Documentation ¶
Index ¶
- Constants
- Variables
- func DepthFirstSearch(node Node, v Visitor)
- func Escape(s string) string
- type BaseString
- type BitwiseNot
- type Defined
- type Enum
- type Expression
- type ForIn
- type ForOf
- type FunctionCall
- type Group
- type HexBytes
- type HexJump
- type HexOr
- type HexString
- type HexToken
- type HexTokens
- type Identifier
- type Keyword
- type LiteralFloat
- type LiteralInteger
- type LiteralRegexp
- type LiteralString
- type MemberAccess
- type Meta
- type Minus
- type Node
- type Not
- type Of
- type Operation
- type OperatorType
- type Percentage
- type PostOrderVisitor
- type PreOrderVisitor
- type Range
- type RegexpModifiers
- type RegexpString
- type Rule
- type RuleSet
- type String
- type StringCount
- type StringIdentifier
- type StringLength
- type StringOffset
- type Subscripting
- type TextString
- type Visitor
Constants ¶
const OpMaxPrecedence = 11
OpMaxPrecedence is the maximum possible precedence. This is also the precedence for unary operators "~" and "-".
Variables ¶
var OpPrecedence = map[OperatorType]int{
	OpOr:             0,
	OpAnd:            1,
	OpNot:            2,
	OpEqual:          3,
	OpNotEqual:       3,
	OpLessThan:       4,
	OpLessOrEqual:    4,
	OpGreaterThan:    4,
	OpGreaterOrEqual: 4,
	OpContains:       4,
	OpIContains:      4,
	OpStartsWith:     4,
	OpIStartsWith:    4,
	OpEndsWith:       4,
	OpIEndsWith:      4,
	OpIEquals:        4,
	OpMatches:        4,
	OpBitOr:          5,
	OpBitXor:         6,
	OpBitAnd:         7,
	OpShiftLeft:      8,
	OpShiftRight:     8,
	OpAdd:            9,
	OpSub:            9,
	OpMul:            10,
	OpDiv:            10,
	OpMod:            10,
}
OpPrecedence is the operator precedence table.
Functions ¶
func DepthFirstSearch ¶ added in v0.6.1
DepthFirstSearch performs a depth-first traversal of the given node's syntax tree. It receives a Visitor that must implement PreOrderVisitor, PostOrderVisitor or both.
func Escape ¶ added in v0.5.4
Escape replaces any character outside the printable ASCII range with its corresponding escape sequence (\n, \\, \", etc.). Characters that don't have their own escape sequence are replaced by \xHH, where HH is the hex value of the character. Printable ASCII characters remain unchanged.
Types ¶
type BaseString ¶ added in v0.4.0
type BaseString struct {
	// Identifier for the string, without the $ prefix.
	Identifier string
	// Line number where the string was defined.
	LineNo int
}
BaseString is a structure that contains the fields that are common to all types of strings. This structure is embedded in TextString, HexString and RegexpString.
func (*BaseString) GetIdentifier ¶ added in v0.4.0
func (s *BaseString) GetIdentifier() string
func (*BaseString) GetLineNo ¶ added in v0.4.0
func (s *BaseString) GetLineNo() int
type BitwiseNot ¶ added in v0.2.0
type BitwiseNot struct {
Expression Expression
}
BitwiseNot is an Expression that represents the bitwise not operation.
func (*BitwiseNot) AsProto ¶ added in v0.8.0
func (b *BitwiseNot) AsProto() *pb.Expression
func (*BitwiseNot) Children ¶ added in v0.8.0
func (b *BitwiseNot) Children() []Node
func (*BitwiseNot) WriteSource ¶ added in v0.2.0
func (b *BitwiseNot) WriteSource(w io.Writer) error
WriteSource writes the node's source into the writer w.
type Defined ¶ added in v0.7.0
type Defined struct {
Expression Expression
}
Defined is an Expression that represents the "defined" operation.
func (*Defined) AsProto ¶ added in v0.7.0
func (d *Defined) AsProto() *pb.Expression
AsProto returns the Expression serialized as a pb.Expression.
type Enum ¶ added in v0.2.0
type Enum struct {
Values []Expression
}
Enum is a Node that represents an enumeration. Example: (1,2,3,4).
func (*Enum) AsProto ¶ added in v0.2.0
func (e *Enum) AsProto() *pb.IntegerEnumeration
AsProto returns the node serialized as a pb.IntegerEnumeration.
type Expression ¶ added in v0.1.1
type Expression interface {
	Node
	AsProto() *pb.Expression
}
Expression is the interface implemented by all expressions in the AST. Not all nodes are expressions, but all expressions are nodes. In general, an expression is a Node that can be used as an operand in some kind of operation.
type ForIn ¶ added in v0.2.0
type ForIn struct {
	Quantifier Expression
	Variables  []string
	Iterator   Node
	Condition  Expression
}
ForIn is an Expression representing a "for in" loop. Example:
for <quantifier> <variables> in <iterator> : ( <condition> )
func (*ForIn) AsProto ¶ added in v0.2.0
func (f *ForIn) AsProto() *pb.Expression
AsProto returns the Expression serialized as a pb.Expression.
type ForOf ¶ added in v0.2.0
type ForOf struct {
	Quantifier Expression
	Strings    Node
	Condition  Expression
}
ForOf is an Expression representing a "for of" loop. Example:
for <quantifier> of <string_set> : ( <condition> )
func (*ForOf) AsProto ¶ added in v0.2.0
func (f *ForOf) AsProto() *pb.Expression
AsProto returns the Expression serialized as a pb.Expression.
type FunctionCall ¶ added in v0.2.0
type FunctionCall struct {
	Callable  Expression
	Arguments []Expression
	Builtin   bool
}
FunctionCall is an Expression that represents a function call.
func (*FunctionCall) AsProto ¶ added in v0.2.0
func (f *FunctionCall) AsProto() *pb.Expression
AsProto returns the Expression serialized as a pb.Expression.
func (*FunctionCall) Children ¶ added in v0.2.0
func (f *FunctionCall) Children() []Node
Children returns the Node's children.
func (*FunctionCall) WriteSource ¶ added in v0.2.0
func (f *FunctionCall) WriteSource(w io.Writer) error
WriteSource writes the node's source into the writer w.
type Group ¶ added in v0.2.0
type Group struct {
Expression Expression
}
Group is an Expression that encloses another Expression in parentheses.
func (*Group) AsProto ¶ added in v0.8.0
func (g *Group) AsProto() *pb.Expression
type HexBytes ¶ added in v0.2.0
HexBytes is a HexToken that represents a byte sequence. The bytes are stored in Bytes, while Masks contains a nibble-wise mask for each of the bytes (both arrays have the same length). Possible masks are:
00 -> Full wildcard, the corresponding byte is ignored (??).
0F -> The higher nibble is ignored (?X).
F0 -> The lower nibble is ignored (X?).
FF -> No wildcard at all.
The Nots array holds one boolean per byte indicating whether that byte is prefixed with ~, meaning the byte must NOT be the given value.
func (*HexBytes) AsProto ¶ added in v0.2.0
func (h *HexBytes) AsProto() *pb.BytesSequence
AsProto returns the Node serialized as a pb.BytesSequence.
type HexJump ¶ added in v0.2.0
HexJump is a HexToken that represents a jump in the hex string, for example the [10-20] jump in {01 02 [10-20] 03 04}. An End of 0 means unbounded: the jump [20-] has Start=20 and End=0.
type HexOr ¶ added in v0.2.0
type HexOr struct {
Alternatives HexTokens
}
HexOr is a HexToken that represents an alternative in the hex string, like the (03 04 | 05 06) alternative in { 01 02 (03 04 | 05 06) 07 08 }. Each item in Alternatives corresponds to one alternative.
func (*HexOr) AsProto ¶ added in v0.2.0
func (h *HexOr) AsProto() *pb.HexAlternative
AsProto returns the Node serialized as a pb.HexAlternative.
type HexString ¶ added in v0.2.0
type HexString struct {
	BaseString
	Tokens  HexTokens
	Private bool
}
HexString describes a YARA hex string. Hex strings have an identifier and a sequence of tokens that form the abstract syntax tree for the hex string. Each token can be any of the following types:
HexBytes: Represents a sequence of bytes, possibly masked, like: 01 02 03, 34 ?? A1 F? 03 ?3
HexJump: Represents a jump in the hex string, like: [21], [0-100]
HexOr: Represents an alternative, like: (A|B), (A|B|C)
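The matching semantics these three token types imply, as an added example rather than code from gyp: a small backtracking matcher over local stand-in types for HexBytes (nibble masks and ~), HexJump (End 0 = unbounded) and HexOr, run on a constructed buffer. The type names mirror the page; their fields and the matcher are this example's own assumptions.

```go
package main

// Local stand-ins for the token shapes this page describes (HexToken,
// HexBytes, HexJump, HexOr); they are the example's own, not gyp's types.
type HexToken interface{}
type HexTokens []HexToken
type HexBytes struct {
	Bytes []byte // pattern bytes, wildcarded nibbles left as zero
	Masks []byte // 0x00 = ??, 0x0F = ?X, 0xF0 = X?, 0xFF = exact byte
	Nots  []bool // true where the byte was written with a ~ prefix
}
type HexJump struct{ Start, End int } // End == 0 means unbounded, as in [20-]
type HexOr struct{ Alternatives []HexTokens }

// byteMatches compares one data byte under its nibble mask; a ~ prefix (Nots)
// inverts the verdict, so the byte must NOT equal the masked value.
func byteMatches(h *HexBytes, i int, b byte) bool {
	eq := b&h.Masks[i] == h.Bytes[i]&h.Masks[i]
	if i < len(h.Nots) && h.Nots[i] {
		return !eq
	}
	return eq
}

// matchAt matches tokens against data from pos and returns the end offset.
// Jump lengths and alternatives are tried with backtracking: a choice is only
// accepted when the rest of the pattern also fits after it.
func matchAt(tokens HexTokens, data []byte, pos int) (int, bool) {
	if len(tokens) == 0 {
		return pos, true
	}
	rest := tokens[1:]
	switch t := tokens[0].(type) {
	case *HexBytes:
		for i := range t.Bytes { // bounds check first: never read past data
			if pos+i >= len(data) || !byteMatches(t, i, data[pos+i]) {
				return 0, false
			}
		}
		return matchAt(rest, data, pos+len(t.Bytes))
	case *HexJump: // End == 0 is unbounded: try every remaining length
		for n := t.Start; (t.End == 0 || n <= t.End) && pos+n <= len(data); n++ {
			if e, ok := matchAt(rest, data, pos+n); ok {
				return e, true
			}
		}
	case *HexOr:
		for _, alt := range t.Alternatives { // alternative followed by the rest
			if e, ok := matchAt(append(append(HexTokens{}, alt...), rest...), data, pos); ok {
				return e, true
			}
		}
	}
	return 0, false
}

// FindFirst scans data and returns the first match's offset and length, or (-1, 0).
func FindFirst(tokens HexTokens, data []byte) (int, int) {
	for off := 0; off < len(data); off++ {
		if end, ok := matchAt(tokens, data, off); ok {
			return off, end - off
		}
	}
	return -1, 0
}

// samplePattern is { 34 ?? A1 F? 03 ?3 [1-3] ( 07 08 | 05 06 ) } as tokens and
// sampleData a constructed buffer in which it matches at offset 1, length 10.
var samplePattern = HexTokens{
	&HexBytes{Bytes: []byte{0x34, 0, 0xA1, 0xF0, 0x03, 0x03}, Masks: []byte{0xFF, 0, 0xFF, 0xF0, 0xFF, 0x0F}},
	&HexJump{Start: 1, End: 3},
	&HexOr{Alternatives: []HexTokens{{&HexBytes{Bytes: []byte{7, 8}, Masks: []byte{0xFF, 0xFF}}},
		{&HexBytes{Bytes: []byte{5, 6}, Masks: []byte{0xFF, 0xFF}}}}},
}
var sampleData = []byte{0x00, 0x34, 0x99, 0xA1, 0xF7, 0x03, 0x53, 0xAA, 0xBB, 0x05, 0x06, 0xFF}
```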
type HexToken ¶ added in v0.1.1
type HexToken interface {
	Node
}
HexToken is the interface implemented by all types of token.
type HexTokens ¶ added in v0.1.1
type HexTokens []HexToken
HexTokens is a sequence of tokens.
type Identifier ¶ added in v0.1.1
type Identifier struct {
Identifier string
}
Identifier is an Expression that represents an identifier.
func (*Identifier) AsProto ¶ added in v0.2.0
func (i *Identifier) AsProto() *pb.Expression
AsProto returns the Expression serialized as a pb.Expression.
func (*Identifier) Children ¶ added in v0.2.0
func (i *Identifier) Children() []Node
Children returns the Node's children.
func (*Identifier) WriteSource ¶ added in v0.2.0
func (i *Identifier) WriteSource(w io.Writer) error
WriteSource writes the node's source into the writer w.
type Keyword ¶ added in v0.1.1
type Keyword string
Keyword is a Node that represents a keyword.
const (
	KeywordAll        Keyword = "all"
	KeywordAny        Keyword = "any"
	KeywordNone       Keyword = "none"
	KeywordEntrypoint Keyword = "entrypoint"
	KeywordFalse      Keyword = "false"
	KeywordFilesize   Keyword = "filesize"
	KeywordThem       Keyword = "them"
	KeywordTrue       Keyword = "true"
)
Constants for existing keywords.
func (Keyword) AsProto ¶ added in v0.2.0
func (k Keyword) AsProto() *pb.Expression
AsProto returns the Expression serialized as a pb.Expression.
type LiteralFloat ¶ added in v0.2.0
type LiteralFloat struct {
Value float64
}
LiteralFloat is an Expression that represents a literal float.
func (*LiteralFloat) AsProto ¶ added in v0.2.0
func (l *LiteralFloat) AsProto() *pb.Expression
AsProto returns the Expression serialized as a pb.Expression.
func (*LiteralFloat) Children ¶ added in v0.2.0
func (l *LiteralFloat) Children() []Node
Children returns the Node's children.
func (*LiteralFloat) WriteSource ¶ added in v0.2.0
func (l *LiteralFloat) WriteSource(w io.Writer) error
WriteSource writes the node's source into the writer w.
type LiteralInteger ¶ added in v0.2.0
type LiteralInteger struct {
Value int64
}
LiteralInteger is an Expression that represents a literal integer.
func (*LiteralInteger) AsProto ¶ added in v0.2.0
func (l *LiteralInteger) AsProto() *pb.Expression
AsProto returns the Expression serialized as a pb.Expression.
func (*LiteralInteger) Children ¶ added in v0.2.0
func (l *LiteralInteger) Children() []Node
Children returns the Node's children.
func (*LiteralInteger) WriteSource ¶ added in v0.2.0
func (l *LiteralInteger) WriteSource(w io.Writer) error
WriteSource writes the node's source into the writer w.
type LiteralRegexp ¶ added in v0.2.0
type LiteralRegexp struct {
	Value     string
	Modifiers RegexpModifiers
}
LiteralRegexp is an Expression that represents a literal regular expression, like for example /ab.*cd/.
func (*LiteralRegexp) AsProto ¶ added in v0.2.0
func (l *LiteralRegexp) AsProto() *pb.Expression
AsProto returns the Expression serialized as a pb.Expression.
func (*LiteralRegexp) Children ¶ added in v0.2.0
func (l *LiteralRegexp) Children() []Node
Children returns the Node's children.
func (*LiteralRegexp) String ¶ added in v0.2.0
func (l *LiteralRegexp) String() string
func (*LiteralRegexp) WriteSource ¶ added in v0.2.0
func (l *LiteralRegexp) WriteSource(w io.Writer) error
WriteSource writes the node's source into the writer w.
type LiteralString ¶ added in v0.2.0
type LiteralString struct {
Value string
}
LiteralString is an Expression that represents a literal string.
func (*LiteralString) AsProto ¶ added in v0.2.0
func (l *LiteralString) AsProto() *pb.Expression
AsProto returns the Expression serialized as a pb.Expression.
func (*LiteralString) Children ¶ added in v0.2.0
func (l *LiteralString) Children() []Node
Children returns the Node's children.
func (*LiteralString) String ¶ added in v0.2.0
func (l *LiteralString) String() string
func (*LiteralString) WriteSource ¶ added in v0.2.0
func (l *LiteralString) WriteSource(w io.Writer) error
WriteSource writes the node's source into the writer w.
type MemberAccess ¶ added in v0.2.0
type MemberAccess struct {
	Container Expression
	Member    string
}
MemberAccess is an Expression that represents a member access operation (.). For example, in "foo.bar" we have a MemberAccess operation where Container is the "foo" identifier and Member is "bar".
func (*MemberAccess) AsProto ¶ added in v0.2.0
func (m *MemberAccess) AsProto() *pb.Expression
AsProto returns the Expression serialized as a pb.Expression.
func (*MemberAccess) Children ¶ added in v0.2.0
func (m *MemberAccess) Children() []Node
Children returns the node's child nodes.
func (*MemberAccess) WriteSource ¶ added in v0.2.0
func (m *MemberAccess) WriteSource(w io.Writer) error
WriteSource writes the node's source into the writer w.
type Meta ¶ added in v0.1.1
type Meta struct {
	Key   string
	Value interface{}
}
Meta represents an entry in a rule's metadata section. Each entry is composed of a key and a value. The value can be either a string, an int64 or a bool. When the value is a string it appears exactly as in the source code; escaped characters remain escaped.
func (*Meta) UnescapedValue ¶ added in v0.5.4
UnescapedValue returns the metadata Value with any escape sequence replaced by the actual character that it represents.
type Minus ¶ added in v0.2.0
type Minus struct {
Expression Expression
}
Minus is an Expression that represents the unary minus operation.
func (*Minus) AsProto ¶ added in v0.2.0
func (m *Minus) AsProto() *pb.Expression
AsProto returns the Expression serialized as a pb.Expression.
type Node ¶ added in v0.2.0
type Node interface {
	// WriteSource writes the source of the node to a writer.
	WriteSource(io.Writer) error
	// Children returns the node's children. The children are returned left to
	// right, if the node represents the operation A + B + C, the children will
	// appear as A, B, C. The result can be nil if the Node does not have
	// children.
	Children() []Node
}
Node is the interface implemented by all types of nodes in the AST.
type Not ¶ added in v0.2.0
type Not struct {
Expression Expression
}
Not is an Expression that represents the "not" operation.
func (*Not) AsProto ¶ added in v0.2.0
func (n *Not) AsProto() *pb.Expression
AsProto returns the Expression serialized as a pb.Expression.
type Of ¶ added in v0.2.0
type Of struct {
	Quantifier  Expression
	Strings     Node
	Rules       Node
	TextStrings []string
	In          *Range
	At          Expression
}
Of is an Expression representing a "of" operation. Example:
<quantifier> of <string_set>
<quantifier> of <string_set> in <range>
If "In" is non-nil there is an "in" condition: 3 of them in (0..100)
If "At" is non-nil there is an "at" condition: 1 of them at 0
func (*Of) AsProto ¶ added in v0.2.0
func (o *Of) AsProto() *pb.Expression
AsProto returns the Expression serialized as a pb.Expression.
type Operation ¶ added in v0.2.0
type Operation struct {
	Operator OperatorType
	Operands []Expression
}
Operation is an Expression representing an operation with two or more operands, like "A or B", "A and B and C", "A + B + C", "A - B - C", etc. With more than two operands the operation is left-associative: a single Operation can represent A - B - C, but A - (B - C) needs two Operations with two operands each.
func (*Operation) AsProto ¶ added in v0.2.0
func (o *Operation) AsProto() *pb.Expression
AsProto returns the Expression serialized as a pb.Expression.
type OperatorType ¶ added in v0.2.0
type OperatorType string
OperatorType is the type of operators.
const (
	OpUnknown        OperatorType = ""
	OpOr             OperatorType = "or"
	OpAnd            OperatorType = "and"
	OpNot            OperatorType = "not"
	OpDefined        OperatorType = "defined"
	OpBitOr          OperatorType = "|"
	OpBitXor         OperatorType = "^"
	OpBitAnd         OperatorType = "&"
	OpEqual          OperatorType = "=="
	OpNotEqual       OperatorType = "!="
	OpLessThan       OperatorType = "<"
	OpGreaterThan    OperatorType = ">"
	OpLessOrEqual    OperatorType = "<="
	OpGreaterOrEqual OperatorType = ">="
	OpAdd            OperatorType = "+"
	OpSub            OperatorType = "-"
	OpMul            OperatorType = "*"
	OpDiv            OperatorType = "\\"
	OpMod            OperatorType = "%"
	OpShiftLeft      OperatorType = "<<"
	OpShiftRight     OperatorType = ">>"
	OpContains       OperatorType = "contains"
	OpIContains      OperatorType = "icontains"
	OpStartsWith     OperatorType = "startswith"
	OpIStartsWith    OperatorType = "istartswith"
	OpEndsWith       OperatorType = "endswith"
	OpIEndsWith      OperatorType = "iendswith"
	OpIEquals        OperatorType = "iequals"
	OpMatches        OperatorType = "matches"
)
Constants that represent operators.
type Percentage ¶ added in v0.7.0
type Percentage struct {
Expression Expression
}
Percentage is an Expression used in evaluating string sets. Example:
<expression>% of <string set>
func (*Percentage) AsProto ¶ added in v0.7.0
func (p *Percentage) AsProto() *pb.Expression
AsProto returns the Expression serialized as a pb.Expression.
func (*Percentage) Children ¶ added in v0.8.0
func (p *Percentage) Children() []Node
func (*Percentage) WriteSource ¶ added in v0.7.0
func (p *Percentage) WriteSource(w io.Writer) error
WriteSource writes the node's source into the writer w.
type PostOrderVisitor ¶
PostOrderVisitor is the interface that must be implemented by a visitor that wants to be notified about expressions after all of the expression's sub expressions are visited.
type PreOrderVisitor ¶
PreOrderVisitor is the interface that must be implemented by a visitor that wants to be notified about expressions before any of the expression's sub expressions is visited.
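How the pre-order and post-order hooks of DepthFirstSearch compose, as an added example that is not gyp's code: a self-contained model of Node, the two visitor interfaces and the traversal, with a visitor that lists the strings a rule declares but its condition never references. The hook method names PreOrderVisit/PostOrderVisit and the empty Visitor interface are assumptions; WriteSource is omitted from the model.

```go
package main

// Self-contained model of the page's Node/Visitor protocol, not gyp's code.
// The hook names PreOrderVisit/PostOrderVisit are an assumption; WriteSource is omitted.
type Node interface{ Children() []Node }
type Visitor interface{}
type PreOrderVisitor interface{ PreOrderVisit(Node) }
type PostOrderVisitor interface{ PostOrderVisit(Node) }

// DepthFirstSearch fires the pre-order hook before a node's children and the
// post-order hook after them, for whichever hooks the visitor implements.
func DepthFirstSearch(node Node, v Visitor) {
	if pre, ok := v.(PreOrderVisitor); ok {
		pre.PreOrderVisit(node)
	}
	for _, c := range node.Children() {
		DepthFirstSearch(c, v)
	}
	if post, ok := v.(PostOrderVisitor); ok {
		post.PostOrderVisit(node)
	}
}

// StringIdentifier models "$a" (Identifier omits the $, as on the page);
// Operation models a left-associative n-ary operation like "A and B and C".
type StringIdentifier struct{ Identifier string }
type Operation struct {
	Operator string
	Operands []Node
}
func (s *StringIdentifier) Children() []Node { return nil }
func (o *Operation) Children() []Node        { return o.Operands }

// refCollector uses both hooks: pre-order records each referenced string and
// the nesting level reached, post-order unwinds the level again.
type refCollector struct {
	refs            map[string]bool
	depth, maxDepth int
}
func (c *refCollector) PreOrderVisit(n Node) {
	c.depth++
	if c.depth > c.maxDepth {
		c.maxDepth = c.depth
	}
	if s, ok := n.(*StringIdentifier); ok {
		c.refs[s.Identifier] = true
	}
}
func (c *refCollector) PostOrderVisit(Node) { c.depth-- }

// UnreferencedStrings lists declared strings the condition never names, in
// declaration order; YARA rejects such a rule at compile time. A condition using
// "them" or a "$a*" wildcard references strings implicitly; not modelled here.
func UnreferencedStrings(declared []string, cond Node) []string {
	c := &refCollector{refs: map[string]bool{}}
	DepthFirstSearch(cond, c)
	var unused []string
	for _, d := range declared {
		if !c.refs[d] {
			unused = append(unused, d)
		}
	}
	return unused
}

// sampleCondition is the constructed AST of "$a and ($b or $a)"; the inner
// "or" is a second Operation, as the page's Operation type requires.
var sampleCondition = &Operation{Operator: "and", Operands: []Node{
	&StringIdentifier{"a"},
	&Operation{Operator: "or", Operands: []Node{&StringIdentifier{"b"}, &StringIdentifier{"a"}}},
}}
```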
type Range ¶ added in v0.1.1
type Range struct {
	Start Expression
	End   Expression
}
Range is a Node that represents an integer range. Example: (1..10).
type RegexpModifiers ¶ added in v0.2.0
type RegexpModifiers int
RegexpModifiers are flags containing the modifiers for a LiteralRegexp.
const (
	// RegexpCaseInsensitive is the flag corresponding to the /i modifier in a
	// regular expression literal.
	RegexpCaseInsensitive RegexpModifiers = 1 << iota
	// RegexpDotAll is the flag corresponding to the /s modifier in a regular
	// expression literal.
	RegexpDotAll
)
type RegexpString ¶ added in v0.2.0
type RegexpString struct {
	BaseString
	// Regexp contains the regular expression exactly as it appears in the YARA
	// rule. Escape sequences remain escaped.
	Regexp   *LiteralRegexp
	ASCII    bool
	Wide     bool
	Nocase   bool
	Fullword bool
	Private  bool
}
RegexpString describes a YARA regexp.
func (*RegexpString) AsProto ¶ added in v0.2.0
func (r *RegexpString) AsProto() *pb.String
AsProto returns the string serialized as pb.String.
func (*RegexpString) String ¶ added in v0.2.0
func (r *RegexpString) String() string
func (*RegexpString) WriteSource ¶ added in v0.2.0
func (r *RegexpString) WriteSource(w io.Writer) (err error)
WriteSource writes the node's source into the writer w.
type Rule ¶ added in v0.1.1
type Rule struct {
	// Line number where the rule starts
	LineNo     int
	Global     bool
	Private    bool
	Identifier string
	Tags       []string
	Meta       []*Meta
	Strings    []String
	Condition  Expression
}
Rule describes a YARA rule.
func RuleFromProto ¶ added in v0.2.0
RuleFromProto creates a Rule from its corresponding protobuf.
func (*Rule) AsProto ¶ added in v0.2.0
AsProto returns the rule serialized as a Rule protobuf message.
type RuleSet ¶ added in v0.1.1
RuleSet describes a set of YARA rules.
func RuleSetFromProto ¶ added in v0.2.0
RuleSetFromProto creates a RuleSet from its corresponding protobuf.
type String ¶ added in v0.1.1
String is the interface implemented by the different types of strings that are supported by YARA (i.e. text strings, hex strings and regexps).
type StringCount ¶ added in v0.2.0
StringCount is an Expression that represents a string count operation, like "#a". Notice that the Identifier field doesn't contain the # prefix. "In" is non-nil if the identifier is accompanied by an "in" condition, like "#a in (0..100) == 2".
func (*StringCount) AsProto ¶ added in v0.2.0
func (s *StringCount) AsProto() *pb.Expression
AsProto returns the Expression serialized as a pb.Expression.
func (*StringCount) Children ¶ added in v0.2.0
func (s *StringCount) Children() []Node
Children returns the Node's children.
func (*StringCount) WriteSource ¶ added in v0.2.0
func (s *StringCount) WriteSource(w io.Writer) error
WriteSource writes the node's source into the writer w.
type StringIdentifier ¶ added in v0.2.0
type StringIdentifier struct {
	Identifier string
	At         Expression
	In         *Range
}
StringIdentifier is an Expression that represents a string identifier in the condition, like "$a". The "At" field is non-nil if the identifier comes accompanied by an "at" condition, like "$a at 100". Similarly, "In" is non-nil if the identifier is accompanied by an "in" condition, like "$a in (0..100)". Notice that the Identifier field doesn't contain the $ prefix.
func (*StringIdentifier) AsProto ¶ added in v0.2.0
func (s *StringIdentifier) AsProto() *pb.Expression
AsProto returns the Expression serialized as a pb.Expression.
func (*StringIdentifier) Children ¶ added in v0.2.0
func (s *StringIdentifier) Children() []Node
Children returns the Node's children.
func (*StringIdentifier) WriteSource ¶ added in v0.2.0
func (s *StringIdentifier) WriteSource(w io.Writer) error
WriteSource writes the node's source into the writer w.
type StringLength ¶ added in v0.1.1
type StringLength struct {
	Identifier string
	Index      Expression
}
StringLength is an Expression that represents a string length operation, like "!a". The "Index" field is non-nil if the length operation is indexed, like in "!a[1]". Notice that the Identifier field doesn't contain the ! prefix.
func (*StringLength) AsProto ¶ added in v0.2.0
func (s *StringLength) AsProto() *pb.Expression
AsProto returns the Expression serialized as a pb.Expression.
func (*StringLength) Children ¶ added in v0.2.0
func (s *StringLength) Children() []Node
Children returns the Node's children.
func (*StringLength) WriteSource ¶ added in v0.2.0
func (s *StringLength) WriteSource(w io.Writer) error
WriteSource writes the node's source into the writer w.
type StringOffset ¶ added in v0.1.1
type StringOffset struct {
	Identifier string
	Index      Expression
}
StringOffset is an Expression that represents a string offset operation, like "@a". The "Index" field is non-nil if the offset operation is indexed, like in "@a[1]". Notice that the Identifier field doesn't contain the @ prefix.
func (*StringOffset) AsProto ¶ added in v0.2.0
func (s *StringOffset) AsProto() *pb.Expression
AsProto returns the Expression serialized as a pb.Expression.
func (*StringOffset) Children ¶ added in v0.2.0
func (s *StringOffset) Children() []Node
Children returns the Node's children.
func (*StringOffset) WriteSource ¶ added in v0.2.0
func (s *StringOffset) WriteSource(w io.Writer) error
WriteSource writes the node's source into the writer w.
type Subscripting ¶ added in v0.2.0
type Subscripting struct {
	Array Expression
	Index Expression
}
Subscripting is an Expression that represents an array subscripting operation ([]). For example, in "foo[1+2]" we have a Subscripting operation where Array is a Node representing the "foo" identifier and Index is another Node that represents the expression "1+2".
func (*Subscripting) AsProto ¶ added in v0.2.0
func (s *Subscripting) AsProto() *pb.Expression
AsProto returns the Expression serialized as a pb.Expression.
func (*Subscripting) Children ¶ added in v0.2.0
func (s *Subscripting) Children() []Node
Children returns the node's child nodes.
func (*Subscripting) WriteSource ¶ added in v0.2.0
func (s *Subscripting) WriteSource(w io.Writer) error
WriteSource writes the node's source into the writer w.
type TextString ¶ added in v0.1.1
type TextString struct {
	BaseString
	// Value contains the string exactly as it appears in the YARA rule. Escape
	// sequences remain escaped. See the UnescapedValue function.
	Value          string
	ASCII          bool
	Wide           bool
	Nocase         bool
	Fullword       bool
	Private        bool
	Base64         bool
	Base64Wide     bool
	Base64Alphabet string
	Xor            bool
	XorMin         int32
	XorMax         int32
}
TextString describes a YARA text string.
func (*TextString) AsProto ¶ added in v0.2.0
func (t *TextString) AsProto() *pb.String
AsProto returns the string serialized as pb.String.
func (*TextString) String ¶ added in v0.1.1
func (t *TextString) String() string
func (*TextString) UnescapedValue ¶ added in v0.2.0
func (t *TextString) UnescapedValue() string
UnescapedValue returns the string's Value with any escape sequence replaced by the actual character that it represents.
func (*TextString) WriteSource ¶ added in v0.2.0
func (t *TextString) WriteSource(w io.Writer) error
WriteSource writes the node's source into the writer w.