yara-x-parser 1.3.0

A parsing library for YARA rules.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360

Begin { kind: SOURCE_FILE, span: Span(0..472) }
Begin { kind: RULE_DECL, span: Span(0..50) }
Token { kind: RULE_KW, span: Span(0..4) }
Token { kind: WHITESPACE, span: Span(4..5) }
Token { kind: IDENT, span: Span(5..11) }
Token { kind: WHITESPACE, span: Span(11..12) }
Token { kind: L_BRACE, span: Span(12..13) }
Token { kind: NEWLINE, span: Span(13..14) }
Token { kind: WHITESPACE, span: Span(14..15) }
Begin { kind: CONDITION_BLK, span: Span(15..48) }
Token { kind: CONDITION_KW, span: Span(15..24) }
Token { kind: COLON, span: Span(24..25) }
Token { kind: NEWLINE, span: Span(25..26) }
Token { kind: WHITESPACE, span: Span(26..28) }
Begin { kind: BOOLEAN_EXPR, span: Span(28..48) }
Begin { kind: BOOLEAN_TERM, span: Span(28..48) }
Begin { kind: EXPR, span: Span(28..33) }
Begin { kind: TERM, span: Span(28..33) }
Begin { kind: PRIMARY_EXPR, span: Span(28..33) }
Token { kind: STRING_LIT, span: Span(28..33) }
End { kind: PRIMARY_EXPR, span: Span(28..33) }
End { kind: TERM, span: Span(28..33) }
End { kind: EXPR, span: Span(28..33) }
Token { kind: WHITESPACE, span: Span(33..34) }
Token { kind: CONTAINS_KW, span: Span(34..42) }
Token { kind: WHITESPACE, span: Span(42..43) }
Begin { kind: EXPR, span: Span(43..48) }
Begin { kind: TERM, span: Span(43..48) }
Begin { kind: PRIMARY_EXPR, span: Span(43..48) }
Token { kind: STRING_LIT, span: Span(43..48) }
End { kind: PRIMARY_EXPR, span: Span(43..48) }
End { kind: TERM, span: Span(43..48) }
End { kind: EXPR, span: Span(43..48) }
End { kind: BOOLEAN_TERM, span: Span(28..48) }
End { kind: BOOLEAN_EXPR, span: Span(28..48) }
End { kind: CONDITION_BLK, span: Span(15..48) }
Token { kind: NEWLINE, span: Span(48..49) }
Token { kind: R_BRACE, span: Span(49..50) }
End { kind: RULE_DECL, span: Span(0..50) }
Token { kind: NEWLINE, span: Span(50..51) }
Token { kind: NEWLINE, span: Span(51..52) }
Begin { kind: RULE_DECL, span: Span(52..103) }
Token { kind: RULE_KW, span: Span(52..56) }
Token { kind: WHITESPACE, span: Span(56..57) }
Token { kind: IDENT, span: Span(57..63) }
Token { kind: WHITESPACE, span: Span(63..64) }
Token { kind: L_BRACE, span: Span(64..65) }
Token { kind: NEWLINE, span: Span(65..66) }
Token { kind: WHITESPACE, span: Span(66..67) }
Begin { kind: CONDITION_BLK, span: Span(67..101) }
Token { kind: CONDITION_KW, span: Span(67..76) }
Token { kind: COLON, span: Span(76..77) }
Token { kind: NEWLINE, span: Span(77..78) }
Token { kind: WHITESPACE, span: Span(78..80) }
Begin { kind: BOOLEAN_EXPR, span: Span(80..101) }
Begin { kind: BOOLEAN_TERM, span: Span(80..101) }
Begin { kind: EXPR, span: Span(80..85) }
Begin { kind: TERM, span: Span(80..85) }
Begin { kind: PRIMARY_EXPR, span: Span(80..85) }
Token { kind: STRING_LIT, span: Span(80..85) }
End { kind: PRIMARY_EXPR, span: Span(80..85) }
End { kind: TERM, span: Span(80..85) }
End { kind: EXPR, span: Span(80..85) }
Token { kind: WHITESPACE, span: Span(85..86) }
Token { kind: ICONTAINS_KW, span: Span(86..95) }
Token { kind: WHITESPACE, span: Span(95..96) }
Begin { kind: EXPR, span: Span(96..101) }
Begin { kind: TERM, span: Span(96..101) }
Begin { kind: PRIMARY_EXPR, span: Span(96..101) }
Token { kind: STRING_LIT, span: Span(96..101) }
End { kind: PRIMARY_EXPR, span: Span(96..101) }
End { kind: TERM, span: Span(96..101) }
