Windows下给IDApro 安装yara-python报错原因及解决

最新推荐文章于 2024-08-11 17:08:05 发布

爱吃素的武士

最新推荐文章于 2024-08-11 17:08:05 发布

阅读量2.2k

点赞数 1

分类专栏： ctf

原文链接：https://blog.csdn.net/u011718707/article/details/107571811

版权

ctf 专栏收录该内容

23 篇文章 0 订阅

订阅专栏

在IDA pro7.0上安装findcrypt这个插件。

源地址：https://blog.csdn.net/u011718707/article/details/107571811

而findcrypt这个插件需要依赖python的yara-python模块。因此先安装yara-python。

因为要用到pip安装，并且是给IDA自带的python安装模块。所以事先需要把当前python2的环境变量修改为IDA使用的python2.

修改完成后pip -V 就能查看当前使用的pip信息
在这里插入图片描述
然后使用pip install yara-python 报各种乱七八糟的错。

C:\Users\ygt>python -m pip install yara-python
DEPRECATION: Python 2.7 reached the end of its life on January 1st, 2020. Please upgrade your Python as Python 2.7 is no longer maintained. pip 21.0 will drop support for Python 2.7 in January 2021. More details about Python 2 support in pip, can be found at https://pip.pypa.io/en/latest/development/release-process/#python-2-support
Looking in indexes: https://pypi.tuna.tsinghua.edu.cn/simple
Collecting yara-python
  Using cached https://pypi.tuna.tsinghua.edu.cn/packages/5f/32/23a3234978d746acfad00f306b13446a1935c52ec74a033416f457328239/yara-python-4.0.2.tar.gz (405 kB)
Using legacy setup.py install for yara-python, since package 'wheel' is not installed.
Installing collected packages: yara-python
    Running setup.py install for yara-python ... error
    ERROR: Command errored out with exit status 1:
     command: 'D:\IDA\python27\python.exe' -u -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'c:\\users\\ygt\\appdata\\local\\temp\\pip-install-cmkquh\\yara-python\\setup.py'"'"'; __file__='"'"'c:\\users\\ygt\\appdata\\local\\temp\\pip-install-cmkquh\\yara-python\\setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(__file__);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, __file__, '"'"'exec'"'"'))' install --record 'c:\users\ygt\appdata\local\temp\pip-record-3a7pdh\install-record.txt' --single-version-externally-managed --compile --install-headers 'D:\IDA\python27\Include\yara-python'
         cwd: c:\users\ygt\appdata\local\temp\pip-install-cmkquh\yara-python\
    Complete output (21 lines):
    running install
    running build
    running build_ext
    building 'yara' extension
    creating build
    creating build\temp.win-amd64-2.7
    creating build\temp.win-amd64-2.7\Release
    creating build\temp.win-amd64-2.7\Release\yara
    creating build\temp.win-amd64-2.7\Release\yara\libyara
    creating build\temp.win-amd64-2.7\Release\yara\libyara\modules
    creating build\temp.win-amd64-2.7\Release\yara\libyara\modules\demo
    creating build\temp.win-amd64-2.7\Release\yara\libyara\modules\elf
    creating build\temp.win-amd64-2.7\Release\yara\libyara\modules\math
    creating build\temp.win-amd64-2.7\Release\yara\libyara\modules\pe
    creating build\temp.win-amd64-2.7\Release\yara\libyara\modules\tests
    creating build\temp.win-amd64-2.7\Release\yara\libyara\modules\time
    creating build\temp.win-amd64-2.7\Release\yara\libyara\proc
    C:\Users\ygt\AppData\Local\Programs\Common\Microsoft\Visual C++ for Python\9.0\VC\Bin\amd64\cl.exe /c /nologo /Ox /MD /W3 /GS- /DNDEBUG -DUSE_WINDOWS_PROC=1 -D_CRT_SECURE_NO_WARNINGS=1 -Iyara/libyara/include -Iyara/libyara/ -I. -ID:\IDA\python27\include -ID:\IDA\python27\PC /Tcyara-python.c /Fobuild\temp.win-amd64-2.7\Release\yara-python.obj
    yara-python.c
    yara/libyara/include\yara/types.h(33) : fatal error C1083: Cannot open include file: 'stdbool.h': No such file or directory
    error: command 'C:\\Users\\ygt\\AppData\\Local\\Programs\\Common\\Microsoft\\Visual C++ for Python\\9.0\\VC\\Bin\\amd64\\cl.exe' failed with exit status 2
    ----------------------------------------
ERROR: Command errored out with exit status 1: 'D:\IDA\python27\python.exe' -u -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'c:\\users\\ygt\\appdata\\local\\temp\\pip-install-cmkquh\\yara-python\\setup.py'"'"'; __file__='"'"'c:\\users\\ygt\\appdata\\local\\temp\\pip-install-cmkquh\\yara-python\\setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(__file__);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, __file__, '"'"'exec'"'"'))' install --record 'c:\users\ygt\appdata\local\temp\pip-record-3a7pdh\install-record.txt' --single-version-externally-managed --compile --install-headers 'D:\IDA\python27\Include\yara-python' Check the logs for full command output.

在查阅了

https://blog.csdn.net/fjh1997/article/details/107167704/

的博客之后才知道，要想安装成功，需要限定wheel的版本——只有3.11的轮子支持python2，而且是windows版本。

因此使用

python -m pip install yara-python==3.11.0

如果提示：
Using legacy setup.py install for yara-python, since package 'wheel' is not installed.

可以使用
python -m pip install wheel安装wheel模块。

yara-python安装好后，去https://github.com/polymorf/findcrypt-yara 将下载好的 findcrypt3.py 和findcrypt3.rules拷贝到 IDA\plugins 目录。随后打开IDA，随便拖入一个程序，就可以在edit-plugins里面找到Findcrypt这个插件了。

在这里插入图片描述 Findcrypt可以很有效地识别许多公开的加密算法。有效避免了把过多的时间花费在阅读加密代码上。当然了如果是自定义的加密函数肯定还是只有手撸的。