pub enum ExpressionKind {
Show 45 variants
Filesize,
Entrypoint,
ReadInteger {
ty: ReadIntegerType,
addr: Box<Expression>,
},
Integer(i64),
Double(f64),
Count(String),
CountInRange {
variable_name: String,
variable_name_span: Range<usize>,
from: Box<Expression>,
to: Box<Expression>,
},
Offset {
variable_name: String,
occurence_number: Box<Expression>,
},
Length {
variable_name: String,
occurence_number: Box<Expression>,
},
Neg(Box<Expression>),
Add(Box<Expression>, Box<Expression>),
Sub(Box<Expression>, Box<Expression>),
Mul(Box<Expression>, Box<Expression>),
Div(Box<Expression>, Box<Expression>),
Mod(Box<Expression>, Box<Expression>),
BitwiseXor(Box<Expression>, Box<Expression>),
BitwiseAnd(Box<Expression>, Box<Expression>),
BitwiseOr(Box<Expression>, Box<Expression>),
BitwiseNot(Box<Expression>),
ShiftLeft(Box<Expression>, Box<Expression>),
ShiftRight(Box<Expression>, Box<Expression>),
And(Vec<Expression>),
Or(Vec<Expression>),
Not(Box<Expression>),
Cmp {
left: Box<Expression>,
right: Box<Expression>,
less_than: bool,
can_be_equal: bool,
},
Eq(Box<Expression>, Box<Expression>),
NotEq(Box<Expression>, Box<Expression>),
Contains {
haystack: Box<Expression>,
needle: Box<Expression>,
case_insensitive: bool,
},
StartsWith {
expr: Box<Expression>,
prefix: Box<Expression>,
case_insensitive: bool,
},
EndsWith {
expr: Box<Expression>,
suffix: Box<Expression>,
case_insensitive: bool,
},
IEquals(Box<Expression>, Box<Expression>),
Matches(Box<Expression>, Regex),
Defined(Box<Expression>),
Boolean(bool),
Variable(String),
VariableAt {
variable_name: String,
variable_name_span: Range<usize>,
offset: Box<Expression>,
},
VariableIn {
variable_name: String,
variable_name_span: Range<usize>,
from: Box<Expression>,
to: Box<Expression>,
},
For {
selection: ForSelection,
set: VariableSet,
body: Option<Box<Expression>>,
},
ForIn {
selection: ForSelection,
set: VariableSet,
from: Box<Expression>,
to: Box<Expression>,
},
ForAt {
selection: ForSelection,
set: VariableSet,
offset: Box<Expression>,
},
ForIdentifiers {
selection: ForSelection,
identifiers: Vec<String>,
identifiers_span: Range<usize>,
iterator: ForIterator,
iterator_span: Range<usize>,
body: Box<Expression>,
},
ForRules {
selection: ForSelection,
set: RuleSet,
},
Identifier(Identifier),
Bytes(Vec<u8>),
Regex(Regex),
}Expand description
An expression parsed in a Rule.
Variants§
Filesize
Size of the file being scanned.
Entrypoint
Entrypoint of the file being scanned, if it is a PE or ELF.
Deprecated, use the pe or elf module instead.
ReadInteger
An integer read at a given address.
See the yara documentation on int8, uint16be etc.
Fields
ty: ReadIntegerTypeWhich size and endianness to read.
addr: Box<Expression>Address/Offset of the input where to read.
Integer(i64)
A i64 value.
Double(f64)
A f64 floating-point value.
Count(String)
Count number of matches on a given variable.
CountInRange
Count number of matches on a given variable in a specific range of the input.
Offset
Offset of a variable match
Fields
occurence_number: Box<Expression>Occurrence number.
1 is the first match on the variable, 2 is the next one, etc.
Length
Length of a variable match
Fields
occurence_number: Box<Expression>Occurrence number.
1 is the first match on the variable, 2 is the next one, etc.
Neg(Box<Expression>)
Opposite value, for integers and floats.
Add(Box<Expression>, Box<Expression>)
Addition, for integers and floats.
Sub(Box<Expression>, Box<Expression>)
Substraction, for integers and floats.
Mul(Box<Expression>, Box<Expression>)
Multiplication, for integers and floats.
