Creating ruleset¶
Creating of new YARA rulesets is available in yaramod through interface based on builder design pattern.
Note
Following list of functions is made for C++. Python alternatives follow the same naming but instead of CamelCase
they use snake_case
. Sometimes there is
keyword needed to be used as a function name (like xor
). In that case, it is followed by underscore character (so it would be xor_
).
The main goal of the yaramod interface is to make the creation of new YARA rules declarative. We wanted to avoid just concatenating strings together and we also wanted to end up with the same internal representation of YARA rules as if we parsed them. We also wanted to make it composable so that you can easily build for example part of your condition in one function, the other part in the second function and join them together.
File¶
It all starts with YaraFileBuilder
which is a main building block for creating new YARA ruleset. here is a short example on how to create new YARA file with import of pe
module and
some rule (will be explained later).
new_file = yaramod.YaraFileBuilder() \
yara_file = new_file \
.with_module('pe') \
.with_rule(rule) \
.get()
yaramod::YaraFileBuilder newFile;
auto yaraFile = newFile
.withModule("pe")
.withRule(std::move(rule))
.get();
Rules¶
In order to create a rule that we saw while creating new YARA file, we will need YaraRuleBuilder
.
rule = yaramod.YaraRuleBuilder() \
.with_tag('tag1') \
.with_tag('tag2') \
.with_string_meta('author', 'foo') \
.with_plain_string('$str', 'Hello World').ascii().wide().xor(1,255) \
.with_condition(condition) \
.get()
auto rule = yaramod::YaraRuleBuilder{}
.withTag("tag1")
.withTag("tag2")
.withStringMeta("author", "foo")
.withPlainString("$str", "Hello World").ascii().wide().xor_(1,255)
.withCondition(std::move(condition))
.get();
Hex strings¶
Creation of plain strings is really simple as shown in the code above. When it comes to hex strings, things get complicated. Hex strings in YARA have several features which make them more like weak regular expressions. Those features are:
Wildcarded nibbles
Jumps
Alternations
In order to fully unlock the whole potential of hex strings, they need to be created through YaraHexStringBuilder
.
# Simple hex string - { 10 20 30 }
yaramod.YaraHexStringBuilder([0x10, 0x20, 0x30]).get()
# Hex string with wildcard - { 10 ?? 30 }
yaramod.YaraHexStringBuilder() \
.add(yaramod.YaraHexStringBuilder(0x10)) \
.add(yaramod.wildcard()) \
.add(yaramod.YaraHexStringBuilder(0x30)) \
.get()
# Hex string with all features - { 10 ?? 30 [4] ( 40 | 50 ) }
yaramod.YaraHexStringBuilder() \
.add(yaramod.YaraHexStringBuilder(0x10)) \
.add(yaramod.wildcard()) \
.add(yaramod.YaraHexStringBuilder(0x30)) \
.add(yaramod.jump_fixed(4)) \
.add(yaramod.alt([
yaramod.YaraHexStringBuilder(0x40),
yaramod.YaraHexStringBuilder(0x50)
])) \
.get()
// Simple hex string - { 10 20 30 }
yaramod::YaraHexStringBuilder{std::vector<std::uint8_t>{0x10, 0x20, 0x30}}.get()
// Hex string with wildcard - { 10 ?? 30 }
yaramod::YaraHexStringBuilder{}
.add(yaramod::YaraHexStringBuilder(0x10))
.add(yaramod::wildcard())
.add(yaramod::YaraHexStringBuilder(0x30))
.get();
// Hex string with all features - { 10 ?? 30 [4] ( 40 | 50 ) }
yaramod::YaraHexStringBuilder{}
.add(yaramod::YaraHexStringBuilder(0x10))
.add(yaramod::wildcard())
.add(yaramod::YaraHexStringBuilder(0x30))
.add(yaramod::jumpFixed(4))
.add(yaramod::alt(
yaramod.YaraHexStringBuilder(0x40),
yaramod.YaraHexStringBuilder(0x50)
))
.get();
Regular expressions¶
Regular expressions are the same story as hex strings, they just have more expressive power so they also require much more builder methods. Unfortunately right now we don’t provide any kind of RegexpBuilder
which would help you with it. We expect you to provide regular expression as a plain string. Building of regular expression is however something which we would like to add in the future.
Conditions¶
Building of conditions is heavily based on YaraExpressionBuilder
which provides you with many functions that make it easy to express the condition. It makes use of operator overloading in both C++ and Python
to make your builder code readable as much as possible.
