====================
Bitwise operators #1
====================

rule rule123 {
    condition:
        0xf & 0x0 | 0xf & 0xe ^~0xaa
}

---

(yara_file
    (rule
        (rule_head
            (identifier)
        )
        (rule_body
            (bitwise_or
                (bitwise_and
                    (uint_literal
                        (hex_uint_literal_value)
                    )
                    (uint_literal
                        (hex_uint_literal_value)
                    )
                )
                (bitwise_xor
                    (bitwise_and
                        (uint_literal
                            (hex_uint_literal_value)
                        )
                        (uint_literal
                            (hex_uint_literal_value)
                        )
                    )
                    (bitwise_not
                        (uint_literal
                            (hex_uint_literal_value)
                        )                    
                    )
                )
            )
        )
    )
)


====================
Bitwise operators #2
====================

rule rule123 {
    condition:
        2 >> 0 and 2 << 0
}

---

(yara_file
    (rule
        (rule_head
            (identifier)
        )
        (rule_body
            (and
                (right_shift
                    (uint_literal
                        (dec_uint_literal_value)
                    )
                    (uint_literal
                        (dec_uint_literal_value)
                    )
                )
                (left_shift
                    (uint_literal
                        (dec_uint_literal_value)
                    )
                    (uint_literal
                        (dec_uint_literal_value)
                    )
                )
            )
        )
    )
)


==============
Parentheses #1
==============

rule rule123 {
    condition:
        (2 * (1 + 2) + 2) * 3
}

---

(yara_file
    (rule
        (rule_head
            (identifier)
        )
        (rule_body
            (multiplication
                (primary_parentheses
                    (addition
                        (multiplication
                            (uint_literal
                                (dec_uint_literal_value)
                            )
                            (primary_parentheses
                                (addition
                                    (uint_literal
                                        (dec_uint_literal_value)
                                    )
                                    (uint_literal
                                        (dec_uint_literal_value)
                                    )
                                )
                            )
                        )
                        (uint_literal
                            (dec_uint_literal_value)
                        )
                    )
                )
                (uint_literal
                    (dec_uint_literal_value)
                )
            )
        )
    )
)


==============
Parentheses #2
==============

rule rule123 {
    condition:
        (true or false) and true
}

---

(yara_file
    (rule
        (rule_head
            (identifier)
        )
        (rule_body
            (and
                (parentheses
                    (or
                        (bool_literal)
                        (bool_literal)
                    )
                )
                (bool_literal)
            )
        )
    )
)


=====
At #1
=====

rule rule123 {
    strings:
        $str = "a"
    condition:
        $str at 100 + 1
}

---

(yara_file
    (rule
        (rule_head
            (identifier)
        )
        (rule_body
            (strings_list
                (string
                    (string_identifier)
                    (string_literal
                        (string_literal_str)
                    )
                )
            )
            (at
                (string_identifier)
                (addition
                    (uint_literal
                        (dec_uint_literal_value)
                    )
                    (uint_literal
                        (dec_uint_literal_value)
                    )
                )
            )
        )
    )
)


=====
At #2
=====

rule rule123 {
    strings:
        $str = "a"
    condition:
        not $str at 1
}

---

(yara_file
    (rule
        (rule_head
            (identifier)
        )
        (rule_body
            (strings_list
                (string
                    (string_identifier)
                    (string_literal
                        (string_literal_str)
                    )
                )
            )
            (not
                (at
                    (string_identifier)
                    (uint_literal
                        (dec_uint_literal_value)
                    )
                )
            )
        )
    )
)


=====
In #1
=====

rule rule123 {
    strings:
        $str = "a"
    condition:
        $str in (10..20)
}

---

(yara_file
    (rule
        (rule_head
            (identifier)
        )
        (rule_body
            (strings_list
                (string
                    (string_identifier)
                    (string_literal
                        (string_literal_str)
                    )
                )
            )
            (in
                (string_identifier)
                (range
                    (uint_literal
                        (dec_uint_literal_value)
                    )
                    (uint_literal
                        (dec_uint_literal_value)
                    )
                )
            )
        )
    )
)


