Documentation ¶
Index ¶
- Constants
- Variables
- type BitwiseNot
- type Enum
- type Expression
- type ForIn
- type ForOf
- type FunctionCall
- type Group
- type HexBytes
- type HexJump
- type HexOr
- type HexString
- type HexToken
- type HexTokens
- type Identifier
- type Keyword
- type LiteralFloat
- type LiteralInteger
- type LiteralRegexp
- type LiteralString
- type MemberAccess
- type Meta
- type Minus
- type Node
- type Not
- type Of
- type Operation
- type OperatorType
- type Quantifier
- type Range
- type RegexpModifiers
- type RegexpString
- type Rule
- type RuleSet
- type String
- type StringCount
- type StringIdentifier
- type StringLength
- type StringOffset
- type Subscripting
- type TextString
Constants ¶
const OpMaxPrecedence = 11
OpMaxPrecedence is the maximum possible precedence. This is also the precedence for unary operators "not", "~" and "-".
Variables ¶
var OpPrecedence = map[OperatorType]int{
    OpOr:             1,
    OpAnd:            2,
    OpEqual:          3,
    OpNotEqual:       3,
    OpLessThan:       4,
    OpLessOrEqual:    4,
    OpGreaterThan:    4,
    OpGreaterOrEqual: 4,
    OpContains:       4,
    OpMatches:        4,
    OpBitOr:          5,
    OpBitXor:         6,
    OpBitAnd:         7,
    OpShiftLeft:      8,
    OpShiftRight:     8,
    OpAdd:            9,
    OpSub:            9,
    OpMul:            10,
    OpDiv:            10,
    OpMod:            10,
}
OpPrecedence is the operator precedence table.
Functions ¶
This section is empty.
Types ¶
type BitwiseNot ¶ added in v0.2.0
type BitwiseNot struct {
Expression
}
BitwiseNot is an Expression that represents the bitwise not operation.
func (*BitwiseNot) WriteSource ¶ added in v0.2.0
func (b *BitwiseNot) WriteSource(w io.Writer) error
WriteSource writes the node's source into the writer w.
type Enum ¶ added in v0.2.0
type Enum struct {
Values []Expression
}
Enum is a Node that represents an enumeration. Example: (1,2,3,4).
func (*Enum) AsProto ¶ added in v0.2.0
func (e *Enum) AsProto() *pb.IntegerEnumeration
AsProto returns the node serialized as a pb.IntegerEnumeration.
type Expression ¶ added in v0.1.1
type Expression interface {
Node
AsProto() *pb.Expression
}
Expression is the interface implemented by all expressions in the AST. Not all nodes are expressions, but all expressions are nodes. In general, an expression is a Node that can be used as an operand in some kind of operation.
type ForIn ¶ added in v0.2.0
type ForIn struct {
Quantifier *Quantifier
Variables []string
Iterator Node
Condition Expression
}
ForIn is an Expression representing a "for in" loop. Example:
for <quantifier> <variables> in <iterator> : ( <condition> )
func (*ForIn) AsProto ¶ added in v0.2.0
func (f *ForIn) AsProto() *pb.Expression
AsProto returns the Expression serialized as a pb.Expression.
type ForOf ¶ added in v0.2.0
type ForOf struct {
Quantifier *Quantifier
Strings Node
Condition Expression
}
ForOf is an Expression representing a "for of" loop. Example:
for <quantifier> of <string_set> : ( <condition> )
func (*ForOf) AsProto ¶ added in v0.2.0
func (f *ForOf) AsProto() *pb.Expression
AsProto returns the Expression serialized as a pb.Expression.
type FunctionCall ¶ added in v0.2.0
type FunctionCall struct {
Callable Expression
Arguments []Expression
}
FunctionCall is an Expression that represents a function call.
func (*FunctionCall) AsProto ¶ added in v0.2.0
func (f *FunctionCall) AsProto() *pb.Expression
AsProto returns the Expression serialized as a pb.Expression.
func (*FunctionCall) Children ¶ added in v0.2.0
func (f *FunctionCall) Children() []Node
Children returns the Node's children.
func (*FunctionCall) WriteSource ¶ added in v0.2.0
func (f *FunctionCall) WriteSource(w io.Writer) error
WriteSource writes the node's source into the writer w.
type Group ¶ added in v0.2.0
type Group struct {
Expression
}
Group is an Expression that encloses another Expression in parentheses.
type HexBytes ¶ added in v0.2.0
HexBytes is a HexToken that represents a byte sequence. The bytes are stored in Bytes, while Masks contains a nibble-wise mask for each of the bytes (both arrays have the same length). Possible masks are:
00 -> Full wildcard, the corresponding byte is ignored (??).
0F -> The higher nibble is ignored (?X).
F0 -> The lower nibble is ignored (X?).
FF -> No wildcard at all.
func (*HexBytes) AsProto ¶ added in v0.2.0
func (h *HexBytes) AsProto() *pb.BytesSequence
AsProto returns the Node serialized as a pb.BytesSequence.
type HexJump ¶ added in v0.2.0
HexJump is a HexToken that represents a jump in the hex string, for example the [10-20] jump in {01 02 [10-20] 03 04}. An End of 0 means the jump is unbounded: the jump [20-] has Start=20 and End=0.
type HexOr ¶ added in v0.2.0
type HexOr struct {
Alternatives HexTokens
}
HexOr is a HexToken that represents an alternative in the hex string, like the (03 04 | 05 06) alternative in { 01 02 (03 04 | 05 06) 07 08 }. Each item in Alternatives corresponds to one alternative.
func (*HexOr) AsProto ¶ added in v0.2.0
func (h *HexOr) AsProto() *pb.HexAlternative
AsProto returns the Node serialized as a pb.HexAlternative.
type HexString ¶ added in v0.2.0
HexString describes a YARA hex string. Hex strings have an identifier and a sequence of tokens that make up the abstract syntax tree for the hex string. Each token can be any of the following types:
HexBytes: Represents a sequence of bytes, possibly masked, like: 01 02 03, 34 ?? A1 F? 03 ?3
HexJump: Represents a jump in the hex string, like: [21], [0-100]
HexOr: Represents an alternative, like: (A|B), (A|B|C)
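As an added example (not gyp's own code) of the nibble-mask layout described for HexBytes and of the byte-sequence tokens listed above, the following Go program parses a token such as "34 ?? A1 F? 03 ?3" into Bytes and Masks and then checks a buffer against it. The HexBytes struct, ParseHexBytes and MatchesAt are constructed here for illustration and are not part of this package.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// HexBytes mirrors the page's description: one byte and one nibble-wise mask
// per position, with mask values 00, 0F, F0 or FF.
type HexBytes struct {
	Bytes []byte
	Masks []byte
}

// ParseHexBytes turns a byte-sequence token such as "34 ?? A1 F? 03 ?3" into
// the Bytes/Masks pair. Jumps and alternatives are other token types and are
// rejected here. (Constructed parser, not gyp's own.)
func ParseHexBytes(src string) (*HexBytes, error) {
	h := &HexBytes{}
	for _, tok := range strings.Fields(src) {
		if len(tok) != 2 {
			return nil, fmt.Errorf("bad token %q: expected two hex digits or ?", tok)
		}
		var value, mask byte
		for i, ch := range tok {
			if ch == '?' {
				continue // wildcard nibble: its mask bits stay zero
			}
			n, err := strconv.ParseUint(string(ch), 16, 8)
			if err != nil {
				return nil, fmt.Errorf("bad token %q: %v", tok, err)
			}
			shift := uint(4 * (1 - i)) // first character is the high nibble
			value |= byte(n) << shift
			mask |= 0x0F << shift
		}
		h.Bytes = append(h.Bytes, value)
		h.Masks = append(h.Masks, mask)
	}
	return h, nil
}

// MatchesAt reports whether data at offset satisfies the masked pattern: each
// byte is compared only in the nibbles its mask selects, so "F?" accepts any
// byte whose high nibble is 0xF and "??" accepts anything.
func (h *HexBytes) MatchesAt(data []byte, offset int) bool {
	if offset < 0 || offset+len(h.Bytes) > len(data) {
		return false
	}
	for i := range h.Bytes {
		if data[offset+i]&h.Masks[i] != h.Bytes[i]&h.Masks[i] {
			return false
		}
	}
	return true
}
```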
type HexToken ¶ added in v0.1.1
type HexToken interface {
Node
}
HexToken is the interface implemented by all types of tokens in a hex string.
type HexTokens ¶ added in v0.1.1
type HexTokens []HexToken
HexTokens is a sequence of tokens.
type Identifier ¶ added in v0.1.1
type Identifier struct {
Identifier string
}
Identifier is an Expression that represents an identifier.
func (*Identifier) AsProto ¶ added in v0.2.0
func (i *Identifier) AsProto() *pb.Expression
AsProto returns the Expression serialized as a pb.Expression.
func (*Identifier) Children ¶ added in v0.2.0
func (i *Identifier) Children() []Node
Children returns the Node's children.
func (*Identifier) WriteSource ¶ added in v0.2.0
func (i *Identifier) WriteSource(w io.Writer) error
WriteSource writes the node's source into the writer w.
type Keyword ¶ added in v0.1.1
type Keyword string
Keyword is a Node that represents a keyword.
const (
    KeywordAll        Keyword = "all"
    KeywordAny        Keyword = "any"
    KeywordEntrypoint Keyword = "entrypoint"
    KeywordFalse      Keyword = "false"
    KeywordFilesize   Keyword = "filesize"
    KeywordThem       Keyword = "them"
    KeywordTrue       Keyword = "true"
)
Constants for existing keywords.
func (Keyword) AsProto ¶ added in v0.2.0
func (k Keyword) AsProto() *pb.Expression
AsProto returns the Expression serialized as a pb.Expression.
type LiteralFloat ¶ added in v0.2.0
type LiteralFloat struct {
Value float64
}
LiteralFloat is an Expression that represents a literal float.
func (*LiteralFloat) AsProto ¶ added in v0.2.0
func (l *LiteralFloat) AsProto() *pb.Expression
AsProto returns the Expression serialized as a pb.Expression.
func (*LiteralFloat) Children ¶ added in v0.2.0
func (l *LiteralFloat) Children() []Node
Children returns the Node's children.
func (*LiteralFloat) WriteSource ¶ added in v0.2.0
func (l *LiteralFloat) WriteSource(w io.Writer) error
WriteSource writes the node's source into the writer w.
type LiteralInteger ¶ added in v0.2.0
type LiteralInteger struct {
Value int64
}
LiteralInteger is an Expression that represents a literal integer.
func (*LiteralInteger) AsProto ¶ added in v0.2.0
func (l *LiteralInteger) AsProto() *pb.Expression
AsProto returns the Expression serialized as a pb.Expression.
func (*LiteralInteger) Children ¶ added in v0.2.0
func (l *LiteralInteger) Children() []Node
Children returns the Node's children.
func (*LiteralInteger) WriteSource ¶ added in v0.2.0
func (l *LiteralInteger) WriteSource(w io.Writer) error
WriteSource writes the node's source into the writer w.
type LiteralRegexp ¶ added in v0.2.0
type LiteralRegexp struct {
Value string
Modifiers RegexpModifiers
}
LiteralRegexp is an Expression that represents a literal regular expression, like for example /ab.*cd/.
func (*LiteralRegexp) AsProto ¶ added in v0.2.0
func (l *LiteralRegexp) AsProto() *pb.Expression
AsProto returns the Expression serialized as a pb.Expression.
func (*LiteralRegexp) Children ¶ added in v0.2.0
func (l *LiteralRegexp) Children() []Node
Children returns the Node's children.
func (*LiteralRegexp) String ¶ added in v0.2.0
func (l *LiteralRegexp) String() string
func (*LiteralRegexp) WriteSource ¶ added in v0.2.0
func (l *LiteralRegexp) WriteSource(w io.Writer) error
WriteSource writes the node's source into the writer w.
type LiteralString ¶ added in v0.2.0
type LiteralString struct {
Value string
}
LiteralString is an Expression that represents a literal string.
func (*LiteralString) AsProto ¶ added in v0.2.0
func (l *LiteralString) AsProto() *pb.Expression
AsProto returns the Expression serialized as a pb.Expression.
func (*LiteralString) Children ¶ added in v0.2.0
func (l *LiteralString) Children() []Node
Children returns the Node's children.
func (*LiteralString) String ¶ added in v0.2.0
func (l *LiteralString) String() string
func (*LiteralString) WriteSource ¶ added in v0.2.0
func (l *LiteralString) WriteSource(w io.Writer) error
WriteSource writes the node's source into the writer w.
type MemberAccess ¶ added in v0.2.0
type MemberAccess struct {
Container Expression
Member string
}
MemberAccess is an Expression that represents a member access operation (.). For example, in "foo.bar" we have a MemberAccess operation where Container is the "foo" identifier and Member is "bar".
func (*MemberAccess) AsProto ¶ added in v0.2.0
func (m *MemberAccess) AsProto() *pb.Expression
AsProto returns the Expression serialized as a pb.Expression.
func (*MemberAccess) Children ¶ added in v0.2.0
func (m *MemberAccess) Children() []Node
Children returns the node's child nodes.
func (*MemberAccess) WriteSource ¶ added in v0.2.0
func (m *MemberAccess) WriteSource(w io.Writer) error
WriteSource writes the node's source into the writer w.
type Meta ¶ added in v0.1.1
type Meta struct {
Key string
Value interface{}
}
Meta represents an entry in a rule's metadata section. Each entry is composed of a key and a value. The value can be either a string, an int64 or a bool.
type Minus ¶ added in v0.2.0
type Minus struct {
Expression
}
Minus is an Expression that represents the unary minus operation.
func (*Minus) AsProto ¶ added in v0.2.0
func (m *Minus) AsProto() *pb.Expression
AsProto returns the Expression serialized as a pb.Expression.
type Node ¶ added in v0.2.0
type Node interface {
// Writes the source of the node to a writer.
WriteSource(io.Writer) error
// Returns the node's children. The children are returned left to right,
// if the node represents the operation A + B + C, the children will
// appear as A, B, C.
Children() []Node
}
Node is the interface implemented by all types of nodes in the AST.
type Not ¶ added in v0.2.0
type Not struct {
Expression
}
Not is an Expression that represents the "not" operation.
func (*Not) AsProto ¶ added in v0.2.0
func (n *Not) AsProto() *pb.Expression
AsProto returns the Expression serialized as a pb.Expression.
type Of ¶ added in v0.2.0
type Of struct {
Quantifier *Quantifier
Strings Node
}
Of is an Expression representing a "of" operation. Example:
<quantifier> of <string_set>
func (*Of) AsProto ¶ added in v0.2.0
func (o *Of) AsProto() *pb.Expression
AsProto returns the Expression serialized as a pb.Expression.
type Operation ¶ added in v0.2.0
type Operation struct {
Operator OperatorType
Operands []Expression
}
Operation is an Expression representing an operation with two or more operands, like "A or B", "A and B and C", "A + B + C", "A - B - C", etc. When there are more than two operands the operation is considered left-associative: a single Operation can represent A - B - C, but A - (B - C) needs two Operations with two operands each.
func (*Operation) AsProto ¶ added in v0.2.0
func (o *Operation) AsProto() *pb.Expression
AsProto returns the Expression serialized as a pb.Expression.
type OperatorType ¶ added in v0.2.0
type OperatorType string
OperatorType is the type of operators.
const (
    OpUnknown        OperatorType = ""
    OpOr             OperatorType = "or"
    OpAnd            OperatorType = "and"
    OpBitOr          OperatorType = "|"
    OpBitXor         OperatorType = "^"
    OpBitAnd         OperatorType = "&"
    OpEqual          OperatorType = "=="
    OpNotEqual       OperatorType = "!="
    OpLessThan       OperatorType = "<"
    OpGreaterThan    OperatorType = ">"
    OpLessOrEqual    OperatorType = "<="
    OpGreaterOrEqual OperatorType = ">="
    OpAdd            OperatorType = "+"
    OpSub            OperatorType = "-"
    OpMul            OperatorType = "*"
    OpDiv            OperatorType = "\\"
    OpMod            OperatorType = "%"
    OpShiftLeft      OperatorType = "<<"
    OpShiftRight     OperatorType = ">>"
    OpContains       OperatorType = "contains"
    OpMatches        OperatorType = "matches"
)
Constants that represent operators.
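As an added example, not code from gyp, the following Go program reimplements a minimal Operation serializer around the OpPrecedence table and the left-associativity rule described for Operation above. The Node interface here gains a Precedence method and a Source helper is added, both assumptions of this example; only three operators from the table are listed.

```go
package main

import (
	"io"
	"strings"
)

// Mirrors the page's OperatorType, OpMaxPrecedence and (abridged) OpPrecedence.
type OperatorType string

const (
	OpAdd           OperatorType = "+"
	OpSub           OperatorType = "-"
	OpMul           OperatorType = "*"
	OpMaxPrecedence              = 11
)

var OpPrecedence = map[OperatorType]int{OpAdd: 9, OpSub: 9, OpMul: 10}

// Node keeps the page's WriteSource and adds Precedence, an assumption of this
// example (not a gyp method), so the serializer can decide where parentheses go.
type Node interface {
	WriteSource(io.Writer) error
	Precedence() int
}

// Identifier is an atom: nothing binds more tightly, so it gets OpMaxPrecedence.
type Identifier struct{ Identifier string }

func (i *Identifier) WriteSource(w io.Writer) error { _, err := io.WriteString(w, i.Identifier); return err }
func (i *Identifier) Precedence() int                  { return OpMaxPrecedence }

// Operation holds two or more operands of one operator, as on this page.
type Operation struct {
	Operator OperatorType
	Operands []Node
}

func (o *Operation) Precedence() int { return OpPrecedence[o.Operator] }
func (o *Operation) WriteSource(w io.Writer) error {
	parts := make([]string, len(o.Operands))
	for i, operand := range o.Operands {
		s, p := Source(operand), operand.Precedence()
		// Parenthesise an operand that binds more loosely than this operation, or
		// equally tightly when it is not the leftmost one (left-associativity):
		// A - (B - C) keeps its parentheses, (A - B) - C is written A - B - C.
		if p < o.Precedence() || (p == o.Precedence() && i > 0) {
			s = "(" + s + ")"
		}
		parts[i] = s
	}
	_, err := io.WriteString(w, strings.Join(parts, " "+string(o.Operator)+" "))
	return err
}

// Source renders a node to a string (helper constructed for this example).
func Source(n Node) string {
	var sb strings.Builder
	_ = n.WriteSource(&sb)
	return sb.String()
}
```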
type Quantifier ¶ added in v0.2.0
type Quantifier struct {
Expression
}
Quantifier is an Expression used in for loops. It can be either a numeric expression or one of the keywords "any" or "all".
func (*Quantifier) AsProto ¶ added in v0.2.0
func (q *Quantifier) AsProto() *pb.ForExpression
AsProto returns the Expression serialized as a pb.ForExpression.
type Range ¶ added in v0.1.1
type Range struct {
Start Expression
End Expression
}
Range is a Node that represents an integer range. Example: (1..10).
type RegexpModifiers ¶ added in v0.2.0
type RegexpModifiers int
RegexpModifiers are flags containing the modifiers for a LiteralRegexp.
const (
    // RegexpCaseInsensitive is the flag corresponding to the /i modifier in a
    // regular expression literal.
    RegexpCaseInsensitive RegexpModifiers = 1 << iota
    // RegexpDotAll is the flag corresponding to the /s modifier in a regular
    // expression literal.
    RegexpDotAll
)
type RegexpString ¶ added in v0.2.0
type RegexpString struct {
Identifier string
// Value contains the string exactly as it appears in the YARA rule. Escape
// sequences remain escaped. See the UnescapeValue function.
Regexp *LiteralRegexp
ASCII bool
Wide bool
Nocase bool
Fullword bool
Private bool
}
RegexpString describes a YARA regexp.
func (*RegexpString) AsProto ¶ added in v0.2.0
func (r *RegexpString) AsProto() *pb.String
AsProto returns the string serialized as pb.String.
func (*RegexpString) String ¶ added in v0.2.0
func (r *RegexpString) String() string
func (*RegexpString) WriteSource ¶ added in v0.2.0
func (r *RegexpString) WriteSource(w io.Writer) (err error)
WriteSource writes the node's source into the writer w.
type Rule ¶ added in v0.1.1
type Rule struct {
Global bool
Private bool
Identifier string
Tags []string
Meta []*Meta
Strings []String
Condition Expression
}
Rule describes a YARA rule.
func RuleFromProto ¶ added in v0.2.0
RuleFromProto creates a Rule from its corresponding protobuf.
func (*Rule) AsProto ¶ added in v0.2.0
AsProto returns the rule serialized as a Rule protobuf message.
type RuleSet ¶ added in v0.1.1
RuleSet describes a set of YARA rules.
func RuleSetFromProto ¶ added in v0.2.0
RuleSetFromProto creates a RuleSet from its corresponding protobuf.
type String ¶ added in v0.1.1
String is the interface implemented by the different types of strings that are supported by YARA (i.e. text strings, hex strings and regexps).
type StringCount ¶ added in v0.2.0
type StringCount struct {
Identifier string
}
StringCount is an Expression that represents a string count operation, like "#a". Notice that the Identifier field doesn't contain the # prefix.
func (*StringCount) AsProto ¶ added in v0.2.0
func (s *StringCount) AsProto() *pb.Expression
AsProto returns the Expression serialized as a pb.Expression.
func (*StringCount) Children ¶ added in v0.2.0
func (s *StringCount) Children() []Node
Children returns the Node's children.
func (*StringCount) WriteSource ¶ added in v0.2.0
func (s *StringCount) WriteSource(w io.Writer) error
WriteSource writes the node's source into the writer w.
type StringIdentifier ¶ added in v0.2.0
type StringIdentifier struct {
Identifier string
At Expression
In *Range
}
StringIdentifier is an Expression that represents a string identifier in the condition, like "$a". The "At" field is non-nil if the identifier comes accompanied by an "at" condition, like "$a at 100". Similarly, "In" is non-nil if the identifier is accompanied by an "in" condition, like "$a in (0..100)". Notice that the Identifier field doesn't contain the $ prefix.
func (*StringIdentifier) AsProto ¶ added in v0.2.0
func (s *StringIdentifier) AsProto() *pb.Expression
AsProto returns the Expression serialized as a pb.Expression.
func (*StringIdentifier) Children ¶ added in v0.2.0
func (s *StringIdentifier) Children() []Node
Children returns the Node's children.
func (*StringIdentifier) WriteSource ¶ added in v0.2.0
func (s *StringIdentifier) WriteSource(w io.Writer) error
WriteSource writes the node's source into the writer w.
type StringLength ¶ added in v0.1.1
type StringLength struct {
Identifier string
Index Expression
}
StringLength is an Expression that represents a string length operation, like "!a". The "Index" field is non-nil if the length operation is indexed, like in "!a[1]". Notice that the Identifier field doesn't contain the ! prefix.
func (*StringLength) AsProto ¶ added in v0.2.0
func (s *StringLength) AsProto() *pb.Expression
AsProto returns the Expression serialized as a pb.Expression.
func (*StringLength) Children ¶ added in v0.2.0
func (s *StringLength) Children() []Node
Children returns the Node's children.
func (*StringLength) WriteSource ¶ added in v0.2.0
func (s *StringLength) WriteSource(w io.Writer) error
WriteSource writes the node's source into the writer w.
type StringOffset ¶ added in v0.1.1
type StringOffset struct {
Identifier string
Index Expression
}
StringOffset is an Expression that represents a string offset operation, like "@a". The "Index" field is non-nil if the offset operation is indexed, like in "@a[1]". Notice that the Identifier field doesn't contain the @ prefix.
func (*StringOffset) AsProto ¶ added in v0.2.0
func (s *StringOffset) AsProto() *pb.Expression
AsProto returns the Expression serialized as a pb.Expression.
func (*StringOffset) Children ¶ added in v0.2.0
func (s *StringOffset) Children() []Node
Children returns the Node's children.
func (*StringOffset) WriteSource ¶ added in v0.2.0
func (s *StringOffset) WriteSource(w io.Writer) error
WriteSource writes the node's source into the writer w.
type Subscripting ¶ added in v0.2.0
type Subscripting struct {
Array Expression
Index Expression
}
Subscripting is an Expression that represents an array subscripting operation ([]). For example, in "foo[1+2]" we have a Subscripting operation where Array is a Node representing the "foo" identifier and Index is another Node that represents the expression "1+2".
func (*Subscripting) AsProto ¶ added in v0.2.0
func (s *Subscripting) AsProto() *pb.Expression
AsProto returns the Expression serialized as a pb.Expression.
func (*Subscripting) Children ¶ added in v0.2.0
func (s *Subscripting) Children() []Node
Children returns the node's child nodes.
func (*Subscripting) WriteSource ¶ added in v0.2.0
func (s *Subscripting) WriteSource(w io.Writer) error
WriteSource writes the node's source into the writer w.
type TextString ¶ added in v0.1.1
type TextString struct {
Identifier string
// Value contains the string exactly as it appears in the YARA rule. Escape
// sequences remain escaped. See the UnescapeValue function.
Value string
ASCII bool
Wide bool
Nocase bool
Fullword bool
Private bool
Xor bool
XorMin int32
XorMax int32
}
TextString describes a YARA text string.
func (*TextString) AsProto ¶ added in v0.2.0
func (t *TextString) AsProto() *pb.String
AsProto returns the string serialized as pb.String.
func (*TextString) String ¶ added in v0.1.1
func (t *TextString) String() string
func (*TextString) UnescapedValue ¶ added in v0.2.0
func (t *TextString) UnescapedValue() string
UnescapedValue returns the string's Value with any escape sequence replaced by the actual character that it represents.
func (*TextString) WriteSource ¶ added in v0.2.0
func (t *TextString) WriteSource(w io.Writer) error
WriteSource writes the node's source into the writer w.