yara-x 1.17.0

A pure Rust implementation of YARA.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62

RULE test_1
  15: WITH -- hash: 0xbde03d097f7ede1
    14: FIELD_ACCESS -- hash: 0xb93ff31706b0e381
      2: SYMBOL Field { index: 0, is_root: true, type_value: struct, acl: None, deprecation_notice: None }
      3: SYMBOL Field { index: 49, is_root: false, type_value: array, acl: None, deprecation_notice: None }
    13: FOR_IN -- hash: 0xc64e600939c50740
          n: Var { frame_id: 1, ty: integer, index: 1 }
          i: Var { frame_id: 1, ty: integer, index: 2 }
          max_count: Var { frame_id: 1, ty: integer, index: 3 }
          count: Var { frame_id: 1, ty: integer, index: 4 }
          item: Var { frame_id: 1, ty: unknown, index: 5 }
      0: CONST integer(0)
      1: CONST integer(1)
      12: EQ -- hash: 0xa8c03d82477d27bd
        10: FIELD_ACCESS -- hash: 0x8ec5c4d884e08cef
          6: LOOKUP -- hash: 0x6902899869d87c84
            4: SYMBOL Var { var: Var { frame_id: 0, ty: array, index: 0 }, type_value: array }
            5: SYMBOL Var { var: Var { frame_id: 1, ty: integer, index: 6 }, type_value: integer(unknown) }
          9: LOOKUP -- hash: 0x8cb8293be3610855
            7: SYMBOL Field { index: 6, is_root: false, type_value: array, acl: None, deprecation_notice: None }
            8: CONST integer(0)
        11: CONST integer(0)

RULE test_2
  7: DEFINED -- hash: 0xcb28b3121bed9db
    9: WITH -- hash: 0x2cdfa770a16582a3
      8: FN_CALL test_proto2.undef_i64@@iu -- hash: 0x27b4fb38ce4fcd4d
      11: WITH -- hash: 0xc33384ebfd4dca39
        10: EQ -- hash: 0xdda4166d98e5fb3
          3: SYMBOL Var { var: Var { frame_id: 0, ty: integer, index: 0 }, type_value: integer(unknown) }
          4: CONST integer(0)
        6: FOR_IN -- hash: 0xf1259fea1ea134ba
              n: Var { frame_id: 1, ty: integer, index: 2 }
              i: Var { frame_id: 1, ty: integer, index: 3 }
              max_count: Var { frame_id: 1, ty: integer, index: 4 }
              count: Var { frame_id: 1, ty: integer, index: 5 }
              item: Var { frame_id: 1, ty: unknown, index: 6 }
          0: CONST integer(0)
          1: CONST integer(10)
          5: SYMBOL Var { var: Var { frame_id: 0, ty: boolean, index: 1 }, type_value: boolean(unknown) }

RULE test_3
  18: OR -- hash: 0x296ac0215c519821
    5: CONTAINS -- hash: 0xe79cb207bd3992e5
      3: FIELD_ACCESS -- hash: 0x63bc9bc95d660aee
        0: SYMBOL Field { index: 0, is_root: true, type_value: struct, acl: None, deprecation_notice: None }
        1: SYMBOL Field { index: 44, is_root: false, type_value: struct, acl: None, deprecation_notice: None }
        2: SYMBOL Field { index: 5, is_root: false, type_value: string(unknown), acl: None, deprecation_notice: None }
      4: CONST string("foo")
    11: CONTAINS -- hash: 0xe79cb207bd3992e5
      9: FIELD_ACCESS -- hash: 0x63bc9bc95d660aee
        6: SYMBOL Field { index: 0, is_root: true, type_value: struct, acl: None, deprecation_notice: None }
        7: SYMBOL Field { index: 44, is_root: false, type_value: struct, acl: None, deprecation_notice: None }
        8: SYMBOL Field { index: 5, is_root: false, type_value: string(unknown), acl: None, deprecation_notice: None }
      10: CONST string("foo")
    17: CONTAINS -- hash: 0x721aded6408bbea
      15: FIELD_ACCESS -- hash: 0x63bc9bc95d660aee
        12: SYMBOL Field { index: 0, is_root: true, type_value: struct, acl: None, deprecation_notice: None }
        13: SYMBOL Field { index: 44, is_root: false, type_value: struct, acl: None, deprecation_notice: None }
        14: SYMBOL Field { index: 5, is_root: false, type_value: string(unknown), acl: None, deprecation_notice: None }
      16: CONST string("bar")