[Forensics-changes] [yara] 11/192: Add pe.overlay.offset and pe.overlay.size (closes #432) (#505)
Hilko Bengen
bengen at moszumanska.debian.org
Sat Jul 1 10:31:41 UTC 2017
bengen pushed a commit to annotated tag v3.6.0
in repository yara.
commit bc0dd6580893588fa4da151fb0854092172ed6fb
Author: Fernando Mercês <nandu88 at gmail.com>
Date: Thu Aug 18 07:22:41 2016 -0300
Add pe.overlay.offset and pe.overlay.size (closes #432) (#505)
* Add pe.overlay integer
* Add pe.overlay_size integer
* Change overlay to a structure with the integer fields offset and size
* Check for overlay in the loop of pe_parse_header() to avoid looping through PE sections twice
* Add overlay structure to PE module documentation
---
docs/modules/pe.rst | 16 ++++++++++++++++
libyara/modules/pe.c | 28 +++++++++++++++++++++++++++-
2 files changed, 43 insertions(+), 1 deletion(-)
diff --git a/docs/modules/pe.rst b/docs/modules/pe.rst
index f5c2d47..a32f774 100644
--- a/docs/modules/pe.rst
+++ b/docs/modules/pe.rst
@@ -224,6 +224,22 @@ Reference
*Example: pe.sections[1].characteristics & SECTION_CNT_CODE*
+.. c:type:: overlay
+
+ .. versionadded:: 3.6.0
+
+ A structure containing the following integer members:
+
+ .. c:member:: offset
+
+ Overlay section offset.
+
+ .. c:member:: size
+
+ Overlay section size.
+
+ *Example: uint8(0x0d) at pe.overlay.offset and pe.overlay.size > 1024*
+
.. c:type:: number_of_resources
Number of resources in the PE.
diff --git a/libyara/modules/pe.c b/libyara/modules/pe.c
index 8c4cb12..fac99b7 100644
--- a/libyara/modules/pe.c
+++ b/libyara/modules/pe.c
@@ -1159,6 +1159,9 @@ void pe_parse_header(
char section_name[IMAGE_SIZEOF_SHORT_NAME + 1];
int i, scount;
+ uint64_t highest_sec_siz = 0;
+ uint64_t highest_sec_ofs = 0;
+ uint64_t last_section_end;
set_integer(
pe->header->FileHeader.Machine,
@@ -1262,10 +1265,28 @@ void pe_parse_header(
section->Misc.VirtualSize,
pe->object, "sections[%i].virtual_size", i);
+ // This will catch the section with the highest raw offset to help checking
+ // if overlay data is present
+ if (section->PointerToRawData > highest_sec_ofs)
+ {
+ highest_sec_ofs = section->PointerToRawData;
+ highest_sec_siz = section->SizeOfRawData;
+ }
+
section++;
}
-}
+ // An overlay is data appended to a PE file. Its location is RawData + RawOffset of the last
+ // section on the physical file
+ last_section_end = highest_sec_siz + highest_sec_ofs;
+
+ // This way "overlay" is set to UNDEFINED for files that do not have an overlay section
+ if (last_section_end && (pe->data_size > last_section_end))
+ {
+ set_integer(last_section_end, pe->object, "overlay.offset");
+ set_integer(pe->data_size - last_section_end, pe->object, "overlay.size");
+ }
+}
//
// Given a posix timestamp argument, make sure not_before <= arg <= not_after
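Review bot: The overlay start is derived from the section with the highest PointerToRawData alone (`last_section_end = highest_sec_siz + highest_sec_ofs;`), so a section with a lower raw offset but a larger SizeOfRawData that extends further into the file is ignored, and `overlay.offset` can then land inside that section's data rather than after all section data. Section headers are attacker-controlled input, so tracking the maximum of `PointerToRawData + SizeOfRawData` across all sections is the robust definition of "end of last section on disk"; the existing `pe->data_size > last_section_end` guard still keeps `overlay` UNDEFINED for files whose headers claim data past the end of the file. This makes `highest_sec_siz`/`highest_sec_ofs` in the first hunk unnecessary, with `last_section_end` declared as `uint64_t last_section_end = 0;` instead. The comment on the `if` could then read `// Track the furthest extent of any section's raw data on disk; the overlay, if present, starts right after it`. The enclosing loop and pe_parse_header itself begin outside this hunk.
```c
      // … unchanged: sections[%i].virtual_size set_integer …

      // Track the furthest extent of any section's raw data on disk; the
      // overlay, if present, starts right after it. 64-bit arithmetic avoids
      // wrapping on the sum of two 32-bit header fields.
      uint64_t section_end =
          (uint64_t) section->PointerToRawData + section->SizeOfRawData;
      if (section_end > last_section_end)
        last_section_end = section_end;

      section++;
    }

    // … unchanged: overlay.offset / overlay.size set_integer, still guarded by
    // last_section_end && (pe->data_size > last_section_end) …
```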
@@ -1953,6 +1974,11 @@ begin_declarations;
declare_integer("raw_data_size");
end_struct_array("sections");
+ begin_struct("overlay");
+ declare_integer("offset");
+ declare_integer("size");
+ end_struct("overlay");
+
begin_struct("rich_signature");
declare_integer("offset");
declare_integer("length");