Div(Box<Expression>, Box<Expression>)
Division, for integers and floats.
Mod(Box<Expression>, Box<Expression>)
Modulo, for integers.
BitwiseXor(Box<Expression>, Box<Expression>)
Bitwise xor, for integers.
BitwiseAnd(Box<Expression>, Box<Expression>)
Bitwise and, for integers.
BitwiseOr(Box<Expression>, Box<Expression>)
Bitwise or, for integers.
BitwiseNot(Box<Expression>)
Bitwise negation, for integers.
ShiftLeft(Box<Expression>, Box<Expression>)
Shift left, both elements must be integers.
ShiftRight(Box<Expression>, Box<Expression>)
Shift right, both elements must be integers.
And(Vec<Expression>)
Boolean and operation.
Or(Vec<Expression>)
Boolean or operation.
Not(Box<Expression>)
Boolean negation.
Cmp
Comparison.
Integers and floats can be compared to integers and floats. Strings can be compared to strings.
Eq(Box<Expression>, Box<Expression>)
Equal
NotEq(Box<Expression>, Box<Expression>)
Not equal
Contains
Does a string contains another string
StartsWith
Does a string starts with another string
EndsWith
Does a string ends with another string
IEquals(Box<Expression>, Box<Expression>)
Case insensitive equality test. Both elements must be strings.
Matches(Box<Expression>, Regex)
Does a string matches a regex.
Defined(Box<Expression>)
Is a given value defined.
For example, defined filesize will be true when scanning a file,
false otherwise.
Boolean(bool)
A boolean value.
Variable(String)
Does a variable matches
VariableAt
Does a variable matches at a given offset.
Fields
offset: Box<Expression>Offset
VariableIn
Does a variable matches in a given offset range.
For
Evaluate multiple variables on a given expression.
For each variable in set, evaluate body.
Then, if the number of evaluations returning true
matches the selection, then this expression returns true.
Fields
selection: ForSelectionHow many variables must match for this expression to be true.
set: VariableSetWhich variables to select.
body: Option<Box<Expression>>ParsedExpr to evaluate for each variable.
The body can contain $, #, @ or ! to refer to the
currently selected variable.
If unset, this is equivalent to $, i.e. true if the selected
variable matches.
ForIn
Evaluate the presence of multiple variables in a given range.
This is equivalent to a Self::For value, with a body
set to $ in (from..to).
Fields
selection: ForSelectionHow many variables must match for this expresion to be true.
set: VariableSetWhich variables to select.
from: Box<Expression>Starting offset, included.
to: Box<Expression>Ending offset, included.
ForAt
Evaluate the presence of multiple variables at a given offset.
This is equivalent to a Self::For value, with a body
set to $ at expr.
Fields
selection: ForSelectionHow many variables must match for this expresion to be true.
set: VariableSetWhich variables to select.
offset: Box<Expression>Offset of the variable match.
ForIdentifiers
Evaluate an identifier with multiple values on a given expression.
Same as Self::For, but instead of binding a variable,
an identifier is bounded to multiple values.
For example: for all i in (0..#a): ( @a[i] < 100 )
Fields
selection: ForSelectionHow many times the body must evaluate to true for this expresion to be true.
identifiers: Vec<String>List of identifiers to bind.
This is a list because the values bounded can be complex, ie arrays or dictionaries. This list is the same length as the cardinality of the values in the iterator.
iterator: ForIteratorValues to bind to the identifiers.
body: Box<Expression>Body to evaluate for each binding.
ForRules
Depend on multiple rules already declared in the namespace.
If the number of matching rules in the set matches the selection,
this expression returns true.
Fields
selection: ForSelectionHow many variables must match for this expression to be true.
Identifier(Identifier)
An identifier.
Bytes(Vec<u8>)
A byte string.
Regex(Regex)
A regex.
Trait Implementations§
Source§impl Clone for ExpressionKind
impl Clone for ExpressionKind
Source§fn clone(&self) -> ExpressionKind
fn clone(&self) -> ExpressionKind
1.0.0 · Source§fn clone_from(&mut self, source: &Self)
fn clone_from(&mut self, source: &Self)
source. Read more