
0001 // Sample YARA file for Syntax Highlighting
0002 // Obtained from: https://yara.readthedocs.io/en/stable/writingrules.html
0003 
0004 <beginfold id='1'>/*</beginfold id='1'>
0005     This is a multi-line comment ...
0006 <endfold id='1'>*/</endfold id='1'>
0007 
// silent_banker: rule tagged `banker`; it matches when any one of the two hex
// patterns ($a, $b) or the text string ($c) occurs in the scanned data.
// The <beginfold>/<endfold> tags throughout this listing are fold-test
// annotations of the highlighter fixture, not YARA syntax.
0008 rule silent_banker : banker
0009 <beginfold id='2'>{</beginfold id='2'>
// meta entries are descriptive key/value pairs; they take no part in matching.
0010     meta:
0011         description = "This is just an example"
0012         threat_level = 3
0013         in_the_wild = true
0014     strings:
0015         $a = <beginfold id='2'>{</beginfold id='2'>6A 40 68 00 30 00 00 6A 14 8D 91<endfold id='2'>}</endfold id='2'>
0016         $b = <beginfold id='2'>{</beginfold id='2'>8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9<endfold id='2'>}</endfold id='2'>
0017         $c = "UVODFRYSIHLNWPEJXQZAKCBGMT"
0018     condition:
// A plain `or` over all strings: a single hit on any one indicator fires the rule.
0019         $a or $b or $c
0020 <endfold id='2'>}</endfold id='2'>
0021 
// dummy: minimal rule with no strings section; the constant `false` condition
// means it can never match.
0022 rule dummy
0023 <beginfold id='2'>{</beginfold id='2'>
0024     condition:
0025        false
0026 <endfold id='2'>}</endfold id='2'>
0027 
// ExampleRule: shows the two basic string kinds, a quoted text string and a
// hex string in braces. With no modifiers the text string is matched as
// case-sensitive ASCII. Either string alone satisfies the condition.
0028 rule ExampleRule
0029 <beginfold id='2'>{</beginfold id='2'>
0030     strings:
0031         $my_text_string = "text here"
0032         $my_hex_string = <beginfold id='2'>{</beginfold id='2'> E2 34 A1 C8 23 FB <endfold id='2'>}</endfold id='2'>
0033 
0034     condition:
0035         $my_text_string or $my_hex_string
0036 <endfold id='2'>}</endfold id='2'>
0037 
0038 // Hexadecimal strings
0039 
// WildcardExample: hex string with wildcards. `??` stands for any byte and
// `A?` for any byte whose high nibble is A, so wildcards work per nibble.
0040 rule WildcardExample
0041 <beginfold id='2'>{</beginfold id='2'>
0042     strings:
0043        $hex_string = <beginfold id='2'>{</beginfold id='2'> E2 34 ?? C8 A? FB <endfold id='2'>}</endfold id='2'>
0044 
0045     condition:
0046        $hex_string
0047 <endfold id='2'>}</endfold id='2'>
0048 
// JumpExample: hex string with a jump. `[4-6]` accepts any run of 4 to 6
// arbitrary bytes between `F4 23` and `62 B4`.
0049 rule JumpExample
0050 <beginfold id='2'>{</beginfold id='2'>
0051         strings:
0052            $hex_string = <beginfold id='2'>{</beginfold id='2'> F4 23 [4-6] 62 B4 <endfold id='2'>}</endfold id='2'>
0053 
0054         condition:
0055            $hex_string
0056 <endfold id='2'>}</endfold id='2'>
0057 
// AlternativesExample: hex string with alternatives. The parenthesised group
// matches one of `62 B4`, `56` or `45 ?? 67`; the branches may differ in
// length and may themselves contain wildcards.
0058 rule AlternativesExample
0059 <beginfold id='2'>{</beginfold id='2'>
0060     strings:
0061        $hex_string = <beginfold id='2'>{</beginfold id='2'> F4 23 ( 62 B4 | 56 | 45 ?? 67 ) 45 <endfold id='2'>}</endfold id='2'>
0062 
0063     condition:
0064        $hex_string
0065 <endfold id='2'>}</endfold id='2'>
0066 
0067 // Text strings
0068 
// CaseInsensitiveTextExample: the `nocase` modifier makes the text string
// match in any letter case ("Foobar", "FOOBAR", ...).
