- Fixed detection of expression array types
- Started doing YARA-X compatibility with adding `with` expression and expression arrays `(..., ...)` (#264, #265)
- Added support for `vt` module
- Added a deferred includes parsing mode that does not automatically follow and parse includes but stores just their paths, letting the caller handle includes themselves (#260)
- Performance improvements in construction of `Yaramod` object
- Several memory issues & stability fixes
- Update of `re2` to the latest non-abseil version
- Python 3.12 compatibility - the package no longer relies on `distutils` but requires newer versions of `setuptools`
- fix: Deletion of tags no longer leaves trailing `:` (#254)
- fix: Fixed missing attributes in `dotnet` module
- fix: Correct the type of `dotnet.guids` to array (#248)
- Add support for string module (#244)
- Fixed parsing of empty alternation groups (#247)
- include every time std::<int_type> is used (#246)
- Use the right python to create `WRAP_MODULE_SOURCES` (#225)
- Improve release docs (#243)
- Open json modules in read only mode (#242)
- Added missing string operators (icontains, endswith, iendswith, startswith, istartswith) (#239)
- Add support for Linux binary wheels (#236)
- Enabled support for python 3.11 (#231)
- Updated list of VirusTotal AVs to reflect the current state
- Added support for not operator in hex strings
- Added `math.to_int`, `math.to_string` functions
- Added `rva` attribute to `pe.import_details` and `pe.delayed_import_details`
- Fixed support for octal integers
- Added support for removal of string modifiers (#217)
- Generated UIDs for rule condition expression nodes (#218)
- Fixed usage of strings in place of implicit boolean expressions in builder interface (#216)
- Fixed default handler of `ModifyingVisitor` for `OfExpression` to not crash and be correctly called from Python bindings
- Added `YaraFile::expandRulePrefixFromOrigin` to expand rule prefixes from the viewpoint of a specific rule
- Added `IdWildcardExpression` into Python bindings
- Fixed Python bindings to work again in recursive visitors
- Yaramod now fully supports YARA 4.2 syntax
- Added support for `<N> of <rule_set>` (#214)
- Upgraded pybind11 to v2.9.2
- Fixed parsing of `\r` escape sequence in strings which was added in YARA 4.2
- Fix console module generating
- References for existing structures (#209)
- Store rule modifiers in container and fix their deleting (#206)
- Add console module (#205, #210)
- Add is_dotnet to dotnet module (#208)
- Add comment_behind and comment_before_token to Expression builder (#195, #194)
- Introduce on-line commenting of con/disjunctions (#195, #194)
- Add `dex.has_method` and `dex.has_class` (#157, #201)
- Add `math.to_number`, `math.abs`, `math.count`, `math.percentage` and `math.mode` functions (#157, #199)
- Add operator `in` (#157, #204)
- Add `pe.import_details` and `pe.delayed_import_details` (#157, #200)
- Add support for % numeric literal in `of` expressions (#157, #198)
- Add support for `none` keyword (#157, #203)
- Add `pe.entry_point_raw` (#157, #200)
- Update YARA_SYNTAX_VERSION in docs to 4.2
- Added support for `dynsym_entries` and `dynsym` ELF module attributes (#196)
- Added support for `algorithm_oid` from PE module (#197)
- Make empty strings section invalid (#141, #192)
- Fix escaped character handling in regex (#186, #191)
- Dropped support for Python 3.7 and added support for Python 3.10 (#190)
- Strip trailing whitespace off oneline comments (#149, #189)
- Fix adding meta to add it after comment of last present meta if present (#102, #188)
- Separate includes and imports with blank lines (#187, #130)
- Added additional constants of enums to `pe` module (#183)
- Added support for `iequals` operator (#182)
- Make `strings` and `variables` sections interchangeable (#184)
- Added missing `dotnet` module (#185)
- Add Python binding for `yaramod::IntFunctionEndianness` (#132, #181).
