[Forensics-changes] [yara] 13/407: Document ELF module

Hilko Bengen bengen at moszumanska.debian.org
Sat Jul 1 10:27:58 UTC 2017 

This is an automated email from the git hooks/post-receive script.

bengen pushed a commit to annotated tag v3.3.0
in repository yara.

commit ab30621a7b9f25e27cbac8bbe58f5cac56299fa3
Author: Victor Manuel Alvarez <vmalvarez at virustotal.com>
Date:   Thu Aug 28 14:56:19 2014 +0200

    Document ELF module
---
 docs/modules.rst                    |  11 +-
 docs/modules/{cuckoo => cuckoo.rst} |   4 +-
 docs/modules/elf.rst                | 193 ++++++++++++++++++++++++++++++++++++
 docs/modules/{magic => magic.rst}   |   0
 docs/modules/{pe => pe.rst}         |   4 +-
 5 files changed, 205 insertions(+), 7 deletions(-)

diff --git a/docs/modules.rst b/docs/modules.rst
index 17b4f92..faf62a8 100644
--- a/docs/modules.rst
+++ b/docs/modules.rst
@@ -8,9 +8,14 @@ more complex conditions. Here you'll find described some modules officially
 distributed with YARA, but you can also learn how to write your own modules in
 the :ref:`writing-modules` section.
 
-.. include:: modules/pe
-.. include:: modules/cuckoo
-.. include:: modules/magic
+
+.. toctree::
+   :maxdepth: 3
+
+   modules/pe
+   modules/elf
+   modules/cuckoo
+   modules/magic
 
 
 
diff --git a/docs/modules/cuckoo b/docs/modules/cuckoo.rst
similarity index 98%
rename from docs/modules/cuckoo
rename to docs/modules/cuckoo.rst
index 1cb5423..ceee712 100644
--- a/docs/modules/cuckoo
+++ b/docs/modules/cuckoo.rst
@@ -84,8 +84,8 @@ If you are using ``yara-python`` then you must pass the behavior report in the
     rules.match(pe_file, modules_data={'cuckoo': bytes(report_data)})
 