0069 rule CaseInsensitiveTextExample
0070 <beginfold id='2'>{</beginfold id='2'>
0071     strings:
0072         $text_string = "foobar" nocase
0073 
0074     condition:
0075         $text_string
0076 <endfold id='2'>}</endfold id='2'>
0077 
// WideCharTextExample: `wide` searches for the string encoded with two bytes
// per character; adding `ascii` keeps the single-byte form in scope as well.
// `wide` only interleaves zero bytes with the ASCII codes, so it does not
// cover genuine UTF-16 text containing non-ASCII characters.
0078 rule WideCharTextExample
0079 <beginfold id='2'>{</beginfold id='2'>
0080     strings:
0081         $wide_and_ascii_string = "Borland" wide ascii
0082 
0083     condition:
0084        $wide_and_ascii_string
0085 <endfold id='2'>}</endfold id='2'>
0086 
0087 // XOR strings
0088 
// XorExample1: the bare `xor` modifier searches for the string under every
// single-byte XOR key. That range includes key 0x00, so the unencoded
// plaintext matches too (compare $xor_string_00 in XorExample2).
0089 rule XorExample1
0090 <beginfold id='2'>{</beginfold id='2'>
0091     strings:
0092         $xor_string = "This program cannot" xor
0093 
0094     condition:
0095         $xor_string
0096 <endfold id='2'>}</endfold id='2'>
0097 
// XorExample2: hand-written expansion of what `xor` does in XorExample1.
// _00 is the plaintext (key 0x00), _01 is each byte XORed with 0x01, _02 with
// 0x02; a full expansion would list one string per key value.
0098 rule XorExample2
0099 <beginfold id='2'>{</beginfold id='2'>
0100     strings:
0101         $xor_string_00 = "This program cannot"
0102         $xor_string_01 = "Uihr!qsnfs`l!b`oonu"
0103         $xor_string_02 = "Vjkq\"rpmepco\"acllmv"
0104         // Repeat for every single byte XOR
0105     condition:
// `any of them` is satisfied by a hit on any one of the strings above.
0106         any of them
0107 <endfold id='2'>}</endfold id='2'>
0108 
// XorExample3: `xor` combined with `wide ascii`. The XOR is applied after the
// other modifiers, so in the wide form the interleaved zero bytes are XORed
// as well (XorExample4 spells that out).
0109 rule XorExample3
0110 <beginfold id='2'>{</beginfold id='2'>
0111     strings:
0112         $xor_string = "This program cannot" xor wide ascii
0113     condition:
0114         $xor_string
0115 <endfold id='2'>}</endfold id='2'>
0116 
// XorExample4: hand-written expansion of the wide variant of XorExample3.
// Each character is followed by the interleaved byte, and that byte carries
// the key too: \x00 for key 0x00, \x01 for key 0x01, \x02 for key 0x02.
0117 rule XorExample4
0118 <beginfold id='2'>{</beginfold id='2'>
0119     strings:
0120         $xor_string_00 = "T\x00h\x00i\x00s\x00 \x00p\x00r\x00o\x00g\x00r\x00a\x00m\x00 \x00c\x00a\x00n\x00n\x00o\x00t\x00"
0121         $xor_string_01 = "U\x01i\x01h\x01r\x01!\x01q\x01s\x01n\x01f\x01s\x01`\x01l\x01!\x01b\x01`\x01o\x01o\x01n\x01u\x01"
0122         $xor_string_02 = "V\x02j\x02k\x02q\x02\"\x02r\x02p\x02m\x02e\x02p\x02c\x02o\x02\"\x02a\x02c\x02l\x02l\x02m\x02v\x02"
0123         // Repeat for every single byte XOR operation.
0124     condition:
0125         any of them
0126 <endfold id='2'>}</endfold id='2'>
0127 
// XorExample5: `xor(0x01-0xff)` restricts the key range. Leaving out 0x00
// means the plaintext no longer matches, which matters for a string like this
// one that also appears unencoded in ordinary executables (it is part of the
// DOS stub message).
