edeca/yara_example_1.yar

## yara_example_1.yar
import "math"

rule example {
  meta:
    author = "David Cannings"
    description = "Rule example - finding a chunk of code near other known code"

  strings:
    $chunk = { AA BB CC DD }
    $chunk_prologue = { 11 22 33 44 }
    $chunk_epilogue = { FF EE DD CC }

  condition:
    for 5 i in (1..math.min(#chunk, 50)) : (
      for any j in (1..math.min(#chunk_prologue, 50)) : (
          @chunk[i] > @chunk_prologue[j] and
          @chunk[i] - @chunk_prologue[j] < 20 and
          @chunk[i] - @chunk_prologue[j] > 0 and
      )
      and
      for any k in (1..math.min(#chunk_epilogue, 50)) : (
          @chunk[i] < @chunk_epilogue[k] and
          @chunk_epilogue[k] - @chunk[i] < 20 and
          @chunk_epilogue[k] - @chunk[i] > 0
      )
    )
}
	import "math"

	rule example {
	meta:
	author = "David Cannings"
	description = "Rule example - finding a chunk of code near other known code"

	strings:
	$chunk = { AA BB CC DD }
	$chunk_prologue = { 11 22 33 44 }
	$chunk_epilogue = { FF EE DD CC }

	condition:
	for 5 i in (1..math.min(#chunk, 50)) : (
	for any j in (1..math.min(#chunk_prologue, 50)) : (
	@chunk[i] > @chunk_prologue[j] and
	@chunk[i] - @chunk_prologue[j] < 20 and
	@chunk[i] - @chunk_prologue[j] > 0 and
	)
	and
	for any k in (1..math.min(#chunk_epilogue, 50)) : (
	@chunk[i] < @chunk_epilogue[k] and
	@chunk_epilogue[k] - @chunk[i] < 20 and
	@chunk_epilogue[k] - @chunk[i] > 0
	)
	)
	}