https://blog.csdn.net/szxpck/article/details/107203718
目标:在IDA pro7.0上安装findcrypt这个插件。
而findcrypt这个插件需要依赖python的yara-python模块。因此先安装yara-python。
因为要用到pip安装,并且是给IDA自带的python安装模块。所以事先需要把当前python2的环境变量修改为IDA使用的python2.
修改完成后pip -V 就能查看当前使用的pip信息
然后使用pip install yara-python 报各种乱七八糟的错。
C:Usersygt>python -m pip install yara-python
DEPRECATION: Python 2.7 reached the end of its life on January 1st, 2020. Please upgrade your Python as Python 2.7 is no longer maintained. pip 21.0 will drop support for Python 2.7 in January 2021. More details about Python 2 support in pip, can be found at https://pip.pypa.io/en/latest/development/release-process/#python-2-support
Looking in indexes: https://pypi.tuna.tsinghua.edu.cn/simple
Collecting yara-python
Using cached https://pypi.tuna.tsinghua.edu.cn/packages/5f/32/23a3234978d746acfad00f306b13446a1935c52ec74a033416f457328239/yara-python-4.0.2.tar.gz (405 kB)
Using legacy setup.py install for yara-python, since package 'wheel' is not installed.
Installing collected packages: yara-python
Running setup.py install for yara-python ... error
ERROR: Command errored out with exit status 1:
command: 'D:IDApython27python.exe' -u -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'c:\users\ygt\appdata\local\temp\pip-install-cmkquh\yara-python\setup.py'"'"'; __file__='"'"'c:\users\ygt\appdata\local\temp\pip-install-cmkquh\yara-python\setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(__file__);code=f.read().replace('"'"'
'"'"', '"'"'
'"'"');f.close();exec(compile(code, __file__, '"'"'exec'"'"'))' install --record 'c:usersygtappdatalocal emppip-record-3a7pdhinstall-record.txt' --single-version-externally-managed --compile --install-headers 'D:IDApython27Includeyara-python'
cwd: c:usersygtappdatalocal emppip-install-cmkquhyara-python
Complete output (21 lines):
running install
running build
running build_ext
building 'yara' extension
creating build
creating build emp.win-amd64-2.7
creating build emp.win-amd64-2.7Release
creating build emp.win-amd64-2.7Releaseyara
creating build emp.win-amd64-2.7Releaseyaralibyara
creating build emp.win-amd64-2.7Releaseyaralibyaramodules
creating build emp.win-amd64-2.7Releaseyaralibyaramodulesdemo
creating build emp.win-amd64-2.7Releaseyaralibyaramoduleself
creating build emp.win-amd64-2.7Releaseyaralibyaramodulesmath
creating build emp.win-amd64-2.7Releaseyaralibyaramodulespe
creating build emp.win-amd64-2.7Releaseyaralibyaramodules ests
creating build emp.win-amd64-2.7Releaseyaralibyaramodules ime
creating build emp.win-amd64-2.7Releaseyaralibyaraproc
C:UsersygtAppDataLocalProgramsCommonMicrosoftVisual C++ for Python9.0VCBinamd64cl.exe /c /nologo /Ox /MD /W3 /GS- /DNDEBUG -DUSE_WINDOWS_PROC=1 -D_CRT_SECURE_NO_WARNINGS=1 -Iyara/libyara/include -Iyara/libyara/ -I. -ID:IDApython27include -ID:IDApython27PC /Tcyara-python.c /Fobuild emp.win-amd64-2.7Releaseyara-python.obj
yara-python.c
yara/libyara/includeyara/types.h(33) : fatal error C1083: Cannot open include file: 'stdbool.h': No such file or directory
error: command 'C:\Users\ygt\AppData\Local\Programs\Common\Microsoft\Visual C++ for Python\9.0\VC\Bin\amd64\cl.exe' failed with exit status 2
----------------------------------------
ERROR: Command errored out with exit status 1: 'D:IDApython27python.exe' -u -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'c:\users\ygt\appdata\local\temp\pip-install-cmkquh\yara-python\setup.py'"'"'; __file__='"'"'c:\users\ygt\appdata\local\temp\pip-install-cmkquh\yara-python\setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(__file__);code=f.read().replace('"'"'
'"'"', '"'"'
'"'"');f.close();exec(compile(code, __file__, '"'"'exec'"'"'))' install --record 'c:usersygtappdatalocal emppip-record-3a7pdhinstall-record.txt' --single-version-externally-managed --compile --install-headers 'D:IDApython27Includeyara-python' Check the logs for full command output.