 
-Cuckoo module reference
------------------------
+Reference
+---------
 
 .. default-domain:: c
 
diff --git a/docs/modules/elf.rst b/docs/modules/elf.rst
new file mode 100644
index 0000000..208ee81
--- /dev/null
+++ b/docs/modules/elf.rst
@@ -0,0 +1,193 @@
+
+.. _elf-module:
+
+##########
+ELF module
+##########
+
+The ELF module is very similar to the :ref:`pe-module`, but for ELF files. This
+module exposes most of the fields present in a ELF header. Let's see some
+examples::
+
+    import "elf"
+
+    rule single_section
+    {
+        condition:
+            elf.number_of_sections == 1
+    }
+
+    rule elf_64
+    {
+        condition:
+            elf.machine == elf.EM_X86_64
+    }
+
+Reference
+---------
+
+.. c:type:: type
+
+    Integer with one of the following values:
+
+    .. c:type:: ET_NONE
+
+        No file type.
+
+    .. c:type:: ET_REL
+
+        Relocatable file.
+
+    .. c:type:: ET_EXEC
+
+        Executable file.
+
+    .. c:type:: ET_DYN
+
+        Shared object file.
+
+    .. c:type:: ET_CORE
+
+        Core file.
+
+    *Example: elf.type == elf.ET_EXEC*
+
+.. c:type:: machine
+
+    Integer with one of the following values:
+
+    .. c:type:: EM_M32
+    .. c:type:: EM_SPARC
+    .. c:type:: EM_386
+    .. c:type:: EM_68K
+    .. c:type:: EM_88K
+    .. c:type:: EM_860
+    .. c:type:: EM_MIPS
+    .. c:type:: EM_ARM"
+    .. c:type:: EM_MIPS
+    .. c:type:: EM_X86_64
+
+    *Example: elf.machine == elf.EM_X86_64*
+
+.. c:type:: entry_point
+
+    Entry point raw offset or virtual address depending if YARA is scanning a
+    file or process memory respectively. This is equivalent to the deprecated
+    ``entrypoint`` keyword.
+
+.. c:type:: number_of_sections
+
+    Number of sections in the ELF file.
+
+.. c:type:: sections
+
+    An zero-based array of section objects, one for each section the ELF has.
+    Individual sections can be accessed by using the [] operator. Each section
+    object has the following attributes:
+
+    .. c:member:: name
+
+        Section's name.
+
+        *Example: elf.section[3].name == ".bss"*
+
+    .. c:member:: size
+
+        Section's size in bytes. Unless the section type is SHT_NOBITS, the
+        section occupies sh_size bytes in the file. A section of
+        :c:type:`SHT_NOBITS` may have a non-zero size, but it occupies no space
+        in the file.
+
+    .. c:member:: offset
+
+        Offset from the beginning of the file to the first byte in the section.
+        One section type, :c:type:`SHT_NOBITS` described below, occupies no
+        space in the file, and its :c:member:`offset` member locates the
+        conceptual placement in the file.
+
+    .. c:member:: type
+
+        Integer with one of the following value:
+
+        .. c:type:: SHT_NULL
+
+            This value marks the section as inactive; it does not have
+            an associated section. Other members of the section header have
+            undefined values.
+
+        .. c:type:: SHT_PROGBITS
+
+            The section holds information defined by the program, whose format
+            and meaning are determined solely by the program.
+
+        .. c:type:: SHT_SYMTAB
+
+            The section hold a symbol table.
+
+        .. c:type:: SHT_STRTAB
+
+            The section holds a string table. An object file may have multiple
+            string table sections.
+
+        .. c:type:: SHT_RELA
+
+            The section holds relocation entries.
+
+        .. c:type:: SHT_HASH
+
+            The section holds a symbol hash table.
+
+        .. c:type:: SHT_DYNAMIC
+
+            The section holds information for dynamic linking.
+
+        .. c:type:: SHT_NOTE
+
+            The section holds information that marks the file in some way.
+
+        .. c:type:: SHT_NOBITS
+
+            A section of this type occupies no space in the file but otherwise resembles :c:type:`SHT_PROGBITS`.
+
+        .. c:type:: SHT_REL
+
+            The section holds relocation entries.
+
+        .. c:type:: SHT_SHLIB
+
+            This section type is reserved but has unspecified semantics.
+
+        .. c:type:: SHT_DYNSYM
+
+            This section holds dynamic linking symbols.
+
+    .. c:member:: flags
+
+        Integer with sections's flags as defined below:
+
+        .. c:type:: SHF_WRITE
+
+            The section contains data that should be writable during process
+            execution.
+
+        .. c:type:: SHF_ALLOC
+
+            The section occupies memory during process execution. Some control sections do not reside in the memory image of an object file; this attribute is off for those sections.
+
+        .. c:type:: SHF_EXECINSTR
+
+            The section contains executable machine instructions.
+
+        *Example: elf.section[2].flags & elf.SHF_WRITE*
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/docs/modules/magic b/docs/modules/magic.rst
similarity index 100%
rename from docs/modules/magic
rename to docs/modules/magic.rst
diff --git a/docs/modules/pe b/docs/modules/pe.rst
similarity index 99%
rename from docs/modules/pe
rename to docs/modules/pe.rst
index 5dbfc85..99a8060 100644
--- a/docs/modules/pe
+++ b/docs/modules/pe.rst
@@ -30,8 +30,8 @@ write more expressive and targeted rules. Let's see some examples::
             pe.characteristics & pe.DLL
     }
 
-PE module reference
--------------------
+Reference
+---------
 
 .. c:type:: machine
 

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/forensics/yara.git

More information about the forensics-changes mailing list