0001 <Comment>// Sample YARA file for Syntax Highlighting</Comment><br/> 0002 <Comment>// Obtained from: https://yara.readthedocs.io/en/stable/writingrules.html</Comment><br/> 0003 <Normal Text></Normal Text><br/> 0004 <Comment>/*</Comment><br/> 0005 <Comment> This is a multi-line comment ...</Comment><br/> 0006 <Comment>*/</Comment><br/> 0007 <Normal Text></Normal Text><br/> 0008 <Keyword>rule</Keyword><Normal Text> </Normal Text><Rule>silent_banker</Rule><Normal Text> : banker</Normal Text><br/> 0009 <Symbol>{</Symbol><br/> 0010 <Normal Text> </Normal Text><Keyword>meta</Keyword><Normal Text>:</Normal Text><br/> 0011 <Normal Text> description = </Normal Text><String>"This is just an example"</String><br/> 0012 <Normal Text> threat_level = </Normal Text><Decimal>3</Decimal><br/> 0013 <Normal Text> in_the_wild = </Normal Text><Boolean>true</Boolean><br/> 0014 <Normal Text> </Normal Text><Keyword>strings</Keyword><Normal Text>:</Normal Text><br/> 0015 <Normal Text> </Normal Text><Identifier>$a</Identifier><Normal Text> = </Normal Text><Symbol>{</Symbol><Hex String>6A 40 68 00 30 00 00 6A 14 8D 91</Hex String><Symbol>}</Symbol><br/> 0016 <Normal Text> </Normal Text><Identifier>$b</Identifier><Normal Text> = </Normal Text><Symbol>{</Symbol><Hex String>8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9</Hex String><Symbol>}</Symbol><br/> 0017 <Normal Text> </Normal Text><Identifier>$c</Identifier><Normal Text> = </Normal Text><String>"UVODFRYSIHLNWPEJXQZAKCBGMT"</String><br/> 0018 <Normal Text> </Normal Text><Keyword>condition</Keyword><Normal Text>:</Normal Text><br/> 0019 <Normal Text> </Normal Text><Identifier>$a</Identifier><Normal Text> </Normal Text><Keyword>or</Keyword><Normal Text> </Normal Text><Identifier>$b</Identifier><Normal Text> </Normal Text><Keyword>or</Keyword><Normal Text> </Normal Text><Identifier>$c</Identifier><br/> 0020 <Symbol>}</Symbol><br/> 0021 <Normal Text></Normal Text><br/> 0022 <Keyword>rule</Keyword><Normal Text> </Normal 
Text><Rule>dummy</Rule><br/> 0023 <Symbol>{</Symbol><br/> 0024 <Normal Text> </Normal Text><Keyword>condition</Keyword><Normal Text>:</Normal Text><br/> 0025 <Normal Text> </Normal Text><Boolean>false</Boolean><br/> 0026 <Symbol>}</Symbol><br/> 0027 <Normal Text></Normal Text><br/> 0028 <Keyword>rule</Keyword><Normal Text> </Normal Text><Rule>ExampleRule</Rule><br/> 0029 <Symbol>{</Symbol><br/> 0030 <Normal Text> </Normal Text><Keyword>strings</Keyword><Normal Text>:</Normal Text><br/> 0031 <Normal Text> </Normal Text><Identifier>$my_text_string</Identifier><Normal Text> = </Normal Text><String>"text here"</String><br/> 0032 <Normal Text> </Normal Text><Identifier>$my_hex_string</Identifier><Normal Text> = </Normal Text><Symbol>{</Symbol><Hex String> E2 34 A1 C8 23 FB </Hex String><Symbol>}</Symbol><br/> 0033 <Normal Text></Normal Text><br/> 0034 <Normal Text> </Normal Text><Keyword>condition</Keyword><Normal Text>:</Normal Text><br/> 0035 <Normal Text> </Normal Text><Identifier>$my_text_string</Identifier><Normal Text> </Normal Text><Keyword>or</Keyword><Normal Text> </Normal Text><Identifier>$my_hex_string</Identifier><br/> 0036 <Symbol>}</Symbol><br/> 0037 <Normal Text></Normal Text><br/> 0038 <Comment>// Hexadecimal strings</Comment><br/> 0039 <Normal Text></Normal Text><br/> 0040 <Keyword>rule</Keyword><Normal Text> </Normal Text><Rule>WildcardExample</Rule><br/> 0041 <Symbol>{</Symbol><br/> 0042 <Normal Text> </Normal Text><Keyword>strings</Keyword><Normal Text>:</Normal Text><br/> 0043 <Normal Text> </Normal Text><Identifier>$hex_string</Identifier><Normal Text> = </Normal Text><Symbol>{</Symbol><Hex String> E2 34 ?? C8 A? 