End { kind: EXPR, span: Span(96..101) }
End { kind: BOOLEAN_TERM, span: Span(80..101) }
End { kind: BOOLEAN_EXPR, span: Span(80..101) }
End { kind: CONDITION_BLK, span: Span(67..101) }
Token { kind: NEWLINE, span: Span(101..102) }
Token { kind: R_BRACE, span: Span(102..103) }
End { kind: RULE_DECL, span: Span(52..103) }
Token { kind: NEWLINE, span: Span(103..104) }
Token { kind: NEWLINE, span: Span(104..105) }
Begin { kind: RULE_DECL, span: Span(105..157) }
Token { kind: RULE_KW, span: Span(105..109) }
Token { kind: WHITESPACE, span: Span(109..110) }
Token { kind: IDENT, span: Span(110..116) }
Token { kind: WHITESPACE, span: Span(116..117) }
Token { kind: L_BRACE, span: Span(117..118) }
Token { kind: NEWLINE, span: Span(118..119) }
Token { kind: WHITESPACE, span: Span(119..120) }
Begin { kind: CONDITION_BLK, span: Span(120..155) }
Token { kind: CONDITION_KW, span: Span(120..129) }
Token { kind: COLON, span: Span(129..130) }
Token { kind: NEWLINE, span: Span(130..131) }
Token { kind: WHITESPACE, span: Span(131..133) }
Begin { kind: BOOLEAN_EXPR, span: Span(133..155) }
Begin { kind: BOOLEAN_TERM, span: Span(133..155) }
Begin { kind: EXPR, span: Span(133..138) }
Begin { kind: TERM, span: Span(133..138) }
Begin { kind: PRIMARY_EXPR, span: Span(133..138) }
Token { kind: STRING_LIT, span: Span(133..138) }
End { kind: PRIMARY_EXPR, span: Span(133..138) }
End { kind: TERM, span: Span(133..138) }
End { kind: EXPR, span: Span(133..138) }
Token { kind: WHITESPACE, span: Span(138..139) }
Token { kind: STARTSWITH_KW, span: Span(139..149) }
Token { kind: WHITESPACE, span: Span(149..150) }
Begin { kind: EXPR, span: Span(150..155) }
Begin { kind: TERM, span: Span(150..155) }
Begin { kind: PRIMARY_EXPR, span: Span(150..155) }
Token { kind: STRING_LIT, span: Span(150..155) }
End { kind: PRIMARY_EXPR, span: Span(150..155) }
End { kind: TERM, span: Span(150..155) }
End { kind: EXPR, span: Span(150..155) }
End { kind: BOOLEAN_TERM, span: Span(133..155) }
End { kind: BOOLEAN_EXPR, span: Span(133..155) }
End { kind: CONDITION_BLK, span: Span(120..155) }
Token { kind: NEWLINE, span: Span(155..156) }
Token { kind: R_BRACE, span: Span(156..157) }
End { kind: RULE_DECL, span: Span(105..157) }
Token { kind: NEWLINE, span: Span(157..158) }
Token { kind: NEWLINE, span: Span(158..159) }
Begin { kind: RULE_DECL, span: Span(159..212) }
Token { kind: RULE_KW, span: Span(159..163) }
Token { kind: WHITESPACE, span: Span(163..164) }
Token { kind: IDENT, span: Span(164..170) }
Token { kind: WHITESPACE, span: Span(170..171) }
Token { kind: L_BRACE, span: Span(171..172) }
Token { kind: NEWLINE, span: Span(172..173) }
Token { kind: WHITESPACE, span: Span(173..174) }
Begin { kind: CONDITION_BLK, span: Span(174..210) }
Token { kind: CONDITION_KW, span: Span(174..183) }
Token { kind: COLON, span: Span(183..184) }
Token { kind: NEWLINE, span: Span(184..185) }
Token { kind: WHITESPACE, span: Span(185..187) }
Begin { kind: BOOLEAN_EXPR, span: Span(187..210) }
Begin { kind: BOOLEAN_TERM, span: Span(187..210) }
Begin { kind: EXPR, span: Span(187..192) }
Begin { kind: TERM, span: Span(187..192) }
Begin { kind: PRIMARY_EXPR, span: Span(187..192) }
Token { kind: STRING_LIT, span: Span(187..192) }
End { kind: PRIMARY_EXPR, span: Span(187..192) }
End { kind: TERM, span: Span(187..192) }
End { kind: EXPR, span: Span(187..192) }
Token { kind: WHITESPACE, span: Span(192..193) }
