# https://yara.readthedocs.io/en/latest/
# Keywords
"all"
"and"
"any"
"ascii"
"at"
"condition"
"contains"
"entrypoint"
"false"
"filesize"
"for"
"fullword"
"global"
"import"
"in"
"include"
"int16"
"int16be"
"int32"
"int32be"
"int8"
"int8be"
"matches"
"meta"
"nocase"
"not"
"of"
"or"
"private"
"rule"
"strings"
"them"
"true"
"uint16"
"uint16be"
"uint32"
"uint32be"
"uint8"
"uint8be"
"wide"
"xor"
# pe module
"\"pe\""
"pe.machine"
"pe.checksum"
"pe.calculate_checksum"
"pe.subsystem"
"pe.timestamp"
"pe.pointer_to_symbol_table"
"pe.number_of_symbols"
"pe.size_of_optional_header"
"pe.opthdr_magic"
"pe.size_of_code"
"pe.size_of_initialized_data"
"pe.size_of_uninitialized_data"
"pe.entrypoint"
"pe.base_of_code"
"pe.base_of_data"
"pe.image_base"
"pe.section_alignment"
"pe.file_alignment"
"pe.win32_version_value"
"pe.size_of_image"
"pe.size_of_headers"
"pe.characteristics"
"pe.linker_version"
"pe.os_version"
"pe.image_version"
"pe.subsystem_version"
"pe.dll_characteristics"
"pe.size_of_stack_reserve"
"pe.size_of_stack_commit"
"pe.size_of_heap_reserve"
"pe.size_of_heap_commit"
"pe.loader_flags"
"pe.number_of_rva_and_sizes"
"pe.data_directories"
"pe.number_of_sections"
"pe.sections"
"pe.overlay"
"pe.number_of_resources"
"pe.resource_timestamp"
"pe.resource_version"
"pe.resources"
"pe.version_info"
"pe.number_of_signatures"
"pe.signatures"
"pe.rich_signature"
"pe.exports"
"pe.number_of_exports"
"pe.number_of_imports"
"pe.imports"
"pe.locale"
"pe.language"
"pe.imphash"
"pe.section_index"
"pe.is_dll()"
"pe.is_32bit()"
"pe.is_64bit()"
"pe.rva_to_offset"
# elf module
"\"elf\""
"elf.type"
"elf.machine"
"elf.entry_point"
"elf.number_of_sections"
"elf.sections"
"elf.number_of_segments"
"elf.segments"
"elf.dynamic_section_entries"
"elf.dynamic"
"elf.symtab_entries"
"elf.symtab"
# cuckoo module
"\"cuckoo\""
"cuckoo.network"
"cuckoo.registry"
"cuckoo.filesystem"
"cuckoo.sync"
# magic module
"\"magic\""
"magic.type()"
"magic.mime_type()"
# hash module
"\"hash\""
"hash.md5"
"hash.sha1"
"hash.sha256"
"hash.checksum32"
"hash.crc32"
# math module
"\"math\""
"math.entropy"
"math.monte_carlo_pi"
"math.serial_correlation"
"math.mean"
"math.deviation"
"math.in_range"
"math.max"
"math.min"
# dotnet module
"\"dotnet\""
"dotnet.version"
"dotnet.module_name"
"dotnet.number_of_streams"
"dotnet.streams"
"dotnet.number_of_guids"
"dotnet.guids"
"dotnet.number_of_resources"
"dotnet.resources"
"dotnet.assembly"
"dotnet.number_of_modulerefs"
"dotnet.modulerefs"
"dotnet.typelib"
"dotnet.assembly_refs"
"dotnet.number_of_user_strings"
"dotnet.user_strings"
"dotnet.number_of_field_offsets"
"dotnet.field_offsets"
# time module
"\"time\""
"time.now()"
# misc
"/*"
"*/"
"//"
"$a="
"{a?}"
"[0-9]"
"{(0A|??)}"
"<<"
">>"
"#a"
"$a"
".."
"@a"
# regex
"*?"
"+?"
"??"
"{1,2}?"