added 4.0.0 keyword and module updates

infosec-intern · infosec-intern · commit af9dbb055f02 · 2020-04-29T10:03:58.000-06:00
diff --git a/test/rules/peek_rules.yara b/test/rules/peek_rules.yara
@@ -42,3 +42,18 @@ rule RuleReferenceExample
     condition:
         SyntaxExample and $hex_string
 }
+
+rule Yara4Example
+{
+    meta:
+        description = "Example rule to test features added in version 4.0"
+    strings:
+        $b64name = "string" base64
+        $b64wname = "string" base64wide
+    condition:
+        any of them
+        and pe.pdb_path == "C:\fake_pdb_path"
+        and pe.dll_name == "library.dll"
+        and pe.export_timestamp == 000000000
+        and pe.exports_index(40)
+}
diff --git a/yara/src/modules_schema.json b/yara/src/modules_schema.json
@@ -15,12 +15,21 @@
         "DEBUG_STRIPPED": "enum",
         "DLL": "enum",
         "dll_characteristics": "property",
+        "dll_name": "property",
         "DYNAMIC_BASE": "enum",
         "entry_point": "property",
         "EXECUTABLE_IMAGE": "enum",
+        "export_timestamp": "property",
+        "exports": "method",
+        "export_details": {
+            "offset": "property",
+            "name": "property",
+            "forward_name": "property",
+            "ordinal": "property"
+        },
+        "exports_index": "method",
         "file_alignment": "property",
         "FORCE_INTEGRITY": "enum",
-        "exports": "method",
         "id": "property",
         "image_base": "property",
         "IMAGE_DIRECTORY_ENTRY_BASERELOC": "enum",
@@ -103,6 +112,7 @@
             "offset": "property",
             "size": "property"
         },
+        "pdb_path": "property",
         "pointer_to_symbol_table": "property",
         "RELOCS_STRIPPED": "enum",
         "REMOVABLE_RUN_FROM_SWAP": "enum",
diff --git a/yara/syntaxes/yara.tmLanguage b/yara/syntaxes/yara.tmLanguage
@@ -269,7 +269,7 @@
 			<key>name</key>
 			<string>storage.modifier.yara</string>
 			<key>match</key>
-			<string>(\bfullword\b|\bglobal\b|\bnocase\b|\bprivate\b|\bwide\b|\bxor\b)</string>
+			<string>(\bbase64\b|\bbase64wide\b|\bfullword\b|\bglobal\b|\bnocase\b|\bprivate\b|\bwide\b|\bxor\b)</string>
 		</dict>
 		<!-- Data Types - Integer -->
 		<dict>