- Add unary operator `defined` (#178).
- Fix generation of double values - always use decimal notation (#179).
- Fix typos in documentation (#180).
- Avoid global symbols to be renamed when renaming local variable (#174)
- Fix for multi-line arrays to be formatted with proper indentation (#172, #171)
- Added pe.version_info_list and pe.number_of_version_infos (#167)
- Fixed YaraFileBuilder::get with recheck to use the builder's module pool (#166)
- Travis: Add brew upgrade step (#164)
- Add missing REFERENCE_SYMBOL, LSQB_ENUMERATION, RSQB_ENUMERATION Python bindings (#160)
- Incomplete rules parsing allowing also unknown symbols and imports (#159, #45, #97)
- Fixed pe.rich_signature.raw_data and pe.rich_signature.clear_data types to string.
- Feature for older compilers: Include filesystem library based on its availability.
- Fixed previous release by adding cmake folder in MANIFEST.sh.
- Fixed issues with older compilers not providing symbols for std::filesystem function (#156)
- Hotfix for user-defined arrays to be handled correctly by autoformatter (#170, #171)
- Allow hotfix branches to be built in Travis and Appveyor (#170)
- Turned `ImportFeatures` into `Features` because it now affects more than just imported modules (#148)
- Added support for `of` expression with user-defined arrays (#148)
- Added support for user-defined variables inside rules scope (#148)
- Added building of Python wheel for Windows using Python 3.9
- Yara 4.0 features as Base64 string modifier, for loop over dictionary and more (#144)
- Added new VirusTotal AV external variables
- Converted `TokenType` enum to c++11 enum class (#123)
- Fixed include directive not to extract tokens (#129)
- Fixed token location computing of plain and hex strings (#124)
- Exposed token and symbol file position via python bindings (#120)
- Fixed both python and c++ bool Simplifiers (#121)
- Renamed `ModifyingVisitor::cleanUpTokenStreams` to `ModifyingVisitor::cleanup_tokenstreams` (#121)
- Unified duplicated `location.h` headers (#118)
- Return to the root directory before deploying stage in Travis build so the deploy to pypi is successful
- Added function for suricata matching (#115)
- Added support for classes and windows matching in the cuckoo module (#113)
- Modifiers of rules can be altered with `Rule::setModifier`. (#110, #114)
- Tokens of expressions changed by modifying visitors are altered appropriately. (#100, #111, #75)
- The documentation is built in Travis to check its correctness.
- Improve links between individual constructs in internal representation. (#96, #73)
- Added new `elf` module function `elf.symtab_symbol()` (#94)
- Added new overloads of `androguard.signature.hits()` function
- Added `metadata` module (#90)
- Fix and/or conjunction auto-formatting: comment/newline tokens before it are moved behind it. (#89)
- In autoformatting, new lines before and/or are removed. (#79, #86)
- In autoformatting, unwanted multiple blank lines are made single new line. (#77)
- CXX flags are propagated to POG's dependencies. (#82, #87)
- In autoformatting, comments are aligned together with the corresponding lines. (#81)
- files are loaded as binary which prevents wrong line endings on Windows. (#80)
- `YaraFileBuilder` sorts imports lexicographically and avoids duplicities. (#78)
- Fixed regression introduced in previous version by breaking parsing of `[` and `]` (#70)
- Fixed issues with parsing `[` and `]` inside regular expressions classes enclosed in `[` and `]` (#69, #67)
- Installation through `pip` now properly fails if CMake is not found (#64)
- Yaramod can now be reused without crashing after it raised an error because of failed parsing (#66, #65)
- Fixed segfault in case of syntax error which was caused by unexpected end of file
- Builders now work properly when you create `YaraExpressionBuilder` out of already existing expression.
- Calculation of rule locations now works again.
- Include files are now closed as soon as possible to not exhaust file descriptors.
- Very last rule in the parsed file is now reported to be located in the correct file.
- Include guarded parsing mode now works properly again.
