Diffstat (limited to 'dictionaries/yara.dict')
-rw-r--r-- | dictionaries/yara.dict | 196 |
1 files changed, 196 insertions, 0 deletions
diff --git a/dictionaries/yara.dict b/dictionaries/yara.dict
new file mode 100644
index 00000000..844d3e58
--- /dev/null
+++ b/dictionaries/yara.dict
@@ -0,0 +1,196 @@
+# https://yara.readthedocs.io/en/latest/
+
+# Keywords
+"all"
+"and"
+"any"
+"ascii"
+"at"
+"condition"
+"contains"
+"entrypoint"
+"false"
+"filesize"
+"for"
+"fullword"
+"global"
+"import"
+"in"
+"include"
+"int16"
+"int16be"
+"int32"
+"int32be"
+"int8"
+"int8be"
+"matches"
+"meta"
+"nocase"
+"not"
+"of"
+"or"
+"private"
+"rule"
+"strings"
+"them"
+"true"
+"uint16"
+"uint16be"
+"uint32"
+"uint32be"
+"uint8"
+"uint8be"
+"wide"
+"xor"
+
+# pe module
+"\"pe\""
+"pe.machine"
+"pe.checksum"
+"pe.calculate_checksum"
+"pe.subsystem"
+"pe.timestamp"
+"pe.pointer_to_symbol_table"
+"pe.number_of_sumbols"
+"pe.size_of_optional_header"
+"pe.pothdr_magic"
+"pe.size_of_code"
+"pe.size_of_initialized_data"
+"pe.size_of_unnitialized_data"
+"pe.entrypoint"
+"pe.base_of_code"
+"pe.base_of_data"
+"pe.image_base"
+"pe.section_alignment"
+"pe.file_alignment"
+"pe.win32_version_value"
+"pe.size_of_image"
+"pe.size_of_headers"
+"pe.characteristics"
+"pe.linker_version"
+"pe.os_version"
+"pe.image_version"
+"pe.subsystem_version"
+"pe.dll_characteristics"
+"pe.size_of_stack_reserve"
+"pe.size_of_stack_commit"
+"pe.size_of_heap_reserve"
+"pe.size_of_heap_commit"
+"pe.loader_flags"
+"pe.number_of_rva_and_sizes"
+"pe.data_directories"
+"pe.number_of_sections"
+"pe.sections"
+"pe.overlay"
+"pe.number_of_resources"
+"pe.resource_timestamp"
+"pe.resource_version"
+"pe.resources"
+"pe.version_info"
+"pe.number_of_signatures"
+"pe.signatures"
+"pe.rich_signature"
+"pe.exports"
+"pe.number_of_exports"
+"pe.number_of_imports"
+"pe.imports"
+"pe.locale"
+"pe.language"
+"pe.imphash"
+"pe.section_index"
+"pe.is_dll()"
+"pe.is_32bit()"
+"pe.is_64bit()"
+"pe.rva_to_offset"
+
+# elf module
+"\"elf\""
+"elf.type"
+"elf.machine"
+"elf.entry_point"
+"elf.number_of_sections"
+"elf.sections"
+"elf.number_of_segments"
+"elf.segments"
+"elf.dynamic_section_entires"
+"elf.dynamic"
+"elf.symtab_entries"
+"elf.symtab"
+
+# cuckoo module
+"\"cuckoo\""
+"cuckoo.network"
+"cuckoo.registry"
+"cuckoo.filesystem"
+"cuckoo.sync"
+
+# magic module
+"\"magic\""
+"magic.type()"
+"magic.mime_type()"
+
+
+# hash module
+"\"hash\""
+"hash.md5"
+"hash.sha1"
+"hash.sha256"
+"hash.checksum32"
+"hash.crc32"
+
+# math module
+"\"math\""
+"math.entropuy"
+"math.monte_carlo_pi"
+"math.serial_correlation"
+"math.mean"
+"math.deviation"
+"math.in_range"
+"math.max"
+"max.min"
+
+# dotnet module
+"\"dotnet\""
+"dotnet.version"
+"dotnet.module_name"
+"dotnet.number_of_streams"
+"dotnet.streams"
+"dotnet.number_of_guid"
+"dotnet.guids"
+"dotnet.number_of_resources"
+"dotnet.resources"
+"dotnet.assembly"
+"dotnet.number_of_modulerefs"
+"dotnet.modulerefs"
+"dotnet.typelib"
+"dotnet.assembly_refs"
+"dotnet.number_of_user_strings"
+"dotnet.user_strings"
+"dotnet.number_of_field_offsets"
+"dotnet.field_offsets"
+
+# time module
+"\"time\""
+"time.now()"
+
+
+# misc
+"/*"
+"*/"
+"//"
+"$a="
+"{a?}"
+"[0-9]"
+"{(0A|??)}"
+"<<"
+">>"
+"#a"
+"$a"
+".."
+"@a"
+
+# regex
+"*?"
+"+?"
+"??"
+"{1,2}?" |
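Review bot: Several module field names in this dictionary are misspelled, so the fuzzer will spend budget on tokens that YARA's module field lookup can never accept: `"pe.number_of_sumbols"`, `"pe.pothdr_magic"`, `"pe.size_of_unnitialized_data"`, `"elf.dynamic_section_entires"`, `"math.entropuy"` and `"max.min"`. Per the YARA documentation linked at the top of the file these are `pe.number_of_symbols`, `pe.opthdr_magic`, `pe.size_of_uninitialized_data`, `elf.dynamic_section_entries`, `math.entropy` and `math.min`. A misspelled token only exercises the undefined-identifier error path, which any other bad name already covers, whereas the correctly spelled token reaches the module's field-access code that a dictionary like this is presumably meant to drive. Since the file carries no description of its own format, a header comment such as `# Token dictionary for the YARA rule-compiler fuzzer; keep module field names in sync with the module docs` would make its purpose explicit to whoever maintains it next.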