rouge-lexer-yara 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 7986144d60452ab72d171f7c645cf810e5922fd0a85496800c1d9911f569703c
+  data.tar.gz: 5333ed55cbc923af93359aeeac6342cf2cb2f84e5ce3ea4dfc6a3115811a622d
+SHA512:
+  metadata.gz: e36b57cbcb23e585570ba4c83fe0873fb32221e18cb2ae02906af1aec2d7fa4c8e4149cd3da0791f83ec387adbe119ee9f83464d56e585ac08562d885de3d932
+  data.tar.gz: f8ddcb2702465c873cb81ab56e095162b462c71511f6c8974fb9e2396931524adb329af6a6744f92b0b353133ee54d208da04842923d872a953c593a5f33c346

data/lib/rouge/lexer/yara.rb

@@ -0,0 +1,4 @@
+# frozen_string_literal: true
+
+require 'rouge'
+require File.expand_path('../lexers/yara', __dir__)

data/lib/rouge/lexers/yara.rb

@@ -0,0 +1,139 @@
+# -*- coding: utf-8 -*- #
+# frozen_string_literal: true
+
+module Rouge
+  module Lexers
+    class YARA < RegexLexer
+      title 'YARA'
+      desc 'YARA malware pattern-matching rule language'
+      tag 'yara'
+      aliases 'yar'
+      filenames '*.yar', '*.yara'
+      mimetypes 'text/x-yara'
+
+      def self.detect?(text)
+        return true if text =~ /\A\s*(?:rule|import|include)\b/
+      end
+
+      def self.keywords
+        @keywords ||= Set.new %w(
+          all and any at condition contains defined endswith
+          entrypoint filesize for global icontains iendswith
+          iequals in istartswith matches meta none not of
+          or private startswith strings them
+        )
+      end
+
+      def self.keywords_declaration
+        @keywords_declaration ||= Set.new %w(
+          rule import include
+        )
+      end
+
+      def self.keywords_pseudo
+        @keywords_pseudo ||= Set.new %w(
+          ascii base64 base64wide fullword nocase wide xor
+        )
+      end
+
+      def self.builtins
+        @builtins ||= Set.new %w(
+          int8 int16 int32 uint8 uint16 uint32
+          int8be int16be int32be uint8be uint16be uint32be
+        )
+      end
+
+      state :root do
+        rule %r/\s+/, Text::Whitespace
+        rule %r(//.*$), Comment::Single
+        rule %r(/\*), Comment::Multiline, :multiline_comment
+
+        # section labels: meta: strings: condition:
+        rule %r/(meta|strings|condition)(\s*)(:)/ do
+          groups Name::Label, Text::Whitespace, Punctuation
+        end
+
+        # hex string entry: = { hex_content }
+        rule %r/(=)(\s*)(\{)/m do
+          groups Operator, Text::Whitespace, Str::Other
+          push :hex_string
+        end
+
+        # double-quoted strings
+        rule %r/"/, Str::Double, :string
+
+        # regex literals
+        rule %r(/) do
+          token Str::Regex
+          push :regex
+        end
+
+        # variables: $ident, #ident, @ident, !ident, bare $
+        rule %r/[#@!]\w+/, Name::Variable
+        rule %r/\$\w*/, Name::Variable
+
+        # hex numbers
+        rule %r/0x[0-9a-fA-F]+/, Num::Hex
+        # decimal numbers with optional size suffix
+        rule %r/\d+(?:KB|MB)?/, Num::Integer
+
+        # range operator
+        rule %r/\.\./, Operator
+
+        # multi-character operators
+        rule %r/==|!=|<=|>=|<<|>>/, Operator
+        # single-character operators
+        rule %r/[+\-*\\%&|^~<>=]/, Operator
+
+        # punctuation
+        rule %r/[{}()\[\]:.,]/, Punctuation
+
+        # word classification
+        rule %r/\w+/ do |m|
+          if self.class.keywords_declaration.include?(m[0])
+            token Keyword::Declaration
+          elsif self.class.keywords_pseudo.include?(m[0])
+            token Keyword::Pseudo
+          elsif m[0] == 'true' || m[0] == 'false'
+            token Keyword::Constant
+          elsif self.class.builtins.include?(m[0])
+            token Name::Builtin
+          elsif self.class.keywords.include?(m[0])
+            token Keyword
+          else
+            token Name
+          end
+        end
+      end
+
+      state :multiline_comment do
+        rule %r([*]/), Comment::Multiline, :pop!
+        rule %r([^*]+), Comment::Multiline
+        rule %r([*]), Comment::Multiline
+      end
+
+      state :string do
+        rule %r/\\./, Str::Escape
+        rule %r/"/, Str::Double, :pop!
+        rule %r/[^\\"]+/, Str::Double
+      end
+
+      state :hex_string do
+        rule %r/\s+/, Text::Whitespace
+        rule %r/\}/, Str::Other, :pop!
+        rule %r(//.*$), Comment::Single
+        rule %r(/\*), Comment::Multiline, :multiline_comment
+        rule %r/[0-9a-fA-F?]{2}/, Str::Other
+        rule %r/~/, Operator
+        rule %r/\[[\d\-]*\]/, Str::Other
+        rule %r/[|()]/, Punctuation
+      end
+
+      state :regex do
+        rule %r/\\./, Str::Regex
+        rule %r(/[is]*), Str::Regex, :pop!
+        rule %r([^\\/]+), Str::Regex
+      end
+    end
+  end
+end