=====
In #2
=====

rule rule123 {
    strings:
        $str = "a"
    condition:
        $str in (10..20+20)
}

---

(yara_file
    (rule
        (rule_head
            (identifier)
        )
        (rule_body
            (strings_list
                (string
                    (string_identifier)
                    (string_literal
                        (string_literal_str)
                    )
                )
            )
            (in
                (string_identifier)
                (range
                    (uint_literal
                        (dec_uint_literal_value)
                    )
                    (addition
                        (uint_literal
                            (dec_uint_literal_value)
                        )
                        (uint_literal
                            (dec_uint_literal_value)
                        )
                    )
                )
            )
        )
    )
)


====================
Offset with indexing
====================

rule _rule_123 {
    strings:
        $str = "C++"
    condition:
        @str[2] == 100  
}

---

(yara_file
    (rule
        (rule_head
            (identifier)
        )
        (rule_body
            (strings_list
                (string
                    (string_identifier)
                    (string_literal
                        (string_literal_str)
                    )
                )
            )
            (equal
                (indexed_offset
                    (string_offset)
                    (uint_literal
                        (dec_uint_literal_value)
                    )
                )
                (uint_literal
                    (dec_uint_literal_value)
                )
            )
        )
    )
)


==========================
Match length with indexing
==========================

rule _rule_123 {
    strings:
        $str = /C\++/
    condition:
        !str[1+1] == 3  
}

---

(yara_file
    (rule
        (rule_head
            (identifier)
        )
        (rule_body
            (strings_list
                (string
                    (string_identifier)
                    (regexp
                        (regexp_body
                            (regexp_cat
                                (regexp_char)
                                (regexp_rep
                                    (regexp_esc_seq)
                                    (regexp_rep_quantifier)
                                )
                            )
                        )
                    )
                )
            )
            (equal
                (indexed_match_length
                    (string_match_length)
                    (addition
                        (uint_literal
                            (dec_uint_literal_value)
                        )
                        (uint_literal
                            (dec_uint_literal_value)
                        )
                    )
                )
                (uint_literal
                    (dec_uint_literal_value)
                )
            )
        )
    )
)


===========
Filesize #1
===========

rule filesize_test {
    condition:
        filesize > 3KB  
}

---

(yara_file
    (rule
        (rule_head
            (identifier)
        )
        (rule_body
            (greater_than
                (identifier)
                (size_literal
                    (dec_uint_literal_value)
                    (filesize_unit)
                )
            )
        )
    )
)


===========
Filesize #2
===========

rule filesize_test {
    condition:
        filesize < 1000MB  
}

---

(yara_file
    (rule
        (rule_head
            (identifier)
        )
        (rule_body
            (less_than
                (identifier)
                (size_literal
                    (dec_uint_literal_value)
                    (filesize_unit)
                )
            )
        )
    )
)



========================
Entry point (deprecated)
========================

rule filesize_test {
    condition:
        entrypoint == 0x100
}

---

(yara_file
    (rule
        (rule_head
            (identifier)
        )
        (rule_body
            (equal
                (identifier)
                (uint_literal
                    (hex_uint_literal_value)
                )
            )
        )
    )
)




======
For #1
======

rule forTest {
    strings:
        $a = "a"
        $b = "b"
        $c = "c"
    condition:
        for all of ($a, $b, $c) : ( # == 2 )
}

---

(yara_file
    (rule
        (rule_head
            (identifier)
        )
        (rule_body
            (strings_list
                (string
                    (string_identifier)
                    (string_literal
                        (string_literal_str)
                    )
                )
                (string
                    (string_identifier)
                    (string_literal
                        (string_literal_str)
                    )
                )
                (string
                    (string_identifier)
                    (string_literal
                        (string_literal_str)
                    )
                )
            )
            (for
                (all)
                (string_set
                    (string_identifier)
                    (string_identifier)
                    (string_identifier)
                )
                (equal
                    (string_count)
                    (uint_literal
                        (dec_uint_literal_value)
                    )
                )
            )
        )
    )
)


