[Forensics-changes] [yara] 110/192: Merge branch 'master' of https://github.com/campt/yara into campt-master
Hilko Bengen
bengen at moszumanska.debian.org
Sat Jul 1 10:31:53 UTC 2017
This is an automated email from the git hooks/post-receive script.
bengen pushed a commit to annotated tag v3.6.0
in repository yara.
commit 3e18541978916f73ddbffeb9cd911ba1fa92ba8f
Merge: 67ba4ff b19e5d2
Author: plusvic <plusvic at gmail.com>
Date: Wed Mar 8 17:36:20 2017 +0100
Merge branch 'master' of https://github.com/campt/yara into campt-master
docs/modules/pe.rst | 42 +++++++++++++++++++++++++++++--
libyara/include/yara/pe.h | 32 ++++++++++++++++++------
libyara/modules/pe.c | 64 +++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 129 insertions(+), 9 deletions(-)
diff --cc libyara/include/yara/pe.h
index ff11886,5b16eae..a2ab154
--- a/libyara/include/yara/pe.h
+++ b/libyara/include/yara/pe.h
@@@ -318,13 -299,13 +318,31 @@@ typedef struct _IMAGE_NT_HEADERS64
// Subsystem Values
--#define IMAGE_SUBSYSTEM_UNKNOWN 0 // Unknown subsystem.
--#define IMAGE_SUBSYSTEM_NATIVE 1 // Image doesn't require a subsystem.
--#define IMAGE_SUBSYSTEM_WINDOWS_GUI 2 // Image runs in the Windows GUI subsystem.
--#define IMAGE_SUBSYSTEM_WINDOWS_CUI 3 // Image runs in the Windows character subsystem.
--#define IMAGE_SUBSYSTEM_OS2_CUI 5 // image runs in the OS/2 character subsystem.
--#define IMAGE_SUBSYSTEM_POSIX_CUI 7 // image runs in the Posix character subsystem.
--#define IMAGE_SUBSYSTEM_NATIVE_WINDOWS 8 // image is a native Win9x driver.
++#define IMAGE_SUBSYSTEM_UNKNOWN 0
++#define IMAGE_SUBSYSTEM_NATIVE 1
++#define IMAGE_SUBSYSTEM_WINDOWS_GUI 2
++#define IMAGE_SUBSYSTEM_WINDOWS_CUI 3
++#define IMAGE_SUBSYSTEM_OS2_CUI 5
++#define IMAGE_SUBSYSTEM_POSIX_CUI 7
++#define IMAGE_SUBSYSTEM_NATIVE_WINDOWS 8
++#define IMAGE_SUBSYSTEM_WINDOWS_CE_GUI 9
++#define IMAGE_SUBSYSTEM_EFI_APPLICATION 10
++#define IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER 11
++#define IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER 12
++#define IMAGE_SUBSYSTEM_EFI_ROM_IMAGE 13
++#define IMAGE_SUBSYSTEM_XBOX 14
++#define IMAGE_SUBSYSTEM_WINDOWS_BOOT_APPLICATION 16
++
++// DllCharacteristics values
++
++#define IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE 0x0040
++#define IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY 0x0080
++#define IMAGE_DLLCHARACTERISTICS_NX_COMPAT 0x0100
++#define IMAGE_DLLCHARACTERISTICS_NO_ISOLATION 0x0200
++#define IMAGE_DLLCHARACTERISTICS_NO_SEH 0x0400
++#define IMAGE_DLLCHARACTERISTICS_NO_BIND 0x0800
++#define IMAGE_DLLCHARACTERISTICS_WDM_DRIVER 0x2000
++#define IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE 0x8000
//
// Section header format.
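Review bot: The DllCharacteristics table added after the subsystem values is incomplete: the PE/COFF specification also defines `#define IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA 0x0020`, `#define IMAGE_DLLCHARACTERISTICS_APPCONTAINER 0x1000` and `#define IMAGE_DLLCHARACTERISTICS_GUARD_CF 0x4000`, none of which appear here. GUARD_CF in particular is the flag a rule author would test next to NX_COMPAT and DYNAMIC_BASE when classifying which exploit mitigations a binary opts into, so its absence makes the new dll_characteristics field less useful than it looks. The same gap carries into the module_load hunk of libyara/modules/pe.c, which exports only the flags defined here and would need matching set_integer calls for any value added. The per-value comments that the old subsystem lines carried are also dropped on the new side, so a short note above the table pointing at the section of the PE spec these values come from would help the next reader.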
diff --cc libyara/modules/pe.c
index 8ef646c,81d5833..9d141b9
--- a/libyara/modules/pe.c
+++ b/libyara/modules/pe.c
@@@ -1228,13 -1383,13 +1228,17 @@@ void pe_parse_header
pe->object, "subsystem_version.minor");
set_integer(
- OptionalHeader(Subsystem),
+ yr_le32toh(OptionalHeader(pe, CheckSum)),
+ pe->object, "checksum");
+
+ set_integer(
+ yr_le16toh(OptionalHeader(pe, Subsystem)),
pe->object, "subsystem");
+ set_integer(
- OptionalHeader(DllCharacteristics),
++ OptionalHeader(pe, DllCharacteristics),
+ pe->object, "dll_characteristics");
+
pe_iterate_resources(
pe,
(RESOURCE_CALLBACK_FUNC) pe_collect_resources,
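Review bot: The DllCharacteristics value is stored raw, while CheckSum and Subsystem a few lines above are passed through yr_le32toh()/yr_le16toh() before set_integer(). DllCharacteristics is a 16-bit little-endian field in the optional header, so on a big-endian host the exported dll_characteristics would be byte-swapped and every flag test written against it in a rule would silently evaluate wrong. The fix is to make the line consistent with its neighbours: `yr_le16toh(OptionalHeader(pe, DllCharacteristics)),`. pe_parse_header begins and ends outside this hunk.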
@@@ -2027,10 -2128,10 +2046,12 @@@ begin_declarations
declare_integer("minor");
end_struct("subsystem_version");
+ declare_integer("checksum");
+ declare_function("calculate_checksum", "", "i", calculate_checksum);
declare_integer("subsystem");
+ declare_integer("dll_characteristics");
+
begin_struct_array("sections");
declare_string("name");
declare_integer("characteristics");
@@@ -2228,6 -2317,49 +2249,49 @@@ int module_load
set_integer(
IMAGE_SUBSYSTEM_NATIVE_WINDOWS, module_object,
"SUBSYSTEM_NATIVE_WINDOWS");
+ set_integer(
+ IMAGE_SUBSYSTEM_WINDOWS_CE_GUI, module_object,
+ "SUBSYSTEM_WINDOWS_CE_GUI");
+ set_integer(
+ IMAGE_SUBSYSTEM_EFI_APPLICATION, module_object,
- "SUBSYSTEM_EFI_APPLICATION");
++ "SUBSYSTEM_EFI_APPLICATION");
+ set_integer(
+ IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER, module_object,
- "SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER");
++ "SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER");
+ set_integer(
+ IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER, module_object,
- "SUBSYSTEM_EFI_RUNTIME_DRIVER");
++ "SUBSYSTEM_EFI_RUNTIME_DRIVER");
+ set_integer(
+ IMAGE_SUBSYSTEM_XBOX, module_object,
- "SUBSYSTEM_XBOX");
++ "SUBSYSTEM_XBOX");
+ set_integer(
+ IMAGE_SUBSYSTEM_WINDOWS_BOOT_APPLICATION, module_object,
- "SUBSYSTEM_WINDOWS_BOOT_APPLICATION");
++ "SUBSYSTEM_WINDOWS_BOOT_APPLICATION");
+
+ set_integer(
+ IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, module_object,
- "DYNAMIC_BASE");
++ "DYNAMIC_BASE");
+ set_integer(
+ IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY, module_object,
- "FORCE_INTEGRITY");
++ "FORCE_INTEGRITY");
+ set_integer(
+ IMAGE_DLLCHARACTERISTICS_NX_COMPAT, module_object,
- "_NX_COMPAT");
++ "NX_COMPAT");
+ set_integer(
+ IMAGE_DLLCHARACTERISTICS_NO_ISOLATION, module_object,
- "NO_ISOLATION");
++ "NO_ISOLATION");
+ set_integer(
+ IMAGE_DLLCHARACTERISTICS_NO_SEH, module_object,
- "NO_SEH");
++ "NO_SEH");
+ set_integer(
+ IMAGE_DLLCHARACTERISTICS_NO_BIND, module_object,
- "NO_BIND");
++ "NO_BIND");
+ set_integer(
+ IMAGE_DLLCHARACTERISTICS_WDM_DRIVER, module_object,
- "WDM_DRIVER");
++ "WDM_DRIVER");
+ set_integer(
+ IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE, module_object,
- "TERMINAL_SERVER_AWARE");
++ "TERMINAL_SERVER_AWARE");
set_integer(
IMAGE_FILE_RELOCS_STRIPPED, module_object,
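Review bot: The DLL characteristics constants are exported into the module namespace as bare names (`DYNAMIC_BASE`, `NX_COMPAT`, `NO_SEH`, `NO_BIND`, ...), whereas the subsystem constants added just above them follow the existing `SUBSYSTEM_*` convention, so the two halves of this hunk disagree on naming. A bare `pe.NO_BIND` or `pe.NO_SEH` does not say which header field it belongs to, and if the module exports further flag families later (presumably section or file characteristics, which is not visible here) unprefixed names are the ones most likely to collide. A qualifying prefix, e.g. `"DLL_NX_COMPAT"` instead of `"NX_COMPAT"`, would keep the export style uniform; if the bare names are kept deliberately, a one-line comment above the first set_integer saying so would stop the next reviewer from raising this again. module_load begins and ends outside this hunk.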