data/spec/demos/yara

@@ -0,0 +1,19 @@
+import "pe"
+
+rule ExampleRule : demo
+{
+    meta:
+        author = "Rouge"
+        score = 75
+        is_demo = true
+
+    strings:
+        $text = "malware" ascii wide nocase
+        $hex = { 4D 5A 90 00 ?? [4-8] 50 45 }
+        $re = /md5: [0-9a-fA-F]{32}/i
+
+    condition:
+        filesize < 5MB and
+        uint16(0) == 0x5A4D and
+        any of them
+}

data/spec/visual/samples/yara

@@ -0,0 +1,376 @@
+/*
+    YARA Visual Sample
+    Covers a wide range of YARA syntax elements.
+*/
+
+// Import statements
+import "pe"
+import "elf"
+import "hash"
+import "math"
+import "dotnet"
+import "time"
+import "console"
+import "string"
+
+// Include statement
+include "other_rules.yar"
+include "./includes/more_rules.yar"
+
+// Simple rule with no strings
+rule AlwaysFalse
+{
+    condition:
+        false
+}
+
+// Basic rule with tags and metadata
+rule BasicExample : Tag1 Tag2 ExampleTag
+{
+    meta:
+        description = "A basic YARA rule example"
+        author = "Rouge Lexer Test"
+        date = "2024-01-15"
+        version = 1
+        is_test = true
+        score = 75
+
+    strings:
+        $text1 = "This is a test string"
+        $text2 = "Another string with escapes: \t\n\r\\\""
+        $text3 = "Hex escape: \x4D\x5A"
+
+    condition:
+        any of them
+}
+
+// String modifiers
+rule StringModifiers
+{
+    strings:
+        $wide_str = "Borland" wide
+        $ascii_str = "text" ascii
+        $wide_ascii = "mixed" wide ascii
+        $nocase_str = "foobar" nocase
+        $fullword_str = "domain" fullword
+        $xor_str = "This program cannot" xor
+        $xor_range = "encrypted" xor(0x01-0xff)
+        $base64_str = "This program cannot" base64
+        $base64wide_str = "secret" base64wide
+        $base64_custom = "data" base64("!@#$%^&*(){}[].,|ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstu")
+        $combined = "malware" wide ascii nocase fullword
+        $private_str = "hidden" private
+
+    condition:
+        any of them
+}
+
+// Hexadecimal strings with various features
+rule HexStrings
+{
+    strings:
+        // Basic hex string
+        $hex1 = { E2 34 A1 C8 23 FB }
+
+        // Wild-cards
+        $hex2 = { E2 34 ?? C8 A? FB }
+
+        // Not operator
+        $hex3 = { F4 23 ~00 62 B4 }
+        $hex4 = { F4 23 ~?0 62 B4 }
+
+        // Jumps
+        $hex5 = { F4 23 [4-6] 62 B4 }
+        $hex6 = { FE 39 45 [6] 89 00 }
+        $hex7 = { FE 39 45 [10-] 89 00 }
+        $hex8 = { FE 39 45 [-] 89 00 }
+
+        // Alternatives
+        $hex9 = { F4 23 ( 62 B4 | 56 ) 45 }
+        $hex10 = { F4 23 ( 62 B4 | 56 | 45 ?? 67 ) 45 }
+
+    condition:
+        any of ($hex*)
+}
+
+// Regular expressions
+rule RegexPatterns
+{
+    strings:
+        $re1 = /md5: [0-9a-fA-F]{32}/
+        $re2 = /state: (on|off)/
+        $re3 = /foo/i
+        $re4 = /bar./s
+        $re5 = /baz./is
+        $re6 = /https?:\/\/[^\s]+/
+        $re7 = /[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/
+
+    condition:
+        any of them
+}
+
+// Global rule
+global rule SizeLimit
+{
+    condition:
+        filesize < 2MB
+}
+
+// Private rule
+private rule IsExecutable
+{
+    condition:
+        uint16(0) == 0x5A4D
+}
