[Forensics-changes] [yara] 332/407: Add section characteristics.

Sat Jul 1 10:28:42 UTC 2017

This is an automated email from the git hooks/post-receive script.

bengen pushed a commit to annotated tag v3.3.0
in repository yara.

commit 0bd0fa9a7dc92078ba8f94f7f0e59371f89ad74f
Author: Wesley Shields <wxs at atarininja.org>
Date:   Thu Jan 8 22:51:35 2015 -0500

    Add section characteristics.
    
    This make it useful to be more specific which sections you want flag.
    For example, you can trigger on the entropy of only executable sections.
    
    The list of flags is from section 3.1 of the specification but in the
    interest of keeping the list short I stripped out all the reserved or
    object file only values.
---
 libyara/include/yara/pe.h | 15 ++++++++++
 libyara/modules/pe.c      | 76 +++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 91 insertions(+)

diff --git a/libyara/include/yara/pe.h b/libyara/include/yara/pe.h
index 9951ab8..82a7251 100644
--- a/libyara/include/yara/pe.h
+++ b/libyara/include/yara/pe.h
@@ -117,6 +117,21 @@ typedef struct _IMAGE_FILE_HEADER {
 #define IMAGE_FILE_MACHINE_I386              0x014c  // Intel 386.
 #define IMAGE_FILE_MACHINE_AMD64             0x8664  // Intel x64.
 
+// Section characteristics
+#define SECTION_CNT_CODE                     0x00000020
+#define SECTION_CNT_INITIALIZED_DATA         0x00000040
+#define SECTION_CNT_UNINITIALIZED_DATA       0x00000080
+#define SECTION_GPREL                        0x00008000
+#define SECTION_MEM_16BIT                    0x00020000
+#define SECTION_LNK_NRELOC_OVFL              0x01000000
+#define SECTION_MEM_DISCARDABLE              0x02000000
+#define SECTION_MEM_NOT_CACHED               0x04000000
+#define SECTION_MEM_NOT_PAGED                0x08000000
+#define SECTION_MEM_SHARED                   0x10000000
+#define SECTION_MEM_EXECUTE                  0x20000000
+#define SECTION_MEM_READ                     0x40000000
+#define SECTION_MEM_WRITE                    0x80000000
+
 //
 // Directory format.
 //
diff --git a/libyara/modules/pe.c b/libyara/modules/pe.c
index b6e809e..c9b566d 100644
--- a/libyara/modules/pe.c
+++ b/libyara/modules/pe.c
@@ -1467,6 +1467,42 @@ begin_declarations;
   declare_integer("UP_SYSTEM_ONLY");
   declare_integer("BYTES_REVERSED_HI");
 
+  declare_integer("SECTION_TYPE_NO_PAD");
+  declare_integer("SECTION_CNT_CODE");
+  declare_integer("SECTION_CNT_INITIALIZED_DATA");
+  declare_integer("SECTION_CNT_UNINITIALIZED_DATA");
+  declare_integer("SECTION_LNK_OTHER");
+  declare_integer("SECTION_LNK_INFO");
+  declare_integer("SECTION_LNK_REMOVE");
+  declare_integer("SECTION_LNK_COMDAT");
+  declare_integer("SECTION_GPREL");
+  declare_integer("SECTION_MEM_PURGEABLE");
+  declare_integer("SECTION_MEM_16BIT");
+  declare_integer("SECTION_MEM_LOCKED");
+  declare_integer("SECTION_MEM_PRELOAD");
+  declare_integer("SECTION_ALIGN_1BYTES");
+  declare_integer("SECTION_ALIGN_2BYTES");
+  declare_integer("SECTION_ALIGN_4BYTES");
+  declare_integer("SECTION_ALIGN_8BYTES");
+  declare_integer("SECTION_ALIGN_16BYTES");
+  declare_integer("SECTION_ALIGN_32BYTES");
+  declare_integer("SECTION_ALIGN_64BYTES");
+  declare_integer("SECTION_ALIGN_128BYTES");
+  declare_integer("SECTION_ALIGN_256BYTES");
+  declare_integer("SECTION_ALIGN_512BYTES");
+  declare_integer("SECTION_ALIGN_1024BYTES");
+  declare_integer("SECTION_ALIGN_2048BYTES");
+  declare_integer("SECTION_ALIGN_4096BYTES");
+  declare_integer("SECTION_ALIGN_8192BYTES");
+  declare_integer("SECTION_LNK_NRELOC_OVFL");
+  declare_integer("SECTION_MEM_DISCARDABLE");
+  declare_integer("SECTION_MEM_NOT_CACHED");
+  declare_integer("SECTION_MEM_NOT_PAGED");
+  declare_integer("SECTION_MEM_SHARED");
+  declare_integer("SECTION_MEM_EXECUTE");
+  declare_integer("SECTION_MEM_READ");
+  declare_integer("SECTION_MEM_WRITE");
+
   declare_integer("machine");
   declare_integer("number_of_sections");
   declare_integer("timestamp");
@@ -1650,6 +1686,46 @@ int module_load(
       IMAGE_FILE_BYTES_REVERSED_HI, module_object,
       "BYTES_REVERSED_HI");
 
+  set_integer(
+      SECTION_CNT_CODE, module_object,
+      "SECTION_CNT_CODE");
+  set_integer(
+      SECTION_CNT_INITIALIZED_DATA, module_object,
+      "SECTION_CNT_INITIALIZED_DATA");
+  set_integer(
+      SECTION_CNT_UNINITIALIZED_DATA, module_object,
+      "SECTION_CNT_UNINITIALIZED_DATA");
+  set_integer(
+      SECTION_GPREL, module_object,
+      "SECTION_GPREL");
+  set_integer(
+      SECTION_MEM_16BIT, module_object,
+      "SECTION_MEM_16BIT");
+  set_integer(
+      SECTION_LNK_NRELOC_OVFL, module_object,
+      "SECTION_LNK_NRELOC_OVFL");
+  set_integer(
+      SECTION_MEM_DISCARDABLE, module_object,
+      "SECTION_MEM_DISCARDABLE");
+  set_integer(
+      SECTION_MEM_NOT_CACHED, module_object,
+      "SECTION_MEM_NOT_CACHED");
+  set_integer(
+      SECTION_MEM_NOT_PAGED, module_object,
+      "SECTION_MEM_NOT_PAGED");
+  set_integer(
+      SECTION_MEM_SHARED, module_object,
+      "SECTION_MEM_SHARED");
+  set_integer(
+      SECTION_MEM_EXECUTE, module_object,
+      "SECTION_MEM_EXECUTE");
+  set_integer(
+      SECTION_MEM_READ, module_object,
+      "SECTION_MEM_READ");
+  set_integer(
+      SECTION_MEM_WRITE, module_object,
+      "SECTION_MEM_WRITE");
+
   YR_MEMORY_BLOCK* block;
 
   foreach_memory_block(context, block)

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/forensics/yara.git