Token { kind: ISTARTSWITH_KW, span: Span(193..204) }
Token { kind: WHITESPACE, span: Span(204..205) }
Begin { kind: EXPR, span: Span(205..210) }
Begin { kind: TERM, span: Span(205..210) }
Begin { kind: PRIMARY_EXPR, span: Span(205..210) }
Token { kind: STRING_LIT, span: Span(205..210) }
End { kind: PRIMARY_EXPR, span: Span(205..210) }
End { kind: TERM, span: Span(205..210) }
End { kind: EXPR, span: Span(205..210) }
End { kind: BOOLEAN_TERM, span: Span(187..210) }
End { kind: BOOLEAN_EXPR, span: Span(187..210) }
End { kind: CONDITION_BLK, span: Span(174..210) }
Token { kind: NEWLINE, span: Span(210..211) }
Token { kind: R_BRACE, span: Span(211..212) }
End { kind: RULE_DECL, span: Span(159..212) }
Token { kind: NEWLINE, span: Span(212..213) }
Token { kind: NEWLINE, span: Span(213..214) }
Begin { kind: RULE_DECL, span: Span(214..264) }
Token { kind: RULE_KW, span: Span(214..218) }
Token { kind: WHITESPACE, span: Span(218..219) }
Token { kind: IDENT, span: Span(219..225) }
Token { kind: WHITESPACE, span: Span(225..226) }
Token { kind: L_BRACE, span: Span(226..227) }
Token { kind: NEWLINE, span: Span(227..228) }
Token { kind: WHITESPACE, span: Span(228..229) }
Begin { kind: CONDITION_BLK, span: Span(229..262) }
Token { kind: CONDITION_KW, span: Span(229..238) }
Token { kind: COLON, span: Span(238..239) }
Token { kind: NEWLINE, span: Span(239..240) }
Token { kind: WHITESPACE, span: Span(240..242) }
Begin { kind: BOOLEAN_EXPR, span: Span(242..262) }
Begin { kind: BOOLEAN_TERM, span: Span(242..262) }
Begin { kind: EXPR, span: Span(242..247) }
Begin { kind: TERM, span: Span(242..247) }
Begin { kind: PRIMARY_EXPR, span: Span(242..247) }
Token { kind: STRING_LIT, span: Span(242..247) }
End { kind: PRIMARY_EXPR, span: Span(242..247) }
End { kind: TERM, span: Span(242..247) }
End { kind: EXPR, span: Span(242..247) }
Token { kind: WHITESPACE, span: Span(247..248) }
Token { kind: ENDSWITH_KW, span: Span(248..256) }
Token { kind: WHITESPACE, span: Span(256..257) }
Begin { kind: EXPR, span: Span(257..262) }
Begin { kind: TERM, span: Span(257..262) }
Begin { kind: PRIMARY_EXPR, span: Span(257..262) }
Token { kind: STRING_LIT, span: Span(257..262) }
End { kind: PRIMARY_EXPR, span: Span(257..262) }
End { kind: TERM, span: Span(257..262) }
End { kind: EXPR, span: Span(257..262) }
End { kind: BOOLEAN_TERM, span: Span(242..262) }
End { kind: BOOLEAN_EXPR, span: Span(242..262) }
End { kind: CONDITION_BLK, span: Span(229..262) }
Token { kind: NEWLINE, span: Span(262..263) }
Token { kind: R_BRACE, span: Span(263..264) }
End { kind: RULE_DECL, span: Span(214..264) }
Token { kind: NEWLINE, span: Span(264..265) }
Token { kind: NEWLINE, span: Span(265..266) }
Begin { kind: RULE_DECL, span: Span(266..317) }
Token { kind: RULE_KW, span: Span(266..270) }
Token { kind: WHITESPACE, span: Span(270..271) }
Token { kind: IDENT, span: Span(271..277) }
Token { kind: WHITESPACE, span: Span(277..278) }
Token { kind: L_BRACE, span: Span(278..279) }
Token { kind: NEWLINE, span: Span(279..280) }
Token { kind: WHITESPACE, span: Span(280..281) }
Begin { kind: CONDITION_BLK, span: Span(281..315) }
Token { kind: CONDITION_KW, span: Span(281..290) }
Token { kind: COLON, span: Span(290..291) }
Token { kind: NEWLINE, span: Span(291..292) }
Token { kind: WHITESPACE, span: Span(292..294) }
Begin { kind: BOOLEAN_EXPR, span: Span(294..315) }
Begin { kind: BOOLEAN_TERM, span: Span(294..315) }
