
0001 // Sample YARA file for Syntax Highlighting
0002 // Obtained from: https://yara.readthedocs.io/en/stable/writingrules.html
0003 
0004 /*
0005     This is a multi-line comment ...
0006 */
0007 
     // Example rule from the YARA docs. The word after the colon ("banker")
     // is a rule tag, usable to label or filter matches; the meta section is
     // descriptive only and plays no part in matching.
0008 rule silent_banker : banker
0009 {
0010     meta:
0011         description = "This is just an example"
0012         threat_level = 3
0013         in_the_wild = true
0014     strings:
             // $a and $b are raw hex byte sequences, $c is a literal text string.
0015         $a = {6A 40 68 00 30 00 00 6A 14 8D 91}
0016         $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
0017         $c = "UVODFRYSIHLNWPEJXQZAKCBGMT"
0018     condition:
             // Fires if at least one of the three patterns is present.
0019         $a or $b or $c
0020 }
0021 
     // A rule whose condition is the literal `false` can never match; it only
     // exercises the boolean keyword for the highlighter.
0022 rule dummy
0023 {
0024     condition:
0025        false
0026 }
0027 
     // Minimal rule with one text string and one hex string; matches if either
     // is found anywhere in the scanned data.
0028 rule ExampleRule
0029 {
0030     strings:
0031         $my_text_string = "text here"
0032         $my_hex_string = { E2 34 A1 C8 23 FB }
0033 
0034     condition:
0035         $my_text_string or $my_hex_string
0036 }
0037 
0038 // Hexadecimal strings
0039 
     // Hex wildcards: `??` matches any single byte, `A?` fixes the high nibble
     // to A and leaves the low nibble free.
0040 rule WildcardExample
0041 {
0042     strings:
0043        $hex_string = { E2 34 ?? C8 A? FB }
0044 
0045     condition:
0046        $hex_string
0047 }
0048 
     // Hex jump: `[4-6]` allows between 4 and 6 arbitrary bytes between the
     // two fixed fragments F4 23 and 62 B4.
0049 rule JumpExample
0050 {
0051         strings:
0052            $hex_string = { F4 23 [4-6] 62 B4 }
0053 
0054         condition:
0055            $hex_string
0056 }
0057 
     // Hex alternatives: the parenthesised group matches exactly one of
     // `62 B4`, `56` or `45 ?? 67`; alternatives may differ in length and may
     // themselves contain wildcards.
0058 rule AlternativesExample
0059 {
0060     strings:
0061        $hex_string = { F4 23 ( 62 B4 | 56 | 45 ?? 67 ) 45 }
0062 
0063     condition:
0064        $hex_string
0065 }
0066 
0067 // Text strings
0068 
     // The `nocase` modifier makes the text string match regardless of letter
     // case ("foobar", "FooBar", "FOOBAR", ...).
0069 rule CaseInsensitiveTextExample
0070 {
0071     strings:
0072         $text_string = "foobar" nocase
0073 
0074     condition:
0075         $text_string
0076 }
0077 
     // `wide` searches the two-bytes-per-character (UTF-16LE style) form of
     // the string; adding `ascii` keeps the plain one-byte form as well, so
     // both encodings are looked for.
0078 rule WideCharTextExample
0079 {
0080     strings:
0081         $wide_and_ascii_string = "Borland" wide ascii
0082 
0083     condition:
0084        $wide_and_ascii_string
0085 }
0086 
0087 // XOR strings
0088 
     // The `xor` modifier searches for the string XORed with every single-byte
     // key (XorExample5 below shows the explicit key-range form). The text is
     // the start of the standard DOS-stub message found in PE files; finding it
     // XOR-encoded is a common sign of an embedded or obfuscated executable.