FB </Hex String><Symbol>}</Symbol><br/> 0044 <Normal Text></Normal Text><br/> 0045 <Normal Text> </Normal Text><Keyword>condition</Keyword><Normal Text>:</Normal Text><br/> 0046 <Normal Text> </Normal Text><Identifier>$hex_string</Identifier><br/> 0047 <Symbol>}</Symbol><br/> 0048 <Normal Text></Normal Text><br/> 0049 <Keyword>rule</Keyword><Normal Text> </Normal Text><Rule>JumpExample</Rule><br/> 0050 <Symbol>{</Symbol><br/> 0051 <Normal Text> </Normal Text><Keyword>strings</Keyword><Normal Text>:</Normal Text><br/> 0052 <Normal Text> </Normal Text><Identifier>$hex_string</Identifier><Normal Text> = </Normal Text><Symbol>{</Symbol><Hex String> F4 23 </Hex String><Normal Text>[</Normal Text><Decimal>4</Decimal><Normal Text>-</Normal Text><Decimal>6</Decimal><Normal Text>]</Normal Text><Hex String> 62 B4 </Hex String><Symbol>}</Symbol><br/> 0053 <Normal Text></Normal Text><br/> 0054 <Normal Text> </Normal Text><Keyword>condition</Keyword><Normal Text>:</Normal Text><br/> 0055 <Normal Text> </Normal Text><Identifier>$hex_string</Identifier><br/> 0056 <Symbol>}</Symbol><br/> 0057 <Normal Text></Normal Text><br/> 0058 <Keyword>rule</Keyword><Normal Text> </Normal Text><Rule>AlternativesExample</Rule><br/> 0059 <Symbol>{</Symbol><br/> 0060 <Normal Text> </Normal Text><Keyword>strings</Keyword><Normal Text>:</Normal Text><br/> 0061 <Normal Text> </Normal Text><Identifier>$hex_string</Identifier><Normal Text> = </Normal Text><Symbol>{</Symbol><Hex String> F4 23 </Hex String><Normal Text>(</Normal Text><Hex String> 62 B4 </Hex String><Normal Text>|</Normal Text><Hex String> 56 </Hex String><Normal Text>|</Normal Text><Hex String> 45 ?? 
67 </Hex String><Normal Text>)</Normal Text><Hex String> 45 </Hex String><Symbol>}</Symbol><br/> 0062 <Normal Text></Normal Text><br/> 0063 <Normal Text> </Normal Text><Keyword>condition</Keyword><Normal Text>:</Normal Text><br/> 0064 <Normal Text> </Normal Text><Identifier>$hex_string</Identifier><br/> 0065 <Symbol>}</Symbol><br/> 0066 <Normal Text></Normal Text><br/> 0067 <Comment>// Text strings</Comment><br/> 0068 <Normal Text></Normal Text><br/> 0069 <Keyword>rule</Keyword><Normal Text> </Normal Text><Rule>CaseInsensitiveTextExample</Rule><br/> 0070 <Symbol>{</Symbol><br/> 0071 <Normal Text> </Normal Text><Keyword>strings</Keyword><Normal Text>:</Normal Text><br/> 0072 <Normal Text> </Normal Text><Identifier>$text_string</Identifier><Normal Text> = </Normal Text><String>"foobar"</String><Normal Text> </Normal Text><Keyword>nocase</Keyword><br/> 0073 <Normal Text></Normal Text><br/> 0074 <Normal Text> </Normal Text><Keyword>condition</Keyword><Normal Text>:</Normal Text><br/> 0075 <Normal Text> </Normal Text><Identifier>$text_string</Identifier><br/> 0076 <Symbol>}</Symbol><br/> 0077 <Normal Text></Normal Text><br/> 0078 <Keyword>rule</Keyword><Normal Text> </Normal Text><Rule>WideCharTextExample</Rule><br/> 0079 <Symbol>{</Symbol><br/> 0080 <Normal Text> </Normal Text><Keyword>strings</Keyword><Normal Text>:</Normal Text><br/> 0081 <Normal Text> </Normal Text><Identifier>$wide_and_ascii_string</Identifier><Normal Text> = </Normal Text><String>"Borland"</String><Normal Text> </Normal Text><Keyword>wide</Keyword><Normal Text> </Normal Text><Keyword>ascii</Keyword><br/> 0082 <Normal Text></Normal Text><br/> 0083 <Normal Text> </Normal Text><Keyword>condition</Keyword><Normal Text>:</Normal Text><br/> 0084 <Normal Text> </Normal Text><Identifier>$wide_and_ascii_string</Identifier><br/> 0085 <Symbol>}</Symbol><br/> 0086 <Normal Text></Normal Text><br/> 0087 <Comment>// XOR strings</Comment><br/> 0088 <Normal Text></Normal Text><br/> 0089 
<Keyword>rule</Keyword><Normal Text> </Normal Text><Rule>XorExample1</Rule><br/> 0090 <Symbol>{</Symbol><br/> 0091 <Normal Text> </Normal Text><Keyword>strings</Keyword><Normal Text>:</Normal Text><br/> 0092 <Normal Text> </Normal Text><Identifier>$xor_string</Identifier><Normal Text> = </Normal Text><String>"This program cannot"</String><Normal Text> </Normal Text><Keyword>xor</Keyword><br/> 0093 <Normal Text></Normal Text><br/> 0094 <Normal Text> </Normal Text><Keyword>condition</Keyword><Normal Text>:</Normal Text><br/> 0095 <Normal Text> </Normal Text><Identifier>$xor_string</Identifier><br/> 0096 <Symbol>}</Symbol><br/> 0097 <Normal Text></Normal Text><br/> 0098 <Keyword>rule</Keyword><Normal Text> </Normal Text><Rule>XorExample2</Rule><br/> 0099 <Symbol>{</Symbol><br/> 0100 <Normal Text> </Normal Text><Keyword>strings</Keyword><Normal Text>:</Normal Text><br/> 0101 <Normal Text> </Normal Text><Identifier>$xor_string_00</Identifier><Normal Text> = </Normal Text><String>"This program cannot"</String><br/> 0102 <Normal Text> </Normal Text><Identifier>$xor_string_01</Identifier><Normal Text> = </Normal Text><String>"Uihr!qsnfs`l!b`oonu"</String><br/> 