Note
Python does not allow to override logical operators such as and
, or
or not
therefore there are special function which you can used instead which are conjunction
, disjunction
and not_
.
# all of them
of(all(), them()).get()
# $1 and ($2 or $3)
(conjunction([
string_ref('$1'),
paren(disjunction([
string_ref('$2'),
string_ref('$3')
]))
])).get()
# pe.sections[0].name matches /\.(text|data)/i
(id('pe').access('sections')[int_val(0)].access('name').matches(regexp(r'(/\.(text|data)/)', 'i'))).get()
# filesize <= 1MB
(filesize() <= int_val(1, IntMultiplier.Megabytes)).get()
using namespace yaramod;
// all of them
of(all(), them()).get();
// $1 and ($2 or $3)
(stringRef("$1") && paren(stringRef("$2") || stringRef("$3"))).get();
// pe.sections[0].name matches /\.(text|data)/i
(id("pe").access("sections")[intVal(0)].access("name").matches(regexp(R"(/\.(text|data)/)", "i"))).get();
// filesize <= 1MB
(filesize() <= intVal(1, IntMultiplier::Megabytes)).get();
List¶
Here is a list of everything available in builder and how it maps to YARA language. Functions listed as basic are basic building block for YARA expressions. You always want to start from these expressions and build upon them to form complex expressions. Each of these functions returns you an object of type YaraExpressionBuilder. Those functions with parameters also mostly accept object of these types, so whenever you are not sure what kind of expression to put there, just look at the list of all basic expressions and find the most suitable one.
Basic expression functions
filesize()
- representsfilesize
keywordentrypoint()
- representsentrypoint
keywordall()
- representsall
keywordany()
- representsany
keywordthem()
- representsthem
keywordint_val(val, [mult])
- represents signed integer with multiplier (default:IntMultiplier.Empty
) (int_val(10)
,int_val(10, IntMultiplier.Kilobytes)
,int_val(10, IntMultiplier.Megabytes)
)uint_val(val, [mult])
- represents unsigned integer with multiplier (default:IntMultiplier.Empty
) (int_val(10)
,int_val(10, IntMultiplier.Kilobytes)
,int_val(10, IntMultiplier.Megabytes)
)hex_int_val(val)
- represents hexadecimal integer (hex_int_val(0x10)
)double_val(val)
- represents double floating-point value (double_val(3.14)
)string_val(str)
- represents string literal (string_val("Hello World!")
)bool_val(bool)
- represents boolean literal (bool_val(True)
)id(id)
- represents single identifier with nameid
(id("pe")
)string_ref(ref)
- represents reference to string identifierref
(string_ref("$1")
)set(elements)
- represents(item1, item2, ...)
(set([string_ref("$1"), string_ref("$2")])
)range(low, high)
- represents(low .. high)
(range(int_val(100), int_val(200))
)match_count(ref)
- represents match count of string identifierref
(match_count("$1")
)match_length(ref, [n])
- representn``th match (default: 0) length of string identifier ``ref
(match_length("$1", int_val(1))
)match_offset(ref, [n])
- representsn``th match (default: 0) offset of string identifier ``ref
(match_offset("$1", int_val(1))
)match_at(ref, expr)
- represents<ref> at <expr>
(match_at("$1", int_val(100))
)match_in_range(ref, range)
- represents<ref> in <range>
(match_in_range("$1", range(int_val(100), int_val(200)))
)regexp(regexp, mods) - represents regular expression in form ``/<regexp>/<mods>
(regexp("^a.*b$", "i")
)for_loop(spec, var, set, body)
- representsfor
loop over array or set of integers (for_loop(any(), "i", range(int_val(100), int_val(200)), match_at("$1", id("i")))
)for_loop(spec, var1, var2, set, body)
- representsfor
loop over dictionary (for_loop(any(), "k", "v", id("pe").access("version_info"), True)
)for_loop(spec, set, body)
- representsfor
loop over set of string references (for_loop(any(), set({string_ref("$*")}), match_at("$", int_val(100))
)of(spec, set)
- represents<spec> of <set>
(of(all(), them())
)of_in_range(spec, set, range)
