Monday, February 10, 2014

Installing Yara into IDA Pro 64-bit Linux

tl;dr Install a 32-bit VM, compile Yara there, copy the resulting files into your IDA directory. See the link below if you just want the prebuilt files.

Last Friday, pnX posted that he had updated his awesome IDA plug-in, IDAScope, to include Yara support. This means that you can now run Yara signatures against the files you are reversing to help in the analysis process.

After I installed the new version of IDAScope into IDA Pro, however, I received errors stating that Yara could not be imported. I thought this was odd, as I had Yara installed on my system, until I remembered how IDA works on a 64-bit Linux system.

The following is based on my observations and experiences. If I am incorrect on this, please forgive me and let me know in the comments.

IDA is a 32-bit program. Even the 64-bit version of IDA (idaq64, which analyzes 64-bit binaries) is itself compiled as a 32-bit executable:

$ file idaq idaq64
idaq:   ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), BuildID[sha1]=0xcb635dd38de5c73f050de37a0f2e492688b3ab9a, stripped
idaq64: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), BuildID[sha1]=0x1f03dcff4bfd776b23df71c8d9d471fb63b0bf48, stripped

This causes a number of interesting issues on 64-bit Linux systems, especially with Python. Hex-Rays has fixed the majority of these in the default install so you don't have to worry about them; for Python, it does this by letting you install a bundled 32-bit Python into the IDA Pro directory. (There are other ways, but I have not tried them.) This gives you a working "out of the box" product.

This also means that when you want to install a new Python library and use it in IDA, you have to install it into IDA's bundled Python directory as well. If it is a pure-Python module, no problem: just copy it over and it should work. Yara is different.

Since Yara compiles as a 64-bit library on a 64-bit system, and yara-python does the same, we can't just drop it into the IDA Python directory. If you do, the import fails, because a 32-bit process cannot load a 64-bit shared object.

In order to get Yara working, we need to compile it as a 32-bit library. The easiest way, in my opinion, is to load a 32-bit Linux system into a VM, compile Yara there, then copy the files into your IDA installation. I did this on Debian 6.0.3 and it worked without a problem. Just to be safe, make sure the VM is using Python 2.7 as well, since that is what IDA bundles.

There are two files you will need: the Yara library libyara.so.0 and the Yara Python extension yara.so (located in the Python dist-packages directory after installation). Follow the instructions to compile and install Yara in your 32-bit VM, then copy the two files onto your 64-bit system. libyara.so.0 goes into your base IDA install directory, and yara.so goes into the python directory underneath that.

After you do that, yara-python will be installed and will work great!



Don't want to go through all the trouble of installing a 32-bit VM, compiling, and copying? I don't blame you. I uploaded the version I compiled to my Google Drive here.

yara-ida-libs.tgz (SHA256: 38674b584adf3932e5cd1cafbd0bb288b7db3302304a83041bad9295472aa064)

Just untar this into your base install dir for IDA and you should be good to go.
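Whether you build the libraries in a VM or use the tarball, the thing that actually bites is dropping a 64-bit object into a 32-bit IDA. The script below is an added example (not code from the original post, IDAScope, or Hex-Rays): it verifies the tarball hash, then reads the ELF header of each shared object with od(1) to confirm it is a 32-bit i386 ELF before copying it into place. It assumes the tarball unpacks to libyara.so.0 at the top level and python/yara.so beneath it (matching the layout the post describes), and that IDA's bundled Python lives in the python subdirectory of the install; both are assumptions, not something the post spells out.

```shell
#!/bin/sh
# Added example: sanity-check Yara shared objects before installing them into
# a 32-bit IDA. The tarball layout (libyara.so.0, python/yara.so) and the
# "python" subdirectory of the IDA install are assumptions.

# Print "32", "64" or "not-elf" for FILE by reading the ELF ident byte
# EI_CLASS at offset 4 (1 = ELFCLASS32, 2 = ELFCLASS64). Only od(1) is used,
# so this works on hosts without file(1) or readelf(1).
elf_class() {
    magic=$(od -An -t x1 -N 4 "$1" 2>/dev/null | tr -d ' \n')
    if [ "$magic" != "7f454c46" ]; then
        echo "not-elf"
        return 1
    fi
    case "$(od -An -t u1 -j 4 -N 1 "$1" | tr -d ' \n')" in
        1) echo 32 ;;
        2) echo 64 ;;
        *) echo "unknown"; return 1 ;;
    esac
}

# Print the ELF e_machine value (offset 18, two little-endian bytes):
# 3 = EM_386 (what a 32-bit IDA can load), 62 = EM_X86_64.
elf_machine() {
    set -- $(od -An -t u1 -j 18 -N 2 "$1" 2>/dev/null)
    [ $# -eq 2 ] || return 1
    echo $(( $1 + $2 * 256 ))
}

# Succeed only for a 32-bit i386 ELF; a 64-bit build of yara-python fails
# here, which is exactly the object IDA's bundled Python cannot import.
is_ida_loadable() {
    [ "$(elf_class "$1")" = "32" ] && [ "$(elf_machine "$1")" = "3" ]
}

# SHA-256 of FILE, falling back to shasum on hosts without sha256sum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# install_yara_libs IDA_DIR TARBALL EXPECTED_SHA256
# Verify the tarball hash, unpack into a scratch directory, check that both
# objects are 32-bit i386, then copy them to IDA_DIR and IDA_DIR/python.
install_yara_libs() {
    ida_dir=$1; tarball=$2; expected=$3
    actual=$(sha256_of "$tarball")
    if [ "$actual" != "$expected" ]; then
        echo "hash mismatch for $tarball: got $actual" >&2
        return 1
    fi
    work=$(mktemp -d) || return 1
    tar -xzf "$tarball" -C "$work" || { rm -rf "$work"; return 1; }
    for rel in libyara.so.0 python/yara.so; do
        if ! is_ida_loadable "$work/$rel"; then
            echo "$rel is not a 32-bit i386 ELF; IDA's 32-bit Python cannot load it" >&2
            rm -rf "$work"
            return 1
        fi
    done
    mkdir -p "$ida_dir/python" &&
    cp "$work/libyara.so.0" "$ida_dir/libyara.so.0" &&
    cp "$work/python/yara.so" "$ida_dir/python/yara.so"
    rc=$?
    rm -rf "$work"
    return $rc
}

# Usage (paths are placeholders):
#   install_yara_libs /opt/ida yara-ida-libs.tgz 38674b584adf3932e5cd1cafbd0bb288b7db3302304a83041bad9295472aa064
```

The same two checks apply to a build you did yourself in the VM: run is_ida_loadable on libyara.so.0 and yara.so before copying, and you will never again chase an ImportError that is really just a wrong ELF class.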

Hex-Rays has published instructions on how to install Python packages with pip on a 64-bit system. I recommend checking them out. This time, my way just felt easier.