Default package

Get desktop application:
View/edit binary Protocol Buffers messages

Binary expression, consisting of two expressions joined by an operator.

Used in: Expression

• optional BinaryExpression.Operator operator = 1

  Operator. Required.

• optional Expression left = 2

  Left expression. Required.

• optional Expression right = 3

  Right expression. Required.

Used in: BinaryExpression

• UNKNOWN = 0

• MATCHES = 1

  matches

• CONTAINS = 2

  contains

• AT = 3

  at

• IN = 4

  in

• LT = 5

  <

• GT = 6

  >

• LE = 7

  <=

• GE = 8

  >=

• EQ = 9

  ==

• NEQ = 10

  !=

• INTEGER_FUNCTION = 11

  intXX and uintXX functions

• PLUS = 12

  +

• MINUS = 13

  -

• TIMES = 14

  *

• DIV = 15

  \

• MOD = 16

  %

• XOR = 17

  ^

• BITWISE_AND = 18

  &

• BITWISE_OR = 19

  |

• SHIFT_LEFT = 20

  <<

• SHIFT_RIGHT = 21

  >>

• ICONTAINS = 22

• STARTSWITH = 23

• ISTARTSWITH = 24

• ENDSWITH = 25

• IENDSWITH = 26

• IEQUALS = 27

A sequence of bytes, which may contain wildcards.

Used in: HexToken

• optional bytes value = 1

  The list of values.

• optional bytes mask = 2

  The mask applied to each byte in value. Indexes and length of value and mask must match. Possible masks: 00 -> Full wildcard, value is ignored (??). 0F -> Nibble-wise wildcard (?v). F0 -> Nibble-wise wildcard (v?). FF -> No wildcard (vv).

• repeated bool nots = 3

  List of which values are using the ~ operator.

Expression used as part of a rule condition.

Used in: BinaryExpression, Expressions, ForExpression, ForInExpression, ForOfExpression, Identifier.IdentifierItem, IntegerEnumeration, IntegerFunction, Percentage, Range, Rule, StringLength, StringOffset, UnaryExpression

• oneof expression

  • bool bool_value = 1

  • BinaryExpression binary_expression = 2

  • UnaryExpression unary_expression = 3

  • string string_identifier = 4

  • ForInExpression for_in_expression = 5

  • ForOfExpression for_of_expression = 6

  • Expression not_expression = 7

  • Expressions or_expression = 8

  • Expressions and_expression = 9

  • Range range = 10

  • Regexp regexp = 11

  • Keyword keyword = 12

  • LiteralInteger literal_integer = 13

  • double double_value = 14

  • string text = 15

  • string string_count = 16

  • StringOffset string_offset = 17

  • StringLength string_length = 18

  • Identifier identifier = 19

  • IntegerFunction integer_function = 20

  • Percentage percentage_expression = 21

Sequence of expressions.

Used in: Expression, Identifier.IdentifierItem

• repeated Expression terms = 1

  Terms in the sequence.

FOR expression, used as part of ForInExpressions and ForOrExpressions. Can contain either an expression or a keyword.

Used in: ForInExpression, ForOfExpression

• oneof for

  • Expression expression = 1

    Example: "for 10"

  • ForKeyword keyword = 2

    Example: "for all"

  • Percentage percentage = 3

    Example: "x%"

Expression for iterating over iterators. Example: for <for_expression> k,v in iterator : ( expression ) Next id: 6

Used in: Expression

• optional ForExpression for_expression = 1

  FOR expression: "for any". Required.

• repeated string identifiers = 2

  Identifiers that will hold the values returned by the iterator. Required.

• optional Iterator iterator = 5

  Iterator: "(1..10)", "(1,2,3)", "identifier" . Required.

• optional Expression expression = 4

  Expression to match: "@s1[i] != @s2[i]". Required.

Keywords used in FOR expressions.

Used in: ForExpression

• NONE = 0

  No items must satisfy a condition.

• ALL = 1

  All items must satisfy a condition.

• ANY = 2

  At least one item must satisfy a condition.

A ForOfExpression is satisfied if at least "expression" strings in "string_set" satisfy "expression". Example: for all of ($s1, $s2) : (@$ > 10)

Used in: Expression

• optional ForExpression for_expression = 1

  FOR expression: "for all". Required.