- represents<spec> of <set> in <range>
(of(all(), them(), range(int_val(100), int_val(200)))
)of_at(spec, set, offset)
- represents<spec> of <set> at <offset>
(of(all(), them(), int_val(200))
)of(spec, iterable)
- represents<spec> of <iterable>
(of(any(), iterable([bool_val(False), bool_val(True)]))
)paren(expr, [newline])
- represents parentheses around expressions andnewline
indicator for putting enclosed expression on its own line (paren(int_val(10))
)conjunction(terms, [newline])
- represents conjunction ofterms
and optionally puts them on each separate line ifnewline
is set (conjunction({id("rule1"), id("rule2")})
)disjunction(terms, [newline])
- represents disjunction ofterms
and optionally puts them on each separate line ifnewline
is set (disjunction({id("rule1"), id("rule2")})
)
Complex expression methods
__invert__
- represents bitwise not (~hex_int_val(0x100)
)__neg__
- represents unary operator-
(-id("i")
)__lt__
- represents operator<
(match_offset("$1") < int_val(100)
)__gt__
- represents operator>
(match_offset("$1") > int_val(100)
)__le__
- represents operator<=
(match_offset("$1") <= int_val(100)
)__ge__
- represents operator>=
(match_offset("$1") >= int_val(100)
)__add__
- represents operator+
(match_offset("$1") + int_val(100)
)__sub__
- represents operator-
(match_offset("$1") - int_val(100)
)__mul__
- represents operator*
(match_offset("$1") * int_val(100)
)__truediv__
- represents operator/
(match_offset("$1") / int_val(100)
)__mod__
- represents operator%
(match_offset("$1") % int_val(100)
)__xor__
- represents bitwise xor (match_offset("$1") ^ int_val(100)
)__and__
- represents bitwise and (match_offset("$1") & int_val(100)
)__or__
- represents bitwise or (match_offset("$1") | int_val(100)
)__lshift__
- represents bitwise shift left (match_offset("$1") << int_val(10)
)__rshift__
- represents bitwise shift right (match_offset("$1") >> int_val(10)
)__call__
- represent call to function (id("func")(int_val(100), int_val(200))
)call(args)
- represents call to function (id("func").call({int_val(100), int_val(200)})
)contains(rhs)
- represents operatorcontains
(id("signature").contains(string_val("hello"))
)matches(rhs)
- represents operatormatches
(id("signature").matches(regexp("^a.*b$", "i"))
)iequals(rhs)
- represents operatoriequals
(id("signature").iequals(string_val("hello"))
)icontains(rhs)
- represents operatoricontains
(id("signature").icontains(string_val("hello"))
)endswith(rhs)
- represents operatorendswith
(id("signature").endswith(string_val("hello"))
)iendswith(rhs)
- represents operatoriendswith
(id("signature").iendswith(string_val("hello"))
)startswith(rhs)
- represents operatorstartswith
(id("signature").startswith(string_val("hello"))
)istartswith(rhs)
- represents operatoristartswith
(id("signature").istartswith(string_val("hello"))
)access(rhs)
- represents operator.
as access to structure (id("pe").access("numer_of_sections")
)__getitem__
- represents operator[]
as access to array (id("pe").access("sections")[int_val(0)]
)read_int8(be)
- represents call to special functionint8(be)
(int_val(100).read_int8()
)read_int16(be)
- represents call to special functionint16(be)
(int_val(100).read_int16()
)read_int32(be)
- represents call to special functionint32(be)
(int_val(100).read_int32()
)read_uint8(be)
- represents call to special functionuint8(be)
(int_val(100).read_uint8()
)read_uint16(be)
- represents call to special functionuint16(be)
(int_val(100).read_uint16()
)read_uint32(be)
- represents call to special functionuint32(be)
(int_val(100).read_uint32()
)
Hex strings
YaraHexStringBuilder(byte)
- creates two nibbles out of byte value.wildcard()
- creates??
wildcard_low(nibble)
-<nibble>?
wildcard_high(nibble)
-?<nibble>
jump_varying()
-[-]
jump_fixed(offset)
-[<offset>]
jump_varyingRange(low)
-[<low>-]
jump_range(low, high)
-[<low>-<high>]
alt([units])
-(unit1|unit2|...)