C:Usersygt>python -m pip install yara-python DEPRECATION: Python 2.7 reached the end of its life on January 1st, 2020. Please upgrade your Python as Python 2.7 is no longer maintained. pip 21.0 will drop support for Python 2.7 in January 2021. More details about Python 2 support in pip, can be found at https://pip.pypa.io/en/latest/development/release-process/#python-2-support Looking in indexes: https://pypi.tuna.tsinghua.edu.cn/simple Collecting yara-python Using cached https://pypi.tuna.tsinghua.edu.cn/packages/5f/32/23a3234978d746acfad00f306b13446a1935c52ec74a033416f457328239/yara-python-4.0.2.tar.gz (405 kB) Using legacy setup.py install for yara-python, since package 'wheel' is not installed. Installing collected packages: yara-python Running setup.py install for yara-python ... error ERROR: Command errored out with exit status 1: command: 'D:IDApython27python.exe' -u -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'c:\users\ygt\appdata\local\temp\pip-install-cmkquh\yara-python\setup.py'"'"'; __file__='"'"'c:\users\ygt\appdata\local\temp\pip-install-cmkquh\yara-python\setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(__file__);code=f.read().replace('"'"' '"'"', '"'"' '"'"');f.close();exec(compile(code, __file__, '"'"'exec'"'"'))' install --record 'c:usersygtappdatalocal emppip-record-3a7pdhinstall-record.txt' --single-version-externally-managed --compile --install-headers 'D:IDApython27Includeyara-python' cwd: c:usersygtappdatalocal emppip-install-cmkquhyara-python Complete output (21 lines): running install running build running build_ext building 'yara' extension creating build creating build emp.win-amd64-2.7 creating build emp.win-amd64-2.7Release creating build emp.win-amd64-2.7Releaseyara creating build emp.win-amd64-2.7Releaseyaralibyara creating build emp.win-amd64-2.7Releaseyaralibyaramodules creating build emp.win-amd64-2.7Releaseyaralibyaramodulesdemo creating build emp.win-amd64-2.7Releaseyaralibyaramoduleself creating build emp.win-amd64-2.7Releaseyaralibyaramodulesmath creating build emp.win-amd64-2.7Releaseyaralibyaramodulespe creating build emp.win-amd64-2.7Releaseyaralibyaramodules ests creating build emp.win-amd64-2.7Releaseyaralibyaramodules ime creating build emp.win-amd64-2.7Releaseyaralibyaraproc C:UsersygtAppDataLocalProgramsCommonMicrosoftVisual C++ for Python9.0VCBinamd64cl.exe /c /nologo /Ox /MD /W3 /GS- /DNDEBUG -DUSE_WINDOWS_PROC=1 -D_CRT_SECURE_NO_WARNINGS=1 -Iyara/libyara/include -Iyara/libyara/ -I. -ID:IDApython27include -ID:IDApython27PC /Tcyara-python.c /Fobuild emp.win-amd64-2.7Releaseyara-python.obj yara-python.c yara/libyara/includeyara/types.h(33) : fatal error C1083: Cannot open include file: 'stdbool.h': No such file or directory error: command 'C:\Users\ygt\AppData\Local\Programs\Common\Microsoft\Visual C++ for Python\9.0\VC\Bin\amd64\cl.exe' failed with exit status 2 ---------------------------------------- ERROR: Command errored out with exit status 1: 'D:IDApython27python.exe' -u -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'c:\users\ygt\appdata\local\temp\pip-install-cmkquh\yara-python\setup.py'"'"'; __file__='"'"'c:\users\ygt\appdata\local\temp\pip-install-cmkquh\yara-python\setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(__file__);code=f.read().replace('"'"' '"'"', '"'"' '"'"');f.close();exec(compile(code, __file__, '"'"'exec'"'"'))' install --record 'c:usersygtappdatalocal emppip-record-3a7pdhinstall-record.txt' --single-version-externally-managed --compile --install-headers 'D:IDApython27Includeyara-python' Check the logs for full command output.
在查阅了
https://blog.csdn.net/fjh1997/article/details/107167704/
的博客之后才知道,要想安装成功,需要限定wheel的版本——只有3.11的轮子支持python2,而且是windows版本。
因此使用
python -m pip install yara-python==3.11.0
- 1
如果提示:Using legacy setup.py install for yara-python, since package 'wheel' is not installed.
可以使用python -m pip install wheel安装wheel模块。
yara-python安装好后,去https://github.com/polymorf/findcrypt-yara 将下载好的 findcrypt3.py 和findcrypt3.rules拷贝到 IDAplugins 目录。随后打开IDA,随便拖入一个程序,就可以在edit-plugins里面找到Findcrypt这个插件了。
Findcrypt可以很有效地识别许多公开的加密算法。有效避免了把过多的时间花费在阅读加密代码上。当然了如果是自定义的加密函数肯定还是只有手撸的