# https://yara.readthedocs.io/en/latest/

# Keywords
"all"
"and"
"any"
"ascii"
"at"
"condition"
"contains"
"entrypoint"
"false"
"filesize"
"for"
"fullword"
"global"
"import"
"in"
"include"
"int16"
"int16be"
"int32"
"int32be"
"int8"
"int8be"
"matches"
"meta"
"nocase"
"not"
"of"
"or"
"private"
"rule"
"strings"
"them"
"true"
"uint16"
"uint16be"
"uint32"
"uint32be"
"uint8"
"uint8be"
"wide"
"xor"

# pe module
"\"pe\""
"pe.machine"
"pe.checksum"
"pe.calculate_checksum"
"pe.subsystem"
"pe.timestamp"
"pe.pointer_to_symbol_table"
"pe.number_of_symbols"
"pe.size_of_optional_header"
"pe.opthdr_magic"
"pe.size_of_code"
"pe.size_of_initialized_data"
"pe.size_of_uninitialized_data"
"pe.entrypoint"
"pe.base_of_code"
"pe.base_of_data"
"pe.image_base"
"pe.section_alignment"
"pe.file_alignment"
"pe.win32_version_value"
"pe.size_of_image"
"pe.size_of_headers"
"pe.characteristics"
"pe.linker_version"
"pe.os_version"
"pe.image_version"
"pe.subsystem_version"
"pe.dll_characteristics"
"pe.size_of_stack_reserve"
"pe.size_of_stack_commit"
"pe.size_of_heap_reserve"
"pe.size_of_heap_commit"
"pe.loader_flags"
"pe.number_of_rva_and_sizes"
"pe.data_directories"
"pe.number_of_sections"
"pe.sections"
"pe.overlay"
"pe.number_of_resources"
"pe.resource_timestamp"
"pe.resource_version"
"pe.resources"
"pe.version_info"
"pe.number_of_signatures"
"pe.signatures"
"pe.rich_signature"
"pe.exports"
"pe.number_of_exports"
"pe.number_of_imports"
"pe.imports"
"pe.locale"
"pe.language"
"pe.imphash"
"pe.section_index"
"pe.is_dll()"
"pe.is_32bit()"
"pe.is_64bit()"
"pe.rva_to_offset"

# elf module
"\"elf\""
"elf.type"
"elf.machine"
"elf.entry_point"
"elf.number_of_sections"
"elf.sections"
"elf.number_of_segments"
"elf.segments"
"elf.dynamic_section_entries"
"elf.dynamic"
"elf.symtab_entries"
"elf.symtab"

# cuckoo module
"\"cuckoo\""
"cuckoo.network"
"cuckoo.registry"
"cuckoo.filesystem"
"cuckoo.sync"

# magic module
"\"magic\""
"magic.type()"
"magic.mime_type()"


# hash module
"\"hash\""
"hash.md5"
"hash.sha1"
"hash.sha256"
"hash.checksum32"
"hash.crc32"

# math module
"\"math\""
"math.entropy"
"math.monte_carlo_pi"
"math.serial_correlation"
"math.mean"
"math.deviation"
"math.in_range"
"math.max"
"math.min"

# dotnet module
"\"dotnet\""
"dotnet.version"
"dotnet.module_name"
"dotnet.number_of_streams"
"dotnet.streams"
"dotnet.number_of_guids"
"dotnet.guids"
"dotnet.number_of_resources"
"dotnet.resources"
"dotnet.assembly"
"dotnet.number_of_modulerefs"
"dotnet.modulerefs"
"dotnet.typelib"
"dotnet.assembly_refs"
"dotnet.number_of_user_strings"
"dotnet.user_strings"
"dotnet.number_of_field_offsets"
"dotnet.field_offsets"

# time module
"\"time\""
"time.now()"


# misc
"/*"
"*/"
"//"
"$a="
"{a?}"
"[0-9]"
"{(0A|??)}"
"<<"
">>"
"#a"
"$a"
".."
"@a"

# regex
"*?"
"+?"
"??"
"{1,2}?"