Rule
with_name(name)
- specify rule namewith_modifier(mod)
- specify whether rule is private or public (Rule::Modifier::Private
orRule::Modifier::Public
)with_tag(tag)
- specify rule tagwith_string_meta(key, value)
- specify string metawith_int_meta(key, value)
- specify integer metawith_uint_meta(key, value)
- specify unsigned integer metawith_hex_int_meta(key, value)
- specify hexadecimal integer metawith_bool_meta(key, value)
- specify boolean metawith_plain_string(id, value)
- specify plain string with identifierid
and contentvalue
with_hex_string(id, str)
- specify hex string (str
is of typeHexString
)with_regexp(id, value, mod)
- specify regular expression with identifierid
and contentvalue with modifiers ``mod
(These modifiers are tied to the regular expression and come after last/
.)with_condition(cond)
- specify conditionascii()
- ties to the latest definedwith_plain_string()
,with_hex_string()
orwith_regexp()
and addsascii
modifier to the list of its modifierswide()
- ties to the latest definedwith_plain_string()
,with_hex_string()
orwith_regexp()
and addswide
modifier to the list of its modifiersnocase()
- ties to the latest definedwith_plain_string()
,with_hex_string()
orwith_regexp()
and addsnocase
modifier to the list of its modifiersfullword()
- ties to the latest definedwith_plain_string()
,with_hex_string()
orwith_regexp()
and addsfullword
modifier to the list of its modifiersprivate()
- ties to the latest definedwith_plain_string()
,with_hex_string()
orwith_regexp()
and addsprivate
modifier to the list of its modifiersxor()
- ties to the latest definedwith_plain_string()
,with_hex_string()
orwith_regexp()
and addsxor
modifier to the list of its modifiersxor(key)
- ties to the latest definedwith_plain_string()
,with_hex_string()
orwith_regexp()
and addsxor(key)
modifier to the list of its modifiersxor(low, high)
- ties to the latest definedwith_plain_string()
,with_hex_string()
orwith_regexp()
and addsxor(low-high)
modifier to the list of its modifiersbase64
- ties to the latest definedwith_plain_string()
,with_hex_string()
orwith_regexp()
and addsbase64
modifier to the list of its modifiersbase64(alphabet)
- ties to the latest definedwith_plain_string()
,with_hex_string()
orwith_regexp()
and addsbase64(alphabet)
modifier to the list of its modifiersbase64wide
- ties to the latest definedwith_plain_string()
,with_hex_string()
orwith_regexp()
and addsbase64wide
modifier to the list of its modifiersbase64wide(alphabet)
- ties to the latest definedwith_plain_string()
,with_hex_string()
orwith_regexp()
and addsbase64wide(alphabet)
modifier to the list of its modifiers
YARA file
with_module(name)
- specifiesimport
of module namedname
with_rule(rule)
- adds the rule into file
Basic expression functions
filesize()
- representsfilesize
keywordentrypoint()
- representsentrypoint
keywordall()
- representsall
keywordany()
- representsany
keywordthem()
- representsthem
keywordintVal(val, [mult])
- represents signed integer with multiplier (default:IntMultiplier::None
) (intVal(10)
,intVal(10, IntMultiplier::Kilobytes)
,intVal(10, IntMultiplier::Megabytes)
)uintVal(val, [mult])
- represents unsigned integer with multiplier (default:IntMultiplier::None
) (intVal(10)
,intVal(10, IntMultiplier::Kilobytes)
,intVal(10, IntMultiplier::Megabytes)
)hexIntVal(val)
- represents hexadecimal integer (hexIntVal(0x10)
)doubleVal(val)
- represents double floating-point value (doubleVal(3.14)
)stringVal(str)
- represents string literal (stringVal("Hello World!")
)boolVal(bool)
- represents boolean literal (boolVal(true)
)id(id)
- represents single identifier with nameid
(id("pe")
)stringRef(ref)
- represents reference to string identifierref
(stringRef("$1")
)set(elements)
- represents(item1, item2, ...)
