# https://yara.readthedocs.io/en/latest/

# Keywords
"all"
"and"
"any"
"ascii"
"at"
"condition"
"contains"
"entrypoint"
"false"
"filesize"
"for"
"fullword"
"global"
"import"
"in"
"include"
"int16"
"int16be"
"int32"
"int32be"
"int8"
"int8be"
"matches"
"meta"
"nocase"
"not"
"of"
"or"
"private"
"rule"
"strings"
"them"
"true"
"uint16"
"uint16be"
"uint32"
"uint32be"
"uint8"
"uint8be"
"wide"
"xor"

# pe module
"\"pe\""
"pe.machine"
"pe.checksum"
"pe.calculate_checksum"
"pe.subsystem"
"pe.timestamp"
"pe.pointer_to_symbol_table"
"pe.number_of_sumbols"
"pe.size_of_optional_header"
"pe.pothdr_magic"
"pe.size_of_code"
"pe.size_of_initialized_data"
"pe.size_of_unnitialized_data"
"pe.entrypoint"
"pe.base_of_code"
"pe.base_of_data"
"pe.image_base"
"pe.section_alignment"
"pe.file_alignment"
"pe.win32_version_value"
"pe.size_of_image"
"pe.size_of_headers"
"pe.characteristics"
"pe.linker_version"
"pe.os_version"
"pe.image_version"
"pe.subsystem_version"
"pe.dll_characteristics"
"pe.size_of_stack_reserve"
"pe.size_of_stack_commit"
"pe.size_of_heap_reserve"
"pe.size_of_heap_commit"
"pe.loader_flags"
"pe.number_of_rva_and_sizes"
"pe.data_directories"
"pe.number_of_sections"
"pe.sections"
"pe.overlay"
"pe.number_of_resources"
"pe.resource_timestamp"
"pe.resource_version"
"pe.resources"
"pe.version_info"
"pe.number_of_signatures"
"pe.signatures"
"pe.rich_signature"
"pe.exports"
"pe.number_of_exports"
"pe.number_of_imports"
"pe.imports"
"pe.locale"
"pe.language"
"pe.imphash"
"pe.section_index"
"pe.is_dll()"
"pe.is_32bit()"
"pe.is_64bit()"
"pe.rva_to_offset"

# elf module
"\"elf\""
"elf.type"
"elf.machine"
"elf.entry_point"
"elf.number_of_sections"
"elf.sections"
"elf.number_of_segments"
"elf.segments"
"elf.dynamic_section_entires"
"elf.dynamic"
"elf.symtab_entries"
"elf.symtab"

# cuckoo module
"\"cuckoo\""
"cuckoo.network"
"cuckoo.registry"
"cuckoo.filesystem"
"cuckoo.sync"

# magic module
"\"magic\""
"magic.type()"
"magic.mime_type()"


# hash module
"\"hash\""
"hash.md5"
"hash.sha1"
"hash.sha256"
"hash.checksum32"
"hash.crc32"

# math module
"\"math\""
"math.entropuy"
"math.monte_carlo_pi"
"math.serial_correlation"
"math.mean"
"math.deviation"
"math.in_range"
"math.max"
"max.min"

# dotnet module
"\"dotnet\""
"dotnet.version"
"dotnet.module_name"
"dotnet.number_of_streams"
"dotnet.streams"
"dotnet.number_of_guid"
"dotnet.guids"
"dotnet.number_of_resources"
"dotnet.resources"
"dotnet.assembly"
"dotnet.number_of_modulerefs"
"dotnet.modulerefs"
"dotnet.typelib"
"dotnet.assembly_refs"
"dotnet.number_of_user_strings"
"dotnet.user_strings"
"dotnet.number_of_field_offsets"
"dotnet.field_offsets"

# time module
"\"time\""
"time.now()"


# misc
"/*"
"*/"
"//"
"$a="
"{a?}"
"[0-9]"
"{(0A|??)}"
"<<"
">>"
"#a"
"$a"
".."
"@a"

# regex
"*?"
"+?"
"??"
"{1,2}?"