[Forensics-changes] [yara] 02/192: Rename dllcharacteristics to dll_characteristics and shorten mask names.
Hilko Bengen
bengen at moszumanska.debian.org
Sat Jul 1 10:31:40 UTC 2017
bengen pushed a commit to annotated tag v3.6.0
in repository yara.
commit a558692cdab3ccf92eb9388e6eb6c8b534404e08
Author: Tracy Camp <tcamp at bit9.local>
Date: Wed Feb 3 10:40:58 2016 -0500
Rename dllcharacteristics to dll_characteristics and shorten mask
names.
Add documentation notes for new flags.
---
docs/modules/pe.rst | 42 ++++++++++++++++++++++++++++++++++++++++--
libyara/modules/pe.c | 40 ++++++++++++++++++++--------------------
2 files changed, 60 insertions(+), 22 deletions(-)
diff --git a/docs/modules/pe.rst b/docs/modules/pe.rst
index f5c2d47..dbf3ddd 100644
--- a/docs/modules/pe.rst
+++ b/docs/modules/pe.rst
@@ -75,6 +75,12 @@ Reference
.. c:type:: SUBSYSTEM_OS2_CUI
.. c:type:: SUBSYSTEM_POSIX_CUI
.. c:type:: SUBSYSTEM_NATIVE_WINDOWS
+ .. c:type:: SUBSYSTEM_WINDOWS_CE_GUI
+ .. c:type:: SUBSYSTEM_EFI_APPLICATION
+ .. c:type:: SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER
+ .. c:type:: SUBSYSTEM_EFI_RUNTIME_DRIVER
+ .. c:type:: SUBSYSTEM_XBOX
+ .. c:type:: SUBSYSTEM_WINDOWS_BOOT_APPLICATION
*Example: pe.subsystem == pe.SUBSYSTEM_NATIVE*
@@ -94,8 +100,9 @@ Reference
.. c:type:: characteristics
- Bitmap with PE characteristics. Individual characteristics can be inspected
- by performing a bitwise AND operation with the following constants:
+ Bitmap with PE FileHeader characteristics. Individual characteristics
+ can be inspected by performing a bitwise AND operation with the
+ following constants:
.. c:type:: RELOCS_STRIPPED
.. c:type:: EXECUTABLE_IMAGE
@@ -167,6 +174,37 @@ Reference
Minor subsystem version.
+.. c:type:: dll_characteristics
+
+ Bitmap with PE OptionalHeader DllCharacteristics. Do not confuse these
+ flags with the PE FileHeader Characteristics. Individual
+ characteristics can be inspected by performing a bitwise AND
+ operation with the following constants:
+
+ .. c:type:: DYNAMIC_BASE
+
+ File can be relocated - also marks the file as ASLR compatible
+
+ .. c:type:: FORCE_INTEGRITY
+ .. c:type:: NX_COMPAT
+
+ Marks the file as DEP compatible
+
+ .. c:type:: NO_ISOLATION
+ .. c:type:: NO_SEH
+
+ The file does not contain structured exception handlers, this must be
+ set to use SafeSEH
+
+ .. c:type:: NO_BIND
+ .. c:type:: WDM_DRIVER
+
+ Marks the file as a Windows Driver Model (WDM) device driver.
+
+ .. c:type:: TERMINAL_SERVER_AWARE
+
+ Marks the file as terminal server compatible
+
.. c:type:: number_of_sections
Number of sections in the PE.
diff --git a/libyara/modules/pe.c b/libyara/modules/pe.c
index d9ba4b9..8555ed7 100644
--- a/libyara/modules/pe.c
+++ b/libyara/modules/pe.c
@@ -1388,7 +1388,7 @@ void pe_parse_header(
set_integer(
OptionalHeader(DllCharacteristics),
- pe->object, "dllcharacteristics");
+ pe->object, "dll_characteristics");
pe_iterate_resources(
pe,
@@ -1842,7 +1842,7 @@ define_function(locale)
define_function(language)
{
YR_OBJECT* module = module();
- PE* pe = module->data;
+ PE* pe = (PE *)module->data;
uint64_t language = integer_argument(1);
int64_t n, i;
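Review bot: The new `PE* pe = (PE *)module->data;` cast is not needed in C, where a `void *` converts implicitly, and an explicit cast will silently hide a later type mismatch if `data` ever stops being a `void *`; the same cast is added in the `is_32bit` and `is_64bit` hunks below. If the cast is there because this file is also compiled as C++ or by a compiler that rejects the implicit conversion, a one-line comment at the first occurrence, e.g. `/* explicit cast: module->data is void*, required for the C++ build */`, would stop the next reader from removing it. The body of `language` continues outside the hunk.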
@@ -1885,7 +1885,7 @@ define_function(is_dll)
define_function(is_32bit)
{
YR_OBJECT* module = module();
- PE* pe = module->data;
+ PE* pe = (PE *)module->data;
if (pe == NULL)
return_integer(UNDEFINED);
@@ -1897,7 +1897,7 @@ define_function(is_32bit)
define_function(is_64bit)
{
YR_OBJECT* module = module();
- PE* pe = module->data;
+ PE* pe = (PE *)module->data;
if (pe == NULL)
return_integer(UNDEFINED);
@@ -2037,14 +2037,14 @@ begin_declarations;
declare_integer("SUBSYSTEM_XBOX");
declare_integer("SUBSYSTEM_WINDOWS_BOOT_APPLICATION");
- declare_integer("DLLCHARACTERISTICS_DYNAMIC_BASE");
- declare_integer("DLLCHARACTERISTICS_FORCE_INTEGRITY");
- declare_integer("DLLCHARACTERISTICS_NX_COMPAT");
- declare_integer("DLLCHARACTERISTICS_NO_ISOLATION");
- declare_integer("DLLCHARACTERISTICS_NO_SEH");
- declare_integer("DLLCHARACTERISTICS_NO_BIND");
- declare_integer("DLLCHARACTERISTICS_WDM_DRIVER");
- declare_integer("DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE");
+ declare_integer("DYNAMIC_BASE");
+ declare_integer("FORCE_INTEGRITY");
+ declare_integer("NX_COMPAT");
+ declare_integer("NO_ISOLATION");
+ declare_integer("NO_SEH");
+ declare_integer("NO_BIND");
+ declare_integer("WDM_DRIVER");
+ declare_integer("TERMINAL_SERVER_AWARE");
declare_integer("RELOCS_STRIPPED");
declare_integer("EXECUTABLE_IMAGE");
@@ -2338,28 +2338,28 @@ int module_load(
set_integer(
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, module_object,
- "DLLCHARACTERISTICS_DYNAMIC_BASE");
+ "DYNAMIC_BASE");
set_integer(
IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY, module_object,
- "DLLCHARACTERISTICS_FORCE_INTEGRITY");
+ "FORCE_INTEGRITY");
set_integer(
IMAGE_DLLCHARACTERISTICS_NX_COMPAT, module_object,
- "DLLCHARACTERISTICS_NX_COMPAT");
+ "_NX_COMPAT");
set_integer(
IMAGE_DLLCHARACTERISTICS_NO_ISOLATION, module_object,
- "DLLCHARACTERISTICS_NO_ISOLATION");
+ "NO_ISOLATION");
set_integer(
IMAGE_DLLCHARACTERISTICS_NO_SEH, module_object,
- "DLLCHARACTERISTICS_NO_SEH");
+ "NO_SEH");
set_integer(
IMAGE_DLLCHARACTERISTICS_NO_BIND, module_object,
- "DLLCHARACTERISTICS_NO_BIND");
+ "NO_BIND");
set_integer(
IMAGE_DLLCHARACTERISTICS_WDM_DRIVER, module_object,
- "DLLCHARACTERISTICS_WDM_DRIVER");
+ "WDM_DRIVER");
set_integer(
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE, module_object,
- "DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE");
+ "TERMINAL_SERVER_AWARE");
set_integer(
IMAGE_FILE_RELOCS_STRIPPED, module_object,
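Review bot: The `set_integer` for `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` stores the constant under the name `"_NX_COMPAT"`, with a stray leading underscore, while the matching declaration in the `begin_declarations` hunk is `declare_integer("NX_COMPAT")`; the value is either rejected or stored under a name no rule can reach, so `pe.NX_COMPAT` would remain undefined and a rule testing `pe.dll_characteristics & pe.NX_COMPAT` (DEP compatibility) would silently never match. Change the line to `"NX_COMPAT");`. The same declaration/`set_integer` agreement is worth checking for the `dll_characteristics` rename in the first `pe.c` hunk, whose `declare_integer` counterpart is not shown in this diff. `module_load` continues outside the hunk.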
--