0103 <Normal Text> </Normal Text><Identifier>$xor_string_02</Identifier><Normal Text> = </Normal Text><String>"Vjkq</String><String Char>\"</String Char><String>rpmepco</String><String Char>\"</String Char><String>acllmv"</String><br/> 0104 <Normal Text> </Normal Text><Comment>// Repeat for every single byte XOR</Comment><br/> 0105 <Normal Text> </Normal Text><Keyword>condition</Keyword><Normal Text>:</Normal Text><br/> 0106 <Normal Text> </Normal Text><Keyword>any</Keyword><Normal Text> </Normal Text><Keyword>of</Keyword><Normal Text> </Normal Text><Keyword>them</Keyword><br/> 0107 <Symbol>}</Symbol><br/> 0108 <Normal Text></Normal Text><br/> 0109 <Keyword>rule</Keyword><Normal Text> </Normal Text><Rule>XorExample3</Rule><br/> 0110 <Symbol>{</Symbol><br/> 0111 <Normal Text> </Normal 
Text><Keyword>strings</Keyword><Normal Text>:</Normal Text><br/> 0112 <Normal Text> </Normal Text><Identifier>$xor_string</Identifier><Normal Text> = </Normal Text><String>"This program cannot"</String><Normal Text> </Normal Text><Keyword>xor</Keyword><Normal Text> </Normal Text><Keyword>wide</Keyword><Normal Text> </Normal Text><Keyword>ascii</Keyword><br/> 0113 <Normal Text> </Normal Text><Keyword>condition</Keyword><Normal Text>:</Normal Text><br/> 0114 <Normal Text> </Normal Text><Identifier>$xor_string</Identifier><br/> 0115 <Symbol>}</Symbol><br/> 0116 <Normal Text></Normal Text><br/> 0117 <Keyword>rule</Keyword><Normal Text> </Normal Text><Rule>XorExample4</Rule><br/> 0118 <Symbol>{</Symbol><br/> 0119 <Normal Text> </Normal Text><Keyword>strings</Keyword><Normal Text>:</Normal Text><br/> 0120 <Normal Text> </Normal Text><Identifier>$xor_string_00</Identifier><Normal Text> = </Normal Text><String>"T</String><String Char>\x00</String Char><String>h</String><String Char>\x00</String Char><String>i</String><String Char>\x00</String Char><String>s</String><String Char>\x00</String Char><String> </String><String Char>\x00</String Char><String>p</String><String Char>\x00</String Char><String>r</String><String Char>\x00</String Char><String>o</String><String Char>\x00</String Char><String>g</String><String Char>\x00</String Char><String>r</String><String Char>\x00</String Char><String>a</String><String Char>\x00</String Char><String>m</String><String Char>\x00</String Char><String> </String><String Char>\x00</String Char><String>c</String><String Char>\x00</String Char><String>a</String><String Char>\x00</String Char><String>n</String><String Char>\x00</String Char><String>n</String><String Char>\x00</String Char><String>o</String><String Char>\x00</String Char><String>t</String><String Char>\x00</String Char><String>"</String><br/> 0121 <Normal Text> </Normal Text><Identifier>$xor_string_01</Identifier><Normal Text> = </Normal Text><String>"U</String><String 
Char>\x01</String Char><String>i</String><String Char>\x01</String Char><String>h</String><String Char>\x01</String Char><String>r</String><String Char>\x01</String Char><String>!</String><String Char>\x01</String Char><String>q</String><String Char>\x01</String Char><String>s</String><String Char>\x01</String Char><String>n</String><String Char>\x01</String Char><String>f</String><String Char>\x01</String Char><String>s</String><String Char>\x01</String Char><String>`</String><String Char>\x01</String Char><String>l</String><String Char>\x01</String Char><String>!</String><String Char>\x01</String Char><String>b</String><String Char>\x01</String Char><String>`</String><String Char>\x01</String Char><String>o</String><String Char>\x01</String Char><String>o</String><String Char>\x01</String Char><String>n</String><String Char>\x01</String Char><String>u</String><String Char>\x01</String Char><String>"</String><br/> 0122 <Normal Text> </Normal Text><Identifier>$xor_string_02</Identifier><Normal Text> = </Normal Text><String>"V</String><String Char>\x02</String Char><String>j</String><String Char>\x02</String Char><String>k</String><String Char>\x02</String Char><String>q</String><String Char>\x02\"\x02</String Char><String>r</String><String Char>\x02</String Char><String>p</String><String Char>\x02</String Char><String>m</String><String Char>\x02</String Char><String>e</String><String Char>\x02</String Char><String>p</String><String Char>\x02</String Char><String>c</String><String Char>\x02</String Char><String>o</String><String Char>\x02\"\x02</String Char><String>a</String><String Char>\x02</String Char><String>c</String><String Char>\x02</String Char><String>l</String><String Char>\x02</String Char><String>l</String><String Char>\x02</String Char><String>m</String><String Char>\x02</String Char><String>v</String><String Char>\x02</String Char><String>"</String><br/> 0123 <Normal Text> </Normal Text><Comment>// Repeat for every single byte XOR 
