Lib.rs

Parser implementationsBoreal
#yara #parser #boreal

boreal-parser

A parser library for YARA files, intended for use with the boreal library

by Vincent Thiberville

6 releases (breaking)

0.6.0 Jun 9, 2024
0.5.0 Feb 16, 2024
0.4.0 Feb 11, 2024
0.3.0 Sep 12, 2023
0.1.0 Dec 4, 2022

#1118 in Parser implementations

50 downloads per month
Used in 2 crates (via boreal)

MIT/Apache

295KB
8K SLoC

boreal-parser

This crate provides a parser for YARA files.

Build status Crates.io Documentation

Overview

This crate is designed to be used by the boreal crate, which implements evaluation of YARA rules.

YARA version supported

All features available in the 4.5 version of YARA are handled.

lib.rs:

Parser for YARA rules.

This crate is designed to be used by the boreal crate.

It exposes a main entrypoint function, parse, which parses the contents of a YARA file.

use boreal_parser::*;
use boreal_parser::expression::*;
use boreal_parser::file::*;
use boreal_parser::rule::*;

let file = parse(r#"
import "pe"

private rule b : tag1 {
    meta:
        a = true
    strings:
        $b = "\\mspaint.exe" wide
    condition:
        pe.is_dll() and all of them
}"#)?;

assert_eq!(
    file.components[0],
    YaraFileComponent::Import(Import {
        name: "pe".to_owned(),
        span: 1..12,
    })
);
assert_eq!(
    file.components[1],
    YaraFileComponent::Rule(Box::new(Rule {
        name: "b".to_owned(),
        name_span: 27..28,
        tags: vec![RuleTag {
            tag: "tag1".to_owned(),
            span: 31..35
        }],
        metadatas: vec![Metadata {
            name: "a".to_owned(),
            value: MetadataValue::Boolean(true)
        }],
        variables: vec![VariableDeclaration {
            name: "b".to_owned(),
            value: VariableDeclarationValue::Bytes(b"\\mspaint.exe".to_vec()),
            modifiers: VariableModifiers {
                wide: true,
                ..Default::default()
            },
            span: 86..111,
        }],

        condition: Expression {
            expr: ExpressionKind::And(vec![
                Expression {
                    expr: ExpressionKind::Identifier(Identifier {
                        name: "pe".to_owned(),
                        name_span: 135..137,
                        operations: vec![
                            IdentifierOperation {
                                op: IdentifierOperationType::Subfield(
                                    "is_dll".to_owned()
                                ),
                                span: 137..144,
                            },
                            IdentifierOperation {
                                op: IdentifierOperationType::FunctionCall(vec![]),
                                span: 144..146,
                            }
                        ],
                    }),
                    span: 135..146,
                },
                Expression {
                    expr: ExpressionKind::For {
                        selection: ForSelection::All,
                        set: VariableSet { elements: vec![] },

                        body: None,
                    },
                    span: 151..162,
                }
            ]),
            span: 135..162
        },
        is_private: true,
        is_global: false,
    }))
);

Dependencies

~2–9MB
~76K SLoC