Crate boreal_parser
source ·Expand description
Parser for YARA rules.
This crate is designed to be used by the boreal
crate.
It exposes a main entrypoint function, parse
, which parses the contents of a YARA file.
use boreal_parser::*;
use boreal_parser::expression::*;
use boreal_parser::file::*;
use boreal_parser::rule::*;
let file = parse(r#"
import "pe"
private rule b : tag1 {
meta:
a = true
strings:
$b = "\\mspaint.exe" wide
condition:
pe.is_dll() and all of them
}"#)?;
assert_eq!(
file.components[0],
YaraFileComponent::Import(Import {
name: "pe".to_owned(),
span: 1..12,
})
);
assert_eq!(
file.components[1],
YaraFileComponent::Rule(Box::new(Rule {
name: "b".to_owned(),
name_span: 27..28,
tags: vec![RuleTag {
tag: "tag1".to_owned(),
span: 31..35
}],
metadatas: vec![Metadata {
name: "a".to_owned(),
value: MetadataValue::Boolean(true)
}],
variables: vec![VariableDeclaration {
name: "b".to_owned(),
value: VariableDeclarationValue::Bytes(b"\\mspaint.exe".to_vec()),
modifiers: VariableModifiers {
wide: true,
..Default::default()
},
span: 86..111,
}],
condition: Expression {
expr: ExpressionKind::And(vec![
Expression {
expr: ExpressionKind::Identifier(Identifier {
name: "pe".to_owned(),
name_span: 135..137,
operations: vec![
IdentifierOperation {
op: IdentifierOperationType::Subfield(
"is_dll".to_owned()
),
span: 137..144,
},
IdentifierOperation {
op: IdentifierOperationType::FunctionCall(vec![]),
span: 144..146,
}
],
}),
span: 135..146,
},
Expression {
expr: ExpressionKind::For {
selection: ForSelection::All,
set: VariableSet { elements: vec![] },
body: None,
},
span: 151..162,
}
]),
span: 135..162
},
is_private: true,
is_global: false,
}))
);
Modules§
- Parsing error types.
- Types related to the condition part of YARA rules.
- Types related to YARA files.
- AST objects related to hex strings.
- AST elements related to YARA regexes.
- Parse yara rules.
Functions§
- Parse a YARA file.