• optional StringSet string_set = 2

  String set: "($s1, $s2)". Required.

• optional Expression expression = 3

  Expression to match: "(@$ > 10)"

• optional Range range = 4

  "3 of ($s1, $s2) in (0..100)"

• optional RuleEnumeration rule_enumeration = 5

  Rule set: "(rule1, rule2, foo*)". Only one of StringSet or RuleEnumeration is allowed.

• optional Expression at = 6

  Offset to match: "1 of them at 0"

List of alternatives for a part in the hexadecimal string.

Used in: HexToken

• repeated HexTokens tokens = 1

  Alternatives, which are sequences of tokens.

A token in a hexadecimal string. A token can be either a sequence of bytes, a jump or an alternative.

Used in: HexTokens

• oneof value

  • BytesSequence sequence = 1

    A sequence of bytes, which may contain wildcards.

  • Jump jump = 2

    A jump.

  • HexAlternative alternative = 3

    An alternative of token sequences.

Sequence of hexadecimal string tokens.

Used in: HexAlternative, String

• repeated HexToken token = 1

  Tokens.

Identifier used as part of expressions. Consists of sequence of identifiers, expressions and arguments. Examples: - my_var - pe.number_of_resources - math.entropy(mystr[i])

Used in: Expression, Iterator

• repeated Identifier.IdentifierItem items = 1

  Items in the identifier.

Used in: Identifier

• oneof item

  • string identifier = 1

  • Expression index = 2

  • Expressions arguments = 3

Enumeration of integer values.

Used in: IntegerSet

• repeated Expression values = 1

  Enumeration values, which can be calculated from an expression.

Functions for reading data from a file at a specified offset or virtual address.

Used in: Expression

• optional string function = 1

  Integer function: (u)intXX(be). Required.

• optional Expression argument = 2

  Offset or virtual address. Required.

Set of integer numbers, which can be either an enumeration of integer values or a range of values.

Used in: Iterator

• oneof set

  • IntegerEnumeration integer_enumeration = 1

    Enumeration of integer values.

  • Range range = 2

    Range of values.

Used in: ForInExpression

• oneof iterator

  • IntegerSet integer_set = 1

  • Identifier identifier = 2

Sequence of arbitrary content and variable length.

Used in: HexToken

• optional int64 start = 1

  Minimum jump length. 0 if not present.

  0 if not present

• optional int64 end = 2

  Maximum jump length. Infinite if not present.

Keywords used in expressions of rule condition.

Used in: Expression

• UNKNOWN = 1

• ENTRYPOINT = 2

  Raw offset of a PE or ELF file entrypoint.

• FILESIZE = 3

  Size of the scanned file.

LiteralInteger

Used in: Expression

• required int64 value = 1

• required int64 base = 2

Rule metadata entry.

Used in: Rule

• optional string key = 1

  Metadata key. Can be repeated. Required.

• oneof value

  Entry value, which can be a string, a number or a boolean.

  • string text = 2

  • int64 number = 3

  • bool boolean = 4

Used in: Expression, ForExpression

• optional Expression expression = 1

A range of values. The start and end of a range are expressions, so they do not need to be constants.

Used in: Expression, ForOfExpression, IntegerSet

• optional Expression start = 1

  Range start. Required.

• optional Expression end = 2

  Range end. Required.

Regular expression string.

Used in: Expression, String

• optional string text = 1

  String content.

• optional StringModifiers modifiers = 2

  String modifiers.

YARA rule.

Used in: RuleSet

• optional RuleModifiers modifiers = 1

  Rule modifiers (global, private).

• optional string identifier = 2

  Rule identifier. Must be unique in the ruleset. Required.

• repeated string tags = 3

  Tags. Cannot be repeated.

• repeated Meta meta = 4

  Metadata.

• repeated String strings = 5

  String declarations.

• optional Expression condition = 6

  Boolean expression to check.

Set of rules, referenced by their identifier. A wildcard can be used to match multiple rules.

Used in: ForOfExpression

• repeated RuleEnumeration.RuleEnumerationItem items = 1

  Items in the rule enumeration.