Begin { kind: EXPR, span: Span(294..299) }
Begin { kind: TERM, span: Span(294..299) }
Begin { kind: PRIMARY_EXPR, span: Span(294..299) }
Token { kind: STRING_LIT, span: Span(294..299) }
End { kind: PRIMARY_EXPR, span: Span(294..299) }
End { kind: TERM, span: Span(294..299) }
End { kind: EXPR, span: Span(294..299) }
Token { kind: WHITESPACE, span: Span(299..300) }
Token { kind: IENDSWITH_KW, span: Span(300..309) }
Token { kind: WHITESPACE, span: Span(309..310) }
Begin { kind: EXPR, span: Span(310..315) }
Begin { kind: TERM, span: Span(310..315) }
Begin { kind: PRIMARY_EXPR, span: Span(310..315) }
Token { kind: STRING_LIT, span: Span(310..315) }
End { kind: PRIMARY_EXPR, span: Span(310..315) }
End { kind: TERM, span: Span(310..315) }
End { kind: EXPR, span: Span(310..315) }
End { kind: BOOLEAN_TERM, span: Span(294..315) }
End { kind: BOOLEAN_EXPR, span: Span(294..315) }
End { kind: CONDITION_BLK, span: Span(281..315) }
Token { kind: NEWLINE, span: Span(315..316) }
Token { kind: R_BRACE, span: Span(316..317) }
End { kind: RULE_DECL, span: Span(266..317) }
Token { kind: NEWLINE, span: Span(317..318) }
Token { kind: NEWLINE, span: Span(318..319) }
Begin { kind: RULE_DECL, span: Span(319..368) }
Token { kind: RULE_KW, span: Span(319..323) }
Token { kind: WHITESPACE, span: Span(323..324) }
Token { kind: IDENT, span: Span(324..330) }
Token { kind: WHITESPACE, span: Span(330..331) }
Token { kind: L_BRACE, span: Span(331..332) }
Token { kind: NEWLINE, span: Span(332..333) }
Token { kind: WHITESPACE, span: Span(333..334) }
Begin { kind: CONDITION_BLK, span: Span(334..366) }
Token { kind: CONDITION_KW, span: Span(334..343) }
Token { kind: COLON, span: Span(343..344) }
Token { kind: NEWLINE, span: Span(344..345) }
Token { kind: WHITESPACE, span: Span(345..347) }
Begin { kind: BOOLEAN_EXPR, span: Span(347..366) }
Begin { kind: BOOLEAN_TERM, span: Span(347..366) }
Begin { kind: EXPR, span: Span(347..352) }
Begin { kind: TERM, span: Span(347..352) }
Begin { kind: PRIMARY_EXPR, span: Span(347..352) }
Token { kind: STRING_LIT, span: Span(347..352) }
End { kind: PRIMARY_EXPR, span: Span(347..352) }
End { kind: TERM, span: Span(347..352) }
End { kind: EXPR, span: Span(347..352) }
Token { kind: WHITESPACE, span: Span(352..353) }
Token { kind: MATCHES_KW, span: Span(353..360) }
Token { kind: WHITESPACE, span: Span(360..361) }
Begin { kind: EXPR, span: Span(361..366) }
Begin { kind: TERM, span: Span(361..366) }
Begin { kind: PRIMARY_EXPR, span: Span(361..366) }
Token { kind: REGEXP, span: Span(361..366) }
End { kind: PRIMARY_EXPR, span: Span(361..366) }
End { kind: TERM, span: Span(361..366) }
End { kind: EXPR, span: Span(361..366) }
End { kind: BOOLEAN_TERM, span: Span(347..366) }
End { kind: BOOLEAN_EXPR, span: Span(347..366) }
End { kind: CONDITION_BLK, span: Span(334..366) }
Token { kind: NEWLINE, span: Span(366..367) }
Token { kind: R_BRACE, span: Span(367..368) }
End { kind: RULE_DECL, span: Span(319..368) }
Token { kind: NEWLINE, span: Span(368..369) }
Token { kind: NEWLINE, span: Span(369..370) }
Begin { kind: RULE_DECL, span: Span(370..421) }
Token { kind: RULE_KW, span: Span(370..374) }
Token { kind: WHITESPACE, span: Span(374..375) }
Token { kind: IDENT, span: Span(375..381) }
Token { kind: WHITESPACE, span: Span(381..382) }
Token { kind: L_BRACE, span: Span(382..383) }
Token { kind: NEWLINE, span: Span(383..384) }
