yara.json
{
"Import": {
"prefix": "import",
"body": "import \"${1|pe,elf,cuckoo,magic,hash,math,dotnet,time|}\"",
"description": "Import a YARA module"
},
"for..of": {
"prefix": "for..of",
"body": [
"for ${1:any} of ${2:them} : (",
"\t${3:boolean_expression}",
")"
],
"description": "Apply the same condition to many strings"
},
"for..in": {
"prefix": "for..in",
"body": [
"for ${1:any i} in ( ${2:them} ) : (",
"\t${3:boolean_expression}",
")"
],
"description": "Loop over items"
},
"any": {
"prefix": "any",
"body": "any of ${them}",
"description": "String set keyword: any"
},
"all": {
"prefix": "all",
"body": "all of ${them}",
"description": "String set keyword: all"
},
"PE Header": {
"prefix": "header_pe",
"body": "uint16(0) == 0x5A4D ",
"description": "Generate a condition to check for the MZ (DOS) magic at the start of a PE file; the PE signature itself is not verified"
},
"ELF Header": {
"prefix": "header_elf",
"body": "uint32(0) == 0x464C457F ",
"description": "Generate a condition to check for an ELF file header"
},
"Mach-O Header": {
"prefix": "header_macho",
"body": "uint32(0) == 0xFEEDFACF ",
"description": "Generate a condition to check for a 64-bit Mach-O file header; 32-bit and universal (fat) binaries are not matched"
}
}