From f33dde9c7c4b1b7a7086a2047afd054163817c6f Mon Sep 17 00:00:00 2001
From: "Victor M. Alvarez"
Date: Tue, 21 Nov 2023 15:26:58 +0100
Subject: [PATCH] feat: implement `is_64_bits`, `is_32_bits` and `is_dll` functions in PE module
---
 yara-x/src/modules/pe/mod.rs | 21 +++
 yara-x/src/modules/pe/parser.rs | 10 +-
 yara-x/src/modules/pe/tests/mod.rs | 54 ++++++++
 ...22597104f54a75683a5adee235401778279818.out | 1 +
 ...15cdc8dd28a968c6b4d3b88acdd58ce2d3b885.out | 1 +
 ...2a4135267a9b0156642a9596a62e85c9998cc9.out | 1 +
 ...2d55cd882c80e5afc511c4f7b2e0e193968f7f.out | 1 +
 ...eb02f56b21e48fd67044e69e7a2ae76db631e5.out | 1 +
 ...ee35dbec84b9d71a6abbacb26c14e83f5897e4.out | 1 +
 ...4742c0fad490cb2165f371f53b61941eedf072.out | 1 +
 ...7a19f272c62d1889216b7a6f1141571ec12649.out | 1 +
 ...8c44d7f095eb395779de0ad1ac946914dfa34c.out | 1 +
 ...bdcfea184ce9b58320891a2d72d4ec93766f14.out | 1 +
 ...ea8f004d49ec0c1806080fa72e960529cba14c.out | 1 +
 ...23b0eb69005158f981bc84560e9a5dde103d90.out | 1 +
 ...06dea4181f6477cfb61f2130f37d014ce21888.out | 1 +
 ...6ad42ccfb04ccedd3ada1e8c26939c726a4c8e.out | 1 +
 ...02eeb966dbf9e198c94e3d74a9e9260e5f9870.out | 1 +
 ...c21bbafd719dcc7cfc28f405ad3bc2783c6a12.out | 1 +
 ...318a0029d9d4e7903cd63291946b334c314831.out | 1 +
 ...540073b860e3b4d42e081f86d27bdb1cf6ede4.out | 1 +
 ...00c17d29de9dfc156666c98581dfeccc07548e.out | 1 +
 ...e218e0c9710e5a787b18c6948f2eedd9338984.out | 1 +
 ...19258fef40dad54532ee4355b86bc129f27345.out | 1 +
 ...f13f8d3920141a39b502e870348ce3b254eb80.out | 1 +
 ...7c12e0826b06cd15eb6dec9bf3df6465216dd8.out | 1 +
 yara-x/src/modules/protos/pe.proto | 124 ++++++++++++------
 yara-x/src/wasm/builder.rs | 24 ++--
 28 files changed, 200 insertions(+), 56 deletions(-)
diff --git a/yara-x/src/modules/pe/mod.rs b/yara-x/src/modules/pe/mod.rs
index 328d05b95..26d9dfc16 100644
--- a/yara-x/src/modules/pe/mod.rs
+++ b/yara-x/src/modules/pe/mod.rs
@@ -34,6 +34,27 @@ fn main(input: &[u8]) -> PE {
 }
 }
 
+/// Returns true if the file is a 32-bit PE.
+#[module_export]
+fn is_32_bits(ctx: &ScanContext) -> Option {
+ let magic = ctx.module_output::()?.opthdr_magic?;
+ Some(magic.value() == OptHdrMagic::IMAGE_NT_OPTIONAL_HDR32_MAGIC as i32)
+}
+
+/// Returns true if the file is a 64-bit PE.
+#[module_export]
+fn is_64_bits(ctx: &ScanContext) -> Option {
+ let magic = ctx.module_output::()?.opthdr_magic?;
+ Some(magic.value() == OptHdrMagic::IMAGE_NT_OPTIONAL_HDR64_MAGIC as i32)
+}
+
+/// Returns true if the file is dynamic link library (DLL)
+#[module_export]
+fn is_dll(ctx: &ScanContext) -> Option {
+ let characteristics = ctx.module_output::()?.characteristics?;
+ Some(characteristics & Characteristics::FILE_DLL as u32 != 0)
+}
+
 /// Returns the PE checksum, as calculated by YARA.
 ///
 /// This is useful for comparing with the checksum appearing in the PE header
diff --git a/yara-x/src/modules/pe/parser.rs b/yara-x/src/modules/pe/parser.rs
index f102f9d03..fca705cd2 100644
--- a/yara-x/src/modules/pe/parser.rs
+++ b/yara-x/src/modules/pe/parser.rs
@@ -1924,7 +1924,14 @@ impl From> for pe::PE {
 result.set_pointer_to_symbol_table(pe.pe_hdr.symbol_table_offset);
 result.set_number_of_symbols(pe.pe_hdr.number_of_symbols);
 result.set_size_of_optional_header(pe.pe_hdr.size_of_optional_header.into());
-
+
+ result.opthdr_magic = pe
+ .optional_hdr
+ .magic
+ .try_into()
+ .ok()
+ .map(EnumOrUnknown::::from_i32);
+
 result.subsystem = pe
 .optional_hdr
 .subsystem
@@ -1957,7 +1964,6 @@ impl From> for pe::PE {
 
 // TODO
 // number_of_version_infos
- // opthdr_magic
 
 result.linker_version = MessageField::some(pe::Version {
 major: Some(pe.optional_hdr.major_linker_version.into()),
diff --git a/yara-x/src/modules/pe/tests/mod.rs b/yara-x/src/modules/pe/tests/mod.rs
index 401d0c008..2c89ced31 100644
--- a/yara-x/src/modules/pe/tests/mod.rs
+++ b/yara-x/src/modules/pe/tests/mod.rs
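Review bot: The doc comment on `is_dll` should say what is actually tested — the FILE_DLL bit of the file header's characteristics, which is just a header field — and it is also missing an article and a period; suggest `/// Returns true if the FILE_DLL flag is set in the PE characteristics.` so rule authors know the result mirrors the header flag rather than how the image would be loaded. The bit test `characteristics & Characteristics::FILE_DLL as u32 != 0` parses as intended because `&` binds tighter than `!=` in Rust, but `(characteristics & Characteristics::FILE_DLL as u32) != 0` reads more clearly. The docs of `is_32_bits` and `is_64_bits` would also benefit from stating that both are undefined when `opthdr_magic` is absent and both return false for any magic other than the two enum values, since `EnumOrUnknown::value()` is compared against a single constant in each.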
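Review bot: The new `opthdr_magic` assignment keeps any magic outside the two enum values as the unknown variant of `EnumOrUnknown`, and if `magic` is a 16-bit field the `.try_into().ok()` step can never fail, so the `Option` produced here does not mean "magic present" in any meaningful sense. A short comment would spare the next reader that analysis, e.g. `// Magic values other than the two known ones stay as EnumOrUnknown::Unknown, so is_32_bits() and is_64_bits() both return false for them.` The enclosing `From` impl starts and ends outside the hunk.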
@@ -338,3 +338,57 @@ fn locale_and_language() {
 &pe
 );
 }
+
+#[test]
+fn is_32bits() {
+ let pe = create_binary_from_zipped_ihex(
+ "src/modules/pe/tests/testdata/0ba6042247d90a187919dd88dc2d55cd882c80e5afc511c4f7b2e0e193968f7f.in.zip",
+ );
+
+ rule_true!(
+ r#"
+ import "pe"
+ rule test {
+ condition:
+ pe.is_32_bits()
+ }
+ "#,
+ &pe
+ );
+}
+
+#[test]
+fn is_64bits() {
+ let pe = create_binary_from_zipped_ihex(
+ "src/modules/pe/tests/testdata/2e9c671b8a0411f2b397544b368c44d7f095eb395779de0ad1ac946914dfa34c.in.zip",
+ );
+
+ rule_true!(
+ r#"
+ import "pe"
+ rule test {
+ condition:
+ pe.is_64_bits()
+ }
+ "#,
+ &pe
+ );
+}
+
+#[test]
+fn is_dll() {
+ let pe = create_binary_from_zipped_ihex(
+ "src/modules/pe/tests/testdata/079a472d22290a94ebb212aa8015cdc8dd28a968c6b4d3b88acdd58ce2d3b885.in.zip",
+ );
+
+ rule_true!(
+ r#"
+ import "pe"
+ rule test {
+ condition:
+ pe.is_dll()
+ }
+ "#,
+ &pe
+ );
+}
diff --git a/yara-x/src/modules/pe/tests/testdata/04ac6dd0c1cc33a49962ee0f3222597104f54a75683a5adee235401778279818.out b/yara-x/src/modules/pe/tests/testdata/04ac6dd0c1cc33a49962ee0f3222597104f54a75683a5adee235401778279818.out
index f2f858b2e..568222bda 100644
--- a/yara-x/src/modules/pe/tests/testdata/04ac6dd0c1cc33a49962ee0f3222597104f54a75683a5adee235401778279818.out
+++ b/yara-x/src/modules/pe/tests/testdata/04ac6dd0c1cc33a49962ee0f3222597104f54a75683a5adee235401778279818.out
@@ -17,6 +17,7 @@ linker_version {
 major: 14
 minor: 29
 }
+opthdr_magic: IMAGE_NT_OPTIONAL_HDR32_MAGIC
 characteristics: 258
 dll_characteristics: 33088
 timestamp: 1626863112
diff --git a/yara-x/src/modules/pe/tests/testdata/079a472d22290a94ebb212aa8015cdc8dd28a968c6b4d3b88acdd58ce2d3b885.out b/yara-x/src/modules/pe/tests/testdata/079a472d22290a94ebb212aa8015cdc8dd28a968c6b4d3b88acdd58ce2d3b885.out
index 75f213d96..86e83b463 100644
--- a/yara-x/src/modules/pe/tests/testdata/079a472d22290a94ebb212aa8015cdc8dd28a968c6b4d3b88acdd58ce2d3b885.out
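Review bot: The three new tests assert only the positive case, so a regression that made `is_32_bits` and `is_64_bits` both true (or `is_dll` true for every file) would still pass. Tightening the conditions to `pe.is_32_bits() and not pe.is_64_bits()` in `is_32bits`, `pe.is_64_bits() and not pe.is_32_bits()` in `is_64bits`, and adding a `not pe.is_dll()` check against one of the non-DLL samples already used elsewhere in this file would pin the distinction. The test names (`is_32bits`) and the functions under test (`is_32_bits`) also differ in spelling; matching them makes a failure easier to map back to the function.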
+++ b/yara-x/src/modules/pe/tests/testdata/079a472d22290a94ebb212aa8015cdc8dd28a968c6b4d3b88acdd58ce2d3b885.out
@@ -17,6 +17,7 @@ linker_version {
 major: 10
 minor: 0
 }
+opthdr_magic: IMAGE_NT_OPTIONAL_HDR32_MAGIC
 characteristics: 8450
 dll_characteristics: 320
 timestamp: 1528213185
diff --git a/yara-x/src/modules/pe/tests/testdata/09e7d832320e51bcc80b9aecde2a4135267a9b0156642a9596a62e85c9998cc9.out b/yara-x/src/modules/pe/tests/testdata/09e7d832320e51bcc80b9aecde2a4135267a9b0156642a9596a62e85c9998cc9.out
index 9f967f036..521a187a0 100644
--- a/yara-x/src/modules/pe/tests/testdata/09e7d832320e51bcc80b9aecde2a4135267a9b0156642a9596a62e85c9998cc9.out
+++ b/yara-x/src/modules/pe/tests/testdata/09e7d832320e51bcc80b9aecde2a4135267a9b0156642a9596a62e85c9998cc9.out
@@ -17,6 +17,7 @@ linker_version {
 major: 48
 minor: 0
 }
+opthdr_magic: IMAGE_NT_OPTIONAL_HDR32_MAGIC
 characteristics: 8226
 dll_characteristics: 34112
 timestamp: 3665045795
diff --git a/yara-x/src/modules/pe/tests/testdata/0ba6042247d90a187919dd88dc2d55cd882c80e5afc511c4f7b2e0e193968f7f.out b/yara-x/src/modules/pe/tests/testdata/0ba6042247d90a187919dd88dc2d55cd882c80e5afc511c4f7b2e0e193968f7f.out
index b5e3758a6..864bebb31 100644
--- a/yara-x/src/modules/pe/tests/testdata/0ba6042247d90a187919dd88dc2d55cd882c80e5afc511c4f7b2e0e193968f7f.out
+++ b/yara-x/src/modules/pe/tests/testdata/0ba6042247d90a187919dd88dc2d55cd882c80e5afc511c4f7b2e0e193968f7f.out
@@ -17,6 +17,7 @@ linker_version {
 major: 7
 minor: 0
 }
+opthdr_magic: IMAGE_NT_OPTIONAL_HDR32_MAGIC
 characteristics: 271
 dll_characteristics: 32768
 timestamp: 998081829
diff --git a/yara-x/src/modules/pe/tests/testdata/23e72ce7e9cdbc80c0095484ebeb02f56b21e48fd67044e69e7a2ae76db631e5.out b/yara-x/src/modules/pe/tests/testdata/23e72ce7e9cdbc80c0095484ebeb02f56b21e48fd67044e69e7a2ae76db631e5.out
index b9c4e0410..667ebdf9b 100644
--- a/yara-x/src/modules/pe/tests/testdata/23e72ce7e9cdbc80c0095484ebeb02f56b21e48fd67044e69e7a2ae76db631e5.out
+++ b/yara-x/src/modules/pe/tests/testdata/23e72ce7e9cdbc80c0095484ebeb02f56b21e48fd67044e69e7a2ae76db631e5.out
@@ -17,6 +17,7 @@ linker_version {
 major: 14
 minor: 13
 }
+opthdr_magic: IMAGE_NT_OPTIONAL_HDR64_MAGIC
 characteristics: 8226
 dll_characteristics: 16736
 timestamp: 1827812126
diff --git a/yara-x/src/modules/pe/tests/testdata/2775d97f8bdb3311ace960a42eee35dbec84b9d71a6abbacb26c14e83f5897e4.out b/yara-x/src/modules/pe/tests/testdata/2775d97f8bdb3311ace960a42eee35dbec84b9d71a6abbacb26c14e83f5897e4.out
index aca72e95f..c402046d6 100644
--- a/yara-x/src/modules/pe/tests/testdata/2775d97f8bdb3311ace960a42eee35dbec84b9d71a6abbacb26c14e83f5897e4.out
+++ b/yara-x/src/modules/pe/tests/testdata/2775d97f8bdb3311ace960a42eee35dbec84b9d71a6abbacb26c14e83f5897e4.out
@@ -17,6 +17,7 @@ linker_version {
 major: 6
 minor: 0
 }
+opthdr_magic: IMAGE_NT_OPTIONAL_HDR32_MAGIC
 characteristics: 271
 dll_characteristics: 0
 timestamp: 1524722207
diff --git a/yara-x/src/modules/pe/tests/testdata/29eeeecf2c458ea3da1ce9d6d54742c0fad490cb2165f371f53b61941eedf072.out b/yara-x/src/modules/pe/tests/testdata/29eeeecf2c458ea3da1ce9d6d54742c0fad490cb2165f371f53b61941eedf072.out
index 8ab6c63ce..3974ce6e5 100644
--- a/yara-x/src/modules/pe/tests/testdata/29eeeecf2c458ea3da1ce9d6d54742c0fad490cb2165f371f53b61941eedf072.out
+++ b/yara-x/src/modules/pe/tests/testdata/29eeeecf2c458ea3da1ce9d6d54742c0fad490cb2165f371f53b61941eedf072.out
@@ -17,6 +17,7 @@ linker_version {
 major: 8
 minor: 0
 }
+opthdr_magic: IMAGE_NT_OPTIONAL_HDR32_MAGIC
 characteristics: 258
 dll_characteristics: 33088
 timestamp: 1621233906
diff --git a/yara-x/src/modules/pe/tests/testdata/2d80c403b5c50f8bbacb65f58e7a19f272c62d1889216b7a6f1141571ec12649.out b/yara-x/src/modules/pe/tests/testdata/2d80c403b5c50f8bbacb65f58e7a19f272c62d1889216b7a6f1141571ec12649.out
index 1fd7c8f3e..c2faa0d08 100644
--- a/yara-x/src/modules/pe/tests/testdata/2d80c403b5c50f8bbacb65f58e7a19f272c62d1889216b7a6f1141571ec12649.out
+++ b/yara-x/src/modules/pe/tests/testdata/2d80c403b5c50f8bbacb65f58e7a19f272c62d1889216b7a6f1141571ec12649.out
@@ -17,6 +17,7 @@ linker_version {
 major: 2
 minor: 56
 }
+opthdr_magic: IMAGE_NT_OPTIONAL_HDR32_MAGIC
 characteristics: 8974
 dll_characteristics: 0
 timestamp: 1274346651
diff --git a/yara-x/src/modules/pe/tests/testdata/2e9c671b8a0411f2b397544b368c44d7f095eb395779de0ad1ac946914dfa34c.out b/yara-x/src/modules/pe/tests/testdata/2e9c671b8a0411f2b397544b368c44d7f095eb395779de0ad1ac946914dfa34c.out
index 0cb55c8a7..e962960dc 100644
--- a/yara-x/src/modules/pe/tests/testdata/2e9c671b8a0411f2b397544b368c44d7f095eb395779de0ad1ac946914dfa34c.out
+++ b/yara-x/src/modules/pe/tests/testdata/2e9c671b8a0411f2b397544b368c44d7f095eb395779de0ad1ac946914dfa34c.out
@@ -17,6 +17,7 @@ linker_version {
 major: 2
 minor: 51
 }
+opthdr_magic: IMAGE_NT_OPTIONAL_HDR64_MAGIC
 characteristics: 47
 dll_characteristics: 0
 timestamp: 0
diff --git a/yara-x/src/modules/pe/tests/testdata/55cfd3bcea1aa352b4687c4d45bdcfea184ce9b58320891a2d72d4ec93766f14.out b/yara-x/src/modules/pe/tests/testdata/55cfd3bcea1aa352b4687c4d45bdcfea184ce9b58320891a2d72d4ec93766f14.out
index 882c9f817..d279bce3c 100644
--- a/yara-x/src/modules/pe/tests/testdata/55cfd3bcea1aa352b4687c4d45bdcfea184ce9b58320891a2d72d4ec93766f14.out
+++ b/yara-x/src/modules/pe/tests/testdata/55cfd3bcea1aa352b4687c4d45bdcfea184ce9b58320891a2d72d4ec93766f14.out
@@ -17,6 +17,7 @@ linker_version {
 major: 8
 minor: 0
 }
+opthdr_magic: IMAGE_NT_OPTIONAL_HDR32_MAGIC
 characteristics: 259
 dll_characteristics: 1024
 timestamp: 1162198621
diff --git a/yara-x/src/modules/pe/tests/testdata/6c2abf4b80a87e63eee2996e5cea8f004d49ec0c1806080fa72e960529cba14c.out b/yara-x/src/modules/pe/tests/testdata/6c2abf4b80a87e63eee2996e5cea8f004d49ec0c1806080fa72e960529cba14c.out
index 024874f64..2c410be31 100644
--- a/yara-x/src/modules/pe/tests/testdata/6c2abf4b80a87e63eee2996e5cea8f004d49ec0c1806080fa72e960529cba14c.out
+++ b/yara-x/src/modules/pe/tests/testdata/6c2abf4b80a87e63eee2996e5cea8f004d49ec0c1806080fa72e960529cba14c.out
@@ -17,6 +17,7 @@ linker_version {
 major: 2
 minor: 56
 }
+opthdr_magic: IMAGE_NT_OPTIONAL_HDR64_MAGIC
 characteristics: 782
 dll_characteristics: 0
 timestamp: 0
diff --git a/yara-x/src/modules/pe/tests/testdata/99df28014fae5f213c8decfde423b0eb69005158f981bc84560e9a5dde103d90.out b/yara-x/src/modules/pe/tests/testdata/99df28014fae5f213c8decfde423b0eb69005158f981bc84560e9a5dde103d90.out
index c51200fab..6aaabfb17 100644
--- a/yara-x/src/modules/pe/tests/testdata/99df28014fae5f213c8decfde423b0eb69005158f981bc84560e9a5dde103d90.out
+++ b/yara-x/src/modules/pe/tests/testdata/99df28014fae5f213c8decfde423b0eb69005158f981bc84560e9a5dde103d90.out
@@ -17,6 +17,7 @@ linker_version {
 major: 2
 minor: 26
 }
+opthdr_magic: IMAGE_NT_OPTIONAL_HDR32_MAGIC
 characteristics: 783
 dll_characteristics: 0
 timestamp: 1459377848
diff --git a/yara-x/src/modules/pe/tests/testdata/9bcf79a99ffbb1bd649503ce1406dea4181f6477cfb61f2130f37d014ce21888.out b/yara-x/src/modules/pe/tests/testdata/9bcf79a99ffbb1bd649503ce1406dea4181f6477cfb61f2130f37d014ce21888.out
index e95ca19ba..cdaf54097 100644
--- a/yara-x/src/modules/pe/tests/testdata/9bcf79a99ffbb1bd649503ce1406dea4181f6477cfb61f2130f37d014ce21888.out
+++ b/yara-x/src/modules/pe/tests/testdata/9bcf79a99ffbb1bd649503ce1406dea4181f6477cfb61f2130f37d014ce21888.out
@@ -17,6 +17,7 @@ linker_version {
 major: 48
 minor: 0
 }
+opthdr_magic: IMAGE_NT_OPTIONAL_HDR32_MAGIC
 characteristics: 8226
 dll_characteristics: 34112
 timestamp: 3435013737
diff --git a/yara-x/src/modules/pe/tests/testdata/af3f20a9272489cbef4281c8c86ad42ccfb04ccedd3ada1e8c26939c726a4c8e.out b/yara-x/src/modules/pe/tests/testdata/af3f20a9272489cbef4281c8c86ad42ccfb04ccedd3ada1e8c26939c726a4c8e.out
index d7be9c7ff..edf1129bd 100644
--- a/yara-x/src/modules/pe/tests/testdata/af3f20a9272489cbef4281c8c86ad42ccfb04ccedd3ada1e8c26939c726a4c8e.out
+++ b/yara-x/src/modules/pe/tests/testdata/af3f20a9272489cbef4281c8c86ad42ccfb04ccedd3ada1e8c26939c726a4c8e.out
@@ -17,6 +17,7 @@ linker_version {
 major: 2
 minor: 20
 }
+opthdr_magic: IMAGE_NT_OPTIONAL_HDR64_MAGIC
 characteristics: 518
 dll_characteristics: 0
 timestamp: 0
diff --git a/yara-x/src/modules/pe/tests/testdata/b8543d3aceec5a754292393f6602eeb966dbf9e198c94e3d74a9e9260e5f9870.out b/yara-x/src/modules/pe/tests/testdata/b8543d3aceec5a754292393f6602eeb966dbf9e198c94e3d74a9e9260e5f9870.out
index a2b2f7a89..da207025c 100644
--- a/yara-x/src/modules/pe/tests/testdata/b8543d3aceec5a754292393f6602eeb966dbf9e198c94e3d74a9e9260e5f9870.out
+++ b/yara-x/src/modules/pe/tests/testdata/b8543d3aceec5a754292393f6602eeb966dbf9e198c94e3d74a9e9260e5f9870.out
@@ -17,6 +17,7 @@ linker_version {
 major: 14
 minor: 20
 }
+opthdr_magic: IMAGE_NT_OPTIONAL_HDR64_MAGIC
 characteristics: 34
 dll_characteristics: 49504
 timestamp: 1776026023
diff --git a/yara-x/src/modules/pe/tests/testdata/bd82090d9c6e23c1e2708550f4c21bbafd719dcc7cfc28f405ad3bc2783c6a12.out b/yara-x/src/modules/pe/tests/testdata/bd82090d9c6e23c1e2708550f4c21bbafd719dcc7cfc28f405ad3bc2783c6a12.out
index 7edb81bd0..7ef7f63f5 100644
--- a/yara-x/src/modules/pe/tests/testdata/bd82090d9c6e23c1e2708550f4c21bbafd719dcc7cfc28f405ad3bc2783c6a12.out
+++ b/yara-x/src/modules/pe/tests/testdata/bd82090d9c6e23c1e2708550f4c21bbafd719dcc7cfc28f405ad3bc2783c6a12.out
@@ -17,6 +17,7 @@ linker_version {
 major: 8
 minor: 0
 }
+opthdr_magic: IMAGE_NT_OPTIONAL_HDR32_MAGIC
 characteristics: 259
 dll_characteristics: 1024
 timestamp: 1162198621
diff --git a/yara-x/src/modules/pe/tests/testdata/c703e95b9ec0ca955b1bcf33e1318a0029d9d4e7903cd63291946b334c314831.out b/yara-x/src/modules/pe/tests/testdata/c703e95b9ec0ca955b1bcf33e1318a0029d9d4e7903cd63291946b334c314831.out
index 1f9a62fbf..2f104fe63 100644
--- a/yara-x/src/modules/pe/tests/testdata/c703e95b9ec0ca955b1bcf33e1318a0029d9d4e7903cd63291946b334c314831.out
+++ b/yara-x/src/modules/pe/tests/testdata/c703e95b9ec0ca955b1bcf33e1318a0029d9d4e7903cd63291946b334c314831.out
@@ -17,6 +17,7 @@ linker_version {
 major: 2
 minor: 56
 }
+opthdr_magic: IMAGE_NT_OPTIONAL_HDR64_MAGIC
 characteristics: 782
 dll_characteristics: 0
 timestamp: 0
diff --git a/yara-x/src/modules/pe/tests/testdata/c704cca0fe4c9bdee18a302952540073b860e3b4d42e081f86d27bdb1cf6ede4.out b/yara-x/src/modules/pe/tests/testdata/c704cca0fe4c9bdee18a302952540073b860e3b4d42e081f86d27bdb1cf6ede4.out
index ee7b6c075..8623823e4 100644
--- a/yara-x/src/modules/pe/tests/testdata/c704cca0fe4c9bdee18a302952540073b860e3b4d42e081f86d27bdb1cf6ede4.out
+++ b/yara-x/src/modules/pe/tests/testdata/c704cca0fe4c9bdee18a302952540073b860e3b4d42e081f86d27bdb1cf6ede4.out
@@ -17,6 +17,7 @@ linker_version {
 major: 2
 minor: 26
 }
+opthdr_magic: IMAGE_NT_OPTIONAL_HDR32_MAGIC
 characteristics: 783
 dll_characteristics: 0
 timestamp: 1459377848
diff --git a/yara-x/src/modules/pe/tests/testdata/d009038e4e371f9cdc3a96923700c17d29de9dfc156666c98581dfeccc07548e.out b/yara-x/src/modules/pe/tests/testdata/d009038e4e371f9cdc3a96923700c17d29de9dfc156666c98581dfeccc07548e.out
index 5adf51893..bb57ebbd2 100644
--- a/yara-x/src/modules/pe/tests/testdata/d009038e4e371f9cdc3a96923700c17d29de9dfc156666c98581dfeccc07548e.out
+++ b/yara-x/src/modules/pe/tests/testdata/d009038e4e371f9cdc3a96923700c17d29de9dfc156666c98581dfeccc07548e.out
@@ -17,6 +17,7 @@ linker_version {
 major: 9
 minor: 0
 }
+opthdr_magic: IMAGE_NT_OPTIONAL_HDR32_MAGIC
 characteristics: 258
 dll_characteristics: 1024
 timestamp: 1301987779
diff --git a/yara-x/src/modules/pe/tests/testdata/db6a9934570fa98a93a979e7e0e218e0c9710e5a787b18c6948f2eedd9338984.out b/yara-x/src/modules/pe/tests/testdata/db6a9934570fa98a93a979e7e0e218e0c9710e5a787b18c6948f2eedd9338984.out
index 2e5fff114..1519bd9ff 100644
--- a/yara-x/src/modules/pe/tests/testdata/db6a9934570fa98a93a979e7e0e218e0c9710e5a787b18c6948f2eedd9338984.out
+++ b/yara-x/src/modules/pe/tests/testdata/db6a9934570fa98a93a979e7e0e218e0c9710e5a787b18c6948f2eedd9338984.out
@@ -17,6 +17,7 @@ linker_version {
 major: 14
 minor: 0
 }
+opthdr_magic: IMAGE_NT_OPTIONAL_HDR64_MAGIC
 characteristics: 34
 dll_characteristics: 33056
 timestamp: 1629390430
diff --git a/yara-x/src/modules/pe/tests/testdata/e3d45a2865818756068757d7e319258fef40dad54532ee4355b86bc129f27345.out b/yara-x/src/modules/pe/tests/testdata/e3d45a2865818756068757d7e319258fef40dad54532ee4355b86bc129f27345.out
index cd7a75f8e..b4c1a01ec 100644
--- a/yara-x/src/modules/pe/tests/testdata/e3d45a2865818756068757d7e319258fef40dad54532ee4355b86bc129f27345.out
+++ b/yara-x/src/modules/pe/tests/testdata/e3d45a2865818756068757d7e319258fef40dad54532ee4355b86bc129f27345.out
@@ -17,6 +17,7 @@ linker_version {
 major: 9
 minor: 0
 }
+opthdr_magic: IMAGE_NT_OPTIONAL_HDR32_MAGIC
 characteristics: 8450
 dll_characteristics: 0
 timestamp: 1299001425
diff --git a/yara-x/src/modules/pe/tests/testdata/e5b038a7a8578bbe020784877bf13f8d3920141a39b502e870348ce3b254eb80.out b/yara-x/src/modules/pe/tests/testdata/e5b038a7a8578bbe020784877bf13f8d3920141a39b502e870348ce3b254eb80.out
index c4a834124..ca2003652 100644
--- a/yara-x/src/modules/pe/tests/testdata/e5b038a7a8578bbe020784877bf13f8d3920141a39b502e870348ce3b254eb80.out
+++ b/yara-x/src/modules/pe/tests/testdata/e5b038a7a8578bbe020784877bf13f8d3920141a39b502e870348ce3b254eb80.out
@@ -17,6 +17,7 @@ linker_version {
 major: 10
 minor: 0
 }
+opthdr_magic: IMAGE_NT_OPTIONAL_HDR32_MAGIC
 characteristics: 8450
 dll_characteristics: 1344
 timestamp: 1314765018
diff --git a/yara-x/src/modules/pe/tests/testdata/eda21be1b234c84acb8257f2f77c12e0826b06cd15eb6dec9bf3df6465216dd8.out b/yara-x/src/modules/pe/tests/testdata/eda21be1b234c84acb8257f2f77c12e0826b06cd15eb6dec9bf3df6465216dd8.out
index 944f9e567..8f31a95c4 100644
--- a/yara-x/src/modules/pe/tests/testdata/eda21be1b234c84acb8257f2f77c12e0826b06cd15eb6dec9bf3df6465216dd8.out
+++ b/yara-x/src/modules/pe/tests/testdata/eda21be1b234c84acb8257f2f77c12e0826b06cd15eb6dec9bf3df6465216dd8.out
@@ -17,6 +17,7 @@ linker_version {
 major: 0
 minor: 0
 }
+opthdr_magic: IMAGE_NT_OPTIONAL_HDR32_MAGIC
 characteristics: 270
 dll_characteristics: 0
 timestamp: 0
diff --git a/yara-x/src/modules/protos/pe.proto b/yara-x/src/modules/protos/pe.proto
index e52b825ac..9fbaa80f2 100644
--- a/yara-x/src/modules/protos/pe.proto
+++ b/yara-x/src/modules/protos/pe.proto
@@ -18,64 +18,65 @@ message PE {
 optional Version image_version = 6;
 optional Version linker_version = 7;
- optional uint32 characteristics = 8;
- optional uint32 dll_characteristics = 9;
- optional uint32 timestamp = 10;
- optional uint64 image_base = 11;
- optional uint32 checksum = 12;
- optional uint32 base_of_code = 13;
- optional uint32 base_of_data = 14;
+ optional OptHdrMagic opthdr_magic = 8;
+ optional uint32 characteristics = 9;
+ optional uint32 dll_characteristics = 10;
+ optional uint32 timestamp = 11;
+ optional uint64 image_base = 12;
+ optional uint32 checksum = 13;
+ optional uint32 base_of_code = 14;
+ optional uint32 base_of_data = 15;
 // Entry point as a file offset.
- optional uint32 entry_point = 15;
+ optional uint32 entry_point = 16;
 // Entry point as it appears in the PE header (RVA).
- optional uint32 entry_point_raw = 16;
+ optional uint32 entry_point_raw = 17;
- optional string dll_name = 17;
- optional uint32 export_timestamp = 18;
+ optional string dll_name = 18;
+ optional uint32 export_timestamp = 19;
- optional uint32 section_alignment = 19;
- optional uint32 file_alignment = 20;
- optional uint32 loader_flags = 21;
+ optional uint32 section_alignment = 20;
+ optional uint32 file_alignment = 21;
+ optional uint32 loader_flags = 22;
- optional uint32 size_of_optional_header = 22;
- optional uint32 size_of_code = 23;
- optional uint32 size_of_initialized_data = 24;
- optional uint32 size_of_uninitialized_data = 25;
- optional uint32 size_of_image = 26;
- optional uint32 size_of_headers = 27;
+ optional uint32 size_of_optional_header = 23;
+ optional uint32 size_of_code = 24;
+ optional uint32 size_of_initialized_data = 25;
+ optional uint32 size_of_uninitialized_data = 26;
+ optional uint32 size_of_image = 27;
+ optional uint32 size_of_headers = 28;
- optional uint64 size_of_stack_reserve = 28;
- optional uint64 size_of_stack_commit = 29;
- optional uint64 size_of_heap_reserve = 30;
- optional uint64 size_of_heap_commit = 31;
+ optional uint64 size_of_stack_reserve = 29;
+ optional uint64 size_of_stack_commit = 30;
+ optional uint64 size_of_heap_reserve = 31;
+ optional uint64 size_of_heap_commit = 32;
- optional uint32 pointer_to_symbol_table = 32;
- optional uint32 number_of_symbols = 33;
- optional uint32 number_of_rva_and_sizes = 34;
- optional uint32 win32_version_value = 35;
+ optional uint32 pointer_to_symbol_table = 33;
+ optional uint32 number_of_symbols = 34;
+ optional uint32 number_of_rva_and_sizes = 35;
+ optional uint32 win32_version_value = 36;
- map version_info = 36;
- repeated KeyValue version_info_list = 37;
+ map version_info = 37;
+ repeated KeyValue version_info_list = 38;
- optional uint32 number_of_sections = 38;
- optional uint64 number_of_imported_functions = 39;
- optional uint64 number_of_delayed_imported_functions = 40;
+ optional uint32 number_of_sections = 39;
+ optional uint64 number_of_imported_functions = 40;
+ optional uint64 number_of_delayed_imported_functions = 41;
- optional RichSignature rich_signature = 41;
- optional string pdb_path = 42;
+ optional RichSignature rich_signature = 42;
+ optional string pdb_path = 43;
- repeated Section sections = 43;
- repeated DirEntry data_directories = 44;
- repeated Resource resources = 45;
- repeated Import import_details = 46;
- repeated Import delayed_import_details = 47;
- repeated Export export_details = 48;
+ repeated Section sections = 44;
+ repeated DirEntry data_directories = 45;
+ repeated Resource resources = 46;
+ repeated Import import_details = 47;
+ repeated Import delayed_import_details = 48;
+ repeated Export export_details = 49;
 // TODO: implement resource_version?
- optional Overlay overlay = 49;
+ optional Overlay overlay = 50;
 }
 message Version {
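Review bot: Inserting `opthdr_magic` as field 8 renumbers every following field of `message PE`, which changes the binary protobuf encoding of the whole message: anything serialized under the old numbering, or any consumer compiled against the old `pe.proto`, would now decode the old `characteristics` value where `opthdr_magic` is expected, and so on down the list. If wire stability matters for module output, giving the new field the next unused number instead (`optional OptHdrMagic opthdr_magic = 50;`, with `overlay` left at 49) keeps every existing field intact; if the schema is deliberately unstable, a comment at the top of `message PE` saying so would make the renumbering intentional rather than accidental. The text-format `.out` fixtures in this commit are unaffected because they are keyed by field name.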
@@ -250,4 +251,43 @@ enum ImportFlags {
 IMPORT_STANDARD = 0x01;
 IMPORT_DELAYED = 0x02;
 IMPORT_ANY = 0x03;
+}
+
+enum OptHdrMagic {
+ IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10b;
+ IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20b;
+}
+
+enum Characteristics {
+ option (yara.enum_options).inline = true;
+ // Relocation info stripped from file.
+ FILE_RELOCS_STRIPPED = 0x0001;
+ // File is executable (i.e. no unresolved external references).
+ FILE_EXECUTABLE_IMAGE = 0x0002;
+ // Line numbers stripped from file.
+ FILE_LINE_NUMS_STRIPPED = 0x0004;
+ // Local symbols stripped from file.
+ FILE_LOCAL_SYMS_STRIPPED = 0x0008;
+ // Aggressively trim working set
+ FILE_AGGRESIVE_WS_TRIM = 0x0010;
+ // App can handle >2gb addresses
+ FILE_LARGE_ADDRESS_AWARE = 0x0020;
+ // Bytes of machine word are reversed.
+ FILE_BYTES_REVERSED_LO = 0x0080;
+ // 32 bit word machine.
+ FILE_32BIT_MACHINE = 0x0100;
+ // Debugging info stripped from file in .DBG file
+ FILE_DEBUG_STRIPPED = 0x0200;
+ // If Image is on removable media, copy and run from the swap file.
+ FILE_REMOVABLE_RUN_FROM_SWAP = 0x0400;
+ // If Image is on Net, copy and run from the swap file.
+ FILE_NET_RUN_FROM_SWAP = 0x0800;
+ // System File.
+ FILE_SYSTEM = 0x1000;
+ // File is a DLL.s
+ FILE_DLL = 0x2000;
+ // File should only be run on a UP machine
+ FILE_UP_SYSTEM_ONLY = 0x4000;
+ // Bytes of machine word are reversed.
+ FILE_BYTES_REVERSED_HI = 0x8000;
 }
\ No newline at end of file
diff --git a/yara-x/src/wasm/builder.rs b/yara-x/src/wasm/builder.rs
index a784322a2..5057356d4 100644
--- a/yara-x/src/wasm/builder.rs
+++ b/yara-x/src/wasm/builder.rs
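Review bot: The comment on `FILE_DLL` carries a stray character (`// File is a DLL.s`) and should read `// File is a DLL.`; the file also still ends without a trailing newline after the final `}`, as the `\ No newline at end of file` marker shows. `OptHdrMagic` is declared without the `option (yara.enum_options).inline = true;` that `Characteristics` gets, so the two magic constants are presumably not exposed to rules the same way the `FILE_*` flags are; if that is unintentional the option should be added, otherwise a one-line comment on the enum saying why would save the next reader the question. A brief comment noting that `Characteristics` values are bit flags meant to be tested with `&` rather than compared for equality would also match how `is_dll` uses them.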
@@ -467,38 +467,38 @@ mod tests {
 assert_eq!(
 text,
 r#"(module
- (func (;103;) (type 1) (result i32)
+ (func (;118;) (type 1) (result i32)
 i32.const 0
 global.set 2
 i32.const 0
 global.set 3
- call 104
- call 105
+ call 119
+ call 120
 global.get 3
 )
- (func (;104;) (type 0)
+ (func (;119;) (type 0)
 block ;; label = @1
- call 106
+ call 121
 end
 block ;; label = @1
- call 107
+ call 122
 end
 )
- (func (;105;) (type 0)
+ (func (;120;) (type 0)
 block ;; label = @1
- call 108
+ call 123
 end
 )
- (func (;106;) (type 0)
+ (func (;121;) (type 0)
 i32.const 4
 )
- (func (;107;) (type 0)
+ (func (;122;) (type 0)
 i32.const 5
 )
- (func (;108;) (type 0)
+ (func (;123;) (type 0)
 i32.const 6
 )
- (export "main" (func 103))
+ (export "main" (func 118))
 )"#
 );
 }
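Review bot: The expected module text pins absolute function indices (`118` through `123` and `(export "main" (func 118))`) that shift whenever a `#[module_export]` is added anywhere in the crate, which is why this test changes in a commit that does not touch the builder itself. Comparing structure instead of raw indices — for example normalising the numeric indices out of `text` before the `assert_eq!`, or asserting on the emitted function bodies and the call graph shape — would keep the test focused on the builder's own output and stop every new module function from touching this file. The enclosing test function starts before the hunk.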