Enum boreal_parser::ExpressionKind

source · 
pub enum ExpressionKind {

Show 44 variants    Filesize,
    Entrypoint,
    ReadInteger {
        ty: ReadIntegerType,
        addr: Box<Expression>,
    },
    Integer(i64),
    Double(f64),
    Count(String),
    CountInRange {
        variable_name: String,
        variable_name_span: Range<usize>,
        from: Box<Expression>,
        to: Box<Expression>,
    },
    Offset {
        variable_name: String,
        occurence_number: Box<Expression>,
    },
    Length {
        variable_name: String,
        occurence_number: Box<Expression>,
    },
    Neg(Box<Expression>),
    Add(Box<Expression>, Box<Expression>),
    Sub(Box<Expression>, Box<Expression>),
    Mul(Box<Expression>, Box<Expression>),
    Div(Box<Expression>, Box<Expression>),
    Mod(Box<Expression>, Box<Expression>),
    BitwiseXor(Box<Expression>, Box<Expression>),
    BitwiseAnd(Box<Expression>, Box<Expression>),
    BitwiseOr(Box<Expression>, Box<Expression>),
    BitwiseNot(Box<Expression>),
    ShiftLeft(Box<Expression>, Box<Expression>),
    ShiftRight(Box<Expression>, Box<Expression>),
    And(Vec<Expression>),
    Or(Vec<Expression>),
    Not(Box<Expression>),
    Cmp {
        left: Box<Expression>,
        right: Box<Expression>,
        less_than: bool,
        can_be_equal: bool,
    },
    Eq(Box<Expression>, Box<Expression>),
    NotEq(Box<Expression>, Box<Expression>),
    Contains {
        haystack: Box<Expression>,
        needle: Box<Expression>,
        case_insensitive: bool,
    },
    StartsWith {
        expr: Box<Expression>,
        prefix: Box<Expression>,
        case_insensitive: bool,
    },
    EndsWith {
        expr: Box<Expression>,
        suffix: Box<Expression>,
        case_insensitive: bool,
    },
    IEquals(Box<Expression>, Box<Expression>),
    Matches(Box<Expression>, Regex),
    Defined(Box<Expression>),
    Boolean(bool),
    Variable(String),
    VariableAt {
        variable_name: String,
        variable_name_span: Range<usize>,
        offset: Box<Expression>,
    },
    VariableIn {
        variable_name: String,
        variable_name_span: Range<usize>,
        from: Box<Expression>,
        to: Box<Expression>,
    },
    For {
        selection: ForSelection,
        set: VariableSet,
        body: Option<Box<Expression>>,
    },
    ForIn {
        selection: ForSelection,
        set: VariableSet,
        from: Box<Expression>,
        to: Box<Expression>,
    },
    ForIdentifiers {
        selection: ForSelection,
        identifiers: Vec<String>,
        identifiers_span: Range<usize>,
        iterator: ForIterator,
        iterator_span: Range<usize>,
        body: Box<Expression>,
    },
    ForRules {
        selection: ForSelection,
        set: RuleSet,
    },
    Identifier(Identifier),
    Bytes(Vec<u8>),
    Regex(Regex),

}
Expand description

An expression parsed in a Rule.

Variants§

§

Filesize

Size of the file being scanned.

§

Entrypoint

Entrypoint of the file being scanned, if it is a PE or ELF.

Deprecated, use the pe or elf module instead.

§

ReadInteger

Fields

§ty: ReadIntegerType

Which size and endianness to read.

§addr: Box<Expression>

Address/Offset of the input where to read.

An integer read at a given address.

See the yara documentation on int8, uint16be etc.

§

Integer(i64)

A i64 value.

§

Double(f64)

A f64 floating-point value.

§

Count(String)

Count number of matches on a given variable.

§

CountInRange

Fields

§variable_name: String

Name of the variable being counted

§variable_name_span: Range<usize>

Span for the name of the variable

§from: Box<Expression>

Starting offset, included.

§to: Box<Expression>

Ending offset, included.

Count number of matches on a given variable in a specific range of the input.

§

Offset

Fields

§variable_name: String

Name of the variable

§occurence_number: Box<Expression>

Occurrence number.

1 is the first match on the variable, 2 is the next one, etc.

Offset of a variable match

§

Length

Fields

§variable_name: String

Name of the variable

§occurence_number: Box<Expression>

Occurrence number.

1 is the first match on the variable, 2 is the next one, etc.

Length of a variable match

§

Neg(Box<Expression>)

Opposite value, for integers and floats.

§

Add(Box<Expression>, Box<Expression>)

Addition, for integers and floats.

§

Sub(Box<Expression>, Box<Expression>)

Substraction, for integers and floats.

§

Mul(Box<Expression>, Box<Expression>)

Multiplication, for integers and floats.

§

Div(Box<Expression>, Box<Expression>)

Division, for integers and floats.

§

Mod(Box<Expression>, Box<Expression>)

Modulo, for integers.

§

BitwiseXor(Box<Expression>, Box<Expression>)

Bitwise xor, for integers.

§

BitwiseAnd(Box<Expression>, Box<Expression>)

Bitwise and, for integers.

§

BitwiseOr(Box<Expression>, Box<Expression>)

Bitwise or, for integers.

§

BitwiseNot(Box<Expression>)

Bitwise negation, for integers.

§

ShiftLeft(Box<Expression>, Box<Expression>)

Shift left, both elements must be integers.

§

ShiftRight(Box<Expression>, Box<Expression>)

Shift right, both elements must be integers.

§

And(Vec<Expression>)

Boolean and operation.

§

Or(Vec<Expression>)

Boolean or operation.

