
I tried installing Yara 3.8.1 with the androguard module. During the installation, I faced this issue, so I applied the patch given by @reox to the androguard.c file and it solved the problem. After that I tried a simple Yara rule with `import "androguard"` using the command line and it worked perfectly. Then I tried to use Yara rules inside my Python app, so I installed yara-python and used it in this way:

```python
import yara

dex_path = './classes.dex'
my_rule = './rule.yar'
json_data = load_json_data()

rule = yara.compile(my_rule)
matches = rule.match(filepath=dex_path, modules_data={'androguard': json_data})
print(matches)
```

The match function works well when using Yara rules without `import "androguard"`, but when I want to apply a rule which imports androguard, the match function gives an error:

```
yara.Error: could not map file "./classes.dex" into memory
```

I'm applying a simple rule to a small file, on the order of KB. I think that the problem is with the androguard module, since when I remove the `import "androguard"`, it works correctly. Any idea?

Mehran Torki
  • Androguard has some memory leak issues. When a 4MB file was analysed, it consumed ~2GB of memory. – Chillar Anand Nov 22 '18 at 08:53
  • @ChillarAnand So why doesn't it cause a memory leak issue when I use it on the command line (`yara -x androguard=andro-report.json rule.yar sample.apk`)? I don't know exactly the origin of the problem: is it Androguard itself, or maybe the [androguard-yara](https://github.com/Koodous/androguard-yara) module or the [yara-python](https://github.com/VirusTotal/yara-python) module? – Mehran Torki Nov 22 '18 at 09:40

1 Answer


I had the same mistake with androguard; I solved the problem by installing yara-python version 3.8.0.

https://github.com/VirusTotal/yara-python/releases/tag/v3.8.0