feat: rpath_present function for querying rpaths
latonis committed Jan 10, 2024
1 parent 2932da7 commit b9e461d
Showing 3 changed files with 99 additions and 26 deletions.
39 changes: 38 additions & 1 deletion yara-x/src/modules/macho/mod.rs
Expand Up @@ -2836,7 +2836,7 @@ fn ep_for_arch_subtype(
}

/// The function for checking if any dylib name present in the main Mach-O or embedded Mach-O files
/// contain a dylib wit
/// contain a dylib with the desired name
///
/// # Arguments
///
Expand Down Expand Up @@ -2875,6 +2875,43 @@ fn dylibs_present(
Some(false)
}

/// The function for checking if any rpath present in the main Mach-O or embedded Mach-O files
/// contain an rpath with the desired path
///
/// # Arguments
///
/// * `ctx`: A mutable reference to the scanning context.
/// * `rpath`: The name of the dylib to check if present
///
/// # Returns
///
/// An `Option<bool>` containing if the path is found
#[module_export(name = "rpath_present")]
fn rpaths_present(ctx: &ScanContext, rpath: RuntimeString) -> Option<bool> {
let macho = ctx.module_output::<Macho>()?;
let expected_rpath = rpath.as_bstr(ctx);

for rp in macho.rpaths.iter() {
if rp.path.as_ref().is_some_and(|path| {
expected_rpath.eq_ignore_ascii_case(path.as_bytes())
}) {
return Some(true);
}
}

for file in macho.file.iter() {
for rp in file.rpaths.iter() {
if rp.path.as_ref().is_some_and(|path| {
expected_rpath.eq_ignore_ascii_case(path.as_bytes())
}) {
return Some(true);
}
}
}

Some(false)
}

/// The primary function for processing a Mach-O file, extracting its
/// information and populating a `Macho` protobuf object with the extracted
/// data.
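Review bot: The doc comment on `rpaths_present` describes the `rpath` argument as "The name of the dylib to check if present", which looks copied from `dylibs_present`, and it never says how the match is made. The body compares the argument with `eq_ignore_ascii_case` against each stored path as a whole, so rule authors get an ASCII-case-insensitive, whole-string match with no path normalization visible in this hunk; a trailing slash or a differently spelled relative segment would not match. I would state that in the docs, e.g. `/// * rpath: the rpath to look for; matched as a whole string, ignoring ASCII case`, and reword the summary so it reads "checks whether any rpath in the main or embedded Mach-O files equals the given path". The exported name is `rpath_present` while the Rust function is `rpaths_present`; this presumably mirrors `dylibs_present`, but a one-line comment saying so would save the next reader a search.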
64 changes: 50 additions & 14 deletions yara-x/src/modules/macho/tests/mod.rs
Expand Up @@ -415,10 +415,14 @@ fn test_swap_entry_point_command() {

#[test]
fn test_macho_module() {
let macho_data = create_binary_from_zipped_ihex(
let tiny_universal_macho_data = create_binary_from_zipped_ihex(
"src/modules/macho/tests/testdata/tiny_universal.in.zip",
);

let x86_macho_data = create_binary_from_zipped_ihex(
"src/modules/macho/tests/testdata/macho_x86_file.in.zip",
);

rule_true!(
r#"
import "macho"
Expand Down Expand Up @@ -469,7 +473,7 @@ fn test_macho_module() {
macho.file_index_for_arch(0x00000007) == 0
}
"#,
&macho_data
&tiny_universal_macho_data
);

rule_true!(
Expand All @@ -480,7 +484,7 @@ fn test_macho_module() {
macho.file_index_for_arch(0x01000007) == 1
}
"#,
&macho_data
&tiny_universal_macho_data
);

rule_false!(
Expand All @@ -491,7 +495,7 @@ fn test_macho_module() {
macho.file_index_for_arch(0x00000008) == 0
}
"#,
&macho_data
&tiny_universal_macho_data
);

rule_true!(
Expand All @@ -513,7 +517,7 @@ fn test_macho_module() {
macho.file_index_for_arch(0x00000007, 0x00000003) == 0
}
"#,
&macho_data
&tiny_universal_macho_data
);

rule_true!(
Expand All @@ -524,7 +528,7 @@ fn test_macho_module() {
macho.file_index_for_arch(16777223, 2147483651) == 1
}
"#,
&macho_data
&tiny_universal_macho_data
);

rule_false!(
Expand All @@ -535,7 +539,7 @@ fn test_macho_module() {
macho.file_index_for_arch(0x00000008, 0x00000004) == 0
}
"#,
&macho_data
&tiny_universal_macho_data
);

rule_true!(
Expand All @@ -546,7 +550,7 @@ fn test_macho_module() {
not defined macho.file_index_for_arch(0x00000008, 0x00000004)
}
"#,
&macho_data
&tiny_universal_macho_data
);

rule_true!(
Expand All @@ -568,7 +572,7 @@ fn test_macho_module() {
macho.entry_point_for_arch(0x00000007) == 0x00001EE0
}
"#,
&macho_data
&tiny_universal_macho_data
);

rule_true!(
Expand All @@ -579,7 +583,7 @@ fn test_macho_module() {
macho.entry_point_for_arch(0x01000007) == 0x00004EE0
}
"#,
&macho_data
&tiny_universal_macho_data
);

rule_true!(
Expand All @@ -590,7 +594,7 @@ fn test_macho_module() {
macho.entry_point_for_arch(0x00000007, 0x00000003) == 0x00001EE0
}
"#,
&macho_data
&tiny_universal_macho_data
);

rule_true!(
Expand All @@ -601,7 +605,7 @@ fn test_macho_module() {
macho.entry_point_for_arch(16777223, 2147483651) == 0x00004EE0
}
"#,
&macho_data
&tiny_universal_macho_data
);

rule_false!(
Expand All @@ -612,7 +616,7 @@ fn test_macho_module() {
macho.entry_point_for_arch(0x00000008, 0x00000003) == 0x00001EE0
}
"#,
&macho_data
&tiny_universal_macho_data
);

rule_true!(
Expand Down Expand Up @@ -644,6 +648,38 @@ fn test_macho_module() {
macho.dylib_present("/usr/lib/libSystem.B.dylib")
}
"#,
&macho_data
&tiny_universal_macho_data
);

rule_false!(
r#"
import "macho"
rule test {
condition:
macho.rpath_present("totally not present rpath")
}
"#
);

rule_false!(
r#"
import "macho"
rule macho_test {
condition:
macho.rpath_present("@loader_path/../Frameworks")
}
"#,
&tiny_universal_macho_data
);

rule_true!(
r#"
import "macho"
rule macho_test {
condition:
macho.rpath_present("@loader_path/../Frameworks")
}
"#,
&x86_macho_data
);
}
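Review bot: The new `rpath_present` cases in `test_macho_module` check only an exact-case hit and a miss, so nothing pins the ASCII-case-insensitive comparison the implementation uses. No visible case finds a match through an embedded file either, because the universal fixture is only used with `rule_false!`; whether a universal fixture carrying that rpath exists is not visible here. I would add a mixed-case positive case against `x86_macho_data`, as sketched below, so a later change to the comparison shows up as a test failure rather than as silently different rule results. The test function runs through collapsed regions of this section, so lines outside the view may already cover part of this.

```rust
    // … unchanged: existing rpath_present cases …

    // Pins the ASCII-case-insensitive comparison done by rpath_present.
    rule_true!(
        r#"
        import "macho"
        rule macho_test {
            condition:
                macho.rpath_present("@LOADER_PATH/../frameworks")
        }
        "#,
        &x86_macho_data
    );
```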
22 changes: 11 additions & 11 deletions yara-x/src/wasm/builder.rs
Expand Up @@ -470,38 +470,38 @@ mod tests {
assert_eq!(
text,
r#"(module
(func (;151;) (type 1) (result i32)
(func (;152;) (type 1) (result i32)
i32.const 0
global.set 2
i32.const 0
global.set 3
call 152
call 153
call 154
global.get 3
)
(func (;152;) (type 0)
block ;; label = @1
call 154
end
(func (;153;) (type 0)
block ;; label = @1
call 155
end
)
(func (;153;) (type 0)
block ;; label = @1
call 156
end
)
(func (;154;) (type 0)
i32.const 4
block ;; label = @1
call 157
end
)
(func (;155;) (type 0)
i32.const 5
i32.const 4
)
(func (;156;) (type 0)
i32.const 5
)
(func (;157;) (type 0)
i32.const 6
)
(export "main" (func 151))
(export "main" (func 152))
)"#
);
}