0089 rule XorExample1
0090 {
0091     strings:
0092         $xor_string = "This program cannot" xor
0093 
0094     condition:
0095         $xor_string
0096 }
0097 
     // Hand-rolled equivalent of the `xor` modifier: each string is the
     // plaintext XORed with keys 0x00, 0x01 and 0x02 respectively (e.g. 'T'
     // becomes 'U' under key 0x01, 'V' under key 0x02). Covering all 255 keys
     // this way would need 255 strings, which is what the modifier automates.
0098 rule XorExample2
0099 {
0100     strings:
0101         $xor_string_00 = "This program cannot"
0102         $xor_string_01 = "Uihr!qsnfs`l!b`oonu"
0103         $xor_string_02 = "Vjkq\"rpmepco\"acllmv"
0104         // Repeat for every single byte XOR
0105     condition:
             // `them` refers to every string declared in this rule.
0106         any of them
0107 }
0108 
     // Modifiers combine: both the one-byte (`ascii`) and two-byte (`wide`)
     // encodings of the string are searched, each under every single-byte XOR
     // key.
0109 rule XorExample3
0110 {
0111     strings:
0112         $xor_string = "This program cannot" xor wide ascii
0113     condition:
0114         $xor_string
0115 }
0116 
     // Hand-rolled equivalent of `xor wide`: the wide form interleaves a zero
     // byte after each character, and the XOR key is applied to those padding
     // bytes too, so `\x00` becomes `\x01` under key 0x01 and `\x02` under
     // key 0x02.
0117 rule XorExample4
0118 {
0119     strings:
0120         $xor_string_00 = "T\x00h\x00i\x00s\x00 \x00p\x00r\x00o\x00g\x00r\x00a\x00m\x00 \x00c\x00a\x00n\x00n\x00o\x00t\x00"
0121         $xor_string_01 = "U\x01i\x01h\x01r\x01!\x01q\x01s\x01n\x01f\x01s\x01`\x01l\x01!\x01b\x01`\x01o\x01o\x01n\x01u\x01"
0122         $xor_string_02 = "V\x02j\x02k\x02q\x02\"\x02r\x02p\x02m\x02e\x02p\x02c\x02o\x02\"\x02a\x02c\x02l\x02l\x02m\x02v\x02"
0123         // Repeat for every single byte XOR operation.
0124     condition:
0125         any of them
0126 }
0127 
     // `xor(0x01-0xff)` restricts the XOR key range explicitly. Key 0x00 is the
     // unmodified plaintext, so excluding it means this rule does NOT match the
     // clear-text string, only encoded variants.
0128 rule XorExample5
0129 {
0130     strings:
0131         $xor_string = "This program cannot" xor(0x01-0xff)
0132     condition:
0133         $xor_string
0134 }
0135 
0136 // Base64 strings
0137 
     // The `base64` modifier searches for base64 encodings of the string using
     // the standard alphabet (the YARA docs describe it as generating the
     // offset-dependent encoding variants, so alignment is not an issue).
0138 rule Base64Example1
0139 {
0140     strings:
0141         $a = "This program cannot" base64
0142 
0143     condition:
0144         $a
0145 }
0146 
     // `base64(...)` takes a custom alphabet, useful against encoders that
     // shuffle the table to evade plain base64 detection. The alphabet must be
     // exactly 64 characters; this one is (17 symbols + 10 + `\x09` + 15 + 21),
     // and shows that escape sequences are allowed inside it.
0147 rule Base64Example2
0148 {
0149     strings:
0150         $a = "This program cannot" base64("!@#$%^&*(){}[].,|ABCDEFGHIJ\x09LMNOPQRSTUVWXYZabcdefghijklmnopqrstu")
0151 
0152     condition:
0153         $a
0154 }
0155 
0156 // Regular expressions
0157 
     // Regular-expression strings are delimited by slashes. $re1 matches the
     // literal "md5: " followed by exactly 32 hex digits; $re2 matches
     // "state: " followed by either "on" or "off". Both must be present.