0128 rule XorExample5
0129 <beginfold id='2'>{</beginfold id='2'>
0130     strings:
0131         $xor_string = "This program cannot" xor(0x01-0xff)
0132     condition:
0133         $xor_string
0134 <endfold id='2'>}</endfold id='2'>
0135 
0136 // Base64 strings
0137 
// Base64Example1: the `base64` modifier searches for the string as it appears
// inside base64-encoded data. The encoded form depends on where the string
// falls relative to the 3-byte encoding boundary, so YARA looks for the three
// possible permutations.
0138 rule Base64Example1
0139 <beginfold id='2'>{</beginfold id='2'>
0140     strings:
0141         $a = "This program cannot" base64
0142 
0143     condition:
0144         $a
0145 <endfold id='2'>}</endfold id='2'>
0146 
// Base64Example2: `base64(...)` with a custom alphabet, for data encoded with
// a non-standard base64 table. The alphabet must be 64 bytes long; the one
// here counts 64 with the \x09 escape taken as a single byte.
0147 rule Base64Example2
0148 <beginfold id='2'>{</beginfold id='2'>
0149     strings:
0150         $a = "This program cannot" base64("!@#$%^&*(){}[].,|ABCDEFGHIJ\x09LMNOPQRSTUVWXYZabcdefghijklmnopqrstu")
0151 
0152     condition:
0153         $a
0154 <endfold id='2'>}</endfold id='2'>
0155 
0156 // Regular expressions
0157 
// RegExpExample1: regular expressions are written between forward slashes.
// $re1 matches "md5: " followed by 32 hex digits, $re2 matches "state: on" or
// "state: off"; the condition needs both. Both patterns start with a literal
// prefix, which helps because regex scanning generally costs more than plain
// text or hex strings.
0158 rule RegExpExample1
0159 <beginfold id='2'>{</beginfold id='2'>
0160     strings:
0161         $re1 = /md5: [0-9a-fA-F]{32}/
0162         $re2 = /state: (on|off)/
0163 
0164     condition:
0165         $re1 and $re2
0166 <endfold id='2'>}</endfold id='2'>
0167 
0168 // Conditions
0169 
// Example: boolean condition over string identifiers. A string identifier is
// true when the string was found; the rule needs at least one of $a/$b and
// at least one of $c/$d.
0170 rule Example
0171 <beginfold id='2'>{</beginfold id='2'>
0172     strings:
0173         $a = "text1"
0174         $b = "text2"
0175         $c = "text3"
0176         $d = "text4"
0177 
0178     condition:
0179         ($a or $b) and ($c or $d)
0180 <endfold id='2'>}</endfold id='2'>
0181 
// CountExample: `#name` is the number of occurrences of string `$name`.
// The rule requires exactly 6 occurrences of $a and more than 10 of $b.
0182 rule CountExample
0183 <beginfold id='2'>{</beginfold id='2'>
0184     strings:
0185         $a = "dummy1"
0186         $b = "dummy2"
0187 
0188     condition:
0189         #a == 6 and #b > 10
0190 <endfold id='2'>}</endfold id='2'>
0191 
0192 
// AtExample: `at` pins a string to one exact position. The numbers are
// decimal; they are file offsets when scanning a file and virtual addresses
// when scanning a running process.
0193 rule AtExample
0194 <beginfold id='2'>{</beginfold id='2'>
0195     strings:
0196         $a = "dummy1"
0197         $b = "dummy2"
0198 
0199     condition:
0200         $a at 100 and $b at 200
0201 <endfold id='2'>}</endfold id='2'>
0202 
// InExample: `in (lo..hi)` requires the string to start at an offset within
// the range. $a must begin between 0 and 100, $b between 100 and the end of
// the file (`filesize`).
0203 rule InExample
0204 <beginfold id='2'>{</beginfold id='2'>
0205     strings:
0206         $a = "dummy1"
0207         $b = "dummy2"
0208 
0209     condition:
0210         $a in (0..100) and $b in (100..filesize)
0211 <endfold id='2'>}</endfold id='2'>
0212 
0213 // File size
0214 
// FileSizeExample: `filesize` is the size in bytes of the file being scanned;
// the KB suffix multiplies the number by 1024. `filesize` is only meaningful
// for files: a rule that depends on it will not match when the target is a
// running process.
