diff --git a/site/content/docs/intro/duplicate_rule_error.png b/site/content/docs/intro/duplicate_rule_error.png new file mode 100644 index 000000000..826bd398a Binary files /dev/null and b/site/content/docs/intro/duplicate_rule_error.png differ diff --git a/site/content/docs/intro/wrong_arguments_error.png b/site/content/docs/intro/wrong_arguments_error.png new file mode 100644 index 000000000..1dc8ff2f1 Binary files /dev/null and b/site/content/docs/intro/wrong_arguments_error.png differ diff --git a/site/content/docs/intro/yara_vs_yara-x.md b/site/content/docs/intro/yara_vs_yara-x.md new file mode 100644 index 000000000..2a26f5130 --- /dev/null +++ b/site/content/docs/intro/yara_vs_yara-x.md 
@@ -0,0 +1,59 @@ +--- +title: "YARA-X vs YARA" +description: "How YARA-X and YARA differ. Which are the pros and cons." +summary: "" +date: 2023-09-07T16:04:48+02:00 +lastmod: 2023-09-07T16:04:48+02:00 +draft: false +menu: + docs: + parent: "" + identifier: "yara-x_vs_yara" +weight: 115 +toc: true +seo: + title: "" # custom title (optional) + description: "" # custom description (recommended) + canonical: "" # custom canonical URL (optional) + noindex: false # false (default) or true +--- + +YARA-X intends to be the replacement for YARA, and it has been designed with +usability, backward-compatibility, and performance in mind. YARA-X is already +better than YARA in many aspects, but it's still very young and therefore some +features are not implemented yet, and there are rough edges that need to be +polished. This section covers the pros and cons of YARA-X versus YARA. + +## The good things + +Let's start by talking about the things that YARA-X does better. If you prefer +seeing the glass half-empty go to [the bad things](#the-bad-things) section. + +### Better error reporting + +Error reports in YARA-X are much more detailed and explicative. Each error +message tries to provide as much context about the error as possible, which +improves the user's experience. They also look better. + +![duplicate_rule_error.png](duplicate_rule_error.png) + +![wrong_arguments_error.png](wrong_arguments_error.png) + +### More user friendly CLI + +### Higher overall performance + +### Parser reusability + +## The bad things + +Of course, not everything is great. YARA-X has some drawbacks that we need to +discuss too. Some of the drawbacks are related to the lack of features that +YARA already has, but YARA-X does not. These may be eliminated in the future as +YARA-X matures. + +### API is not compatible + +### No include statements + +### No process scanning \ No newline at end of file 
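Review bot: six of the new subsections in yara_vs_yara-x.md (`### More user friendly CLI`, `### Higher overall performance`, `### Parser reusability`, `### API is not compatible`, `### No include statements`, `### No process scanning`) are bare headings with no body, yet the front matter sets `draft: false` and `toc: true`, so the page publishes with empty sections and a table of contents that links to nothing. Either add at least a sentence under each heading or keep the page as `draft: true` until they are written. Minor wording in the same hunk: the `description` line "Which are the pros and cons." should read "What the pros and cons are.", "much more detailed and explicative" should be "explanatory", and "More user friendly CLI" wants a hyphen ("user-friendly"). The two screenshots use their filenames as alt text (`![duplicate_rule_error.png](duplicate_rule_error.png)`); a descriptive alt such as "YARA-X error for a duplicate rule name" reads better in a published doc.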
diff --git a/site/content/docs/modules/dotnet.md b/site/content/docs/modules/dotnet.md index 32b1fb46b..1e291de2b 100644 --- a/site/content/docs/modules/dotnet.md +++ b/site/content/docs/modules/dotnet.md 
@@ -45,32 +45,32 @@ rule BlopStream { ## Module structure -| Field | Type | -|------------------------------|--------------------------------------| -| is_dotnet | bool | -| module_name | string | -| version | string | -| number_of_streams | integer | -| number_of_guids | integer | -| number_of_resources | integer | -| number_of_generic_parameters | integer | -| number_of_classes | integer | -| number_of_assembly_refs | integer | -| number_of_modulerefs | integer | -| number_of_user_strings | integer | -| number_of_constants | integer | -| number_of_field_offsets | integer | -| typelib | string | -| streams | array of [Stream](#stream) | -| guids | array of string | -| constants | array of string | -| assembly | [Assembly](#assembly) | -| assembly_refs | array of [AssemblyRef](#assemblyref) | -| resources | array of [Resource](#resource) | -| classes | array of [Class](#class) | -| field_offsets | array of integer | -| user_strings | array of string | -| modulerefs | array of string | +| Field | Type | +|------------------------------|-----------------------------------| +| is_dotnet | bool | +| module_name | string | +| version | string | +| number_of_streams | integer | +| number_of_guids | integer | +| number_of_resources | integer | +| number_of_generic_parameters | integer | +| number_of_classes | integer | +| number_of_assembly_refs | integer | +| number_of_modulerefs | integer | +| number_of_user_strings | integer | +| number_of_constants | integer | +| number_of_field_offsets | integer | +| typelib | string | +| streams | [Stream](#stream) array | +| guids | string array | +| constants | string array | +| assembly | [Assembly](#assembly) array | +| assembly_refs | [AssemblyRef](#assemblyref) array | +| resources | [Resource](#resource) array | +| classes | [Class](#class) array | +| field_offsets | integer array | +| user_strings | string array | +| modulerefs | string array | ### Assembly 
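Review bot: the `assembly` row in the dotnet.md module-structure table changes type from `[Assembly](#assembly)` to `[Assembly](#assembly) array`, which looks like a slip of the "array of X" to "X array" search-and-replace rather than an intended change: a .NET module carries one assembly manifest, every other row that is an array has a matching `number_of_*` counter (`streams`/`number_of_streams`, `classes`/`number_of_classes`, and so on) and there is no `number_of_assemblies`, and the `### Assembly` section that follows documents a single structure. Keep the row as `| assembly | [Assembly](#assembly) |`.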
@@ -122,21 +122,21 @@ rule WindowsFirewallHelper { This is the structure of each item in the `classes` array. -| Field | Type | -|------------------------------|----------------------------| -| fullname | string | -| name | string | -| namespace | string | -| visibility | string | -| type | string | -| abstract | bool | -| sealed | bool | -| number_of_base_types | integer | -| number_of_generic_parameters | integer | -| number_of_methods | integer | -| base_types | array of string | -| generic_parameters | array of string | -| methods | array of [Method](#method) | +| Field | Type | +|------------------------------|-------------------------| +| fullname | string | +| name | string | +| namespace | string | +| visibility | string | +| type | string | +| abstract | bool | +| sealed | bool | +| number_of_base_types | integer | +| number_of_generic_parameters | integer | +| number_of_methods | integer | +| base_types | string array | +| generic_parameters | string array | +| methods | [Method](#method) array | ###### Example @@ -155,19 +155,19 @@ rule DebugInfoInPDBAttribute { This is the structure of each item in the `methods` array within each Class. -| Field | Type | -|------------------------------|--------------------------| -| name | string | -| visibility | string | -| abstract | bool | -| static | bool | -| virtual | bool | -| final | bool | -| return_type | string | -| number_of_generic_parameters | integer | -| number_of_parameters | integer | -| generic_parameters | array of string | -| parameters | array of [Param](#param) | +| Field | Type | +|------------------------------|-----------------------| +| name | string | +| visibility | string | +| abstract | bool | +| static | bool | +| virtual | bool | +| final | bool | +| return_type | string | +| number_of_generic_parameters | integer | +| number_of_parameters | integer | +| generic_parameters | string array | +| parameters | [Param](#param) array | ###### Example 
diff --git a/site/content/docs/modules/elf.md b/site/content/docs/modules/elf.md index 870fe09ad..6cd5ae186 100644 --- a/site/content/docs/modules/elf.md +++ b/site/content/docs/modules/elf.md 
@@ -37,27 +37,56 @@ rule elf_64 { } ``` +## Functions + +### import_md5() + +Returns the MD5 of the import table. + +### telfhash() + +Returns the TrendMicro's `telfhash` for the ELF file. This is a symbol hash for +ELF files, just like `imphash` is an imports hash for PE files. With `telfhash`, +you can cluster ELF files by similarity based on symbols. + +Find more information in +TrendMicro's [whitepaper](https://documents.trendmicro.com/assets/pdf/TB_Telfhash-%20An%20Algorithm%20That%20Finds%20Similar%20Malicious%20ELF%20Files%20Used%20in%20Linux%20IoT%20Malware.pdf) +or +visit [https://github.com/trendmicro/telfhash](https://github.com/trendmicro/telfhash) +for tools other tools that compute the `telfhash`. + +###### Example + +``` +import "elf" + +rule FindByTelfhash { + condition: + elf.telfhash() == "t166a00284751084526486df8b5df5b2fccb3f511dbc188c37156f5e714a11bc5d71014d" +} +``` + ## Module structure -| Field | Type | -|-------------------------|------------------------------| -| type | [Type](#type) | -| machine | [Machine](#machine) | -| entry_point | integer | -| sh_offset | integer | -| sh_entry_size | integer | -| ph_offset | integer | -| ph_entry_size | integer | -| number_of_sections | integer | -| number_of_segments | integer | -| symtab_entries | integer | -| dynsym_entries | integer | -| dynamic_section_entries | integer | -| sections | array of [Section](#section) | -| segments | array of [Segment](#segment) | -| symtab | array of [Sym](#sym) | -| dynsym | array of [Sym](#sym) | -| dynamic | array of [Dyn](#dyn) | +| Field | Type | +|-------------------------|---------------------------| +| type | [Type](#type) | +| machine | [Machine](#machine) | +| entry_point | integer | +| sh_offset | integer | +| sh_entry_size | integer | +| ph_offset | integer | +| ph_entry_size | integer | +| number_of_sections | integer | +| number_of_segments | integer | +| symtab_entries | integer | +| dynsym_entries | integer | +| dynamic_section_entries | integer | 
+| sections | [Section](#section) array | +| segments | [Segment](#segment) array | +| symtab | [Sym](#sym) array | +| dynsym | [Sym](#sym) array | +| dynamic | [Dyn](#dyn) array | ### Dyn diff --git a/site/content/docs/modules/macho.md b/site/content/docs/modules/macho.md index e9c0797c9..cd208e126 100644 --- a/site/content/docs/modules/macho.md +++ b/site/content/docs/modules/macho.md @@ -42,19 +42,19 @@ most of the fields present in a Mach-O file header. Let's see some examples: | symtab | [Symtab](#symtab) | | dysymtab | [Dysymtab](#dysymtab) | | code_signature_data | [LinkedItData](#linkeditdata) | -| segments | array of [Segment](#segment) | -| dylibs | array of [Dylib](#dylib) | +| segments | [Segment](#segment) array | +| dylibs | [Dylib](#dylib) array | | dyld_info | [DyldInfo](#dyldinfo) | -| rpaths | array of string | -| entitlements | array of string | +| rpaths | string array | +| entitlements | string array | | certificates | [Certificates](#certificates) | | uuid | string | | build_version | [BuildVersion](#buildversion) | | min_version | [MinVersion](#minversion) | | fat_magic | integer | | nfat_arch | integer | -| fat_arch | array of [FatArch](#fatarch) | -| file | array of [File](#file) | +| fat_arch | [FatArch](#fatarch) array | +| file | [File](#file) array | ### BuildTool 
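Review bot: in the new `### telfhash()` section of elf.md the sentence "for tools other tools that compute the `telfhash`" has a duplicated word; read "for other tools that compute the `telfhash`". The vendor writes its name as "Trend Micro" (two words), so "TrendMicro's" should be adjusted in both places. The `### import_md5()` entry says "Returns the MD5 of the import table", but an ELF binary has no import table in the PE sense; say exactly what is hashed (the list of imported symbol names, and whether it is lower-cased or sorted first) the way the `imphash()` entry in pe.md does, otherwise rule authors cannot reproduce the value with external tooling, which is the whole point of publishing such a hash.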
@@ -65,22 +65,22 @@ most of the fields present in a Mach-O file header. Let's see some examples: ### BuildVersion -| Field | Type | -|----------|----------------------------------| -| platform | integer | -| minos | string | -| sdk | string | -| ntools | integer | -| tools | array of [BuildTool](#buildtool) | +| Field | Type | +|----------|-------------------------------| +| platform | integer | +| minos | string | +| sdk | string | +| ntools | integer | +| tools | [BuildTool](#buildtool) array | ### Certificates -| Field | Type | -|--------------|-----------------| -| common_names | array of string | -| signer_names | array of string | +| Field | Type | +|--------------|--------------| +| common_names | string array | +| signer_names | string array | ### DyldInfo @@ -157,10 +157,10 @@ most of the fields present in a Mach-O file header. Let's see some examples: | entry_point | integer | | stack_size | integer | | source_version | string | -| segments | array of [Segment](#segment) | -| dylibs | array of [Dylib](#dylib) | -| rpaths | array of string | -| entitlements | array of string | +| segments | [Segment](#segment) array | +| dylibs | [Dylib](#dylib) array | +| rpaths | string array | +| entitlements | string array | | symtab | [Symtab](#symtab) | | dysymtab | [Dysymtab](#dysymtab) | | dyld_info | [DyldInfo](#dyldInfo) | 
@@ -204,28 +204,28 @@ most of the fields present in a Mach-O file header. Let's see some examples: ### Segment -| Field | Type | -|----------|------------------------------| -| segname | string | -| vmaddr | integer | -| vmsize | integer | -| fileoff | integer | -| filesize | integer | -| maxprot | integer | -| initprot | integer | -| nsects | integer | -| flags | integer | -| sections | array of [Section](#section) | +| Field | Type | +|----------|---------------------------| +| segname | string | +| vmaddr | integer | +| vmsize | integer | +| fileoff | integer | +| filesize | integer | +| maxprot | integer | +| initprot | integer | +| nsects | integer | +| flags | integer | +| sections | [Section](#section) array | ### Symtab -| Field | Type | -|---------|-----------------| -| symoff | integer | -| nsyms | integer | -| stroff | integer | -| strsize | integer | -| entries | array of string | +| Field | Type | +|---------|--------------| +| symoff | integer | +| nsyms | integer | +| stroff | integer | +| strsize | integer | +| entries | string array | ### CPU_ARM_64_SUBTYPE diff --git a/site/content/docs/modules/pe.md b/site/content/docs/modules/pe.md index b7a2eff66..0495713f4 100644 --- a/site/content/docs/modules/pe.md +++ b/site/content/docs/modules/pe.md 
@@ -50,297 +50,388 @@ rule is_pe { ## Functions +### is_32bit() + +Returns true if the file is a 32-bit PE. + +### is_64bit() + +Returns true if the file is a 64-bit PE. + +### is_dll() + +Returns true if the file is Dynamic Link Library (DLL). + +### rva_to_offset(rva) + +Given a relative virtual address (RVA) returns the corresponding file offset. + +### calculate_checksum() + +Calculate the PE checksum. Useful for checking if the checksum in the header is +correct. + +###### Example + +``` +import "pe" + +rule WrongChecksum { + condition: + pe.calculate_checksum() != pe.checksum +} +``` + +### section_index(name) + +Returns the index into the `sections` array for the section that has the given +name. The `name` argument is case-sensitive. + +### section_index(offset) + +Returns the index into the `sections` array for the section that contains +the given file offset. + +### imphash() + +Returns the import hash (or imphash) for the PE. The imphash is an MD5 hash of +the PE's import table after some normalization. The imphash for a PE can be also +computed with [pefile](https://github.com/erocarrera/pefile) and you can find +more information +in [Mandiant's blog](https://www.mandiant.com/resources/blog/tracking-malware-import-hashing). + +{{< callout title="Notice">}} + +The returned hash string is always in lowercase. + +{{< /callout >}} + ## Module structure -| Field | Type | Description | -|--------------------------------------|----------------------------------|---------------------------------------------------| -| is_pe | [bool](#bool) | True if the file is PE. Example: pe.is_pe. | -| machine | [Machine](#machine) | Machine type. | -| subsystem | [Subsystem](#subsystem) | Subsystem type. | -| os_version | [Version](#version) | OS version. | -| subsystem_version | [Version](#version) | Subsystem version. 
| -| image_version | [Version](#version) | | -| linker_version | [Version](#version) | | -| opthdr_magic | [OptionalMagic](#optionalmagic) | | -| characteristics | integer | | -| dll_characteristics | integer | | -| timestamp | integer | | -| image_base | integer | | -| checksum | integer | | -| base_of_code | integer | | -| base_of_data | integer | | -| entry_point | integer | Entry point as a file offset. | -| entry_point_raw | integer | Entry point as it appears in the PE header (RVA). | -| dll_name | string | | -| export_timestamp | integer | | -| section_alignment | integer | | -| file_alignment | integer | | -| loader_flags | integer | | -| size_of_optional_header | integer | | -| size_of_code | integer | | -| size_of_initialized_data | integer | | -| size_of_uninitialized_data | integer | | -| size_of_image | integer | | -| size_of_headers | integer | | -| size_of_stack_reserve | integer | | -| size_of_stack_commit | integer | | -| size_of_heap_reserve | integer | | -| size_of_heap_commit | integer | | -| pointer_to_symbol_table | integer | | -| win32_version_value | integer | | -| number_of_symbols | integer | | -| number_of_rva_and_sizes | integer | | -| number_of_sections | integer | | -| number_of_imported_functions | integer | | -| number_of_delayed_imported_functions | integer | | -| number_of_resources | integer | | -| number_of_version_infos | integer | | -| number_of_imports | integer | | -| number_of_delayed_imports | integer | | -| number_of_exports | integer | | -| number_of_signatures | integer | | -| version_info | dictionary | | -| version_info_list | array of [KeyValue](#keyvalue) | | -| rich_signature | [RichSignature](#richSignature) | | -| pdb_path | string | | -| sections | array of [Section](#section) | | -| data_directories | array of [DirEntry](#dirEntry) | | -| resource_timestamp | integer | | -| resource_version | [Version](#version) | TODO: implement resource_version? 
| -| resources | array of [Resource](#resource) | | -| import_details | array of [Import](#import) | | -| delayed_import_details | array of [Import](#import) | | -| export_details | array of [Export](#export) | | -| is_signed | bool | | -| signatures | array of [Signature](#signature) | | -| overlay | [Overlay](#overlay) | | - -### VersionInfo - -| Field | Type | Label | Description | -|-------|-------------------|----------|-------------| -| key | [string](#string) | optional | | -| value | [string](#string) | optional | | +| Field | Type | Description | +|--------------------------------------|---------------------------------|--------------------------------------------------| +| is_pe | bool | True if the file is PE | +| is_signed | bool | True if the Authenticode signature is correct | +| machine | [Machine](#machine) | Machine type | +| subsystem | [Subsystem](#subsystem) | Subsystem type | +| os_version | [Version](#version) | OS version | +| subsystem_version | [Version](#version) | Subsystem version | +| image_version | [Version](#version) | Image version | +| linker_version | [Version](#version) | Linker version | +| opthdr_magic | [OptionalMagic](#optionalmagic) | Magic in optional headers | +| characteristics | integer | [Characteristics](#characteristics) flags | +| dll_characteristics | integer | [DllCharacteristics](#dllcharacteristics) flags | +| timestamp | integer | PE timestamp (as Unix timestamp) | +| image_base | integer | Image base | +| checksum | integer | PE checksum | +| base_of_code | integer | Base of code | +| base_of_data | integer | Base of data | +| entry_point | integer | Entry point as a file offset | +| entry_point_raw | integer | Entry point as it appears in the PE header (RVA) | +| dll_name | string | DLL name | +| export_timestamp | integer | Exports timestamp (as Unix timestamp) | +| section_alignment | integer | Section alignment | +| file_alignment | integer | File alignment | +| loader_flags | integer | Loader flags | +| 
size_of_optional_header | integer | Size of optional header | +| size_of_code | integer | Size of code | +| size_of_initialized_data | integer | Size of initialized data | +| size_of_uninitialized_data | integer | Size of uninitialized data | +| size_of_image | integer | Size of image | +| size_of_headers | integer | Size of headers | +| size_of_stack_reserve | integer | Size of stack reserve | +| size_of_stack_commit | integer | Size of stack commit | +| size_of_heap_reserve | integer | Size of heap reserve | +| size_of_heap_commit | integer | Size of heap commit | +| pointer_to_symbol_table | integer | File offset of symbol table | +| win32_version_value | integer | Win32 version | +| number_of_symbols | integer | Number of symbols | +| number_of_rva_and_sizes | integer | Number of | +| number_of_sections | integer | Length of `sections` | +| number_of_imported_functions | integer | Total number of imported functions | +| number_of_delayed_imported_functions | integer | Total number of delayed imported functions | +| number_of_resources | integer | Length of `resources` | +| number_of_version_infos | integer | Length of `version_info_list` | +| number_of_imports | integer | Length of `import_details` | +| number_of_delayed_imports | integer | Length of `delayed_import_details` | +| number_of_exports | integer | Length of `export_details` | +| number_of_signatures | integer | Length of `signatures` | +| version_info | dictionary | Dictionary with PE version information | +| version_info_list | [KeyValue](#keyvalue) array | Like `version_info` but as array | +| rich_signature | [RichSignature](#richSignature) | Rich signature information | +| pdb_path | string | PDB path | +| sections | [Section](#section) array | Sections | +| data_directories | [DirEntry](#dirEntry) array | Data directory entries | +| resource_timestamp | integer | Resource timestamp (as Unix timestamp) | +| resource_version | [Version](#version) | Resource version | +| resources | 
[Resource](#resource) array | Resources | +| import_details | [Import](#import) array | Imports information | +| delayed_import_details | [Import](#import) array | Delayed imports information | +| export_details | [Export](#export) array | Exports information | +| signatures | [Signature](#signature) array | Signatures information | +| overlay | [Overlay](#overlay) | PE overlay details | ### Certificate -| Field | Type | Label | Description | -|---------------|-----------------|----------|-------------| -| issuer | integer | optional | | -| subject | integer | optional | | -| thumbprint | integer | optional | | -| version | [int64](#int64) | optional | | -| algorithm | integer | optional | | -| algorithm_oid | integer | optional | | -| serial | integer | optional | | -| not_before | [int64](#int64) | optional | | -| not_after | [int64](#int64) | optional | | +This is the structure of each item in the `certificates` array. - +| Field | Type | +|---------------|---------| +| issuer | string | +| subject | string | +| thumbprint | string | +| version | integer | +| algorithm | string | +| algorithm_oid | string | +| serial | string | +| not_before | integer | +| not_after | integer | ### CounterSignature -| Field | Type | Label | Description | -|------------|--------------------------------|----------|-------------| -| verified | [bool](#bool) | optional | | -| sign_time | [int64](#int64) | optional | | -| digest | integer | optional | | -| digest_alg | integer | optional | | -| chain | [Certificate](#pe-Certificate) | repeated | | - - +| Field | Type | +|------------|-----------------------------------| +| verified | bool | +| sign_time | integer | +| digest | string | +| digest_alg | string | +| chain | [Certificate](#certificate) array | ### DirEntry -| Field | Type | Label | Description | -|-----------------|---------|----------|-------------| -| virtual_address | integer | required | | -| size | integer | required | | - - +| Field | Type | 
+|-----------------|---------| +| virtual_address | integer | +| size | integer | ### Export -| Field | Type | Label | Description | -|--------------|---------|----------|-------------| -| name | integer | optional | | -| ordinal | integer | required | | -| rva | integer | required | | -| offset | integer | optional | | -| forward_name | integer | optional | | - - +| Field | Type | +|--------------|---------| +| name | string | +| ordinal | integer | +| rva | integer | +| offset | integer | +| forward_name | string | ### Function -| Field | Type | Label | Description | -|---------|---------|----------|-------------| -| name | integer | optional | | -| ordinal | integer | optional | | -| rva | integer | required | | - - +| Field | Type | +|---------|---------| +| name | string | +| ordinal | integer | +| rva | integer | ### Import -| Field | Type | Label | Description | -|---------------------|--------------------------|----------|-------------| -| library_name | integer | required | | -| number_of_functions | integer | required | | -| functions | [Function](#pe-Function) | repeated | | - - +| Field | Type | +|---------------------|-----------------------------| +| library_name | string | +| number_of_functions | integer | +| functions | [Function](#function) array | ### KeyValue -| Field | Type | Label | Description | -|-------|---------|----------|-------------| -| key | integer | required | | -| value | integer | required | | - - +| Field | Type | +|-------|--------| +| key | string | +| value | string | ### Overlay -| Field | Type | Label | Description | -|--------|---------|----------|-------------| -| offset | integer | required | | -| size | integer | required | | +| Field | Type | +|--------|---------| +| offset | integer | +| size | integer | - +### VersionInfoEntry -### PE.VersionInfoEntry - -| Field | Type | Label | Description | -|-------|---------|----------|-------------| -| key | integer | optional | | -| value | integer | optional | | - - +| Field | 
Type | +|-------|--------| +| key | string | +| value | string | ### Resource -| Field | Type | Label | Description | -|-----------------|----------------------------------|----------|-------------| -| length | integer | required | | -| rva | integer | required | | -| offset | integer | optional | | -| type | [ResourceType](#pe-ResourceType) | optional | | -| id | integer | optional | | -| language | integer | optional | | -| type_string | [bytes](#bytes) | optional | | -| name_string | [bytes](#bytes) | optional | | -| language_string | [bytes](#bytes) | optional | | - - +| Field | Type | +|-----------------|-------------------------------| +| length | integer | +| rva | integer | +| offset | integer | +| type | [ResourceType](#resourcetype) | +| id | integer | +| language | integer | +| type_string | string | +| name_string | string | +| language_string | string | ### RichSignature -| Field | Type | Label | Description | -|------------|--------------------------|----------|-------------| -| offset | integer | required | | -| length | integer | required | | -| key | integer | required | | -| raw_data | [bytes](#bytes) | required | | -| clear_data | [bytes](#bytes) | required | | -| tools | [RichTool](#pe-RichTool) | repeated | | - - +| Field | Type | +|------------|-----------------------------| +| offset | integer | +| length | integer | +| key | integer | +| raw_data | string | +| clear_data | string | +| tools | [RichTool](#richtool) array | ### RichTool -| Field | Type | Label | Description | -|---------|---------|----------|-------------| -| toolid | integer | required | | -| version | integer | required | | -| times | integer | required | | - - +| Field | Type | +|---------|---------| +| toolid | integer | +| version | integer | +| times | integer | ### Section -| Field | Type | Description | -|-------------------------|-----------------|-------------| -| name | [bytes](#bytes) | | -| full_name | [bytes](#bytes) | | -| characteristics | integer | | -| 
raw_data_size | integer | | -| raw_data_offset | integer | | -| virtual_address | integer | | -| virtual_size | integer | | -| pointer_to_relocations | integer | | -| pointer_to_line_numbers | integer | | -| number_of_relocations | integer | | -| number_of_line_numbers | integer | | - - +| Field | Type | +|-------------------------|---------| +| name | string | +| full_name | string | +| characteristics | integer | +| raw_data_size | integer | +| raw_data_offset | integer | +| virtual_address | integer | +| virtual_size | integer | +| pointer_to_relocations | integer | +| pointer_to_line_numbers | integer | +| number_of_relocations | integer | +| number_of_line_numbers | integer | ### Signature -| Field | Type | Label | Description | -|-----------------------------|------------------------------------------|----------|-------------| -| subject | integer | optional | | -| issuer | integer | optional | | -| thumbprint | integer | optional | | -| version | [int64](#int64) | optional | | -| algorithm | integer | optional | | -| algorithm_oid | integer | optional | | -| serial | integer | optional | | -| not_before | [int64](#int64) | optional | | -| not_after | [int64](#int64) | optional | | -| verified | [bool](#bool) | optional | | -| digest_alg | integer | optional | | -| digest | integer | optional | | -| file_digest | integer | optional | | -| number_of_certificates | integer | optional | | -| number_of_countersignatures | integer | optional | | -| signer_info | [SignerInfo](#pe-SignerInfo) | optional | | -| certificates | [Certificate](#pe-Certificate) | repeated | | -| countersignatures | [CounterSignature](#pe-CounterSignature) | repeated | | - - +Structure of each of the items in the `signatures` array. 
+ +| Field | Type | +|-----------------------------|---------------------------------------------| +| subject | string | +| issuer | string | +| thumbprint | string | +| version | integer | +| algorithm | string | +| algorithm_oid | string | +| serial | string | +| not_before | integer | +| not_after | integer | +| verified | bool | +| digest_alg | string | +| digest | string | +| file_digest | string | +| number_of_certificates | integer | +| number_of_countersignatures | integer | +| signer_info | [SignerInfo](#signerinfo) | +| certificates | [Certificate](#certificate) array | +| countersignatures | [CounterSignature](#countersignature) array | + +###### Example -### SignerInfo +``` +import "pe" -| Field | Type | Label | Description | -|--------------|--------------------------------|----------|-------------| -| program_name | integer | optional | | -| digest | integer | optional | | -| digest_alg | integer | optional | | -| chain | [Certificate](#pe-Certificate) | repeated | | +rule NotVerified { + condition: + for any sig in pe.signatures : ( + sig.subject contains "Microsoft" and + not sig.verified + ) +} +``` - +### SignerInfo + +| Field | Type | +|--------------|-----------------------------------| +| program_name | string | +| digest | string | +| digest_alg | string | +| chain | [Certificate](#certificate) array | ### Version -| Field | Type | Label | Description | -|-------|---------|----------|-------------| -| major | integer | required | | -| minor | integer | required | | +The structures of fields +like `os_version`, `subsystem_version`, `image_version`, +`linker_version` and `resource_version`. + +| Field | Type | +|-------|---------| +| major | integer | +| minor | integer | - +###### Example + +``` +import "pe" + +rule Windows_5_2 { + condition: + pe.os_version.major == 5 and + pe.os_version.minor == 2 +} +``` ### Characteristics +Possible flags found in the `characteristics` field. 
+ | Name | Number | Description | |-------------------------|--------|------------------------------------------------------------------| -| RELOCS_STRIPPED | 1 | Relocation info stripped from file. | -| EXECUTABLE_IMAGE | 2 | File is executable (i.e. no unresolved external references). | -| LINE_NUMS_STRIPPED | 4 | Line numbers stripped from file. | -| LOCAL_SYMS_STRIPPED | 8 | Local symbols stripped from file. | -| AGGRESIVE_WS_TRIM | 16 | Aggressively trim working set | -| LARGE_ADDRESS_AWARE | 32 | App can handle >2gb addresses | -| BYTES_REVERSED_LO | 128 | Bytes of machine word are reversed. | -| MACHINE_32BIT | 256 | 32 bit word machine. | -| DEBUG_STRIPPED | 512 | Debugging info stripped from file in .DBG file | -| REMOVABLE_RUN_FROM_SWAP | 1024 | If Image is on removable media, copy and run from the swap file. | -| NET_RUN_FROM_SWAP | 2048 | If Image is on Net, copy and run from the swap file. | -| SYSTEM | 4096 | System File. | -| DLL | 8192 | File is a DLL.s | -| UP_SYSTEM_ONLY | 16384 | File should only be run on a UP machine | -| BYTES_REVERSED_HI | 32768 | Bytes of machine word are reversed. | - - +| RELOCS_STRIPPED | 0x0001 | Relocation info stripped from file. | +| EXECUTABLE_IMAGE | 0x0002 | File is executable (i.e. no unresolved external references). | +| LINE_NUMS_STRIPPED | 0x0004 | Line numbers stripped from file. | +| LOCAL_SYMS_STRIPPED | 0x0008 | Local symbols stripped from file. | +| AGGRESIVE_WS_TRIM | 0x0010 | Aggressively trim working set | +| LARGE_ADDRESS_AWARE | 0x0020 | App can handle >2gb addresses | +| BYTES_REVERSED_LO | 0x0080 | Bytes of machine word are reversed. | +| MACHINE_32BIT | 0x0100 | 32 bit word machine. | +| DEBUG_STRIPPED | 0x0200 | Debugging info stripped from file in .DBG file | +| REMOVABLE_RUN_FROM_SWAP | 0x0400 | If Image is on removable media, copy and run from the swap file. | +| NET_RUN_FROM_SWAP | 0x0800 | If Image is on Net, copy and run from the swap file. | +| SYSTEM | 0x1000 | System File. 
| +| DLL | 0x2000 | File is a DLL.s | +| UP_SYSTEM_ONLY | 0x4000 | File should only be run on a UP machine | +| BYTES_REVERSED_HI | 0x8000 | Bytes of machine word are reversed. | + +###### Example + +``` +import "pe" + +rule IsDLL { + condition: + pe.characteristics & pe.DLL != 0 +} +``` + +### DllCharacteristics + +Possible flags found in the `dll_characteristics` field. + +| Name | Number | +|-----------------------|--------| +| HIGH_ENTROPY_VA | 0x0020 | +| DYNAMIC_BASE | 0x0040 | +| FORCE_INTEGRITY | 0x0080 | +| NX_COMPAT | 0x0100 | +| NO_ISOLATION | 0x0200 | +| NO_SEH | 0x0400 | +| NO_BIND | 0x0800 | +| APPCONTAINER | 0x1000 | +| WDM_DRIVER | 0x2000 | +| GUARD_CF | 0x4000 | +| TERMINAL_SERVER_AWARE | 0x8000 | + +###### Example + +``` +import "pe" + +rule WdmDriver { + condition: + pe.dll_characteristics & pe.WDM_DRIVER != 0 +} +``` ### DirectoryEntry @@ -363,26 +454,6 @@ rule is_pe { | IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 14 | | IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 15 | - - -### DllCharacteristics - -| Name | Number | -|-----------------------|--------| -| HIGH_ENTROPY_VA | 32 | -| DYNAMIC_BASE | 64 | -| FORCE_INTEGRITY | 128 | -| NX_COMPAT | 256 | -| NO_ISOLATION | 512 | -| NO_SEH | 1024 | -| NO_BIND | 2048 | -| APPCONTAINER | 4096 | -| WDM_DRIVER | 8192 | -| GUARD_CF | 16384 | -| TERMINAL_SERVER_AWARE | 32768 | - - - ### ImportFlags | Name | Number | @@ -391,10 +462,10 @@ rule is_pe { | IMPORT_DELAYED | 2 | | IMPORT_ANY | 3 | - - ### Machine +Each of the possible values in the `machine` field. + | Name | Number | |-------------------|--------| | MACHINE_UNKNOWN | 0 | @@ -420,7 +491,16 @@ rule is_pe { | MACHINE_THUMB | 450 | | MACHINE_WCEMIPSV2 | 361 | - +###### Example + +``` +import "pe" + +rule ARM { + condition: + pe.machine == pe.MACHINE_ARM +} +``` ### OptionalMagic 
@@ -430,8 +510,6 @@ rule is_pe { | IMAGE_NT_OPTIONAL_HDR64_MAGIC | 523 | | IMAGE_ROM_OPTIONAL_HDR_MAGIC | 263 | - - ### ResourceType https://learn.microsoft.com/en-us/windows/win32/menurc/resource-types?redirectedfrom=MSDN @@ -460,8 +538,6 @@ https://learn.microsoft.com/en-us/windows/win32/menurc/resource-types?redirected | RESOURCE_TYPE_HTML | 23 | | RESOURCE_TYPE_MANIFEST | 24 | - - ### SectionCharacteristics | Name | Number | @@ -501,8 +577,6 @@ https://learn.microsoft.com/en-us/windows/win32/menurc/resource-types?redirected | SECTION_MEM_WRITE | 33 | | SECTION_SCALE_INDEX | 34 | - - ### Subsystem | Name | Number | diff --git a/site/content/docs/writing_rules/differences.md b/site/content/docs/writing_rules/differences.md index 0b9884ba6..73afaf821 100644 --- a/site/content/docs/writing_rules/differences.md +++ b/site/content/docs/writing_rules/differences.md @@ -9,7 +9,7 @@ menu: docs: parent: "" identifier: "differences" -weight: 290 +weight: 310 toc: true seo: title: "" # custom title (optional) 
@@ -92,20 +92,34 @@ patterns must be at least 3 characters long. In YARA 4.x if you use both `base64` and `base64wide` in the same string they must use the same alphabet. If you specify a custom alphabet for `base64`, you -must do the same for `base64wide`, so this in error: +must do the same for `base64wide`, this is an error: ``` $a = "foo" base64 base64wide("./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789") ``` In YARA-X you can specify different alphabets for `base64` and `base64wide` -in the same pattern. In the example above `base64` will use the default +in the same pattern. In the example above, `base64` will use the default alphabet as always, while `base64wide` will use the custom alphabet. -## Negative numbers as array indexes +## Global rules can't depend on non-global rules -The expression `@a[-1]` is valid in YARA 4.x, but its value is always -`undefined`. In YARA-X this is an error. +In YARA 4.x a global rule can depend on a non-global rule, as long as the +non-global rule is declared first. For instance, this is valid in YARA 4.x: + +``` +rule my_non_global_rule { + condition: + .... +} + +global rule my_global_rule { + condition: + my_non_global_rule +} +``` + +In YARA-X this is forbidden, global rules can only depend on other global rules. ## "of" statement accepts tuples of boolean expressions @@ -160,6 +174,11 @@ which doesn't match `"mississippi" xor(1) fullword`. In other words, YARA-X searches for full words contained inside a longer XORed string, which is the intended behavior in most cases. +## Negative numbers as array indexes + +The expression `@a[-1]` is valid in YARA 4.x, but its value is always +`undefined`. In YARA-X this is an error. + ## Jump bounds in hex patterns In YARA 4.x the following hex pattern is invalid:
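Review bot: In the pe.md hunk that adds the Signature/SignerInfo/Version tables, the new intro under "### Version" is a sentence fragment ("The structures of fields like `os_version`, ... and `resource_version`." has no verb); suggest "This is the structure of fields such as `os_version`, `subsystem_version`, `image_version`, `linker_version` and `resource_version`." In the same hunk, the rewritten Characteristics row "| DLL | 0x2000 | File is a DLL.s |" carries the stray ".s" over from the old table; since the row is being rewritten anyway, drop it. The new DllCharacteristics table has only Name and Number columns while Characteristics directly above it has a Description column; a one-line description per flag (e.g. what NX_COMPAT and GUARD_CF mean) would make the two sibling tables consistent and is exactly what a rule author scanning for hardening flags needs. Minor style point on the IsDLL and WdmDriver examples: `pe.characteristics & pe.DLL != 0` relies on `&` binding tighter than `!=`, which holds in YARA but is the opposite of C; writing `(pe.characteristics & pe.DLL) != 0` keeps the intent unambiguous for readers coming from C.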
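Review bot: In the hunks touching Machine, OptionalMagic and SectionCharacteristics (@@ -420,7 +491,16 through @@ -501,8 +577,6), the numeric columns are still decimal ("IMAGE_NT_OPTIONAL_HDR64_MAGIC | 523", "MACHINE_THUMB | 450") while this same change converts Characteristics and DllCharacteristics to hex; these PE constants are conventionally read in hex (523 is 0x20B, 450 is 0x1C2), so converting the remaining tables would make the page consistent. Separately, the SectionCharacteristics context lines "SECTION_MEM_WRITE | 33" and "SECTION_SCALE_INDEX | 34" look like enum ordinals rather than the section-flag bit values, since the Characteristics table lists powers of two and these two are consecutive; worth verifying against the module before publishing, because a rule such as `pe.sections[0].characteristics & pe.SECTION_MEM_WRITE != 0` would silently test the wrong bit if the documented value were used as a literal.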
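Review bot: In the differences.md hunk @@ -92,20 +92,34, the reworded base64 sentence is now a comma splice ("you must do the same for `base64wide`, this is an error:"); suggest "you must do the same for `base64wide`, so this is an error:". The closing sentence of the new "Global rules can't depend on non-global rules" section has the same problem ("In YARA-X this is forbidden, global rules can only depend on other global rules."); a colon or "and" fixes it: "In YARA-X this is forbidden: global rules can only depend on other global rules." It would also help to state the reason in one sentence, since the section only asserts the restriction; the rest of the hunk (relocating "Negative numbers as array indexes" after the fullword section) is a pure move and reads fine.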