operation.</Comment><br/> 0124 <Normal Text> </Normal Text><Keyword>condition</Keyword><Normal Text>:</Normal Text><br/> 0125 <Normal Text> </Normal Text><Keyword>any</Keyword><Normal Text> </Normal Text><Keyword>of</Keyword><Normal Text> </Normal Text><Keyword>them</Keyword><br/> 0126 <Symbol>}</Symbol><br/> 0127 <Normal Text></Normal Text><br/> 0128 <Keyword>rule</Keyword><Normal Text> </Normal Text><Rule>XorExample5</Rule><br/> 0129 <Symbol>{</Symbol><br/> 0130 <Normal Text> </Normal Text><Keyword>strings</Keyword><Normal Text>:</Normal Text><br/> 0131 <Normal Text> </Normal Text><Identifier>$xor_string</Identifier><Normal Text> = </Normal Text><String>"This program cannot"</String><Normal Text> </Normal Text><Keyword>xor</Keyword><Normal Text>(</Normal Text><Hex>0x01</Hex><Normal Text>-</Normal Text><Hex>0xff</Hex><Normal Text>)</Normal Text><br/> 0132 <Normal Text> </Normal Text><Keyword>condition</Keyword><Normal Text>:</Normal Text><br/> 0133 <Normal Text> </Normal Text><Identifier>$xor_string</Identifier><br/> 0134 <Symbol>}</Symbol><br/> 0135 <Normal Text></Normal Text><br/> 0136 <Comment>// Base64 strings</Comment><br/> 0137 <Normal Text></Normal Text><br/> 0138 <Keyword>rule</Keyword><Normal Text> </Normal Text><Rule>Base64Example1</Rule><br/> 0139 <Symbol>{</Symbol><br/> 0140 <Normal Text> </Normal Text><Keyword>strings</Keyword><Normal Text>:</Normal Text><br/> 0141 <Normal Text> </Normal Text><Identifier>$a</Identifier><Normal Text> = </Normal Text><String>"This program cannot"</String><Normal Text> </Normal Text><Keyword>base64</Keyword><br/> 0142 <Normal Text></Normal Text><br/> 0143 <Normal Text> </Normal Text><Keyword>condition</Keyword><Normal Text>:</Normal Text><br/> 0144 <Normal Text> </Normal Text><Identifier>$a</Identifier><br/> 0145 <Symbol>}</Symbol><br/> 0146 <Normal Text></Normal Text><br/> 0147 <Keyword>rule</Keyword><Normal Text> </Normal Text><Rule>Base64Example2</Rule><br/> 0148 <Symbol>{</Symbol><br/> 0149 <Normal Text> </Normal 
Text><Keyword>strings</Keyword><Normal Text>:</Normal Text><br/> 0150 <Normal Text> </Normal Text><Identifier>$a</Identifier><Normal Text> = </Normal Text><String>"This program cannot"</String><Normal Text> </Normal Text><Keyword>base64</Keyword><Normal Text>(</Normal Text><String>"!@#$%^&*(){}[].,|ABCDEFGHIJ</String><String Char>\x09</String Char><String>LMNOPQRSTUVWXYZabcdefghijklmnopqrstu"</String><Normal Text>)</Normal Text><br/> 0151 <Normal Text></Normal Text><br/> 0152 <Normal Text> </Normal Text><Keyword>condition</Keyword><Normal Text>:</Normal Text><br/> 0153 <Normal Text> </Normal Text><Identifier>$a</Identifier><br/> 0154 <Symbol>}</Symbol><br/> 0155 <Normal Text></Normal Text><br/> 0156 <Comment>// Regular expressions</Comment><br/> 0157 <Normal Text></Normal Text><br/> 0158 <Keyword>rule</Keyword><Normal Text> </Normal Text><Rule>RegExpExample1</Rule><br/> 0159 <Symbol>{</Symbol><br/> 0160 <Normal Text> </Normal Text><Keyword>strings</Keyword><Normal Text>:</Normal Text><br/> 0161 <Normal Text> </Normal Text><Identifier>$re1</Identifier><Normal Text> = </Normal Text><Start Regular Expression>/</Start Regular Expression><Regular Expression>md5: </Regular Expression><Pattern Character Class>[0-9a-fA-F]</Pattern Character Class><Pattern Internal Operator>{32}</Pattern Internal Operator><Regular Expression>/</Regular Expression><br/> 0162 <Normal Text> </Normal Text><Identifier>$re2</Identifier><Normal Text> = </Normal Text><Start Regular Expression>/</Start Regular Expression><Regular Expression>state: </Regular Expression><Pattern Internal Operator>(</Pattern Internal Operator><Regular Expression>on</Regular Expression><Pattern Internal Operator>|</Pattern Internal Operator><Regular Expression>off</Regular Expression><Pattern Internal Operator>)</Pattern Internal Operator><Regular Expression>/</Regular Expression><br/> 0163 <Normal Text></Normal Text><br/> 0164 <Normal Text> </Normal Text><Keyword>condition</Keyword><Normal Text>:</Normal Text><br/> 
0165 <Normal Text> </Normal Text><Identifier>$re1</Identifier><Normal Text> </Normal Text><Keyword>and</Keyword><Normal Text> </Normal Text><Identifier>$re2</Identifier><br/> 0166 <Symbol>}</Symbol><br/> 0167 <Normal Text></Normal Text><br/> 0168 <Comment>// Conditions</Comment><br/> 0169 <Normal Text></Normal Text><br/> 0170 <Keyword>rule</Keyword><Normal Text> </Normal Text><Rule>Example</Rule><br/> 0171 <Symbol>{</Symbol><br/> 0172 <Normal Text> </Normal Text><Keyword>strings</Keyword><Normal Text>:</Normal Text><br/> 0173 <Normal Text> </Normal Text><Identifier>$a</Identifier><Normal Text> = </Normal Text><String>"text1"</String><br/> 0174 <Normal Text> </Normal Text><Identifier>$b</Identifier><Normal Text> = </Normal Text><String>"text2"</String><br/> 0175 <Normal