[Forensics-changes] [yara] 202/407: Include "offset" and "length" in pe.rich_signature and remove "start"

Hilko Bengen bengen at moszumanska.debian.org
Sat Jul 1 10:28:26 UTC 2017



bengen pushed a commit to annotated tag v3.3.0
in repository yara.

commit ac338444eb353693e3aab3d7774ce7dac9c23c89
Author: Victor M. Alvarez <plusvic at gmail.com>
Date:   Fri Nov 7 14:02:51 2014 +0100

    Include "offset" and "length" in pe.rich_signature and remove "start"
    
    By including "offset" and "length" we can compute a hash for the rich signature, which can be a useful way of detecting files. Example:
    
     hash.md5(pe.rich_signature.offset, pe.rich_signature.length) == "c5d73827a4a2b4f8ca1e6af5de76a7dd"
    
    "start" is not that useful, because it is just "key" XORed with a constant. If you need the value for "start" you can compute it with uint32be(pe.rich_signature.offset).
---
 libyara/modules/pe.c | 25 +++++++++++--------------
 1 file changed, 11 insertions(+), 14 deletions(-)

diff --git a/libyara/modules/pe.c b/libyara/modules/pe.c
index 5e2a6c1..24ebbb4 100644
--- a/libyara/modules/pe.c
+++ b/libyara/modules/pe.c
@@ -36,17 +36,8 @@ limitations under the License.
 #include <yara/mem.h>
 #include <yara/strutils.h>
 
-
 #include "pe_utils.c"
 
-
-#define bigendian(n) \
-    (((((uint32_t)(n) & 0xFF)) << 24) | \
-     ((((uint32_t)(n) & 0xFF00)) << 8) | \
-     ((((uint32_t)(n) & 0xFF0000)) >> 8) | \
-     ((((uint32_t)(n) & 0xFF000000)) >> 24))
-
-
 #define MODULE_NAME pe
 
 #define RESOURCE_TYPE_CURSOR         1
@@ -188,7 +179,8 @@ PIMAGE_NT_HEADERS32 pe_get_header(
 // http://www.ntcore.com/files/richsign.htm
 
 void pe_parse_rich_signature(
-    PE* pe)
+    PE* pe,
+    size_t base_address)
 {
   PIMAGE_DOS_HEADER mz_header;
   PIMAGE_NT_HEADERS32 pe_header;
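Review bot: The new `base_address` parameter has no documentation, and its meaning is not obvious from the signature alone; the only hint is the call site passing `block->base` and the later `base_address + 0x80` that is reported as `rich_signature.offset`. A one-line comment above the function would save the next reader a search, e.g. `// base_address: base of the scanned block (pe->data); added to in-block offsets so rich_signature.offset is usable with hash.md5(offset, length)`. The body of pe_parse_rich_signature continues beyond this hunk.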
@@ -249,9 +241,13 @@ void pe_parse_rich_signature(
       memcpy(raw_data, rich_signature, rich_len);
 
       set_integer(
-          bigendian(rich_signature->dans), pe->object, "rich_signature.start");
+          base_address + 0x80, pe->object, "rich_signature.offset");
+
+      set_integer(
+          rich_len, pe->object, "rich_signature.length");
+
       set_integer(
-          bigendian(rich_signature->key1), pe->object, "rich_signature.key");
+          rich_signature->key1, pe->object, "rich_signature.key");
 
       break;
     }
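Review bot: The reported offset is a hard-coded `base_address + 0x80` while `rich_len` and the bytes copied into `raw_data` come from the `rich_signature` pointer; if the location where the signature is looked up ever changes, `offset` and `length` silently stop describing the same bytes and the `hash.md5(offset, length)` idiom from the commit message would hash the wrong region. Assuming `rich_signature` points into `pe->data` (as the `memcpy` on the first line of the hunk suggests), deriving it from the pointer keeps the two consistent: `base_address + ((uint8_t*) rich_signature - pe->data)`. Also worth a comment that `length` covers only the span copied to `raw_data`, so rules relying on it know whether the trailing "Rich" marker and key are included. The start of this function, including where `rich_signature` is computed, is outside the hunk.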
@@ -1519,7 +1515,8 @@ begin_declarations;
   end_struct_array("sections");
 
   begin_struct("rich_signature");
-    declare_integer("start");
+    declare_integer("offset");
+    declare_integer("length");
     declare_integer("key");
     declare_string("raw_data");
     declare_string("clear_data");
@@ -1676,7 +1673,7 @@ int module_load(
         module_object->data = pe;
 
         pe_parse_header(pe, block->base, context->flags);
-        pe_parse_rich_signature(pe);
+        pe_parse_rich_signature(pe, block->base);
 
         #if defined(HAVE_LIBCRYPTO)
         pe_parse_certificates(pe);