======
For #2
======

rule forTest {
    strings:
        $a = "a"
        $b = "b"
        $c = "c"
    condition:
        for 1+0 of them : ( $ )
}

---

(yara_file
    (rule
        (rule_head
            (identifier)
        )
        (rule_body
            (strings_list
                (string
                    (string_identifier)
                    (string_literal
                        (string_literal_str)
                    )
                )
                (string
                    (string_identifier)
                    (string_literal
                        (string_literal_str)
                    )
                )
                (string
                    (string_identifier)
                    (string_literal
                        (string_literal_str)
                    )
                )
            )
            (for
                (addition
                    (uint_literal
                        (dec_uint_literal_value)
                    )
                    (uint_literal
                        (dec_uint_literal_value)
                    )
                )
                (them)
                (string_identifier)
            )
        )
    )
)


=======================
For iterator #1 (range)
=======================

rule forTest {
    condition:
        for all i in (1..10) : ( i < 11 )
}

---

(yara_file
    (rule
        (rule_head
            (identifier)
        )
        (rule_body
            (for_int
                (all)
                (var_list
                    (identifier)
                )
                (range
                    (uint_literal
                        (dec_uint_literal_value)
                    )
                    (uint_literal
                        (dec_uint_literal_value)
                    )
                )
                (less_than
                    (identifier)
                    (uint_literal
                        (dec_uint_literal_value)
                    )
                )
            )
        )
    )
)

======================
For iterator #2 (enum)
======================

rule forTest {
    condition:
        for any i in (1, 2, 3, 3+1) : ( i )
}

---

(yara_file
    (rule
        (rule_head
            (identifier)
        )
        (rule_body
            (for_int
                (any)
                (var_list
                    (identifier)
                )
                (enum
                    (uint_literal
                        (dec_uint_literal_value)
                    )
                    (uint_literal
                        (dec_uint_literal_value)
                    )
                    (uint_literal
                        (dec_uint_literal_value)
                    )
                    (addition
                        (uint_literal
                            (dec_uint_literal_value)
                        )
                        (uint_literal
                            (dec_uint_literal_value)
                        )
                    )
                )
                (identifier)
            )
        )
    )
)


=======
Include
=======

include "rules.yar"

rule my_rule_ {
    condition: true
}

---

(yara_file
    (include
        (string_literal
            (string_literal_str)
        )
    )
    (rule
        (rule_head
            (identifier)
        )
        (rule_body
            (bool_literal)
        )
    )
)


======
Import
======

import "pe"

rule my_rule_ {
    condition: true
}

---

(yara_file
    (import
        (string_literal
            (string_literal_str)
        )
    )
    (rule
        (rule_head
            (identifier)
        )
        (rule_body
            (bool_literal)
        )
    )
)


===================
Structure access #1
===================

import "my_module"

rule my_rule_ {
    condition: my_module.fsize == filesize
}

---

(yara_file
    (import
        (string_literal
            (string_literal_str)
        )
    )
    (rule
        (rule_head
            (identifier)
        )
        (rule_body
            (equal
                (structure_access
                    (identifier)
                    (identifier)
                )
                (identifier)
            )
        )
    )
)


===================
Structure access #2
===================

import "my_module"

rule my_rule_ {
    condition: my_module.fsize.first == filesize
}

---

(yara_file
    (import
        (string_literal
            (string_literal_str)
        )
    )
    (rule
        (rule_head
            (identifier)
        )
        (rule_body
            (equal
                (structure_access
                    (structure_access
                        (identifier)
                        (identifier)
                    )
                    (identifier)
                )
                (identifier)
            )
        )
    )
)