- Added Python bindings for `ImportFeatures`
- Import features are now specified when creating `Yaramod` instance
- Target `install` is now properly installing yaramod again.
- Added support for language YARA features added in 3.11.0 (#51, #52).
- Autoformatting now automatically adds new lines where needed (#53).
- Make autoformatting use LF or CRLF depending on what is used in the file (#48).
- Added missing getter IdExpression::getSymbol().
- Replaced `flex` and `bison` with `pog`.
- Added autoformatting of YARA rules.
- Added `cuckoo.process.scheduled_task()`.
- Re-release of v2.12.0 because it was broken on git
- Enhancement: Bump the required C++ standard from 14 to 17.
- Enhancement: Replace uses of `nonstd::optional` from `dep/optional_lite` with standard C++17 `std::optional`. Remove the `optional_lite` dependency.
- Enhancement: Replace uses of `mpark::variant` from `dep/variant` with standard C++17 `std::variant`. Remove the `variant` dependency.
- New: Added `cuckoo.process.modified_clipboard()`, `cuckoo.network.connection_ip()`, `cuckoo.network.connection_country()` and `cuckoo.network.irc_command()`.
- New: Module `phish`.
- New: Added `cuckoo.process.api_call()`
- New: Interface for obtaining internal representation of regular expressions (#29).
- New: Interface for visitor over regular expressions (#33).
- New: Added support for `pe.iconhash()` function.
- New: Methods for manipulation of rule name and tags (#27).
- Fix: Support for anonymous string has been fixed (#26).
- New: Class `Rule` now has interface for direct manipulation with meta of the rules.
- New: Expression builder now contains `doubleVal` for building double expressions (#22).
- Fix: Compilation now works in Cygwin environment (#25).
- Fix: `pe.data_directories` is now correctly an array and not a structure.
- Enhancement: Python interface of `String.pure_text` now returns `bytes` instead of `str` to prevent unicode decoding errors with strings containing invalid UTF-8 sequences.
- New: Added modules `androguard`, `dex`, `macho`, `time` and new fields in `pe` module (#14).
- New: Added new functions to `cuckoo` module related to matching Android executable files.
- New: Added support for `xor` string modifier (#14).
- New: Added constants `YARAMOD_VERSION_MAJOR`, `YARAMOD_VERSION_MINOR`, `YARAMOD_VERSION_PATCH` and `YARAMOD_VERSION` which contain the version of the yaramod.
- New: Added constant `YARA_SYNTAX_VERSION` which contains the version of YARA on which `yaramod` is based.
- New: Symbols reported in parser errors now have human friendly aliases instead of enum names.
- Fix: Multiline hex strings are now correctly parsed (#10).
- Fix: Unexpected character after import statement now raises an error (#16).
- Fix: Build with bison 3.2 (#11).
- Enhancement: Updated optional-lite dependency to the newest version.
- Fix: Fixed build on certain specific MSVC versions.
- New: Added method for removing meta information from the rules.
- New: Added install target to build system.
- New: Added new cuckoo module functions.
- Fix: Fixed problem with too many open files on Windows when includes are used.
- Enhancement: Unknown escape sequences in plain strings are now considered as parser errors.
- Fix: Integer-based for-loops now won't raise the `'Redefinition of variable ...'` error if they are independent of each other (#3).
- Fix: Plain strings now only allow escape sequences `\n`, `\t`, `\\`, `\"` and `\xYZ`.
- Fix: TAB now counts only as a single character when reporting errors.
- Fix: `ModifyingVisitor` now won't delete string offset or length expression without array subscript on its own.
- New: Python bindings were added to the `yaramod` library.
- Enhancement: Parsed rules now contain information about the file they are located in and the line number.
- Fix: Line numbers of errors are now reported correctly for files with includes.
- Enhancement: Syntax errors now throw exceptions instead of just returning empty file.
- Enhancement: Removed submodule dependencies.
Initial release.