0215 rule FileSizeExample
0216 <beginfold id='2'>{</beginfold id='2'>
0217     condition:
0218        filesize > 200KB
0219 <endfold id='2'>}</endfold id='2'>
0220 
0221 // Executable entry point
0222 
// EntryPointExample: requires the hex pattern to start within the 10 bytes
// following the executable's entry point.
// NOTE(review): the built-in `entrypoint` variable is deprecated in current
// YARA (a warning from 4.0 on); the PE module's `pe.entry_point` is the
// documented replacement. Confirm against the YARA version in use.
0223 rule EntryPointExample
0224 <beginfold id='2'>{</beginfold id='2'>
0225     strings:
0226         $a = <beginfold id='2'>{</beginfold id='2'> 9C 50 66 A1 ?? ?? ?? 00 66 A9 ?? ?? 58 0F 85 <endfold id='2'>}</endfold id='2'>
0227 
0228     condition:
0229        $a in (entrypoint..entrypoint + 10)
0230 <endfold id='2'>}</endfold id='2'>
0231 
0232 
0233 // Accessing data at a given position
0234 
// IsPE: identifies a PE file from its headers alone, with no strings section.
// uint16()/uint32() read little-endian integers at the given offset, so
// 0x5A4D is the bytes "MZ" and 0x00004550 is "PE\0\0". The inner
// uint32(0x3C) takes the PE header offset from the file itself; if that
// offset lies outside the scanned data the read has no defined value and the
// rule is expected not to match.
0235 rule IsPE
0236 <beginfold id='2'>{</beginfold id='2'>
0237   condition:
0238      // MZ signature at offset 0 and ...
0239      uint16(0) == 0x5A4D and
0240      // ... PE signature at offset stored in MZ header at 0x3C
0241      uint32(uint32(0x3C)) == 0x00004550
0242 <endfold id='2'>}</endfold id='2'>
0243 
0244 // Sets of strings
0245 
// OfExample1: `N of (set)` is true when at least N strings of the listed set
// are found; here any two of $a, $b, $c.
0246 rule OfExample1
0247 <beginfold id='2'>{</beginfold id='2'>
0248     strings:
0249         $a = "dummy1"
0250         $b = "dummy2"
0251         $c = "dummy3"
0252 
0253     condition:
0254         2 of ($a,$b,$c)
0255 <endfold id='2'>}</endfold id='2'>
0256 
// OfExample2: a trailing `*` in the set selects every string whose identifier
// starts with the given prefix, so new $foo... strings join the set without
// touching the condition.
0257 rule OfExample2
0258 <beginfold id='2'>{</beginfold id='2'>
0259     strings:
0260         $foo1 = "foo1"
0261         $foo2 = "foo2"
0262         $foo3 = "foo3"
0263 
0264     condition:
0265         2 of ($foo*)  // equivalent to 2 of ($foo1,$foo2,$foo3)
0266 <endfold id='2'>}</endfold id='2'>
0267 
// OfExample3: `them` is shorthand for all strings defined in the rule, so the
// condition holds as soon as any one of $a, $b, $c is found.
0268 rule OfExample3
0269 <beginfold id='2'>{</beginfold id='2'>
0270     strings:
0271         $a = "dummy1"
0272         $b = "dummy2"
0273         $c = "dummy3"
0274 
0275     condition:
0276         1 of them // equivalent to 1 of ($*)
0277 <endfold id='2'>}</endfold id='2'>
0278 
0279 // Iterating over string occurrences
0280 
// Occurrences: `@a[i]` is the offset of the i-th occurrence of $a, counted
// from 1. The loop requires each of the first three occurrences of $b to sit
// exactly 10 bytes after the matching occurrence of $a. An index past the
// last occurrence has no defined value, so data with fewer than three
// occurrences of either string is not expected to satisfy the rule.
0281 rule Occurrences
0282 <beginfold id='2'>{</beginfold id='2'>
0283     strings:
0284         $a = "dummy1"
0285         $b = "dummy2"
0286 
0287     condition:
0288         for all i in (1,2,3) : ( @a[i] + 10 == @b[i] )
0289 <endfold id='2'>}</endfold id='2'>
0290 
0291 // Referencing other rules
0292 
// Rule1: simple one-string rule; Rule2 below uses it as a building block in
// its own condition.