Text> </Normal Text><Identifier>$c</Identifier><Normal Text> = </Normal Text><String>"text3"</String><br/> 0176 <Normal Text> </Normal Text><Identifier>$d</Identifier><Normal Text> = </Normal Text><String>"text4"</String><br/> 0177 <Normal Text></Normal Text><br/> 0178 <Normal Text> </Normal Text><Keyword>condition</Keyword><Normal Text>:</Normal Text><br/> 0179 <Normal Text> (</Normal Text><Identifier>$a</Identifier><Normal Text> </Normal Text><Keyword>or</Keyword><Normal Text> </Normal Text><Identifier>$b</Identifier><Normal Text>) </Normal Text><Keyword>and</Keyword><Normal Text> (</Normal Text><Identifier>$c</Identifier><Normal Text> </Normal Text><Keyword>or</Keyword><Normal Text> </Normal Text><Identifier>$d</Identifier><Normal Text>)</Normal Text><br/> 0180 <Symbol>}</Symbol><br/> 0181 <Normal Text></Normal Text><br/> 0182 <Keyword>rule</Keyword><Normal Text> </Normal Text><Rule>CountExample</Rule><br/> 0183 <Symbol>{</Symbol><br/> 0184 <Normal Text> </Normal Text><Keyword>strings</Keyword><Normal Text>:</Normal Text><br/> 0185 <Normal Text> </Normal Text><Identifier>$a</Identifier><Normal Text> = </Normal Text><String>"dummy1"</String><br/> 0186 <Normal Text> </Normal 
Text><Identifier>$b</Identifier><Normal Text> = </Normal Text><String>"dummy2"</String><br/> 0187 <Normal Text></Normal Text><br/> 0188 <Normal Text> </Normal Text><Keyword>condition</Keyword><Normal Text>:</Normal Text><br/> 0189 <Normal Text> #a == </Normal Text><Decimal>6</Decimal><Normal Text> </Normal Text><Keyword>and</Keyword><Normal Text> #b > </Normal Text><Decimal>10</Decimal><br/> 0190 <Symbol>}</Symbol><br/> 0191 <Normal Text></Normal Text><br/> 0192 <Normal Text></Normal Text><br/> 0193 <Keyword>rule</Keyword><Normal Text> </Normal Text><Rule>AtExample</Rule><br/> 0194 <Symbol>{</Symbol><br/> 0195 <Normal Text> </Normal Text><Keyword>strings</Keyword><Normal Text>:</Normal Text><br/> 0196 <Normal Text> </Normal Text><Identifier>$a</Identifier><Normal Text> = </Normal Text><String>"dummy1"</String><br/> 0197 <Normal Text> </Normal Text><Identifier>$b</Identifier><Normal Text> = </Normal Text><String>"dummy2"</String><br/> 0198 <Normal Text></Normal Text><br/> 0199 <Normal Text> </Normal Text><Keyword>condition</Keyword><Normal Text>:</Normal Text><br/> 0200 <Normal Text> </Normal Text><Identifier>$a</Identifier><Normal Text> </Normal Text><Keyword>at</Keyword><Normal Text> </Normal Text><Decimal>100</Decimal><Normal Text> </Normal Text><Keyword>and</Keyword><Normal Text> </Normal Text><Identifier>$b</Identifier><Normal Text> </Normal Text><Keyword>at</Keyword><Normal Text> </Normal Text><Decimal>200</Decimal><br/> 0201 <Symbol>}</Symbol><br/> 0202 <Normal Text></Normal Text><br/> 0203 <Keyword>rule</Keyword><Normal Text> </Normal Text><Rule>InExample</Rule><br/> 0204 <Symbol>{</Symbol><br/> 0205 <Normal Text> </Normal Text><Keyword>strings</Keyword><Normal Text>:</Normal Text><br/> 0206 <Normal Text> </Normal Text><Identifier>$a</Identifier><Normal Text> = </Normal Text><String>"dummy1"</String><br/> 0207 <Normal Text> </Normal Text><Identifier>$b</Identifier><Normal Text> = </Normal Text><String>"dummy2"</String><br/> 0208 <Normal Text></Normal 
Text><br/> 0209 <Normal Text> </Normal Text><Keyword>condition</Keyword><Normal Text>:</Normal Text><br/> 0210 <Normal Text> </Normal Text><Identifier>$a</Identifier><Normal Text> </Normal Text><Keyword>in</Keyword><Normal Text> (</Normal Text><Float>0..100</Float><Normal Text>) </Normal Text><Keyword>and</Keyword><Normal Text> </Normal Text><Identifier>$b</Identifier><Normal Text> </Normal Text><Keyword>in</Keyword><Normal Text> (</Normal Text><Float>100.</Float><Normal Text>.</Normal Text><Keyword>filesize</Keyword><Normal Text>)</Normal Text><br/> 0211 <Symbol>}</Symbol><br/> 0212 <Normal Text></Normal Text><br/> 0213 <Comment>// File size</Comment><br/> 0214 <Normal Text></Normal Text><br/> 0215 <Keyword>rule</Keyword><Normal Text> </Normal Text><Rule>FileSizeExample</Rule><br/> 0216 <Symbol>{</Symbol><br/> 0217 <Normal Text> </Normal Text><Keyword>condition</Keyword><Normal Text>:</Normal Text><br/> 0218 <Normal Text> </Normal Text><Keyword>filesize</Keyword><Normal Text> > </Normal Text><Decimal>200</Decimal><Normal Text>KB</Normal Text><br/> 0219 <Symbol>}</Symbol><br/> 0220 <Normal Text></Normal Text><br/> 0221 <Comment>// Executable entry point</Comment><br/> 0222 <Normal Text></Normal Text><br/> 0223 <Keyword>rule</Keyword><Normal Text> </Normal Text><Rule>EntryPointExample</Rule><br/> 0224 <Symbol>{</Symbol><br/> 0225 <Normal Text> </Normal Text><Keyword>strings</Keyword><Normal Text>:</Normal Text><br/> 0226 <Normal Text> </Normal Text><Identifier>$a</Identifier><Normal Text> = </Normal Text><Symbol>{</Symbol><Hex String> 9C 50 66 A1 ?? ?? ?? 00 66 A9 ?? ?? 
