yara-x 1.15.0

A pure Rust implementation of YARA.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106

use crate::modules::prelude::*;
use crate::modules::protos::string::*;


#[module_main]
fn main(_data: &[u8], _meta: Option<&[u8]>) -> Result<String, ModuleError> {
    // Nothing to do, but we have to return our protobuf
    Ok(String::new())
}

/// Converts a string to an integer.
#[module_export]
fn to_int(ctx: &ScanContext, string: RuntimeString) -> Option<i64> {
    let string = string.to_str(ctx).ok()?;
    string.parse::<i64>().ok()
}

/// Converts a string to an integer in the given base.
#[module_export(name = "to_int")]
fn to_int_base(
    ctx: &ScanContext,
    string: RuntimeString,
    base: i64,
) -> Option<i64> {
    let base: u32 = base.try_into().ok()?;
    if !(2..=36).contains(&base) {
        return None;
    }
    let string = string.to_str(ctx).ok()?;
    i64::from_str_radix(string, base).ok()
}

/// Returns the length of the string.
#[module_export]
fn length(ctx: &ScanContext, string: RuntimeString) -> Option<i64> {
    Some(string.as_bstr(ctx).len().try_into().unwrap())
}

#[cfg(test)]
mod tests {
    use crate::tests::rule_false;
    use crate::tests::rule_true;
    use crate::tests::test_rule;

    #[test]
    fn length() {
        rule_true!(
            r#"
            import "string"
            rule test { condition: string.length("AXsx00ERS") == 9 }"#,
            &[]
        );

        rule_false!(
            r#"
            import "string"
            rule test { condition: string.length("AXsx00ERS") > 9 }"#,
            &[]
        );

        rule_false!(
            r#"
            import "string"
            rule test { condition: string.length("AXsx00ERS") < 9 }"#,
            &[]
        );
    }

    #[test]
    fn to_int() {
        rule_true!(
            r#"
            import "string"
            rule test { condition: string.to_int("1234") == 1234 }"#,
            &[]
        );

        rule_true!(
            r#"
            import "string"
            rule test { condition: string.to_int("-10") == -10 }"#,
            &[]
        );

        rule_true!(
            r#"
            import "string"
            rule test { condition: string.to_int("A", 16) == 10 }"#,
            &[]
        );

        rule_true!(
            r#"
            import "string"
            rule test { condition: string.to_int("011", 8) == 9 }"#,
            &[]
        );

        rule_true!(
            r#"
            import "string"
            rule test { condition: string.to_int("-011", 8) == -9 }"#,
            &[]
        );
    }
}