// Sample YARA file for Syntax Highlighting
// Obtained from: https://yara.readthedocs.io/en/stable/writingrules.html

/*
This is a multi-line comment ...
*/

// Example rule from the YARA docs, tagged "banker". Matches when any one of
// the three patterns is present (`any of them` is equivalent to `$a or $b or $c`).
rule silent_banker : banker
{
    meta:
        description = "This is just an example"
        threat_level = 3
        in_the_wild = true

    strings:
        // Two raw hex byte sequences and one text string. Their origin is not
        // stated in this sample, so no meaning is claimed for them here.
        $a = {6A 40 68 00 30 00 00 6A 14 8D 91}
        $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
        $c = "UVODFRYSIHLNWPEJXQZAKCBGMT"

    condition:
        any of them
}

// Minimal rule: no strings section, constant condition. It can never match;
// it exists only to show the smallest syntactically valid rule.
rule dummy
{
condition:
false
}

// One text string and one hex string; the rule fires if either is found
// anywhere in the scanned data (`any of them` == `$my_text_string or $my_hex_string`).
rule ExampleRule
{
    strings:
        $my_text_string = "text here"
        $my_hex_string = { E2 34 A1 C8 23 FB }

    condition:
        any of them
}

// Hexadecimal strings

// Hex string with wildcards: `??` matches any single byte, `A?` matches any
// byte whose high nibble is 0xA (the `?` stands for one unknown nibble).
rule WildcardExample
{
strings:
$hex_string = { E2 34 ?? C8 A? FB }

condition:
$hex_string
}

// Hex string with a jump: `[4-6]` allows between 4 and 6 arbitrary bytes
// between `F4 23` and `62 B4`.
rule JumpExample
{
strings:
$hex_string = { F4 23 [4-6] 62 B4 }

condition:
$hex_string
}

// Hex string with alternatives: the parenthesised group matches exactly one of
// `62 B4`, `56`, or `45 ?? 67` (alternatives may differ in length and may
// themselves contain wildcards).
rule AlternativesExample
{
strings:
$hex_string = { F4 23 ( 62 B4 | 56 | 45 ?? 67 ) 45 }

condition:
$hex_string
}

// Text strings

// The `nocase` modifier makes the text string match regardless of letter
// case ("foobar", "FOOBAR", "FooBar", ...).
rule CaseInsensitiveTextExample
{
strings:
$text_string = "foobar" nocase

condition:
$text_string
}

// `wide` searches for the string with each character followed by a zero byte
// (the two-byte form used by UTF-16LE for ASCII text); adding `ascii` keeps the
// plain one-byte form as well, so both encodings are matched.
rule WideCharTextExample
{
strings:
$wide_and_ascii_string = "Borland" wide ascii

condition:
$wide_and_ascii_string
}

// XOR strings

// `xor` with no key range searches for the string XOR-ed with every
// single-byte key, 0x00 through 0xFF. Key 0x00 is the unmodified text, so
// this also matches the plain string.
rule XorExample1
{
strings:
$xor_string = "This program cannot" xor

condition:
$xor_string
}

// Hand-enumerated equivalent of the `xor` modifier: each string is the
// plaintext XOR-ed with one key (0x00, 0x01, 0x02). Covering all 256 keys this
// way is what the `xor` modifier in XorExample1 does automatically.
rule XorExample2
{
strings:
$xor_string_00 = "This program cannot"
$xor_string_01 = "Uihr!qsnfs`l!b`oonu"
$xor_string_02 = "Vjkq\"rpmepco\"acllmv"
// Repeat for every single byte XOR
condition:
any of them
}

// `xor` combined with `wide ascii`: every single-byte XOR key is applied to
// both the one-byte and the zero-interleaved two-byte form of the string.
rule XorExample3
{
strings:
$xor_string = "This program cannot" xor wide ascii
condition:
$xor_string
}

