Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Relative paths in include statements #56

Open
uggwar opened this issue Dec 11, 2019 · 7 comments
Open

Relative paths in include statements #56

uggwar opened this issue Dec 11, 2019 · 7 comments

Comments

@uggwar
Copy link

uggwar commented Dec 11, 2019

Hi!

Can't seem to load files that has include statements like this:

include "subdir/SomeGreatYaraRules.yar"

I load these files with err := compiler.AddFile(f, "ns")

@hillu
Copy link
Owner

hillu commented Dec 11, 2019

Are you expecting the file to be found relative to the current working directory of your program? Or are you expecting it to be found relative to the directory in which the including file resides?

@uggwar
Copy link
Author

uggwar commented Dec 12, 2019

Relative to where the including file resides. Usually I have subfolders with rules divided into files. At the top level there are yar-files that include certain files relative to its own location. Using yarac works fine, but compiler.AddFile panics saying that the relative path cannot be found.

@hillu
Copy link
Owner

hillu commented Dec 12, 2019

Curious. I just ran into the problem you described today. Without having looked at the commit history, I'm pretty sure that this has to do with a behavior change in libyara. I'll have to investigate further…

@hillu
Copy link
Owner

hillu commented Dec 20, 2019

I just created a.yar containing the following two lines:

include "b.yar"
include "subdir/c.yar"

Both included files exist and are empty.

I can compile this using yarac from both YARA 3.11 and current master (commit b534f03eecd8a109db2b085ab24d419b6486de97), also with the following little Go test program built with Go 1.13.5 (Linux/amd64) against either version:

package main

import (
	"github.com/hillu/go-yara"

	"log"
	"os"
)

func main() {
	c, _ := yara.NewCompiler()
	f, _ := os.Open("a.yar")
	log.Printf("Using '%s'…", f.Name())
	if err := c.AddFile(f, ""); err != nil {
		log.Fatalf("addfile: %v", err)
	}
	if _, err := c.GetRules(); err != nil {
		log.Fatalf("compile: %v", err)
	}
	log.Print("Done.")
}

@hillu
Copy link
Owner

hillu commented Dec 20, 2019

@uggwar The problem you encountered may have to do with your ruleset resulting in multiple errors: When I try to compile index.yar from https://github.com/Yara-Rules/rules with yarac from a YARA build without Cuckoo support, this results in a number of error messages:

./malware/MALW_AZORULT.yar(5): error: unknown module "cuckoo"
./malware/MALW_AZORULT.yar(23): error: invalid field name "sync"
./malware/MALW_AZORULT.yar(167): error: can't open include file: ./malware/MALW_AgentTesla.yar
./malware/MALW_AZORULT.yar(168): error: can't open include file: ./malware/MALW_AgentTesla_SMTP.yar
./malware/MALW_AZORULT.yar(169): error: can't open include file: ./malware/MALW_AlMashreq.yar
[…]
./malware/MALW_AZORULT.yar(443): error: can't open include file: ./malware/TOOLKIT_THOR_HackTools.yar
./malware/MALW_AZORULT.yar(444): error: can't open include file: ./malware/TOOLKIT_Wineggdrop.yar
./malware/MALW_AZORULT.yar(445): error: can't open include file: ./malware/TOOLKIT_exe2hex_payload.yar

(I am pretty sure that all the "cannot open include file" messages are symptoms of a bug within YARA itself.)

Now, when I use my test program to compile this rule, I only get the following message:

addfile: can't open include file: ./malware/TOOLKIT_exe2hex_payload.yar

This is only the last error reported by YARA. However, all the warnings and errors are stored in (*Compiler).Warnings and (*Compiler).Errors, respectively.

@hillu
Copy link
Owner

hillu commented Jan 7, 2020

@uggwar Ping? Do you think that my analysis is correct?

@uggwar
Copy link
Author

uggwar commented Jan 9, 2020 via email

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants