Enum boreal_parser::ExpressionKind

pub enum ExpressionKind {
    Filesize,
    Entrypoint,
    ReadInteger {
        ty: ReadIntegerType,
        addr: Box<Expression>,
    },
    Integer(i64),
    Double(f64),
    Count(String),
    CountInRange {
        variable_name: String,
        variable_name_span: Range<usize>,
        from: Box<Expression>,
        to: Box<Expression>,
    },
    Offset {
        variable_name: String,
        occurence_number: Box<Expression>,
    },
    Length {
        variable_name: String,
        occurence_number: Box<Expression>,
    },
    Neg(Box<Expression>),
    Add(Box<Expression>, Box<Expression>),
    Sub(Box<Expression>, Box<Expression>),
    Mul(Box<Expression>, Box<Expression>),
    Div(Box<Expression>, Box<Expression>),
    Mod(Box<Expression>, Box<Expression>),
    BitwiseXor(Box<Expression>, Box<Expression>),
    BitwiseAnd(Box<Expression>, Box<Expression>),
    BitwiseOr(Box<Expression>, Box<Expression>),
    BitwiseNot(Box<Expression>),
    ShiftLeft(Box<Expression>, Box<Expression>),
    ShiftRight(Box<Expression>, Box<Expression>),
    And(Vec<Expression>),
    Or(Vec<Expression>),
    Not(Box<Expression>),
    Cmp {
        left: Box<Expression>,
        right: Box<Expression>,
        less_than: bool,
        can_be_equal: bool,
    },
    Eq(Box<Expression>, Box<Expression>),
    NotEq(Box<Expression>, Box<Expression>),
    Contains {
        haystack: Box<Expression>,
        needle: Box<Expression>,
        case_insensitive: bool,
    },
    StartsWith {
        expr: Box<Expression>,
        prefix: Box<Expression>,
        case_insensitive: bool,
    },
    EndsWith {
        expr: Box<Expression>,
        suffix: Box<Expression>,
        case_insensitive: bool,
    },
    IEquals(Box<Expression>, Box<Expression>),
    Matches(Box<Expression>, Regex),
    Defined(Box<Expression>),
    Boolean(bool),
    Variable(String),
    VariableAt {
        variable_name: String,
        variable_name_span: Range<usize>,
        offset: Box<Expression>,
    },
    VariableIn {
        variable_name: String,
        variable_name_span: Range<usize>,
        from: Box<Expression>,
        to: Box<Expression>,
    },
    For {
        selection: ForSelection,
        set: VariableSet,
        body: Option<Box<Expression>>,
    },
    ForIn {
        selection: ForSelection,
        set: VariableSet,
        from: Box<Expression>,
        to: Box<Expression>,
    },
    ForIdentifiers {
        selection: ForSelection,
        identifiers: Vec<String>,
        identifiers_span: Range<usize>,
        iterator: ForIterator,
        iterator_span: Range<usize>,
        body: Box<Expression>,
    },
    ForRules {
        selection: ForSelection,
        set: RuleSet,
    },
    Identifier(Identifier),
    Bytes(Vec<u8>),
    Regex(Regex),
}

An expression parsed in a Rule.

Variants

Filesize

Size of the file being scanned.

Entrypoint

Entrypoint of the file being scanned, if it is a PE or ELF.

Deprecated, use the pe or elf module instead.

ReadInteger

Fields

ty: ReadIntegerType

Which size and endianness to read.

addr: Box<Expression>

Address/Offset of the input where to read.

An integer read at a given address.

See the yara documentation on int8, uint16be etc.

Integer(i64)

A i64 value.

Double(f64)

A f64 floating-point value.

Count(String)

Count number of matches on a given variable.

CountInRange

Fields

variable_name: String

Name of the variable being counted

variable_name_span: Range<usize>

Span for the name of the variable

from: Box<Expression>

Starting offset, included.

to: Box<Expression>

Ending offset, included.

Count number of matches on a given variable in a specific range of the input.

Offset

Fields

variable_name: String

Name of the variable

occurence_number: Box<Expression>

Occurrence number.

1 is the first match on the variable, 2 is the next one, etc.

Offset of a variable match

Length

Fields

variable_name: String

Name of the variable

occurence_number: Box<Expression>

Occurrence number.

1 is the first match on the variable, 2 is the next one, etc.

Length of a variable match

Neg(Box<Expression>)

Opposite value, for integers and floats.

Add(Box<Expression>, Box<Expression>)

Addition, for integers and floats.

Sub(Box<Expression>, Box<Expression>)

Substraction, for integers and floats.

Mul(Box<Expression>, Box<Expression>)

Multiplication, for integers and floats.

Div(Box<Expression>, Box<Expression>)

Division, for integers and floats.

Mod(Box<Expression>, Box<Expression>)

Modulo, for integers.