0293 rule Rule1
0294 <beginfold id='2'>{</beginfold id='2'>
0295     strings:
0296         $a = "dummy1"
0297 
0298     condition:
0299         $a
0300 <endfold id='2'>}</endfold id='2'>
0301 
// Rule2: a rule name used in a condition evaluates to whether that rule
// matched, so this fires only when its own $a is found and Rule1 also
// matched. The referenced rule has to be defined before the rule that uses
// it. `$a` here is local to Rule2 and unrelated to Rule1's `$a`.
0302 rule Rule2
0303 <beginfold id='2'>{</beginfold id='2'>
0304     strings:
0305         $a = "dummy2"
0306 
0307     condition:
0308         $a and Rule1
0309 <endfold id='2'>}</endfold id='2'>
0310 
0311 // Metadata
0312 
// MetadataExample: the meta section accepts string, integer and boolean
// values. They are stored with the rule for tooling and triage and cannot be
// referenced from the condition.
0313 rule MetadataExample
0314 <beginfold id='2'>{</beginfold id='2'>
0315     meta:
0316         my_identifier_1 = "Some string data"
0317         my_identifier_2 = 24
0318         my_identifier_3 = true
0319 
0320     strings:
0321         $my_text_string = "text here"
0322         $my_hex_string = <beginfold id='2'>{</beginfold id='2'> E2 34 A1 C8 23 FB <endfold id='2'>}</endfold id='2'>
0323 
0324     condition:
0325         $my_text_string or $my_hex_string
0326 <endfold id='2'>}</endfold id='2'>
0327 
0328 // External variables
0329 
// ExternalVariableExample1: `ext_var` is not declared anywhere in this file.
// It is an external variable whose value the scanning tool supplies (the
// `-d` option of the yara command line, or the equivalent API parameter).
// Rules that use an undefined external variable fail to compile.
0330 rule ExternalVariableExample1
0331 <beginfold id='2'>{</beginfold id='2'>
0332     condition:
0333        ext_var == 10
0334 <endfold id='2'>}</endfold id='2'>
0335 
// ExternalVariableExample2: external variables can be boolean or integer and
// combine with built-ins; this matches when bool_ext_var is true or the file
// is smaller than int_ext_var bytes.
0336 rule ExternalVariableExample2
0337 <beginfold id='2'>{</beginfold id='2'>
0338     condition:
0339        bool_ext_var or filesize < int_ext_var
0340 <endfold id='2'>}</endfold id='2'>
0341 
// ExternalVariableExample3: for string-typed external variables, `contains`
// is true when the variable's value holds the given substring.
0342 rule ExternalVariableExample3
0343 <beginfold id='2'>{</beginfold id='2'>
0344     condition:
0345         string_ext_var contains "text"
0346 <endfold id='2'>}</endfold id='2'>
0347 
// ExternalVariableExample4: `matches` tests the string variable against a
// regular expression. The pattern is unanchored, so one lowercase letter
// anywhere in the value is enough.
0348 rule ExternalVariableExample4
0349 <beginfold id='2'>{</beginfold id='2'>
0350     condition:
0351         string_ext_var matches /[a-z]+/
0352 <endfold id='2'>}</endfold id='2'>
0353 
// ExternalVariableExample5: same test with regex flags after the closing
// slash: `i` makes the match case-insensitive and `s` selects single-line
// mode, where `.` also matches newlines.
0354 rule ExternalVariableExample5
0355 <beginfold id='2'>{</beginfold id='2'>
0356     condition:
0357         <beginfold id='1'>/*</beginfold id='1'> case insensitive single-line mode <endfold id='1'>*/</endfold id='1'>
0358         string_ext_var matches /[a-z]+/is
0359 <endfold id='2'>}</endfold id='2'>
0360 
0361 // Including files
0362 
// `include` pulls another rule file into this one at compile time. Relative
// paths are resolved from the directory of the including file.
// Because an include makes the compiler read whatever path the rule file
// names, rule sets from untrusted sources are better compiled with includes
// disabled (yara-python exposes this as `includes=False`) or after the
// include paths have been reviewed.
0363 include "other.yar"
0364 include "./includes/other.yar"
0365 include "../includes/other.yar"