[Forensics-changes] [yara] 308/407: Add all known Machine types.
Hilko Bengen
bengen at moszumanska.debian.org
Sat Jul 1 10:28:39 UTC 2017
This is an automated email from the git hooks/post-receive script.
bengen pushed a commit to annotated tag v3.3.0
in repository yara.
commit 2e24d7067a3aa4f16ae09f59912f2b7dd2d990aa
Author: Wesley Shields <wxs at atarininja.org>
Date: Sun Jan 4 14:58:14 2015 -0500
Add all known Machine types.
Expand the check for valid machine types to include all the known ones.
---
libyara/include/yara/pe.h | 24 ++++++++++++++++++++++--
libyara/modules/pe.c | 24 ++++++++++++++++++++++--
2 files changed, 44 insertions(+), 4 deletions(-)
diff --git a/libyara/include/yara/pe.h b/libyara/include/yara/pe.h
index 9951ab8..9edd53e 100644
--- a/libyara/include/yara/pe.h
+++ b/libyara/include/yara/pe.h
@@ -114,8 +114,28 @@ typedef struct _IMAGE_FILE_HEADER {
#define IMAGE_FILE_BYTES_REVERSED_HI 0x8000 // Bytes of machine word are reversed.
-#define IMAGE_FILE_MACHINE_I386 0x014c // Intel 386.
-#define IMAGE_FILE_MACHINE_AMD64 0x8664 // Intel x64.
+#define IMAGE_FILE_MACHINE_UNKNOWN 0x0000
+#define IMAGE_FILE_MACHINE_AM33 0x01d3
+#define IMAGE_FILE_MACHINE_AMD64 0x8664
+#define IMAGE_FILE_MACHINE_ARM 0x01c0
+#define IMAGE_FILE_MACHINE_ARMNT 0x01c4
+#define IMAGE_FILE_MACHINE_ARM64 0xaa64
+#define IMAGE_FILE_MACHINE_EBC 0x0ebc
+#define IMAGE_FILE_MACHINE_I386 0x014c
+#define IMAGE_FILE_MACHINE_IA64 0x0200
+#define IMAGE_FILE_MACHINE_M32R 0x9041
+#define IMAGE_FILE_MACHINE_MIPS16 0x0266
+#define IMAGE_FILE_MACHINE_MIPSFPU 0x0366
+#define IMAGE_FILE_MACHINE_MIPSFPU16 0x0466
+#define IMAGE_FILE_MACHINE_POWERPC 0x01f0
+#define IMAGE_FILE_MACHINE_POWERPCFP 0x01f1
+#define IMAGE_FILE_MACHINE_R4000 0x0166
+#define IMAGE_FILE_MACHINE_SH3 0x01a2
+#define IMAGE_FILE_MACHINE_SH3DSP 0x01a3
+#define IMAGE_FILE_MACHINE_SH4 0x01a6
+#define IMAGE_FILE_MACHINE_SH5 0x01a8
+#define IMAGE_FILE_MACHINE_THUMB 0x01c2
+#define IMAGE_FILE_MACHINE_WCEMIPSV2 0x0169
//
// Directory format.
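Review bot: The two explanatory comments that the old lines carried ("Intel 386.", "Intel x64.") are dropped and none of the twenty new IMAGE_FILE_MACHINE_* definitions has one, so a reader of pe.h now has to look every value up elsewhere. A single comment above the block would restore the lost context without repeating it per line: `// Machine field values from the PE/COFF specification, "Machine Types" table.` The commit message says "all known" machine types; it would be worth checking the list against that table before merge so the claim holds, since the matching check in pe.c only accepts what is listed here.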
diff --git a/libyara/modules/pe.c b/libyara/modules/pe.c
index b6e809e..7e01ce1 100644
--- a/libyara/modules/pe.c
+++ b/libyara/modules/pe.c
@@ -163,8 +163,28 @@ PIMAGE_NT_HEADERS32 pe_get_header(
headers_size += pe_header->FileHeader.SizeOfOptionalHeader;
if (pe_header->Signature == IMAGE_NT_SIGNATURE &&
- (pe_header->FileHeader.Machine == IMAGE_FILE_MACHINE_I386 ||
- pe_header->FileHeader.Machine == IMAGE_FILE_MACHINE_AMD64) &&
+ (pe_header->FileHeader.Machine == IMAGE_FILE_MACHINE_UNKNOWN ||
+ pe_header->FileHeader.Machine == IMAGE_FILE_MACHINE_AM33 ||
+ pe_header->FileHeader.Machine == IMAGE_FILE_MACHINE_AMD64 ||
+ pe_header->FileHeader.Machine == IMAGE_FILE_MACHINE_ARM ||
+ pe_header->FileHeader.Machine == IMAGE_FILE_MACHINE_ARMNT ||
+ pe_header->FileHeader.Machine == IMAGE_FILE_MACHINE_ARM64 ||
+ pe_header->FileHeader.Machine == IMAGE_FILE_MACHINE_EBC ||
+ pe_header->FileHeader.Machine == IMAGE_FILE_MACHINE_I386 ||
+ pe_header->FileHeader.Machine == IMAGE_FILE_MACHINE_IA64 ||
+ pe_header->FileHeader.Machine == IMAGE_FILE_MACHINE_M32R ||
+ pe_header->FileHeader.Machine == IMAGE_FILE_MACHINE_MIPS16 ||
+ pe_header->FileHeader.Machine == IMAGE_FILE_MACHINE_MIPSFPU ||
+ pe_header->FileHeader.Machine == IMAGE_FILE_MACHINE_MIPSFPU16 ||
+ pe_header->FileHeader.Machine == IMAGE_FILE_MACHINE_POWERPC ||
+ pe_header->FileHeader.Machine == IMAGE_FILE_MACHINE_POWERPCFP ||
+ pe_header->FileHeader.Machine == IMAGE_FILE_MACHINE_R4000 ||
+ pe_header->FileHeader.Machine == IMAGE_FILE_MACHINE_SH3 ||
+ pe_header->FileHeader.Machine == IMAGE_FILE_MACHINE_SH3DSP ||
+ pe_header->FileHeader.Machine == IMAGE_FILE_MACHINE_SH4 ||
+ pe_header->FileHeader.Machine == IMAGE_FILE_MACHINE_SH5 ||
+ pe_header->FileHeader.Machine == IMAGE_FILE_MACHINE_THUMB ||
+ pe_header->FileHeader.Machine == IMAGE_FILE_MACHINE_WCEMIPSV2) &&
data_size > headers_size)
{
return pe_header;
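Review bot: The first added line of the condition accepts IMAGE_FILE_MACHINE_UNKNOWN, so a header whose Machine field is zero is now returned as a valid PE header, whereas before it was rejected; any later code that branches on Machine needs a defined path for that value, and if the intent was only to recognise real architectures that line should be dropped. The twenty-two-line OR chain is also hard to keep in step with pe.h; a static table plus a small helper makes the accepted set a single list and keeps the condition readable. Assuming Machine is a 16-bit field as in the PE/COFF spec (its declaration is not in the hunk), the helper can take uint16_t. pe_get_header starts before this hunk and the rest of its body is not visible here.
```c
// Machine values the parser accepts; keep in sync with IMAGE_FILE_MACHINE_* in pe.h.
static const uint16_t known_machines[] = {
    IMAGE_FILE_MACHINE_UNKNOWN,  IMAGE_FILE_MACHINE_AM33,
    IMAGE_FILE_MACHINE_AMD64,    IMAGE_FILE_MACHINE_ARM,
    IMAGE_FILE_MACHINE_ARMNT,    IMAGE_FILE_MACHINE_ARM64,
    IMAGE_FILE_MACHINE_EBC,      IMAGE_FILE_MACHINE_I386,
    IMAGE_FILE_MACHINE_IA64,     IMAGE_FILE_MACHINE_M32R,
    IMAGE_FILE_MACHINE_MIPS16,   IMAGE_FILE_MACHINE_MIPSFPU,
    IMAGE_FILE_MACHINE_MIPSFPU16, IMAGE_FILE_MACHINE_POWERPC,
    IMAGE_FILE_MACHINE_POWERPCFP, IMAGE_FILE_MACHINE_R4000,
    IMAGE_FILE_MACHINE_SH3,      IMAGE_FILE_MACHINE_SH3DSP,
    IMAGE_FILE_MACHINE_SH4,      IMAGE_FILE_MACHINE_SH5,
    IMAGE_FILE_MACHINE_THUMB,    IMAGE_FILE_MACHINE_WCEMIPSV2,
};

// Returns non-zero when machine is one of the values in known_machines.
static int pe_is_known_machine(uint16_t machine)
{
  for (size_t i = 0; i < sizeof known_machines / sizeof known_machines[0]; i++)
  {
    if (known_machines[i] == machine)
      return 1;
  }
  return 0;
}

// … unchanged: pe_get_header prologue and headers_size computation …
  if (pe_header->Signature == IMAGE_NT_SIGNATURE &&
      pe_is_known_machine(pe_header->FileHeader.Machine) &&
      data_size > headers_size)
```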
--