============================
Strings with one text string
============================

rule my_rule {
    strings:
        $str = "abc"
    condition:
        true
}

---

(yara_file
    (rule
        head: (rule_head
            id: (identifier)
        )
        body: (rule_body
            strings: (strings_list
                (string
                    id: (string_identifier)
                    value: (string_literal
                        str: (string_literal_str)
                    )
                )
            )
            
            condition: (bool_literal)
        )
    )
)


==================================
Strings with multiple text strings
==================================

rule my_rule {
    strings:
        $str = "    abc     "
        $str2 = "áýřů$"
        $str3 = "Hello world!"
    condition:
        true
}

---

(yara_file
    (rule
        head: (rule_head
            id: (identifier)
        )
        body: (rule_body
            strings: (strings_list
                (string
                    id: (string_identifier)
                    value: (string_literal
                        str: (string_literal_str)
                    )
                )
                (string
                    id: (string_identifier)
                    value: (string_literal
                        str: (string_literal_str)
                    )
                )    
                (string
                    id: (string_identifier)
                    value: (string_literal
                        str: (string_literal_str)
                    )
                )        
            )
            
            condition: (bool_literal)
        )
    )
)


=============================
Strings with escape sequences
=============================

rule my_rule {
    strings:
        $str = "\n\r\t"
        $str2 = "\"\x12"
        $str3 = "\\"
    condition:
        true
}

---

(yara_file
    (rule
        head: (rule_head
            id: (identifier)
        )
        body: (rule_body
            strings: (strings_list
                (string
                    id: (string_identifier)
                    value: (string_literal
                        str: (string_literal_str
                            (string_esc_seq)
                            (string_esc_seq)
                            (string_esc_seq)
                        )
                    )
                )
                (string
                    id: (string_identifier)
                    value: (string_literal
                        str: (string_literal_str
                            (string_esc_seq)
                            (string_esc_seq)
                        )
                    )
                )    
                (string
                    id: (string_identifier)
                    value: (string_literal
                        str: (string_literal_str
                            (string_esc_seq)
                        )
                    )
                )        
            )
            
            condition: (bool_literal)
        )
    )
)


===========================
Text strings with modifiers
===========================

rule my_rule {
    strings:
        $str = "ABC" ascii nocase 
    condition:
        true
}

---

(yara_file
    (rule
        head: (rule_head
            id: (identifier)
        )
        body: (rule_body
            strings: (strings_list
                (string
                    id: (string_identifier)
                    value: (string_literal
                        str: (string_literal_str)
                    )
                    mods: (str_mod_list
                        (str_mod)
                        (str_mod)
                    )
                )
            )
            
            condition: (bool_literal)
        )
    )
)


===============================
Text strings with ranged xor #1 
===============================

rule my_rule {
    strings:
        $str = "ABC" xor(0x00-0x01) nocase 
    condition:
        true
}

---

(yara_file
    (rule
        head: (rule_head
            id: (identifier)
        )
        body: (rule_body
            strings: (strings_list
                (string
                    id: (string_identifier)
                    value: (string_literal
                        str: (string_literal_str)
                    )
                    mods: (str_mod_list
                        (str_mod
                            range: (byte_range
                                lower: (uint_literal
                                    (hex_uint_literal_value)
                                )
                                upper: (uint_literal
                                    (hex_uint_literal_value)
                                )
                            )
                        )
                        (str_mod)
                    )
                )
            )
            
            condition: (bool_literal)
        )
    )
)


===============================
Text strings with ranged xor #2 
===============================

rule my_rule {
    strings:
        $str = "ABC" xor(1-2) wide 
    condition:
        true
}

---

(yara_file
    (rule
        head: (rule_head
            id: (identifier)
        )
        body: (rule_body
            strings: (strings_list
                (string
                    id: (string_identifier)
                    value: (string_literal
                        str: (string_literal_str)
                    )
                    mods: (str_mod_list
                        (str_mod
                            range: (byte_range
                                lower: (uint_literal
                                    (dec_uint_literal_value)
                                )
                                upper: (uint_literal
                                    (dec_uint_literal_value)
                                )
                            )
                        )
                        (str_mod)
                    )
                )
            )
            
            condition: (bool_literal)
        )
    )
)


===============================
Text strings with ranged xor #3 
===============================

rule my_rule {
    strings:
        $str = "ABC" xor(1-0x2) 
    condition:
        true
}

---

(yara_file
    (rule
        head: (rule_head
            id: (identifier)
        )
        body: (rule_body
            strings: (strings_list
                (string
                    id: (string_identifier)
                    value: (string_literal
                        str: (string_literal_str)
                    )
                    mods: (str_mod_list
                        (str_mod
                            range: (byte_range
                                lower: (uint_literal
                                    (dec_uint_literal_value)
                                )
                                upper: (uint_literal
                                    (hex_uint_literal_value)
                                )
                            )
                        )
                    )
                )
            )
            
            condition: (bool_literal)
        )
    )
)


=====================================
Text strings with xor with single key 
=====================================

rule my_rule {
    strings:
        $str = "123" xor(2) 
    condition:
        true
}

---

(yara_file
    (rule
        head: (rule_head
            id: (identifier)
        )
        body: (rule_body
            strings: (strings_list
                (string
                    id: (string_identifier)
                    value: (string_literal
                        str: (string_literal_str)
                    )
                    mods: (str_mod_list
                        (str_mod
                            range: (byte_range
                                key: (uint_literal
                                    (dec_uint_literal_value)
                                )
                            )
                        )
                    )
                )
            )
            
            condition: (bool_literal)
        )
    )
)


======================================
Text strings with base64 with alphabet
======================================

rule my_rule {
    strings:
        $str = "a" base64("0123456789012345678901234567890123456789012345678901234567890123") 
    condition:
        true
}

---

(yara_file
    (rule
        head: (rule_head
            id: (identifier)
        )
        body: (rule_body
            strings: (strings_list
                (string
                    id: (string_identifier)
                    value: (string_literal
                        str: (string_literal_str)
                    )
                    mods: (str_mod_list
                        (str_mod
                            alphabet: (string_literal
                                str: (string_literal_str)
                            )
                        )
                    )
                )
            )
            
            condition: (bool_literal)
        )
    )
)


==================
Empty strings body
==================

rule my_rule {
    strings:

    condition:
        true
}

---

(yara_file
    (ERROR 
        (rule_head
            (identifier)
        )
        (identifier)
        (bool_literal)
    )
)