===================
Structure access #3
===================

import "my_module"

rule my_rule_ {
    condition: my_module.fsize.a.b.c == filesize
}

---

(yara_file
    (import
        (string_literal
            (string_literal_str)
        )
    )
    (rule
        (rule_head
            (identifier)
        )
        (rule_body
            (equal
                (structure_access
                    (structure_access
                        (structure_access
                            (structure_access
                                (identifier)
                                (identifier)
                            )
                            (identifier)
                        )
                        (identifier)
                    )
                    (identifier)
                )
                (identifier)
            )
        )
    )
)


========================
Array #1 (one dimension)
========================

import "my_module"

rule my_rule_ {
    condition: my_module.fsize[1] == filesize
}

---

(yara_file
    (import
        (string_literal
            (string_literal_str)
        )
    )
    (rule
        (rule_head
            (identifier)
        )
        (rule_body
            (equal
                (array_access
                    (structure_access
                        (identifier)
                        (identifier)
                    )
                    (uint_literal
                        (dec_uint_literal_value)
                    )
                )
                (identifier)
            )            
        )
    )
)


==============================
Array #2 (multiple dimensions)
==============================

import "my_module"

rule my_rule_ {
    condition: my_module.fsize[1][2][3] == filesize
}

---

(yara_file
    (import
        (string_literal
            (string_literal_str)
        )
    )
    (rule
        (rule_head
            (identifier)
        )
        (rule_body
            (equal
                (array_access
                    (array_access
                        (array_access
                            (structure_access
                                (identifier)
                                (identifier)
                            )
                            (uint_literal
                                (dec_uint_literal_value)
                            )
                        )
                        (uint_literal
                            (dec_uint_literal_value)
                        )
                    )
                    (uint_literal
                        (dec_uint_literal_value)
                    )
                )
                (identifier)
            )
        )
    )
)


==========================
Array #3 (with expression)
==========================

import "my_module"

rule my_rule_ {
    condition: my_module.fsize[1+k*v] == filesize
}

---

(yara_file
    (import
        (string_literal
            (string_literal_str)
        )
    )
    (rule
        (rule_head
            (identifier)
        )
        (rule_body
            (equal
                (array_access
                    (structure_access
                        (identifier)
                        (identifier)
                    )
                    (addition
                        (uint_literal
                            (dec_uint_literal_value)
                        )
                        (multiplication
                            (identifier)
                            (identifier)
                        )
                    )
                )
                (identifier)
            )
        )
    )
)


==========
Dictionary
==========

import "my_module"

rule my_rule_ {
    condition: my_module.fsize["key"] == filesize
}

---

(yara_file
    (import
        (string_literal
            (string_literal_str)
        )
    )
    (rule
        (rule_head
            (identifier)
        )
        (rule_body
            (equal
                (array_access
                    (structure_access
                        (identifier)
                        (identifier)
                    )
                    (string_literal
                        (string_literal_str)
                    )
                )
                (identifier)
            )
        )
    )
)


================
Function call #1
================

import "my_module"

rule f_call {
    condition:
        my_module.my_function(1)
}

---

(yara_file
    (import
        (string_literal
            (string_literal_str)
        )
    )
    (rule
        (rule_head
            (identifier)
        )
        (rule_body
            (function_call
                (structure_access
                    (identifier)
                    (identifier)
                )
                (argument_list
                    (uint_literal
                        (dec_uint_literal_value)
                    )
                )
            )
        )
    )
)


================
Function call #2
================

import "my_module"

rule f_call {
    condition:
        my_module.my_struct.my_function(1, "abc", 4.2, /i/, 4.2*2)
}

---

(yara_file
    (import
        (string_literal
            (string_literal_str)
        )
    )
    (rule
        (rule_head
            (identifier)
        )
        (rule_body
            (function_call
                (structure_access
                    (structure_access
                        (identifier)
                        (identifier)
                    )
                    (identifier)
                )
                (argument_list
                    (uint_literal
                        (dec_uint_literal_value)
                    )
                    (string_literal
                        (string_literal_str)
                    )
                    (float_literal)
                    (regexp
                        (regexp_body
                            (regexp_char)
                        )
                    )
                    (multiplication
                        (float_literal)
                        (uint_literal
                            (dec_uint_literal_value)
                        )
                    )
                )
            )
        )
    )
)