0158 rule RegExpExample1
0159 {
0160     strings:
0161         $re1 = /md5: [0-9a-fA-F]{32}/
0162         $re2 = /state: (on|off)/
0163 
0164     condition:
0165         $re1 and $re2
0166 }
0167 
0168 // Conditions
0169 
     // Boolean grouping in conditions: at least one of $a/$b AND at least one
     // of $c/$d must be found.
0170 rule Example
0171 {
0172     strings:
0173         $a = "text1"
0174         $b = "text2"
0175         $c = "text3"
0176         $d = "text4"
0177 
0178     condition:
0179         ($a or $b) and ($c or $d)
0180 }
0181 
     // `#a` is the number of occurrences of string $a in the scanned data, so
     // this rule requires exactly six hits of "dummy1" and more than ten of
     // "dummy2".
0182 rule CountExample
0183 {
0184     strings:
0185         $a = "dummy1"
0186         $b = "dummy2"
0187 
0188     condition:
0189         #a == 6 and #b > 10
0190 }
0191 
0192 
     // `$a at N` is true only if $a occurs exactly at offset N (from the start
     // of the scanned data); here both strings must sit at fixed offsets.
0193 rule AtExample
0194 {
0195     strings:
0196         $a = "dummy1"
0197         $b = "dummy2"
0198 
0199     condition:
0200         $a at 100 and $b at 200
0201 }
0202 
     // `$a in (lo..hi)` is true if $a starts at some offset within the range.
     // `filesize` is the size of the scanned file, so $b must start at offset
     // 100 or later.
0203 rule InExample
0204 {
0205     strings:
0206         $a = "dummy1"
0207         $b = "dummy2"
0208 
0209     condition:
0210         $a in (0..100) and $b in (100..filesize)
0211 }
0212 
0213 // File size
0214 
     // A condition with no strings at all: `KB` is a 1024 multiplier, so this
     // matches any file larger than 204800 bytes.
0215 rule FileSizeExample
0216 {
0217     condition:
0218        filesize > 200KB
0219 }
0220 
0221 // Executable entry point
0222 
     // Looks for the hex pattern starting within the first 10 bytes after the
     // executable's entry point. NOTE(review): the YARA docs list the bare
     // `entrypoint` variable as deprecated in favour of the pe/elf modules'
     // entry_point; it is kept here because the fixture exercises the keyword.
0223 rule EntryPointExample
0224 {
0225     strings:
0226         $a = { 9C 50 66 A1 ?? ?? ?? 00 66 A9 ?? ?? 58 0F 85 }
0227 
0228     condition:
0229        $a in (entrypoint..entrypoint + 10)
0230 }
0231 
0232 
0233 // Accessing data at a given position
0234 
     // Header-only PE check using the little-endian integer readers.
     // 0x5A4D read as uint16 is the bytes 4D 5A ("MZ"); 0x00004550 read as
     // uint32 is 50 45 00 00 ("PE\0\0"). Per the YARA docs, reading past the
     // end of the data yields an undefined value, which makes the comparison
     // (and so the rule) evaluate to false rather than error.
0235 rule IsPE
0236 {
0237   condition:
0238      // MZ signature at offset 0 and ...
0239      uint16(0) == 0x5A4D and
0240      // ... PE signature at offset stored in MZ header at 0x3C
0241      uint32(uint32(0x3C)) == 0x00004550
0242 }
0243 
0244 // Sets of strings
0245 
     // `N of (set)` requires at least N of the listed strings to match; here
     // any two of the three.
0246 rule OfExample1
0247 {
0248     strings:
0249         $a = "dummy1"
0250         $b = "dummy2"
0251         $c = "dummy3"
0252 
0253     condition:
0254         2 of ($a,$b,$c)
0255 }
0256 
     // String sets accept a trailing wildcard: `$foo*` expands to every string
     // whose identifier starts with "foo".