Token { kind: WHITESPACE, span: Span(384..385) }
Begin { kind: CONDITION_BLK, span: Span(385..419) }
Token { kind: CONDITION_KW, span: Span(385..394) }
Token { kind: COLON, span: Span(394..395) }
Token { kind: NEWLINE, span: Span(395..396) }
Token { kind: WHITESPACE, span: Span(396..398) }
Begin { kind: BOOLEAN_EXPR, span: Span(398..419) }
Begin { kind: BOOLEAN_TERM, span: Span(398..419) }
Begin { kind: EXPR, span: Span(398..403) }
Begin { kind: TERM, span: Span(398..403) }
Begin { kind: PRIMARY_EXPR, span: Span(398..403) }
Token { kind: STRING_LIT, span: Span(398..403) }
End { kind: PRIMARY_EXPR, span: Span(398..403) }
End { kind: TERM, span: Span(398..403) }
End { kind: EXPR, span: Span(398..403) }
Token { kind: WHITESPACE, span: Span(403..404) }
Token { kind: MATCHES_KW, span: Span(404..411) }
Token { kind: WHITESPACE, span: Span(411..412) }
Begin { kind: EXPR, span: Span(412..419) }
Begin { kind: TERM, span: Span(412..419) }
Begin { kind: PRIMARY_EXPR, span: Span(412..419) }
Token { kind: REGEXP, span: Span(412..419) }
End { kind: PRIMARY_EXPR, span: Span(412..419) }
End { kind: TERM, span: Span(412..419) }
End { kind: EXPR, span: Span(412..419) }
End { kind: BOOLEAN_TERM, span: Span(398..419) }
End { kind: BOOLEAN_EXPR, span: Span(398..419) }
End { kind: CONDITION_BLK, span: Span(385..419) }
Token { kind: NEWLINE, span: Span(419..420) }
Token { kind: R_BRACE, span: Span(420..421) }
End { kind: RULE_DECL, span: Span(370..421) }
Token { kind: NEWLINE, span: Span(421..422) }
Token { kind: NEWLINE, span: Span(422..423) }
Begin { kind: RULE_DECL, span: Span(423..472) }
Token { kind: RULE_KW, span: Span(423..427) }
Token { kind: WHITESPACE, span: Span(427..428) }
Token { kind: IDENT, span: Span(428..434) }
Token { kind: WHITESPACE, span: Span(434..435) }
Token { kind: L_BRACE, span: Span(435..436) }
Token { kind: NEWLINE, span: Span(436..437) }
Token { kind: WHITESPACE, span: Span(437..438) }
Begin { kind: CONDITION_BLK, span: Span(438..470) }
Token { kind: CONDITION_KW, span: Span(438..447) }
Token { kind: COLON, span: Span(447..448) }
Token { kind: NEWLINE, span: Span(448..449) }
Token { kind: WHITESPACE, span: Span(449..451) }
Begin { kind: BOOLEAN_EXPR, span: Span(451..470) }
Begin { kind: BOOLEAN_TERM, span: Span(451..470) }
Begin { kind: EXPR, span: Span(451..456) }
Begin { kind: TERM, span: Span(451..456) }
Begin { kind: PRIMARY_EXPR, span: Span(451..456) }
Token { kind: STRING_LIT, span: Span(451..456) }
End { kind: PRIMARY_EXPR, span: Span(451..456) }
End { kind: TERM, span: Span(451..456) }
End { kind: EXPR, span: Span(451..456) }
Token { kind: WHITESPACE, span: Span(456..457) }
Token { kind: IEQUALS_KW, span: Span(457..464) }
Token { kind: WHITESPACE, span: Span(464..465) }
Begin { kind: EXPR, span: Span(465..470) }
Begin { kind: TERM, span: Span(465..470) }
Begin { kind: PRIMARY_EXPR, span: Span(465..470) }
Token { kind: STRING_LIT, span: Span(465..470) }
End { kind: PRIMARY_EXPR, span: Span(465..470) }
End { kind: TERM, span: Span(465..470) }
End { kind: EXPR, span: Span(465..470) }
End { kind: BOOLEAN_TERM, span: Span(451..470) }
End { kind: BOOLEAN_EXPR, span: Span(451..470) }
End { kind: CONDITION_BLK, span: Span(438..470) }
Token { kind: NEWLINE, span: Span(470..471) }
Token { kind: R_BRACE, span: Span(471..472) }
End { kind: RULE_DECL, span: Span(423..472) }
End { kind: SOURCE_FILE, span: Span(0..472) }