§

Not(Box<Expression>)

Boolean negation.

§

Cmp

Fields

§left: Box<Expression>

Left operand.

§right: Box<Expression>

Right operand.

§less_than: bool

If true this is ‘<’, otherwise ‘>’

§can_be_equal: bool

If true, left == right returns true.

Comparison.

Integers and floats can be compared to integers and floats. Strings can be compared to strings.

§

Eq(Box<Expression>, Box<Expression>)

Equal

§

NotEq(Box<Expression>, Box<Expression>)

Not equal

§

Contains

Fields

§haystack: Box<Expression>

String to search in

§needle: Box<Expression>

String to search

§case_insensitive: bool

If true, the search is case insensitive.

Does a string contains another string

§

StartsWith

Fields

§expr: Box<Expression>

String to search in

§prefix: Box<Expression>

Prefix to search

§case_insensitive: bool

If true, the search is case insensitive.

Does a string starts with another string

§

EndsWith

Fields

§expr: Box<Expression>

String to search in

§suffix: Box<Expression>

Prefix to search

§case_insensitive: bool

If true, the search is case insensitive.

Does a string ends with another string

§

IEquals(Box<Expression>, Box<Expression>)

Case insensitive equality test. Both elements must be strings.

§

Matches(Box<Expression>, Regex)

Does a string matches a regex.

§

Defined(Box<Expression>)

Is a given value defined.

For example, defined filesize will be true when scanning a file, false otherwise.

§

Boolean(bool)

A boolean value.

§

Variable(String)

Does a variable matches

§

VariableAt

Fields

§variable_name: String

Name of the variable

§variable_name_span: Range<usize>

Span for the name of the variable

§offset: Box<Expression>

Offset

Does a variable matches at a given offset.

§

VariableIn

Fields

§variable_name: String

Name of the variable.

§variable_name_span: Range<usize>

Span for the name of the variable

§from: Box<Expression>

Starting offset, included.

§to: Box<Expression>

Ending offset, included.

Does a variable matches in a given offset range.

§

For

Fields

§selection: ForSelection

How many variables must match for this expression to be true.

§set: VariableSet

Which variables to select.

§body: Option<Box<Expression>>

ParsedExpr to evaluate for each variable.

The body can contain $, #, @ or ! to refer to the currently selected variable.

If unset, this is equivalent to $, i.e. true if the selected variable matches.

Evaluate multiple variables on a given expression.

For each variable in set, evaluate body. Then, if the number of evaluations returning true matches the selection, then this expression returns true.

§

ForIn

Fields

§selection: ForSelection

How many variables must match for this expresion to be true.

§set: VariableSet

Which variables to select.

§from: Box<Expression>

Starting offset, included.

§to: Box<Expression>

Ending offset, included.

Evaluate multiple variables on a given range.

This is equivalent to a Self::For value, with a body set to $ in (from..to).

§

ForIdentifiers

Fields

§selection: ForSelection

How many times the body must evaluate to true for this expresion to be true.

§identifiers: Vec<String>

List of identifiers to bind.

This is a list because the values bounded can be complex, ie arrays or dictionaries. This list is the same length as the cardinality of the values in the iterator.

§identifiers_span: Range<usize>

Span covering the identifiers declaration

§iterator: ForIterator

Values to bind to the identifiers.

§iterator_span: Range<usize>

Span covering the iterator

§body: Box<Expression>

Body to evaluate for each binding.

Evaluate an identifier with multiple values on a given expression.

Same as Self::For, but instead of binding a variable, an identifier is bounded to multiple values.

For example: for all i in (0..#a): ( @a[i] < 100 )

§

ForRules

Fields

§selection: ForSelection

How many variables must match for this expression to be true.

§set: RuleSet

Which rules are selected.

Depend on multiple rules already declared in the namespace.

If the number of matching rules in the set matches the selection, this expression returns true.

§

Identifier(Identifier)

An identifier.

§

Bytes(Vec<u8>)

A byte string.

§

Regex(Regex)

A regex.

Trait Implementations§

source§

impl Clone for ExpressionKind

source§

fn clone(&self) -> ExpressionKind

Returns a copy of the value. Read more
1.0.0 · source§

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source. Read more
source§

impl Debug for ExpressionKind

source§

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter. Read more
source§

impl PartialEq<ExpressionKind> for ExpressionKind

source§

fn eq(&self, other: &ExpressionKind) -> bool

This method tests for self and other values to be equal, and is used by ==.
1.0.0 · source§

fn ne(&self, other: &Rhs) -> bool

This method tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.
source§

impl StructuralPartialEq for ExpressionKind

Auto Trait Implementations§

Blanket Implementations§

source§

impl<T> Any for Twhere T: 'static + ?Sized,

source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
source§

impl<T> Borrow<T> for Twhere T: ?Sized,

const: unstable · source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
source§

impl<T> BorrowMut<T> for Twhere T: ?Sized,

const: unstable · source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
source§

impl<T> From<T> for T

const: unstable · source§

fn from(t: T) -> T

Returns the argument unchanged.

source§

impl<T, U> Into<U> for Twhere U: From<T>,

const: unstable · source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

source§

impl<T> ToOwned for Twhere T: Clone,

§

type Owned = T

The resulting type after obtaining ownership.
source§

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning. Read more
source§

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning. Read more
source§

impl<T, U> TryFrom<U> for Twhere U: Into<T>,

§

type Error = Infallible

The type returned in the event of a conversion error.
const: unstable · source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
source§

impl<T, U> TryInto<U> for Twhere U: TryFrom<T>,

§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
const: unstable · source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.