58 0F 85 </Hex String><Symbol>}</Symbol><br/> 0227 <Normal Text></Normal Text><br/> 0228 <Normal Text> </Normal Text><Keyword>condition</Keyword><Normal Text>:</Normal Text><br/> 0229 <Normal Text> </Normal Text><Identifier>$a</Identifier><Normal Text> </Normal Text><Keyword>in</Keyword><Normal Text> (</Normal Text><Keyword>entrypoint</Keyword><Normal Text>..</Normal Text><Keyword>entrypoint</Keyword><Normal Text> + </Normal Text><Decimal>10</Decimal><Normal Text>)</Normal Text><br/> 0230 <Symbol>}</Symbol><br/> 0231 <Normal Text></Normal Text><br/> 0232 <Normal Text></Normal Text><br/> 0233 <Comment>// Accessing data at a given position</Comment><br/> 0234 <Normal Text></Normal Text><br/> 0235 <Keyword>rule</Keyword><Normal Text> </Normal Text><Rule>IsPE</Rule><br/> 0236 <Symbol>{</Symbol><br/> 0237 <Normal Text> </Normal Text><Keyword>condition</Keyword><Normal Text>:</Normal Text><br/> 0238 <Normal Text> </Normal Text><Comment>// MZ signature at offset 0 and ...</Comment><br/> 0239 <Normal Text> </Normal Text><Keyword>uint16</Keyword><Normal Text>(</Normal Text><Decimal>0</Decimal><Normal Text>) == </Normal Text><Hex>0x5A4D</Hex><Normal Text> </Normal Text><Keyword>and</Keyword><br/> 0240 <Normal Text> </Normal Text><Comment>// ... 
PE signature at offset stored in MZ header at 0x3C</Comment><br/> 0241 <Normal Text> </Normal Text><Keyword>uint32</Keyword><Normal Text>(</Normal Text><Keyword>uint32</Keyword><Normal Text>(</Normal Text><Hex>0x3C</Hex><Normal Text>)) == </Normal Text><Hex>0x00004550</Hex><br/> 0242 <Symbol>}</Symbol><br/> 0243 <Normal Text></Normal Text><br/> 0244 <Comment>// Sets of strings</Comment><br/> 0245 <Normal Text></Normal Text><br/> 0246 <Keyword>rule</Keyword><Normal Text> </Normal Text><Rule>OfExample1</Rule><br/> 0247 <Symbol>{</Symbol><br/> 0248 <Normal Text> </Normal Text><Keyword>strings</Keyword><Normal Text>:</Normal Text><br/> 0249 <Normal Text> </Normal Text><Identifier>$a</Identifier><Normal Text> = </Normal Text><String>"dummy1"</String><br/> 0250 <Normal Text> </Normal Text><Identifier>$b</Identifier><Normal Text> = </Normal Text><String>"dummy2"</String><br/> 0251 <Normal Text> </Normal Text><Identifier>$c</Identifier><Normal Text> = </Normal Text><String>"dummy3"</String><br/> 0252 <Normal Text></Normal Text><br/> 0253 <Normal Text> </Normal Text><Keyword>condition</Keyword><Normal Text>:</Normal Text><br/> 0254 <Normal Text> </Normal Text><Decimal>2</Decimal><Normal Text> </Normal Text><Keyword>of</Keyword><Normal Text> (</Normal Text><Identifier>$a</Identifier><Normal Text>,</Normal Text><Identifier>$b</Identifier><Normal Text>,</Normal Text><Identifier>$c</Identifier><Normal Text>)</Normal Text><br/> 0255 <Symbol>}</Symbol><br/> 0256 <Normal Text></Normal Text><br/> 0257 <Keyword>rule</Keyword><Normal Text> </Normal Text><Rule>OfExample2</Rule><br/> 0258 <Symbol>{</Symbol><br/> 0259 <Normal Text> </Normal Text><Keyword>strings</Keyword><Normal Text>:</Normal Text><br/> 0260 <Normal Text> </Normal Text><Identifier>$foo1</Identifier><Normal Text> = </Normal Text><String>"foo1"</String><br/> 0261 <Normal Text> </Normal Text><Identifier>$foo2</Identifier><Normal Text> = </Normal Text><String>"foo2"</String><br/> 0262 <Normal Text> </Normal 
Text><Identifier>$foo3</Identifier><Normal Text> = </Normal Text><String>"foo3"</String><br/> 0263 <Normal Text></Normal Text><br/> 0264 <Normal Text> </Normal Text><Keyword>condition</Keyword><Normal Text>:</Normal Text><br/> 0265 <Normal Text> </Normal Text><Decimal>2</Decimal><Normal Text> </Normal Text><Keyword>of</Keyword><Normal Text> (</Normal Text><Identifier>$foo</Identifier><Normal Text>*) </Normal Text><Comment>// equivalent to 2 of ($foo1,$foo2,$foo3)</Comment><br/> 0266 <Symbol>}</Symbol><br/> 0267 <Normal Text></Normal Text><br/> 0268 <Keyword>rule</Keyword><Normal Text> </Normal Text><Rule>OfExample3</Rule><br/> 0269 <Symbol>{</Symbol><br/> 0270 <Normal Text> </Normal Text><Keyword>strings</Keyword><Normal Text>:</Normal Text><br/> 0271 <Normal Text> </Normal Text><Identifier>$a</Identifier><Normal Text> = </Normal Text><String>"dummy1"</String><br/> 0272 <Normal Text> </Normal Text><Identifier>$b</Identifier><Normal Text> = </Normal Text><String>"dummy2"</String><br/> 0273 <Normal Text> </Normal Text><Identifier>$c</Identifier><Normal Text> = </Normal Text><String>"dummy3"</String><br/> 0274 <Normal Text></Normal Text><br/> 0275 <Normal Text> </Normal Text><Keyword>condition</Keyword><Normal Text>:</Normal Text><br/> 0276 <Normal Text> </Normal Text><Decimal>1</Decimal><Normal Text> </Normal Text><Keyword>of</Keyword><Normal Text> </Normal Text><Keyword>them</Keyword><Normal Text> </Normal Text><Comment>// equivalent to 1 of ($*)</Comment><br/> 0277 <Symbol>}</Symbol><br/> 0278 <Normal Text></Normal Text><br/> 0279 <Comment>// Iterating over string occurrences</Comment><br/> 0280 <Normal Text></Normal Text><br/> 0281 <Keyword>rule</Keyword><Normal Text> </Normal Text><Rule>Occurrences</Rule><br/> 0282 <Symbol>{</Symbol><br/> 0283 <Normal Text> </Normal Text><Keyword>strings</Keyword><Normal Text>:</Normal Text><br/> 0284 <Normal Text> </Normal Text><Identifier>$a</Identifier><Normal Text> = </Normal Text><String>"dummy1"</String><br/> 0285 <Normal 
Text> </Normal Text><Identifier>$b</Identifier><Normal Text> = </Normal Text><String>"dummy2"</String><br/> 0286 <Normal Text></Normal Text><br/> 0287 <Normal Text> </Normal Text><Keyword>condition</Keyword><Normal Text>:</Normal Text><br/> 0288 <Normal Text> </Normal Text><Keyword>for</Keyword><Normal Text> </Normal Text><Keyword>all</Keyword><Normal Text> i </Normal Text><Keyword>in</Keyword><Normal Text> (</Normal Text><Decimal>1</Decimal><Normal Text>,</Normal Text><Decimal>2</Decimal><Normal Text>,</Normal Text><Decimal>3</Decimal><Normal Text>) : ( @a[i] + </Normal Text><Decimal>10</Decimal><Normal Text> == @b[i] )</Normal Text><br/> 0289 <Symbol>}</Symbol><br/> 0290 <Normal Text></Normal Text><br/> 0291 <Comment>// Referencing other rules</Comment><br/> 0292 <Normal Text></Normal Text><br/> 0293 <Keyword>rule</Keyword><Normal Text> </Normal Text><Rule>Rule1</Rule><br/> 0294 <Symbol>{</Symbol><br/> 0295 <Normal Text> </Normal Text><Keyword>strings</Keyword><Normal Text>:</Normal Text><br/> 0296 <Normal Text> </Normal Text><Identifier>$a</Identifier><Normal Text> = </Normal Text><String>"dummy1"</String><br/> 0297 <Normal Text></Normal Text><br/> 0298 <Normal Text> </Normal Text><Keyword>condition</Keyword><Normal Text>:</Normal Text><br/> 0299 <Normal Text> </Normal Text><Identifier>$a</Identifier><br/> 0300 <Symbol>}</Symbol><br/> 0301 <Normal Text></Normal Text><br/> 0302 <Keyword>rule</Keyword><Normal Text> </Normal Text><Rule>Rule2</Rule><br/> 0303 <Symbol>{</Symbol><br/> 0304 <Normal Text> </Normal Text><Keyword>strings</Keyword><Normal Text>:</Normal Text><br/> 0305 <Normal Text> </Normal Text><Identifier>$a</Identifier><Normal Text> = </Normal Text><String>"dummy2"</String><br/> 0306 <Normal Text></Normal Text><br/> 0307 <Normal Text> </Normal Text><Keyword>condition</Keyword><Normal Text>:</Normal Text><br/> 0308 <Normal Text> </Normal Text><Identifier>$a</Identifier><Normal Text> </Normal Text><Keyword>and</Keyword><Normal Text> Rule1</Normal 
Text><br/> 0309 <Symbol>}</Symbol><br/> 0310 <Normal Text></Normal Text><br/> 0311 <Comment>// Metadata</Comment><br/> 0312 <Normal Text></Normal Text><br/> 0313 <Keyword>rule</Keyword><Normal Text> </Normal Text><Rule>MetadataExample</Rule><br/> 0314 <Symbol>{</Symbol><br/> 0315 <Normal Text> </Normal Text><Keyword>meta</Keyword><Normal Text>:</Normal Text><br/> 0316 <Normal Text> my_identifier_1 = </Normal Text><String>"Some string data"</String><br/> 0317 <Normal Text> my_identifier_2 = </Normal Text><Decimal>24</Decimal><br/> 0318 <Normal Text> my_identifier_3 = </Normal