookup_rule(RULE_LIST* rules, const char* identifier, NAMESPACE* ns);
__declspec(dllexport) STRING* lookup_string(STRING* string_list_head, const char* identifier);
__declspec(dllexport) TAG* lookup_tag(TAG* tag_list_head, const char* identifier);
__declspec(dllexport) META* lookup_meta(META* meta_list_head, const char* identifier);
__declspec(dllexport) VARIABLE* lookup_variable(VARIABLE* _list_head, const char* identifier);
__declspec(dllexport) void yr_init();
__declspec(dllexport) YARA_CONTEXT* yr_create_context();
__declspec(dllexport) void yr_destroy_context(YARA_CONTEXT* context);
__declspec(dllexport) int yr_calculate_rules_weight(YARA_CONTEXT* context);
__declspec(dllexport) NAMESPACE* yr_create_namespace(YARA_CONTEXT* context, const char* name);
__declspec(dllexport) int yr_define_integer_variable(YARA_CONTEXT* context, const char* identifier, size_t value);
__declspec(dllexport) int yr_define_boolean_variable(YARA_CONTEXT* context, const char* identifier, int value);
__declspec(dllexport) int yr_define_string_variable(YARA_CONTEXT* context, const char* identifier, const char* value);
__declspec(dllexport) int yr_undefine_variable(YARA_CONTEXT* context, const char* identifier);
__declspec(dllexport) char* yr_get_current_file_name(YARA_CONTEXT* context);
__declspec(dllexport) int yr_push_file_name(YARA_CONTEXT* context, const char* file_name);
__declspec(dllexport) void yr_pop_file_name(YARA_CONTEXT* context);
__declspec(dllexport) int yr_compile_file(FILE* rules_file, YARA_CONTEXT* context);
__declspec(dllexport) int yr_compile_string(const char* rules_string, YARA_CONTEXT* context);
__declspec(dllexport) int yr_scan_mem(unsigned char* buffer, size_t buffer_size, YARA_CONTEXT* context, YARACALLBACK callback, void* user_data);
__declspec(dllexport) int yr_scan_file(const char* file_path, YARA_CONTEXT* context, YARACALLBACK callback, void* user_data);
__declspec(dllexport) int yr_scan_proc(int pid, YARA_CONTEXT* context, YARACALLBACK callback, void* user_data);
__declspec(dllexport) char* yr_get_error_message(YARA_CONTEXT* context, char* buffer, int buffer_size);
__declspec(dllexport) void yr_free_matches(YARA_CONTEXT* context);
Building for OS X Mountain Lion¶
Install Homebrew and install the following packages:
brew install libtool pcre bison automake autoconf svn
Patch libyara/configure.ac with the following:
>>>libyara/configure.ac<<<
+ m4_pattern_allow([AM_PROG_AR])
+ AM_PROG_AR
Reconfigure the auto build tool chain:
autoreconf -fiv
Due to a bug in the auto config files (somewhere) replace the generated libyara/libtool with:
rm libyara/libtool
ln -s /usr/local/Cellar/libtool/2.4.2/bin/glibtool libyara/libtool
Copy and rename the dynamic link library:
cp ./libyara/.libs/libyara.0.dylib <DESTPATH>/libyara.so