BitwiseXor(Box<Expression>, Box<Expression>)

Bitwise xor, for integers.

BitwiseAnd(Box<Expression>, Box<Expression>)

Bitwise and, for integers.

BitwiseOr(Box<Expression>, Box<Expression>)

Bitwise or, for integers.

BitwiseNot(Box<Expression>)

Bitwise negation, for integers.

ShiftLeft(Box<Expression>, Box<Expression>)

Shift left, both elements must be integers.

ShiftRight(Box<Expression>, Box<Expression>)

Shift right, both elements must be integers.

And(Vec<Expression>)

Boolean and operation.

Or(Vec<Expression>)

Boolean or operation.

Not(Box<Expression>)

Boolean negation.

Cmp

Fields

left: Box<Expression>

Left operand.

right: Box<Expression>

Right operand.

less_than: bool

If true this is ‘<’, otherwise ‘>’

can_be_equal: bool

If true, left == right returns true.

Comparison.

Integers and floats can be compared to integers and floats. Strings can be compared to strings.

Eq(Box<Expression>, Box<Expression>)

Equal

NotEq(Box<Expression>, Box<Expression>)

Not equal

Contains

Fields

haystack: Box<Expression>

String to search in

needle: Box<Expression>

String to search

case_insensitive: bool

If true, the search is case insensitive.

Does a string contains another string

StartsWith

Fields

expr: Box<Expression>

String to search in

prefix: Box<Expression>

Prefix to search

case_insensitive: bool

If true, the search is case insensitive.

Does a string starts with another string

EndsWith

Fields

expr: Box<Expression>

String to search in

suffix: Box<Expression>

Prefix to search

case_insensitive: bool

If true, the search is case insensitive.

Does a string ends with another string

IEquals(Box<Expression>, Box<Expression>)

Case insensitive equality test. Both elements must be strings.

Matches(Box<Expression>, Regex)

Does a string matches a regex.

Defined(Box<Expression>)

Is a given value defined.

For example, defined filesize will be true when scanning a file, false otherwise.

Boolean(bool)

A boolean value.

Variable(String)

Does a variable matches

VariableAt

Fields

variable_name: String

Name of the variable

variable_name_span: Range<usize>

Span for the name of the variable

offset: Box<Expression>

Offset

Does a variable matches at a given offset.

VariableIn

Fields

variable_name: String

Name of the variable.

variable_name_span: Range<usize>

Span for the name of the variable

from: Box<Expression>

Starting offset, included.

to: Box<Expression>

Ending offset, included.

Does a variable matches in a given offset range.

For

Fields

selection: ForSelection

How many variables must match for this expression to be true.

set: VariableSet

Which variables to select.

body: Option<Box<Expression>>

ParsedExpr to evaluate for each variable.

The body can contain $, #, @ or ! to refer to the currently selected variable.

If unset, this is equivalent to $, i.e. true if the selected variable matches.

Evaluate multiple variables on a given expression.

For each variable in set, evaluate body. Then, if the number of evaluations returning true matches the selection, then this expression returns true.

ForIn

Fields

selection: ForSelection

How many variables must match for this expresion to be true.

set: VariableSet

Which variables to select.

from: Box<Expression>

Starting offset, included.

to: Box<Expression>

Ending offset, included.

Evaluate multiple variables on a given range.

This is equivalent to a Self::For value, with a body set to $ in (from..to).

ForIdentifiers

Fields

selection: ForSelection

How many times the body must evaluate to true for this expresion to be true.

identifiers: Vec<String>

List of identifiers to bind.

This is a list because the values bounded can be complex, ie arrays or dictionaries. This list is the same length as the cardinality of the values in the iterator.

identifiers_span: Range<usize>

Span covering the identifiers declaration

iterator: ForIterator

Values to bind to the identifiers.

iterator_span: Range<usize>

Span covering the iterator

body: Box<Expression>

Body to evaluate for each binding.

Evaluate an identifier with multiple values on a given expression.

Same as Self::For, but instead of binding a variable, an identifier is bounded to multiple values.

For example: for all i in (0..#a): ( @a[i] < 100 )

ForRules

Fields

selection: ForSelection

How many variables must match for this expression to be true.

set: RuleSet

Which rules are selected.

Depend on multiple rules already declared in the namespace.

If the number of matching rules in the set matches the selection, this expression returns true.

Identifier(Identifier)

An identifier.

Bytes(Vec<u8>)

A byte string.

Regex(Regex)

A regex.

Trait Implementations

impl Clone for ExpressionKind

fn clone(&self) -> ExpressionKind

Returns a copy of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for ExpressionKind

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl PartialEq<ExpressionKind> for ExpressionKind

fn eq(&self, other: &ExpressionKind) -> bool

This method tests for self and other values to be equal, and is used by ==.

fn ne(&self, other: &Rhs) -> bool

This method tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.

impl StructuralPartialEq for ExpressionKind