0257 rule OfExample2
0258 {
0259     strings:
0260         $foo1 = "foo1"
0261         $foo2 = "foo2"
0262         $foo3 = "foo3"
0263 
0264     condition:
0265         2 of ($foo*)  // equivalent to 2 of ($foo1,$foo2,$foo3)
0266 }
0267 
     // `them` is shorthand for the set of all strings declared in the rule.
0268 rule OfExample3
0269 {
0270     strings:
0271         $a = "dummy1"
0272         $b = "dummy2"
0273         $c = "dummy3"
0274 
0275     condition:
0276         1 of them // equivalent to 1 of ($*)
0277 }
0278 
0279 // Iterating over string occurrences
0280 
     // `@a[i]` is the offset of the i-th occurrence of $a (1-based). The
     // `for all` loop requires that, for each of the first three occurrences,
     // $b is found exactly 10 bytes after $a. If a string has fewer than three
     // occurrences the indexed offset is undefined, which (per the docs) makes
     // that iteration false.
0281 rule Occurrences
0282 {
0283     strings:
0284         $a = "dummy1"
0285         $b = "dummy2"
0286 
0287     condition:
0288         for all i in (1,2,3) : ( @a[i] + 10 == @b[i] )
0289 }
0290 
0291 // Referencing other rules
0292 
     // Plain rule that Rule2 below depends on; a referenced rule must be
     // declared before the rule that uses it.
0293 rule Rule1
0294 {
0295     strings:
0296         $a = "dummy1"
0297 
0298     condition:
0299         $a
0300 }
0301 
     // A rule name used in a condition evaluates to that rule's result, so
     // this matches only when "dummy2" is present AND Rule1 also matched.
0302 rule Rule2
0303 {
0304     strings:
0305         $a = "dummy2"
0306 
0307     condition:
0308         $a and Rule1
0309 }
0310 
0311 // Metadata
0312 
     // Metadata entries can be strings, integers or booleans. They are carried
     // with the rule for reporting and have no effect on the condition.
0313 rule MetadataExample
0314 {
0315     meta:
0316         my_identifier_1 = "Some string data"
0317         my_identifier_2 = 24
0318         my_identifier_3 = true
0319 
0320     strings:
0321         $my_text_string = "text here"
0322         $my_hex_string = { E2 34 A1 C8 23 FB }
0323 
0324     condition:
0325         $my_text_string or $my_hex_string
0326 }
0327 
0328 // External variables
0329 
     // `ext_var` is an external variable: its value is supplied by the caller
     // at compile/scan time, and compilation fails if it is not defined.
0330 rule ExternalVariableExample1
0331 {
0332     condition:
0333        ext_var == 10
0334 }
0335 
     // External variables may be booleans or integers and can be mixed with
     // built-ins such as `filesize`.
0336 rule ExternalVariableExample2
0337 {
0338     condition:
0339        bool_ext_var or filesize < int_ext_var
0340 }
0341 
     // `contains` tests whether a string-typed external variable has the given
     // substring.
0342 rule ExternalVariableExample3
0343 {
0344     condition:
0345         string_ext_var contains "text"
0346 }
0347 
     // `matches` tests a string-typed external variable against a regular
     // expression.
0348 rule ExternalVariableExample4
0349 {
0350     condition:
0351         string_ext_var matches /[a-z]+/
0352 }
0353 
     // Regex flags after the closing slash: `i` makes the match
     // case-insensitive, `s` lets `.` match newlines (single-line mode).
0354 rule ExternalVariableExample5
0355 {
0356     condition:
0357         /* case insensitive single-line mode */
0358         string_ext_var matches /[a-z]+/is
0359 }
0360 
0361 // Including files
0362 
     // `include` pulls another rules file into this compilation unit; the
     // three forms show a bare name and explicit relative paths (the docs
     // describe relative paths as resolved against the including file). Included
     // rules compile with the same trust as this file, so include only from
     // locations you control.
0363 include "other.yar"
0364 include "./includes/other.yar"
0365 include "../includes/other.yar"