// Hand-enumerated equivalent of `xor wide` (compare XorExample3): the
// zero-interleaved form of the string XOR-ed with keys 0x00, 0x01 and 0x02.
// Note the interleaved zero bytes are XOR-ed too (\x00 -> \x01 -> \x02).
rule XorExample4
{
strings:
$xor_string_00 = "T\x00h\x00i\x00s\x00 \x00p\x00r\x00o\x00g\x00r\x00a\x00m\x00 \x00c\x00a\x00n\x00n\x00o\x00t\x00"
$xor_string_01 = "U\x01i\x01h\x01r\x01!\x01q\x01s\x01n\x01f\x01s\x01`\x01l\x01!\x01b\x01`\x01o\x01o\x01n\x01u\x01"
$xor_string_02 = "V\x02j\x02k\x02q\x02\"\x02r\x02p\x02m\x02e\x02p\x02c\x02o\x02\"\x02a\x02c\x02l\x02l\x02m\x02v\x02"
// Repeat for every single byte XOR operation.
condition:
any of them
}

// `xor` with an explicit key range. Starting at 0x01 excludes key 0x00, so
// unlike XorExample1 this does NOT match the unmodified plaintext -- only
// genuinely XOR-obfuscated copies.
rule XorExample5
{
strings:
$xor_string = "This program cannot" xor(0x01-0xff)
condition:
$xor_string
}

// Base64 strings

// `base64` searches for the base64-encoded forms of the string. Because
// base64 alignment depends on the byte offset, YARA generates the encodings
// for all three possible alignments of the string.
rule Base64Example1
{
strings:
$a = "This program cannot" base64

condition:
$a
}

// `base64` with a custom alphabet, for data encoded with a non-standard
// base64 table. The alphabet argument must be exactly 64 bytes long; here it
// includes a literal tab (\x09) in place of the usual 'K'.
rule Base64Example2
{
strings:
$a = "This program cannot" base64("!@#$%^&*(){}[].,|ABCDEFGHIJ\x09LMNOPQRSTUVWXYZabcdefghijklmnopqrstu")

condition:
$a
}

// Regular expressions

// Two regular-expression strings: a "md5: " label followed by 32 hex digits,
// and "state: " followed by on/off. Both must be present; `all of them` is
// equivalent to `$re1 and $re2`.
rule RegExpExample1
{
    strings:
        $re1 = /md5: [0-9a-fA-F]{32}/
        $re2 = /state: (on|off)/

    condition:
        all of them
}

// Conditions

// Grouped boolean condition: at least one of the first pair AND at least one
// of the second pair. `1 of (...)` on a two-string set is equivalent to the
// `(... or ...)` form.
rule Example
{
    strings:
        $a = "text1"
        $b = "text2"
        $c = "text3"
        $d = "text4"

    condition:
        1 of ($a, $b) and 1 of ($c, $d)
}

// `#a` is the number of occurrences of string $a in the scanned data, so the
// rule requires exactly six copies of "dummy1" and more than ten of "dummy2".
rule CountExample
{
strings:
$a = "dummy1"
$b = "dummy2"

condition:
#a == 6 and #b > 10
}


// `$a at N` is true only when an occurrence of $a starts exactly at offset N
// (decimal here; hex such as 0x64 is also accepted).
rule AtExample
{
strings:
$a = "dummy1"
$b = "dummy2"

condition:
$a at 100 and $b at 200
}

// `$a in (lo..hi)` is true when some occurrence of $a starts within the
// inclusive offset range. `filesize` can be used as a bound, so the second
// term covers everything from offset 100 to the end of the data.
rule InExample
{
strings:
$a = "dummy1"
$b = "dummy2"

condition:
$a in (0..100) and $b in (100..filesize)
}

// File size

// `filesize` is the size in bytes of the scanned file; the KB suffix
// multiplies by 1024 (MB by 1024*1024). When scanning a process rather than a
// file, filesize is undefined and this condition is false.
rule FileSizeExample
{
condition:
filesize > 200KB
}

// Executable entry point

// Looks for the pattern within the first 10 bytes after the executable's
// entry point (PE or ELF). NOTE(review): the YARA documentation marks the
// bare `entrypoint` keyword as deprecated in favour of `pe.entry_point` from
// the pe module (which needs `import "pe"`); it is kept here because this file
// is a syntax-highlighting sample.
rule EntryPointExample
{
strings:
$a = { 9C 50 66 A1 ?? ?? ?? 00 66 A9 ?? ?? 58 0F 85 }

condition:
$a in (entrypoint..entrypoint + 10)
}


// Accessing data at a given position

// Structural PE check without the pe module. uint16/uint32 read little-endian
// integers, so 0x5A4D is the bytes "MZ" and 0x00004550 is "PE\0\0". Reads
// beyond the end of the data are undefined, which makes the whole condition
// false rather than an error on truncated input.
rule IsPE
{
condition:
// MZ signature at offset 0 and ...
uint16(0) == 0x5A4D and
// ... PE signature at offset stored in MZ header at 0x3C
uint32(uint32(0x3C)) == 0x00004550
}

