https://blog.csdn.net/szxpck/article/details/107203718
Goal: install the findcrypt plugin in IDA Pro 7.0.
findcrypt depends on the yara-python module, so yara-python has to be installed first.
Because the module is installed with pip, and it must go into the Python that ships with IDA, the Python 2 environment variable (PATH) first has to be changed to point at the Python 2 that IDA uses.
Once that is done, `pip -V` shows which pip is currently in use.
Then `pip install yara-python` fails with a pile of errors:
```
C:\Users\ygt>python -m pip install yara-python
DEPRECATION: Python 2.7 reached the end of its life on January 1st, 2020. Please upgrade your Python as Python 2.7 is no longer maintained. pip 21.0 will drop support for Python 2.7 in January 2021. More details about Python 2 support in pip, can be found at https://pip.pypa.io/en/latest/development/release-process/#python-2-support
Looking in indexes: https://pypi.tuna.tsinghua.edu.cn/simple
Collecting yara-python
  Using cached https://pypi.tuna.tsinghua.edu.cn/packages/5f/32/23a3234978d746acfad00f306b13446a1935c52ec74a033416f457328239/yara-python-4.0.2.tar.gz (405 kB)
Using legacy setup.py install for yara-python, since package 'wheel' is not installed.
Installing collected packages: yara-python
    Running setup.py install for yara-python ... error
    ERROR: Command errored out with exit status 1:
     command: 'D:\IDA\python27\python.exe' -u -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'c:\\users\\ygt\\appdata\\local\\temp\\pip-install-cmkquh\\yara-python\\setup.py'"'"'; __file__='"'"'c:\\users\\ygt\\appdata\\local\\temp\\pip-install-cmkquh\\yara-python\\setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(__file__);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, __file__, '"'"'exec'"'"'))' install --record 'c:\users\ygt\appdata\local\temp\pip-record-3a7pdh\install-record.txt' --single-version-externally-managed --compile --install-headers 'D:\IDA\python27\Include\yara-python'
         cwd: c:\users\ygt\appdata\local\temp\pip-install-cmkquh\yara-python\
    Complete output (21 lines):
    running install
    running build
    running build_ext
    building 'yara' extension
    creating build
    creating build\temp.win-amd64-2.7
    creating build\temp.win-amd64-2.7\Release
    creating build\temp.win-amd64-2.7\Release\yara
    creating build\temp.win-amd64-2.7\Release\yara\libyara
    creating build\temp.win-amd64-2.7\Release\yara\libyara\modules
    creating build\temp.win-amd64-2.7\Release\yara\libyara\modules\demo
    creating build\temp.win-amd64-2.7\Release\yara\libyara\modules\elf
    creating build\temp.win-amd64-2.7\Release\yara\libyara\modules\math
    creating build\temp.win-amd64-2.7\Release\yara\libyara\modules\pe
    creating build\temp.win-amd64-2.7\Release\yara\libyara\modules\tests
    creating build\temp.win-amd64-2.7\Release\yara\libyara\modules\time
    creating build\temp.win-amd64-2.7\Release\yara\libyara\proc
    C:\Users\ygt\AppData\Local\Programs\Common\Microsoft\Visual C++ for Python\9.0\VC\Bin\amd64\cl.exe /c /nologo /Ox /MD /W3 /GS- /DNDEBUG -DUSE_WINDOWS_PROC=1 -D_CRT_SECURE_NO_WARNINGS=1 -Iyara/libyara/include -Iyara/libyara/ -I. -ID:\IDA\python27\include -ID:\IDA\python27\PC /Tcyara-python.c /Fobuild\temp.win-amd64-2.7\Release\yara-python.obj
    yara-python.c
    yara/libyara/include\yara/types.h(33) : fatal error C1083: Cannot open include file: 'stdbool.h': No such file or directory
    error: command 'C:\\Users\\ygt\\AppData\\Local\\Programs\\Common\\Microsoft\\Visual C++ for Python\\9.0\\VC\\Bin\\amd64\\cl.exe' failed with exit status 2
    ----------------------------------------
ERROR: Command errored out with exit status 1: 'D:\IDA\python27\python.exe' -u -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'c:\\users\\ygt\\appdata\\local\\temp\\pip-install-cmkquh\\yara-python\\setup.py'"'"'; __file__='"'"'c:\\users\\ygt\\appdata\\local\\temp\\pip-install-cmkquh\\yara-python\\setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(__file__);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, __file__, '"'"'exec'"'"'))' install --record 'c:\users\ygt\appdata\local\temp\pip-record-3a7pdh\install-record.txt' --single-version-externally-managed --compile --install-headers 'D:\IDA\python27\Include\yara-python' Check the logs for full command output.
```
Only after reading the blog post at
https://blog.csdn.net/fjh1997/article/details/107167704/
did I learn that a successful install requires pinning the wheel version: only the 3.11 wheel supports Python 2, and it is a Windows build. The failure above is pip falling back to a source build because no matching wheel was found for yara-python 4.0.2, and the Microsoft Visual C++ Compiler for Python 2.7 (MSVC 9.0) does not ship the C99 header stdbool.h that libyara's types.h includes; installing a prebuilt wheel avoids compiling altogether.
So use:
```
python -m pip install yara-python==3.11.0
```
If pip reports `Using legacy setup.py install for yara-python, since package 'wheel' is not installed.`, install the wheel module first with:
```
python -m pip install wheel
```
Once yara-python is installed, download findcrypt3.py and findcrypt3.rules from https://github.com/polymorf/findcrypt-yara and copy them into the IDA\plugins directory. Then open IDA, drag in any program, and the Findcrypt plugin appears under Edit > Plugins.
Findcrypt is very effective at recognizing many public cryptographic algorithms, which saves a lot of the time that would otherwise go into reading the crypto code. Custom crypto routines, of course, still have to be worked through by hand.
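To illustrate what the plugin is doing underneath (an added example, not code from findcrypt-yara or from the original post): findcrypt's rules match published constants that crypto implementations embed verbatim, such as the first row of the AES S-box or the SHA-256 initial hash words. The pure-Python scanner below searches a constructed buffer for a few of those constants, trying both byte orders for word-sized tables, and reports the offset of each hit.

```python
import struct

# Published constants that findcrypt-style rules key on (standard values).
SIGNATURES = {
    "AES_SBOX": bytes.fromhex("637c777bf26b6fc53001672bfed7ab76"),   # S-box row 0
    "SHA256_INIT": [0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a],  # H0..H3
    "MD5_INIT": [0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476],     # A..D
}

def _variants(sig):
    """Byte patterns to search: raw bytes for byte tables,
    little- and big-endian packing for lists of 32-bit words."""
    if isinstance(sig, bytes):
        return {"raw": sig}
    return {
        "le": b"".join(struct.pack("<I", w) for w in sig),
        "be": b"".join(struct.pack(">I", w) for w in sig),
    }

def find_crypto_constants(data):
    """Return a sorted list of (offset, name, encoding) for every occurrence
    of every known constant in `data`, including overlapping repeats."""
    hits = []
    for name, sig in SIGNATURES.items():
        for enc, pat in _variants(sig).items():
            pos = data.find(pat)
            while pos != -1:
                hits.append((pos, name, enc))
                pos = data.find(pat, pos + 1)
    return sorted(hits)

def build_sample():
    """Constructed stand-in for a binary: NOP filler, an AES S-box fragment,
    INT3 padding, then the SHA-256 IVs stored little-endian (x86 style)."""
    blob = bytearray(b"\x90" * 32)
    blob += SIGNATURES["AES_SBOX"]
    blob += b"\xcc" * 8
    blob += b"".join(struct.pack("<I", w) for w in SIGNATURES["SHA256_INIT"])
    return bytes(blob)

if __name__ == "__main__":
    for off, name, enc in find_crypto_constants(build_sample()):
        print("0x%08x  %-12s %s" % (off, name, enc))
```

Findcrypt's real rules cover far more algorithms and run through YARA inside IDA, but the principle is the same: a hit on a known table tells you which algorithm to expect before you read a single instruction.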