Text><Boolean>true</Boolean><br/> 0319 <Normal Text></Normal Text><br/> 0320 <Normal Text> </Normal Text><Keyword>strings</Keyword><Normal Text>:</Normal Text><br/> 0321 <Normal Text> </Normal Text><Identifier>$my_text_string</Identifier><Normal Text> = </Normal Text><String>"text here"</String><br/> 0322 <Normal Text> </Normal Text><Identifier>$my_hex_string</Identifier><Normal Text> = </Normal Text><Symbol>{</Symbol><Hex String> E2 34 A1 C8 23 FB </Hex String><Symbol>}</Symbol><br/> 0323 <Normal Text></Normal Text><br/> 0324 <Normal Text> </Normal Text><Keyword>condition</Keyword><Normal Text>:</Normal Text><br/> 0325 <Normal Text> </Normal Text><Identifier>$my_text_string</Identifier><Normal Text> </Normal Text><Keyword>or</Keyword><Normal Text> </Normal Text><Identifier>$my_hex_string</Identifier><br/> 0326 <Symbol>}</Symbol><br/> 0327 <Normal Text></Normal Text><br/> 0328 <Comment>// External variables</Comment><br/> 0329 <Normal Text></Normal Text><br/> 0330 <Keyword>rule</Keyword><Normal Text> </Normal Text><Rule>ExternalVariableExample1</Rule><br/> 0331 <Symbol>{</Symbol><br/> 0332 <Normal Text> </Normal Text><Keyword>condition</Keyword><Normal Text>:</Normal Text><br/> 0333 <Normal Text> ext_var == </Normal Text><Decimal>10</Decimal><br/> 0334 <Symbol>}</Symbol><br/> 0335 <Normal Text></Normal Text><br/> 0336 <Keyword>rule</Keyword><Normal Text> </Normal 
Text><Rule>ExternalVariableExample2</Rule><br/> 0337 <Symbol>{</Symbol><br/> 0338 <Normal Text> </Normal Text><Keyword>condition</Keyword><Normal Text>:</Normal Text><br/> 0339 <Normal Text> bool_ext_var </Normal Text><Keyword>or</Keyword><Normal Text> </Normal Text><Keyword>filesize</Keyword><Normal Text> < int_ext_var</Normal Text><br/> 0340 <Symbol>}</Symbol><br/> 0341 <Normal Text></Normal Text><br/> 0342 <Keyword>rule</Keyword><Normal Text> </Normal Text><Rule>ExternalVariableExample3</Rule><br/> 0343 <Symbol>{</Symbol><br/> 0344 <Normal Text> </Normal Text><Keyword>condition</Keyword><Normal Text>:</Normal Text><br/> 0345 <Normal Text> string_ext_var </Normal Text><Keyword>contains</Keyword><Normal Text> </Normal Text><String>"text"</String><br/> 0346 <Symbol>}</Symbol><br/> 0347 <Normal Text></Normal Text><br/> 0348 <Keyword>rule</Keyword><Normal Text> </Normal Text><Rule>ExternalVariableExample4</Rule><br/> 0349 <Symbol>{</Symbol><br/> 0350 <Normal Text> </Normal Text><Keyword>condition</Keyword><Normal Text>:</Normal Text><br/> 0351 <Normal Text> string_ext_var </Normal Text><Keyword>matches</Keyword><Normal Text> </Normal Text><Start Regular Expression>/</Start Regular Expression><Pattern Character Class>[a-z]</Pattern Character Class><Pattern Internal Operator>+</Pattern Internal Operator><Regular Expression>/</Regular Expression><br/> 0352 <Symbol>}</Symbol><br/> 0353 <Normal Text></Normal Text><br/> 0354 <Keyword>rule</Keyword><Normal Text> </Normal Text><Rule>ExternalVariableExample5</Rule><br/> 0355 <Symbol>{</Symbol><br/> 0356 <Normal Text> </Normal Text><Keyword>condition</Keyword><Normal Text>:</Normal Text><br/> 0357 <Normal Text> </Normal Text><Comment>/* case insensitive single-line mode */</Comment><br/> 0358 <Normal Text> string_ext_var </Normal Text><Keyword>matches</Keyword><Normal Text> </Normal Text><Start Regular Expression>/</Start Regular Expression><Pattern Character Class>[a-z]</Pattern Character Class><Pattern Internal 
Operator>+</Pattern Internal Operator><Regular Expression>/is</Regular Expression><br/> 0359 <Symbol>}</Symbol><br/> 0360 <Normal Text></Normal Text><br/> 0361 <Comment>// Including files</Comment><br/> 0362 <Normal Text></Normal Text><br/> 0363 <Keyword>include</Keyword><Normal Text> </Normal Text><String>"other.yar"</String><br/> 0364 <Keyword>include</Keyword><Normal Text> </Normal Text><String>"./includes/other.yar"</String><br/> 0365 <Keyword>include</Keyword><Normal Text> </Normal Text><String>"../includes/other.yar"</String><br/>