=========================================
n of [...] - trivial  #1 (avast specific)
=========================================


rule of_rule {
    condition:
        3 of [true, false, true, true, false]

}

---

(yara_file
    (rule
        (rule_head
            (identifier)
        )
        (rule_body
            (of
                (uint_literal
                    (dec_uint_literal_value)
                )
                (expression_enum
                    (bool_literal)
                    (bool_literal)
                    (bool_literal)
                    (bool_literal)
                    (bool_literal)
                )
            )
        )
    )
)


==========================================
n of [...] - any, all  #2 (avast specific)
==========================================

rule of_rule {
    condition:
        any of [0, 1] and all of [1, 1, 2]

}

---

(yara_file
    (rule
        (rule_head
            (identifier)
        )
        (rule_body
            (and
                (of
                    (any)
                    (expression_enum
                        (uint_literal
                            (dec_uint_literal_value)
                        )
                        (uint_literal
                            (dec_uint_literal_value)
                        )
                    )
                )
                (of
                    (all)
                    (expression_enum
                        (uint_literal
                            (dec_uint_literal_value)
                        )
                        (uint_literal
                            (dec_uint_literal_value)
                        )
                        (uint_literal
                            (dec_uint_literal_value)
                        )
                    )
                )
            )
        )
    )
)


=====================================================
n of [...] - with cuckoo function #3 (avast specific)
=====================================================

import "cuckoo"

rule of_rule {
    condition:
        2 of [
            cuckoo.registry.key_access(/^abc$/), 
            cuckoo.registry.key_access(/^def$/), 
            cuckoo.registry.key_access(/^ghi$/)
            ]

}


---

(yara_file
    (import
        (string_literal
            (string_literal_str)
        )
    )
    (rule
        (rule_head
            (identifier)
        )
        (rule_body
            (of
                (uint_literal
                    (dec_uint_literal_value)
                )
                (expression_enum
                    (function_call
                        (structure_access
                            (structure_access
                                (identifier)
                                (identifier)
                            )
                            (identifier)
                        )
                        (argument_list
                            (regexp
                                (regexp_body
                                    (regexp_cat
                                        (regexp_cat
                                            (regexp_cat
                                                (regexp_cat
                                                    (regexp_char_beg)
                                                    (regexp_char)
                                                )
                                                (regexp_char)
                                            )
                                            (regexp_char)
                                        )
                                        (regexp_char_eof)
                                    )
                                )
                            )
                        )
                    )
                    (function_call
                        (structure_access
                            (structure_access
                                (identifier)
                                (identifier)
                            )
                            (identifier)
                        )
                        (argument_list
                            (regexp
                                (regexp_body
                                    (regexp_cat
                                        (regexp_cat
                                            (regexp_cat
                                                (regexp_cat
                                                    (regexp_char_beg)
                                                    (regexp_char)
                                                )
                                                (regexp_char)
                                            )
                                            (regexp_char)
                                        )
                                        (regexp_char_eof)
                                    )
                                )
                            )
                        )
                    )
                    (function_call
                        (structure_access
                            (structure_access
                                (identifier)
                                (identifier)
                            )
                            (identifier)
                        )
                        (argument_list
                            (regexp
                                (regexp_body
                                    (regexp_cat
                                        (regexp_cat
                                            (regexp_cat
                                                (regexp_cat
                                                    (regexp_char_beg)
                                                    (regexp_char)
                                                )
                                                (regexp_char)
                                            )
                                            (regexp_char)
                                        )
                                        (regexp_char_eof)
                                    )
                                )
                            )
                        )
                    )
                )
            )      
        )
    )
)
