yara-python
Invalid field name "imphash" on 4.1.0
The latest version of yara-python is unable to compile rules with pe.imphash():
# reproduce.py
import yara
print(yara.YARA_VERSION)
rule = yara.compile(source='import "pe" rule my_imphash {condition: pe.imphash()=="eecc824da5b175f530705611127a6b41"}')
$ python3 reproduce.py
4.1.0
Traceback (most recent call last):
  File "reproduce.py", line 5, in <module>
    rule = yara.compile(source='import "pe" rule my_imphash {condition: pe.imphash()=="eecc824da5b175f530705611127a6b41"}')
yara.SyntaxError: line 1: invalid field name "imphash"
I am running this on Ubuntu 20.04.2 on Windows Subsystem for Linux:
$ cat /etc/os-release
NAME="Ubuntu"
VERSION="20.04.2 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.2 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal
I installed yara-python with:
$ python3 -m pip install --global-option="build" --global-option="--enable-cuckoo" --global-option="--enable-magic" --no-cache-dir yara-python
/usr/lib/python3/dist-packages/pip/_internal/commands/install.py:255: UserWarning: Disabling all use of wheels due to the use of --build-option / --global-option / --install-option.
cmdoptions.check_install_build_global(options)
Collecting yara-python
Downloading yara-python-4.1.0.tar.gz (425 kB)
|████████████████████████████████| 425 kB 10.6 MB/s
Skipping wheel build for yara-python, due to binaries being disabled for it.
Installing collected packages: yara-python
Running setup.py install for yara-python ... done
Successfully installed yara-python-4.1.0
Here's the package info:
$ python3 -m pip show yara-python
Name: yara-python
Version: 4.1.0
Summary: Python interface for YARA
Home-page: https://github.com/VirusTotal/yara-python
Author: Victor M. Alvarez
Author-email: [email protected], [email protected]
License: Apache 2.0
Location: /home/michael/.local/lib/python3.8/site-packages
Requires:
Required-by:
To verify the package:
$ tar cvf - /home/michael/.local/lib/python3.8/site-packages | sha1sum
tar: Removing leading `/' from member names
/home/michael/.local/lib/python3.8/site-packages/
/home/michael/.local/lib/python3.8/site-packages/yara.cpython-38-x86_64-linux-gnu.so
/home/michael/.local/lib/python3.8/site-packages/yara_python-4.1.0.egg-info/
/home/michael/.local/lib/python3.8/site-packages/yara_python-4.1.0.egg-info/dependency_links.txt
/home/michael/.local/lib/python3.8/site-packages/yara_python-4.1.0.egg-info/installed-files.txt
/home/michael/.local/lib/python3.8/site-packages/yara_python-4.1.0.egg-info/not-zip-safe
/home/michael/.local/lib/python3.8/site-packages/yara_python-4.1.0.egg-info/PKG-INFO
/home/michael/.local/lib/python3.8/site-packages/yara_python-4.1.0.egg-info/SOURCES.txt
/home/michael/.local/lib/python3.8/site-packages/yara_python-4.1.0.egg-info/top_level.txt
e4684e352ae0ae660ed5010b38bd73d989317af1 -
That's probably because you don't have openssl installed in your system, and imphash needs that library. Try sudo apt-get install libssl-dev before installing yara-python.
Same problem on Mac OS Monterey (12.1). Tried different things:
- Installing yara from source with all the needed build options
- Installing via brew (I guess brew doesn't use all the available build options by default)
- Installing yara-python via pip with --dynamic-linking and without (no effect)
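
A pre-flight check for the failure discussed in this thread, added here as an example (it is not code from the thread or from the yara-python project): it compiles one small probe rule per optional feature and reports which ones the installed build lacks, so a rule set that depends on pe.imphash() fails at deployment time rather than when rules are loaded. The probe rules, the hint strings and the names probe_features and missing_features are assumptions made for this example.

```python
"""Pre-flight probe: which optional YARA features did this yara-python build get?"""

# Constructed probe rules (not from the thread): each one compiles only when
# the corresponding feature was compiled into the yara extension module.
PROBES = {
    "pe.imphash": ('import "pe" rule p { condition: pe.imphash() == "" }',
                   "install libssl-dev, then rebuild yara-python"),
    "hash": ('import "hash" rule p { condition: hash.md5(0, 0) == "" }',
             "install libssl-dev, then rebuild yara-python"),
    "magic": ('import "magic" rule p { condition: magic.type() contains "x" }',
              "rebuild with --enable-magic"),
    "cuckoo": ('import "cuckoo" rule p { condition: cuckoo.network.http_get(/x/) }',
               "rebuild with --enable-cuckoo"),
}


def probe_features(compile_fn, syntax_error):
    """Return {feature: None if it compiles, else the compiler's error text}."""
    results = {}
    for feature, (rule, _hint) in PROBES.items():
        try:
            compile_fn(source=rule)
            results[feature] = None
        except syntax_error as exc:
            results[feature] = str(exc)
    return results


def missing_features(results):
    """Sorted names of the features whose probe rule failed to compile."""
    return sorted(name for name, err in results.items() if err is not None)


if __name__ == "__main__":
    import yara  # imported here so the helpers above load without yara present

    print("libyara", yara.YARA_VERSION)
    results = probe_features(yara.compile, yara.SyntaxError)
    for name, err in results.items():
        if err is None:
            print(f"ok       {name}")
        else:
            print(f"MISSING  {name}: {err} -> {PROBES[name][1]}")
    # Non-zero exit lets a CI job or deployment script fail before rules load.
    raise SystemExit(1 if missing_features(results) else 0)
```

Run it with the same interpreter that loads the rules in production, since a build in a different site-packages directory may have been compiled with different options.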