An entry in the rule enumeration.

Used in: RuleEnumeration

• optional string rule_identifier = 1

  Identifier or part of it if a wildcard (*) is used. Includes the wildcard if present.

• optional bool has_wildcard = 2

  Wildcard (*).

Rule modifiers.

Used in: Rule

• optional bool global = 1

  Impose restrictions on all the rules in the ruleset.

• optional bool private = 2

  Rule is not reported when matches a file.

Set of YARA rules.

• repeated string imports = 1

  Names of the imported modules. Examples: "pe", "elf", "cuckoo", "magic", "hash", "math", ...

• repeated string includes = 2

  Path to other YARA source files whose content should be included. Examples: - "other_rule.yar" - "rules/rule1.yar"

• repeated Rule rules = 3

  Set of rules.

Rule string entry.

Used in: Rule

• optional string id = 1

  String identifier. Required.

• oneof value

  String value, which can be a text string, an hexadecimal string or a regular expression.

  • TextString text = 2

  • HexTokens hex = 3

  • Regexp regexp = 4

Enumeration of strings, referenced by their identifier. A wildcard can be used to match multiple strings. Examples: $str1, $str*

Used in: StringSet

• repeated StringEnumeration.StringEnumerationItem items = 1

  Items in the strings enumeration.

An entry in the strings enumeration.

Used in: StringEnumeration

• optional string string_identifier = 1

  String identifier or part of it if a wildcard (*) is used. Includes the wildcard if present.

• optional bool has_wildcard = 2

  Wildcard (*).

Refers to the length of the matches of a string (or, optionally, to the length of the i-th match). It is useful when combined with regular expressions or hexadecimal strings, which may contain jumps. Examples: - !s1 > 50 - !s1[1] != 30

Used in: Expression

• optional string string_identifier = 1

  String Identifier. Required.

• optional Expression index = 2

  The index of the match.

Modifiers for TextStrings and Regexps.

Used in: Regexp, TextString

• optional bool nocase = 1

  Case-insensitive.

• optional bool ascii = 2

  Strings should be ASCII-encoded.

• optional bool wide = 3

  String should be encoded with two bytes per character.

• optional bool fullword = 4

  Only matches the string if it appears delimited by non-alphanumeric chars.

• optional bool xor = 5

  Matches strings with a single-byte XOR applied to them.

• optional bool i = 6

  Regexp case-insensitive modifier.

• optional bool s = 7

  Regexp single-line modifier.

• optional bool private = 8

  String is private.

• optional int32 xor_min = 9

  Minimum and maximum values for the XOR key. These values are present only if the "xor" field is true.

• optional int32 xor_max = 10

• optional bool base64 = 11

  String is base64.

• optional string base64alphabet = 12

  Optional alphabet for base64 strings.

• optional bool base64wide = 13

  String is base64 wide.

Refers to the offset or virtual address at which a string (or, optionally, the i-th occurence of the string) is found. Examples: - $s1 at 1000 - $s1[2] at 1000

Used in: Expression

• optional string string_identifier = 1

  String identifier. Required.

• optional Expression index = 2

  The index of the occurrence of the string.

Set of strings. Can be either an enumeration of strings or a keyword.

Used in: ForOfExpression

• oneof set

  • StringEnumeration strings = 1

    Enumeration of strings. Example: ($s1, $s2, $s3)

  • StringSetKeyword keyword = 2

    Keyword. Example: them.

Keywords used in string sets.

Used in: StringSet

• THEM = 1

  All the strings in the rule (equivalent to $*).

Text string.

Used in: String

• optional string text = 1

  String content. Any character that appears in escaped form in the source is translated to their binary form. For example, if the string contained \x01, this string contains a 01 byte.

• optional StringModifiers modifiers = 2

  String modifiers.

Unary expression, consisting of an operator applied to an expression.

Used in: Expression

• optional UnaryExpression.Operator operator = 1

  Operator. Required.

• optional Expression expression = 2

  Expression. Required.

Used in: UnaryExpression

• UNKNOWN = 0

• UNARY_MINUS = 1

  -

• BITWISE_NOT = 2

  ~

• DEFINED = 3