=======
Console
=======

import "console"

rule complex {
    condition:
        for all k in (1, 2, 3) : (
            (k == 1 and console.log("Hello")) or
            (k == 2 and console.log("world")) or
            (k == 3 and console.log("!"))
        )
}

---

(yara_file
    (import
        (string_literal
            (string_literal_str)
        )
    )
    (rule
        (rule_head
            (identifier)
        )
        (rule_body
            (for_int
                (all)
                (var_list
                    (identifier)
                )
                (enum
                    (uint_literal
                        (dec_uint_literal_value)
                    )
                    (uint_literal
                        (dec_uint_literal_value)
                    )
                    (uint_literal
                        (dec_uint_literal_value)
                    )
                )
                (or
                    (or
                        (parentheses
                            (and
                                (equal
                                    (identifier)
                                    (uint_literal
                                        (dec_uint_literal_value)
                                    )
                                )
                                (function_call
                                    (structure_access
                                        (identifier)
                                        (identifier)
                                    )
                                    (argument_list
                                        (string_literal
                                            (string_literal_str)
                                        )
                                    )
                                )
                            )
                        )
                        (parentheses
                            (and
                                (equal
                                    (identifier)
                                    (uint_literal
                                        (dec_uint_literal_value)
                                    )
                                )
                                (function_call
                                    (structure_access
                                        (identifier)
                                        (identifier)
                                    )
                                    (argument_list
                                        (string_literal
                                            (string_literal_str)
                                        )
                                    )
                                )
                            )
                        )
                    )
                    (parentheses
                        (and
                            (equal
                                (identifier)
                                (uint_literal
                                    (dec_uint_literal_value)
                                )
                            )
                            (function_call
                                (structure_access
                                    (identifier)
                                    (identifier)
                                )
                                (argument_list
                                    (string_literal
                                        (string_literal_str)
                                    )
                                )
                            )
                        )
                    )
                )
            )
        )
    )
)


===================
Nested for iterator
===================

import "console"

rule main {
    condition:
        for all i in (1..10) : (
	    console.log("Mutliples of ", i) and
            for all j in (1..10) : (
                console.log(i*j)
            )
        ) 
}

---

(yara_file
    (import 
        (string_literal
            (string_literal_str)
        )
    )

    (rule
        (rule_head
            (identifier)
        )
        (rule_body
            (for_int
                (all)
                (var_list
                    (identifier)
                )
                (range
                    (uint_literal
                        (dec_uint_literal_value)
                    )
                    (uint_literal
                        (dec_uint_literal_value)
                    )
                )
                (and
                    (function_call
                        (structure_access
                            (identifier)
                            (identifier)
                        )
                        (argument_list
                            (string_literal
                                (string_literal_str)
                            )
                            (identifier)
                        )
                    )
                    (for_int
                        (all)
                        (var_list
                            (identifier)
                        )
                        (range
                            (uint_literal
                                (dec_uint_literal_value)
                            )
                            (uint_literal
                                (dec_uint_literal_value)
                            )
                        )
                        (function_call
                            (structure_access
                                (identifier)
                                (identifier)
                            )
                            (argument_list
                                (multiplication
                                    (identifier)
                                    (identifier)
                                )
                            )
                        )
                    )
                )
            )
        )
    )
)


=============================
Complex #1 (ext. var, string)
=============================

rule complex1 : tag1 {
    strings:
        $sample = "Sample\x10"
    condition:
        $sample or ext_var and (ext_var != "Sample\x10")
}

---

(yara_file
    (rule
        (rule_head
            (identifier)
            (tag_list
                (tag
                    (identifier)
                )
            )
        )
        (rule_body
            (strings_list
                (string
                    (string_identifier)
                    (string_literal
                        (string_literal_str
                            (string_esc_seq)
                        )
                    )
                )
            )
            (or
                (string_identifier)
                (and
                    (identifier)
                    (parentheses
                        (not_equal
                            (identifier)
                            (string_literal
                                (string_literal_str
                                    (string_esc_seq)
                                )
                            )
                        )
                    )
                )
            )
        )
    )
)