+
+// Global private rule
+global private rule NotTooLarge
+{
+    condition:
+        filesize < 10MB
+}
+
+// Counting strings and offsets
+rule CountingAndOffsets
+{
+    strings:
+        $a = "dummy1"
+        $b = "dummy2"
+
+    condition:
+        #a == 6 and #b > 10 and
+        $a at 100 and
+        $b in (100..filesize) and
+        @a[1] < 1000 and
+        !a[1] > 5
+}
+
+// Data access functions
+rule DataAccess
+{
+    condition:
+        // MZ signature and PE signature
+        uint16(0) == 0x5A4D and
+        uint32(uint32(0x3C)) == 0x00004550 and
+        int8(0) == 0x4D and
+        int16(0) == 0x5A4D and
+        int32(0) != 0 and
+        uint8(0) == 0x4D and
+        int8be(0) == 0x4D and
+        int16be(0) == 0x4D5A and
+        int32be(0) != 0 and
+        uint8be(0) == 0x4D and
+        uint16be(0) == 0x4D5A and
+        uint32be(0) != 0
+}
+
+// Sets of strings and quantifiers
+rule StringSets
+{
+    strings:
+        $foo1 = "foo1"
+        $foo2 = "foo2"
+        $foo3 = "foo3"
+        $bar1 = "bar1"
+        $bar2 = "bar2"
+
+    condition:
+        2 of ($foo*) and
+        all of them and
+        any of ($bar*) and
+        none of ($foo*) or
+        1 of ($*)
+}
+
+// Anonymous strings
+rule AnonymousStrings
+{
+    strings:
+        $ = "dummy1"
+        $ = "dummy2"
+
+    condition:
+        1 of them
+}
+
+// For loops and iterators
+rule ForLoops
+{
+    strings:
+        $a = "dummy1"
+        $b = "dummy2"
+
+    condition:
+        for all i in (1,2,3) : ( @a[i] + 10 == @b[i] ) and
+        for all i in (1..#a) : ( @a[i] < 100 ) and
+        for any of ($a,$b) : ( $ at 0 ) and
+        for 2 i in (1..#a) : ( @a[i] < 100 )
+}
+
+// Using PE module
+rule PEModuleExample
+{
+    condition:
+        pe.entry_point == 0x1000 and
+        pe.number_of_sections > 3 and
+        pe.characteristics & pe.DLL != 0
+}
+
+// String operators in conditions
+rule StringOperators
+{
+    condition:
+        pe.sections[0].name contains ".text" and
+        pe.sections[0].name icontains ".TEXT" and
+        pe.sections[0].name startswith "." and
+        pe.sections[0].name istartswith "." and
+        pe.sections[0].name endswith "ext" and
+        pe.sections[0].name iendswith "EXT" and
+        pe.sections[0].name iequals ".TEXT" and
+        pe.sections[0].name matches /\.[a-z]+/
+}
+
+// Iterating over module data
+rule ModuleIteration
+{
+    condition:
+        for any section in pe.sections : (
+            section.name == ".text" and
+            section.characteristics & 0x20000000 != 0
+        )
+}
+
+// Using defined operator
+rule DefinedExample
+{
+    condition:
+        defined pe.entry_point and
+        pe.entry_point == 0x1000
+}
+
+// Arithmetic and bitwise operators
+rule Operators
+{
+    strings:
+        $a = "test"
+
+    condition:
+        #a > 5 + 3 and
+        #a < 100 - 50 and
+        #a != 10 * 2 and
+        filesize \ 1024 < 100 and
+        filesize % 512 == 0 and
+        uint8(0) & 0xFF == 0x4D and
+        uint8(0) | 0x00 == 0x4D and
+        uint8(0) ^ 0x00 == 0x4D and
+        ~uint8(0) != 0 and
+        uint8(0) << 8 == 0x4D00 and
+        uint16(0) >> 8 == 0x4D
+}
+
+// Rule references
+rule Rule1
+{
+    strings:
+        $a = "dummy1"