// Sets of strings

// Requires at least two of the three strings. Since the set lists every
// string in the rule, `2 of them` is equivalent to `2 of ($a,$b,$c)`.
rule OfExample1
{
    strings:
        $a = "dummy1"
        $b = "dummy2"
        $c = "dummy3"

    condition:
        2 of them
}

// String-set wildcard: `$foo*` expands to every string whose identifier
// starts with "foo", so new $fooN strings are picked up without editing the
// condition.
rule OfExample2
{
strings:
$foo1 = "foo1"
$foo2 = "foo2"
$foo3 = "foo3"

condition:
2 of ($foo*) // equivalent to 2 of ($foo1,$foo2,$foo3)
}

// Fires when at least one of the rule's strings is present. `any of them`
// is the same as `1 of them` (and as `1 of ($*)`).
rule OfExample3
{
    strings:
        $a = "dummy1"
        $b = "dummy2"
        $c = "dummy3"

    condition:
        any of them
}

// Iterating over string occurrences

// `@a[i]` is the offset of the i-th occurrence of $a (1-based). The loop
// requires that for the first three occurrences, $b starts exactly 10 bytes
// after $a. If either string has fewer than three occurrences the indexed
// offset is undefined and the rule evaluates to false.
rule Occurrences
{
strings:
$a = "dummy1"
$b = "dummy2"

condition:
for all i in (1,2,3) : ( @a[i] + 10 == @b[i] )
}

// Referencing other rules

// Simple rule used as a dependency by Rule2 below; a rule referenced by
// another must be declared before it in the same namespace.
rule Rule1
{
strings:
$a = "dummy1"

condition:
$a
}

// Referencing another rule by name uses its match result as a boolean, so
// this rule is true only when "dummy2" is found AND Rule1 also matched.
rule Rule2
{
strings:
$a = "dummy2"

condition:
$a and Rule1
}

// Metadata

// Metadata section with a string, an integer and a boolean value. Meta
// entries are reported with matches but never influence the condition.
// Condition is `any of them`, equivalent to `$my_text_string or $my_hex_string`.
rule MetadataExample
{
    meta:
        my_identifier_1 = "Some string data"
        my_identifier_2 = 24
        my_identifier_3 = true

    strings:
        $my_text_string = "text here"
        $my_hex_string = { E2 34 A1 C8 23 FB }

    condition:
        any of them
}

// External variables

// `ext_var` is an external variable supplied by the caller at compile/scan
// time (e.g. `-d ext_var=10` on the yara command line). If it is not defined
// the rule fails to compile with an undefined-identifier error.
rule ExternalVariableExample1
{
condition:
ext_var == 10
}

// External variables are typed by the value the caller supplies: a boolean
// one can be used directly as a condition, an integer one compared with
// `filesize`.
rule ExternalVariableExample2
{
condition:
bool_ext_var or filesize < int_ext_var
}

// `contains` does a case-sensitive substring test on a string-typed external
// variable (use `icontains` for a case-insensitive one).
rule ExternalVariableExample3
{
condition:
string_ext_var contains "text"
}

// `matches` tests a string-typed external variable against a regular
// expression; it is true if the pattern is found anywhere in the value.
rule ExternalVariableExample4
{
condition:
string_ext_var matches /[a-z]+/
}

// Same as ExternalVariableExample4 but with regex flags: `i` ignores case and
// `s` lets `.` match newline characters ("single-line" mode).
rule ExternalVariableExample5
{
condition:
/* case insensitive single-line mode */
string_ext_var matches /[a-z]+/is
}

// Including files

// `include` splices another rule file in at this point, as a C preprocessor
// would. Relative paths are resolved against the directory of the including
// file, not the working directory. The three files named here are not part of
// this sample, so compiling it as-is would fail on these lines; they exist to
// show the syntax.
include "other.yar"
include "./includes/other.yar"
include "../includes/other.yar"