(set({stringRef("$1"), stringRef("$2")})
)range(low, high)
- represents(low .. high)
(range(intVal(100), intVal(200))
)matchCount(ref)
- represents match count of string identifierref
(matchCount("$1")
)matchLength(ref, [n])
- representn``th match (default: 0) length of string identifier ``ref
(matchLength("$1", intVal(1))
)matchOffset(ref, [n])
- representsn``th match (default: 0) offset of string identifier ``ref
(matchOffset("$1", intVal(1))
)matchAt(ref, expr)
- represents<ref> at <expr>
(matchAt("$1", intVal(100))
)matchInRange(ref, range)
- represents<ref> in <range>
(matchInRange("$1", range(intVal(100), intVal(200)))
)regexp(regexp, mods) - represents regular expression in form ``/<regexp>/<mods>
(regexp("^a.*b$", "i")
)forLoop(spec, var, set, body)
- representsfor
loop over array or set of integers (forLoop(any(), "i", range(intVal(100), intVal(200)), matchAt("$1", id("i")))
)forLoop(spec, var1, var2, set, body)
- representsfor
loop over dictionary (for_loop(any(), "k", "v", id("pe").access("version_info"), true)
)forLoop(spec, set, body)
- representsfor
loop over set of string references (forLoop(any(), set({stringRef("$*")}), matchAt("$", intVal(100))
)of(spec, set)
- represents<spec> of <set>
(of(all(), them())
)ofInRange(spec, set, range)
- represents<spec> of <set> in <range>
(of(all(), them(), range(intVal(100), intVal(200)))
)ofAt(spec, set, offset)
- represents<spec> of <set> at <offset>
(of(all(), them(), intVal(200))
)paren(expr, [newline])
- represents parentheses around expressions andnewline
indicator for putting enclosed expression on its own line (paren(intVal(10))
)conjunction(terms, [newline])
- represents conjunction ofterms
and optionally puts them on each separate line ifnewline
is set (conjunction({id("rule1"), id("rule2")})
). Theterms
parameter can be an array containing other expressions to be put together in the conjunction. But alsoterms
can be an array of pairs, where each pair contains a term to be put in the conjunction and a comment, which will be associated with the term and printed on the same linedisjunction(terms, [newline])
- represents disjunction ofterms
and optionally puts them on each separate line ifnewline
is set (disjunction({id("rule1"), id("rule2")})
). Theterms
parameter can be an array containing other expressions to be put together in the disjunction. But alsoterms
can be an array of pairs, where each pair contains a term to be put in the disjunction and a comment, which will be associated with the term and printed on the same line
Complex expression methods
operator!
- represents logicalnot
(!boolVal(true)
)operator~
- represents bitwise not (~hexIntVal(0x100)
)operator-
- represents unary operator-
(-id("i")
)operator&&
- represents logicaland
(id("rule1") && id("rule2")
)operator||
- represents logicalor
(id("rule1") || id("rule2")
)operator<
- represents operator<
(matchOffset("$1") < intVal(100)
)operator>
- represents operator>
(matchOffset("$1") > intVal(100)
)operator<=
- represents operator<=
(matchOffset("$1") <= intVal(100)
)operator>=
- represents operator>=
(matchOffset("$1") >= intVal(100)
)operator+
- represents operator+
(matchOffset("$1") + intVal(100)
)operator-
- represents operator-
(matchOffset("$1") - intVal(100)
)operator*
- represents operator*
(matchOffset("$1") * intVal(100)
)operator/
- represents operator/
(matchOffset("$1") / intVal(100)
)operator%
- represents operator%
(matchOffset("$1") % intVal(100)
)operator^
- represents bitwise xor (matchOffset("$1") ^ intVal(100)
)operator&
- represents bitwise and (matchOffset("$1") & intVal(100)
)operator|
- represents bitwise or (matchOffset("$1") | intVal(100)
)operator<<
- represents bitwise shift left (matchOffset("$1") << intVal(10)
)operator>>
- represents bitwise shift right (matchOffset("$1") >> intVal(10)
)operator()
- represent call to function (id("func")(intVal(100), intVal(200))
)call(args)
- represents call to function (id("func").call({intVal(100), intVal(200)})
)contains(rhs)
- represents operatorcontains
(id("signature").contains(stringVal("hello"))
)matches(rhs)
- represents operatormatches
(id("signature").matches(regexp("^a.*b$", "i"))
)iequals(rhs)
- represents operatoriequals
(id("signature").iequals(stringVal("hello"))
)icontains(rhs)
- represents operatoricontains
(id("signature").icontains(stringVal("hello"))
)endswith(rhs)
- represents operatorendswith
(id("signature").endswith(stringVal("hello"))
)iendswith(rhs)
- represents operatoriendswith
(id("signature").iendswith(stringVal("hello"))
)startswith(rhs)
- represents operatorstartswith
(id("signature").startswith(stringVal("hello"))
)istartswith(rhs)
- represents operatoristartswith
(id("signature").istartswith(stringVal("hello"))
)access(rhs)
- represents operator.