+
+    condition:
+        $a
+}
+
+rule Rule2
+{
+    strings:
+        $a = "dummy2"
+
+    condition:
+        $a and Rule1
+}
+
+rule MainRule
+{
+    condition:
+        any of (Rule*)
+}
+
+// Ranges in string sets
+rule RangesInSets
+{
+    strings:
+        $a1 = "test1"
+        $a2 = "test2"
+        $b1 = "other"
+
+    condition:
+        all of ($a*) in (filesize-500..filesize) and
+        any of ($a*, $b*) in (1000..2000) and
+        any of ($a*) at 0 and
+        #a1 in (filesize-500..filesize) == 2
+}
+
+// Hash module usage
+rule HashExample
+{
+    condition:
+        hash.md5(0, filesize) == "d41d8cd98f00b204e9800998ecf8427e" and
+        hash.sha256(0, filesize) != ""
+}
+
+// Math module usage
+rule MathExample
+{
+    condition:
+        math.entropy(0, filesize) > 7.0
+}
+
+// For loop with text strings (YARA 4.3+)
+rule ForWithStrings
+{
+    condition:
+        for any s in ("71b36345516e076a0663e0bea97759e4",
+                       "1e7f7edeb06de02f2c2a9319de99e033") : (
+            hash.md5(0, filesize) == s
+        )
+}
+
+// Time module
+rule TimeExample
+{
+    condition:
+        time.now() > 1704067200
+}
+
+// Complex real-world-like rule
+rule SuspiciousPEFile : malware suspicious
+{
+    meta:
+        description = "Detects suspicious PE files"
+        author = "Security Analyst"
+        severity = "high"
+        score = 85
+        in_the_wild = true
+
+    strings:
+        $mz = { 4D 5A }
+        $pe = { 50 45 00 00 }
+        $str1 = "CreateRemoteThread" ascii wide
+        $str2 = "VirtualAllocEx" fullword
+        $str3 = "WriteProcessMemory" nocase
+        $url = /https?:\/\/[a-z0-9\.\-]+\.[a-z]{2,}/i
+        $suspicious_hex = { 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 85 C0 74 [2-6] }
+
+    condition:
+        $mz at 0 and
+        $pe in (0..1024) and
+        filesize < 5MB and
+        2 of ($str*) and
+        not $url and
+        (
+            pe.entry_point < 0x1000 or
+            pe.number_of_sections > 7 or
+            for any section in pe.sections : (
+                section.name == ".packed" or
+                math.entropy(section.raw_data_offset, section.raw_data_size) > 7.5
+            )
+        )
+}

metadata

@@ -0,0 +1,63 @@
+--- !ruby/object:Gem::Specification
+name: rouge-lexer-yara
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Sean Whalen
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2026-03-06 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rouge
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '3.0'
+description: A Rouge plugin providing syntax highlighting for YARA malware pattern-matching
+  rule language
+email:
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- lib/rouge/lexer/yara.rb
+- lib/rouge/lexers/yara.rb
+- spec/demos/yara
+- spec/visual/samples/yara
+homepage: https://github.com/seanthegeek/rouge-lexer-yara
+licenses:
+- MIT
+metadata:
+  source_code_uri: https://github.com/seanthegeek/rouge-lexer-yara
+  bug_tracker_uri: https://github.com/seanthegeek/rouge-lexer-yara/issues
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '3.0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.4.20
+signing_key:
+specification_version: 4
+summary: Rouge lexer for YARA
+test_files: []