=====================================
Complex #2 (of, for, string wildcars)
=====================================

rule complex2 {
    meta:
        meta_key = "VALUE"
    strings:
        $foo1 = "string"
        $foo2 = "String"
        $foo3 = "string"
        $bar1 = "string"
        $bar2 = "string"
    condition:
        4 of ($foo*, $bar*) and for any of them : (
            $ in (1..filesize-10)
        )
}

---

(yara_file
    (rule
        (rule_head
            (identifier)
        )
        (rule_body
            (meta_list
                (meta
                    (identifier)
                    (string_literal
                        (string_literal_str)
                    )
                )
            )
            (strings_list
                (string
                    (string_identifier)
                    (string_literal
                        (string_literal_str)
                    )
                )
                (string
                    (string_identifier)
                    (string_literal
                        (string_literal_str)
                    )
                )
                (string
                    (string_identifier)
                    (string_literal
                        (string_literal_str)
                    )
                )
                (string
                    (string_identifier)
                    (string_literal
                        (string_literal_str)
                    )
                )
                (string
                    (string_identifier)
                    (string_literal
                        (string_literal_str)
                    )
                )
            )
            (and
                (of
                    (uint_literal
                        (dec_uint_literal_value)
                    )
                    (string_set
                        (string_wildcard
                            (string_identifier)
                        )
                        (string_wildcard
                            (string_identifier)
                        )
                    )
                )
                (for
                    (any)
                    (them)
                    (in
                        (string_identifier)
                        (range
                            (uint_literal
                                (dec_uint_literal_value)
                            )
                            (subtraction
                                (identifier)
                                (uint_literal
                                    (dec_uint_literal_value)
                                )
                            )
                        )
                    )
                )
            )
        )
    )
)


==================================
Complex #3 (rule ref., string set)
==================================

rule r1 {
    condition:
        true
}

rule r2 {
    condition:
        true
}

rule r3 {
    condition:
        true
}

rule main {
    strings:
        $s1 = "string"
        $s2 = "string"
        $s3 = "string"
    condition:
        all of (r*) and 2 of ($s*) 
}

---

(yara_file
    (rule
        (rule_head
            (identifier)
        )
        (rule_body
            (bool_literal)
        )
    )
    (rule
        (rule_head
            (identifier)
        )
        (rule_body
            (bool_literal)
        )
    )
    (rule
        (rule_head
            (identifier)
        )
        (rule_body
            (bool_literal)
        )
    )
    (rule
        (rule_head
            (identifier)
        )
        (rule_body
            (strings_list
                (string
                    (string_identifier)
                    (string_literal
                        (string_literal_str)
                    )
                )
                (string
                    (string_identifier)
                    (string_literal
                        (string_literal_str)
                    )
                )
                (string
                    (string_identifier)
                    (string_literal
                        (string_literal_str)
                    )
                )
            )
            (and
                (of
                    (all)
                    (rule_set
                        (rule_wildcard
                            (identifier)
                        )
                    )
                )
                (of
                    (uint_literal
                        (dec_uint_literal_value)
                    )
                    (string_set
                        (string_wildcard
                            (string_identifier)
                        )
                    )
                )
            )
        )
    )
)


===============================================
Complex #4 (for over strings, of with rule set)
===============================================

rule r1 {
	condition: true
}

rule r2 {
	condition: false
}


rule main {
    strings:
        $a = "abc"
        $b = "def"
    condition:
	    for all of ($a, $b) : ( 
            any of (r*) and $ 
        )
}

---

(yara_file
    (rule
        (rule_head
            (identifier)
        )
        (rule_body
            (bool_literal)
        )
    )
    (rule
        (rule_head
            (identifier)
        )
        (rule_body
            (bool_literal)
        )
    )
    (rule
        (rule_head
            (identifier)
        )
        (rule_body
            (strings_list
                (string
                    (string_identifier)
                    (string_literal
                        (string_literal_str)
                    )
                )
                (string
                    (string_identifier)
                    (string_literal
                        (string_literal_str)
                    )
                )
            )
            (for
                (all)
                (string_set
                    (string_identifier)
                    (string_identifier)
                )
                (and
                    (of
                        (any)
                        (rule_set
                            (rule_wildcard
                                (identifier)
                            )
                        )
                    )
                    (string_identifier)
                )
            )
        )
    )
)


