findcrypt-yara icon indicating copy to clipboard operation
findcrypt-yara copied to clipboard
verified publisher icon polymorf

TypeError: 'yara.StringMatch' object is not subscriptable

Open 4hem opened this issue 2 years ago • 4 comments

Failed while executing plugin_t.run(): Traceback (most recent call last): File "D:/tools/IDA_Pro_7.7/plugins/findcrypt3.py", line 224, in run self.search() File "D:/tools/IDA_Pro_7.7/plugins/findcrypt3.py", line 180, in search values = self.yarasearch(memory, offsets, rules) File "D:/tools/IDA_Pro_7.7/plugins/findcrypt3.py", line 197, in yarasearch self.toVirtualAddress(string[0], offsets), TypeError: 'yara.StringMatch' object is not subscriptable

4hem avatar Jul 11 '23 04:07 4hem

https://github.com/polymorf/findcrypt-yara/pull/45

serv0id avatar Jul 22 '23 06:07 serv0id

The same problem here with yara-python 4.3.1

muha2xmad avatar Aug 05 '23 11:08 muha2xmad

I solved this problem by installing yara-python 4.2

muha2xmad avatar Aug 05 '23 11:08 muha2xmad

The yarsearch function needs to be modified as follows:

def yarasearch(self, memory, offsets, rules): print(">>> start yara search") values = list() matches = rules.match(data=memory) for match in matches: for stringR in match.strings: name = match.rule for string in stringR.instances: if name.endswith("API"): try: name = name + "" + idc.GetString(self.toVirtualAddress(string.offset, offsets)) except: pass value = [ self.toVirtualAddress(string.offset, offsets), match.namespace, name + "" + hex(self.toVirtualAddress(string.offset, offsets)).lstrip("0x").rstrip("L").upper(), stringR.identifier, repr(string.matched_data) ] idaapi.set_name(value[0], name + "" + hex(self.toVirtualAddress(string.offset, offsets)).lstrip("0x").rstrip("L").upper() , 0) values.append(value) print("<<< end yara search") return values

1198287349 avatar Dec 28 '23 10:12 1198287349