as access to structure (id("pe").access("numer_of_sections")
)operator[]
- represents operator[]
as access to array (id("pe").access("sections")[intVal(0)]
)readInt8(be)
- represents call to special functionint8(be)
(intVal(100).readInt8()
)readInt16(be)
- represents call to special functionint16(be)
(intVal(100).readInt16()
)readInt32(be)
- represents call to special functionint32(be)
(intVal(100).readInt32()
)readUInt8(be)
- represents call to special functionuint8(be)
(intVal(100).readUInt8()
)readUInt16(be)
- represents call to special functionuint16(be)
(intVal(100).readUInt16()
)readUInt32(be)
- represents call to special functionuint32(be)
(intVal(100).readUInt32()
)comment(message, [multiline], [indent], [linebreak])
- adds a commentmessage
to the expression which then appears in the formatted text before the expression. Only themessage
parameter is required, themultiline
(defaultfalse
),indent
(default “”) andlinebreak
(defaulttrue
) parameters are optionalcommentBehind(message, [multiline], [indent], [linebreak])
- adds a commentmessage
to the expression which then appears in the formatted text after the expression. Only themessage
parameter is required, themultiline
(defaultfalse
),indent
(default “”) andlinebreak
(defaulttrue
) parameters are optional
Hex strings
YaraHexStringBuilder(byte)
- creates two nibbles out of byte value.wildcard()
- creates??
wildcardLow(nibble)
-<nibble>?
wildcardHigh(nibble)
-?<nibble>
jumpVarying()
-[-]
jumpFixed(offset)
-[<offset>]
jumpVaryingRange(low)
-[<low>-]
jumpRange(low, high)
-[<low>-<high>]
alt(units)
-(unit1|unit2|...)
Rule
withName(name)
- specify rule namewithModifier(mod)
- specify whether rule is private or public (Rule::Modifier::Private
orRule::Modifier::Public
)withTag(tag)
- specify rule tagwithStringMeta(key, value)
- specify string metawithIntMeta(key, value)
- specify integer metawithUIntMeta(key, value)
- specify unsigned integer metawithHexIntMeta(key, value)
- specify hexadecimal integer metawithBoolMeta(key, value)
- specify boolean metawithPlainString(id, value, mod)
- specify plain string with identifierid
and contentvalue
with modifiersmod
(String::Modifiers::Ascii
,String::Modifiers::Wide
,String::Modifiers::Nocase
,String::Modifiers::Fullword
)withHexString(id, str)
- specify hex string (str
is of typestd::shared_ptr<HexString>
)withRegexp(id, value, mod)
- specify regular expression with identifierid
and contentvalue with modifiers ``mod
(Modifiers here are different than modifiers in plain string. These modifiers are tied to the regular expression and come after last/
.)withCondition(cond)
- specify conditionascii()
- ties to the latest definedwithPlainString()
,withHexString()
orwithRegexp()
and addsascii
modifier to the list of its modifierswide()
- ties to the latest definedwithPlainString()
,withHexString()
orwithRegexp()
and addswide
modifier to the list of its modifiersnocase()
- ties to the latest definedwithPlainString()
,withHexString()
orwithRegexp()
and addsnocase
modifier to the list of its modifiersfullword()
- ties to the latest definedwithPlainString()
,withHexString()
orwithRegexp()
and addsfullword
modifier to the list of its modifiersprivate()
- ties to the latest definedwithPlainString()
,withHexString()
orwithRegexp()
and addsprivate
modifier to the list of its modifiersxor()
- ties to the latest definedwithPlainString()
,withHexString()
orwithRegexp()
and addsxor
modifier to the list of its modifiersxor(key)
- ties to the latest definedwithPlainString()
,withHexString()
orwithRegexp()
and addsxor(key)
modifier to the list of its modifiersxor(low, high)
- ties to the latest definedwithPlainString()
,withHexString()
orwithRegexp()
and addsxor(low-high)
modifier to the list of its modifiersbase64
- ties to the latest definedwithPlainString()
,withHexString()
orwithRegexp()
and addsbase64
modifier to the list of its modifiersbase64(alphabet)
- ties to the latest definedwithPlainString()
,withHexString()
orwithRegexp()
and addsbase64(alphabet)
modifier to the list of its modifiersbase64wide
- ties to the latest definedwithPlainString()
,withHexString()
orwithRegexp()
and addsbase64wide
modifier to the list of its modifiersbase64wide(alphabet)
- ties to the latest definedwithPlainString()
,withHexString()
orwithRegexp()
and addsbase64wide(alphabet)
modifier to the list of its modifiers
YARA file
withModule(name)
- specifiesimport
of module namedname
withRule(rule)
- adds the rule into file