From 269b22389ad19340ee5a9bea9a8f27ab0c6b8ef1 Mon Sep 17 00:00:00 2001 From: Jacob Latonis Date: Fri, 29 Sep 2023 14:25:44 -0500 Subject: [PATCH 1/7] feat: implement dylib parsing --- yara-x/src/modules/macho/mod.rs | 135 +++++++++++++++++++++++- yara-x/src/modules/macho/tests/mod.rs | 21 ++++ yara-x/src/modules/modules.rs | 16 +-- yara-x/src/modules/protos/macho.proto | 25 +++-- yara-x/src/tests/mod.rs | 141 ++++++++++++++++++++++++++ 5 files changed, 321 insertions(+), 17 deletions(-) diff --git a/yara-x/src/modules/macho/mod.rs b/yara-x/src/modules/macho/mod.rs index 9f9d0a134..7e625191e 100644 --- a/yara-x/src/modules/macho/mod.rs +++ b/yara-x/src/modules/macho/mod.rs @@ -16,7 +16,7 @@ use log::*; use arrayref::array_ref; use byteorder::{BigEndian, ByteOrder}; -use nom::{bytes::complete::take, multi::count, number::complete::*, IResult}; +use nom::{bytes::complete::{take, take_till, tag}, multi::count, number::complete::*, IResult, sequence::tuple, combinator::map_res}; use thiserror::Error; /// Mach-O file needs to have at least header of size 28 to be considered @@ -50,7 +50,11 @@ const CPU_TYPE_POWERPC64: u32 = 0x01000012; /// Define Mach-O load commands const LC_SEGMENT: u32 = 0x00000001; const LC_UNIXTHREAD: u32 = 0x00000005; +const LC_LOAD_DYLIB: u32 = 0x0000000c; +const LC_ID_DYLIB: u32 = 0x0000000d; +const LC_LOAD_WEAK_DYLIB: u32 = 0x80000018; const LC_SEGMENT_64: u32 = 0x00000019; +const LC_REEXPORT_DYLIB: u32 = 0x8000001f; const LC_MAIN: u32 = 0x80000028; /// Enum that provides strongly-typed error system used in code 
@@ -153,6 +157,27 @@ struct LoadCommand { cmdsize: u32, } +/// `DylibObject`: Represents a dylib struct in the Mach-O file. +/// Fields: name, timestamp, current_version, compatibility_version +#[repr(C)] +#[derive(Debug, Default, Clone)] +struct DylibObject { + name: Vec, + timestamp: u32, + current_version: u32, + compatibility_version: u32 +} + +/// `DylibCommand`: Represents a dylib command in the Mach-O file. +/// Fields: cmd, cmdsize, dylib +#[repr(C)] +#[derive(Debug, Default, Clone)] +struct DylibCommand { + cmd: u32, + cmdsize: u32, + dylib: DylibObject, +} + /// `SegmentCommand32`: Represents a 32-bit segment command in the Mach-O file. /// Fields: cmd, cmdsize, segname, vmaddr, vmsize, fileoff, filesize, maxprot, /// initprot, nsects, flags @@ -609,6 +634,29 @@ fn swap_load_command(command: &mut LoadCommand) { command.cmdsize = BigEndian::read_u32(&command.cmdsize.to_le_bytes()); } +/// Swaps the endianness of fields within a Mach-O dylib from BigEndian +/// to LittleEndian in-place. +/// +/// # Arguments +/// +/// * `dylib`: A mutable reference to the Mach-O dylib. +fn swap_dylib(dylib: &mut DylibObject) { + dylib.timestamp = BigEndian::read_u32(&dylib.timestamp.to_le_bytes()); + dylib.compatibility_version = BigEndian::read_u32(& dylib.compatibility_version.to_le_bytes()); + dylib.current_version = BigEndian::read_u32(& dylib.current_version.to_le_bytes()); +} + +/// Swaps the endianness of fields within a Mach-O dylib command from +/// BigEndian to LittleEndian in-place. +/// +/// # Arguments +/// +/// * `command`: A mutable reference to the Mach-O dylib command. +fn swap_dylib_command(command: &mut DylibCommand) { + command.cmd = BigEndian::read_u32(&command.cmd.to_le_bytes()); + command.cmdsize = BigEndian::read_u32(&command.cmdsize.to_le_bytes()); +} + /// Swaps the endianness of fields within a 32-bit Mach-O segment command from /// BigEndian to LittleEndian in-place. /// 
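Review bot: `#[repr(C)]` on `DylibObject` and `DylibCommand` is misleading, because `name` is an owned `Vec` (its type parameter is stripped on this page) and the on-disk `offset` field that `parse_dylib` reads is not stored, so neither struct mirrors the 24-byte `dylib_command` header and their `size_of` is not the on-disk size. Dropping the attribute, or documenting the struct as an in-memory view, avoids the mismatch being relied on elsewhere; a one-line doc would do: `/// In-memory view only; `name` is the NUL-terminated string that follows the on-disk header, the header's `offset` field is not retained.` `swap_dylib_command` on this same physical line swaps `cmd`/`cmdsize` but not the nested dylib, which is why the caller has to invoke `swap_dylib` separately — a comment saying so would keep future callers from forgetting the second call.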
@@ -839,6 +887,29 @@ fn parse_load_command(input: &[u8]) -> IResult<&[u8], LoadCommand> { Ok((input, LoadCommand { cmd, cmdsize })) } +fn parse_dylib(input: &[u8]) -> IResult<&[u8], DylibObject> { + + // offset but we don't need it + let (input, _) = le_u32(input)?; + let (input, timestamp) = le_u32(input)?; + let (input, current_version) = le_u32(input)?; + let (input, compatibility_version) = le_u32(input)?; + + // subtract 24 as offset is from beginning of load_command structure + // let (input, _) = take(offset - 24)(input)?; + let (input, name) = map_res(tuple((take_till(|b| b == b'\x00'), tag(b"\x00"))), |(s, _)| std::str::from_utf8(s),)(input)?; + + Ok((input, DylibObject{name: name.into(), timestamp, compatibility_version, current_version})) +} + +fn parse_dylib_command(input: &[u8]) -> IResult<&[u8], DylibCommand> { + let (input, cmd) = le_u32(input)?; + let (input, cmdsize) = le_u32(input)?; + let (input, dylib) = parse_dylib(input)?; + + Ok((input, DylibCommand { cmd, cmdsize, dylib })) +} + /// Parse the 32-bit segment command of a Mach-O file, offering a structured /// view of its content. /// 
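Review bot: `parse_dylib` reads `offset` and discards it, then scans `take_till` for the first NUL over whatever remains of `input` — the name is neither located through `offset` nor bounded by the command's `cmdsize`, so a crafted command whose string is not NUL-terminated inside the command either runs past it (if the caller passes more than `cmdsize` bytes; the slicing is not visible here) or fails with a nom error that the caller turns into `MachoError::ParsingError` and propagates with `?`, which appears to abandon the rest of the load-command walk for one bad entry. The same applies to a name that is not valid UTF-8, because `map_res(std::str::from_utf8)` rejects it; for a scanner consuming untrusted files a lossy conversion, or an empty name, would be the more robust choice. The removed comment already sketched the offset handling; binding the field and adding `let (input, _) = take(offset.saturating_sub(24))(input)?;` before the name parse would honour it (24 being the six `u32` fields already consumed). `parse_dylib` and `parse_dylib_command` also lack the doc comments every other parser in this file carries (added later in this series).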
@@ -1385,6 +1456,63 @@ fn parse_ppc_thread_state64(input: &[u8]) -> IResult<&[u8], PPCThreadState64> { Ok((input, PPCThreadState64 { srr0, srr1, r, cr, xer, lr, ctr, vrsave })) } +/// Handles the LC_LOAD_DYLIB, LC_ID_DYLIB, LC_LOAD_WEAK_DYLIB, and LC_REEXPORT_DYLIB commands for Mach-O files, parsing the data +/// and populating a protobuf representation of the dylib. +/// +/// # Arguments +/// +/// * `command_data`: The raw byte data of the segment command. +/// * `size`: The size of the segment command data. +/// * `macho_file`: Mutable reference to the protobuf representation of the +/// Mach-O file. +/// +/// # Returns +/// +/// Returns a `Result<(), MachoError>` indicating the success or failure of the +/// operation. +/// +/// # Errors +/// +/// * `MachoError::FileSectionTooSmall`: Returned when the segment size is +/// smaller than the expected DylibCommand struct size. +/// * `MachoError::ParsingError`: Returned when there is an error parsing the +/// segment command data. +/// * `MachoError::MissingHeaderValue`: Returned when the "magic" header value +/// is missing, needed for determining if bytes should be swapped. 
+fn handle_dylib_command(command_data: &[u8], + size: usize, + macho_file: &mut File,) -> Result<(), MachoError> { + + if size < std::mem::size_of::() { + return Err(MachoError::FileSectionTooSmall( + "DylibCommand".to_string(), + )); + } + + let (_, mut dy) = parse_dylib_command(command_data) + .map_err(|e| MachoError::ParsingError(format!("{:?}", e)))?; + if should_swap_bytes( + macho_file + .magic + .ok_or(MachoError::MissingHeaderValue("magic".to_string()))?, + ) { + swap_dylib_command(&mut dy); + swap_dylib(&mut dy.dylib); + } + + let dylib = Dylib { + name: Some( + std::str::from_utf8(&dy.dylib.name).unwrap_or_default().to_string(), + ), + timestamp: Some(dy.dylib.timestamp), + compatibility_version: Some(dy.dylib.compatibility_version), + current_version: Some(dy.dylib.current_version), + ..Default::default() + }; + macho_file.dylibs.push(dylib); + Ok(()) + } + /// Handles the LC_SEGMENT command for 32-bit Mach-O files, parsing the data /// and populating a protobuf representation of the segment and its associated /// file sections. @@ -1891,6 +2019,7 @@ fn handle_command( handle_segment_command_64(command_data, cmdsize, macho_file)?; seg_count += 1; } + _ => {} } // Handle rest of commands @@ -1902,6 +2031,9 @@ fn handle_command( LC_MAIN => { handle_main(command_data, cmdsize, macho_file)?; } + LC_LOAD_DYLIB | LC_ID_DYLIB | LC_LOAD_WEAK_DYLIB | LC_REEXPORT_DYLIB => { + handle_dylib_command(command_data, cmdsize, macho_file)?; + } _ => {} } } @@ -2411,6 +2543,7 @@ fn main(ctx: &ScanContext) -> Macho { macho_proto.reserved = file_data.reserved; macho_proto.number_of_segments = file_data.number_of_segments; macho_proto.segments = file_data.segments; + macho_proto.dylibs = file_data.dylibs; macho_proto.entry_point = file_data.entry_point; macho_proto.stack_size = file_data.stack_size; } diff --git a/yara-x/src/modules/macho/tests/mod.rs b/yara-x/src/modules/macho/tests/mod.rs index 42187f7a4..e7aad5862 100644 --- a/yara-x/src/modules/macho/tests/mod.rs 
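Review bot: The guard `if size < std::mem::size_of::<…>()` (type parameter stripped on this page; the error string says `DylibCommand`) compares the command's `cmdsize` against the size of an in-memory Rust struct that holds a `Vec` and padding, not against the 24-byte on-disk header that `parse_dylib_command` and `parse_dylib` actually consume as six `le_u32` reads. Since the in-memory size is larger than 24, a well-formed command with a short name and a small `cmdsize` would be rejected as `FileSectionTooSmall`, and because `handle_command` propagates that with `?`, the whole file's dylib list is likely lost (the rest of the walk is outside this hunk). Compare against the header size the parser reads instead, e.g. `if size < 6 * std::mem::size_of::<u32>() {` or a named `DYLIB_COMMAND_SIZE` constant. The `std::str::from_utf8(&dy.dylib.name).unwrap_or_default()` round-trip is redundant, since `parse_dylib` already validated the bytes as UTF-8 before converting them to a `Vec`.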
+++ b/yara-x/src/modules/macho/tests/mod.rs @@ -220,6 +220,27 @@ fn test_swap_load_command() { assert_eq!(command.cmdsize, 0x88776655); } +#[test] +fn test_swap_dylib() { + let mut command = DylibObject { timestamp: 0x11223344, compatibility_version: 0x55667788, current_version: 0x99AABBCC, ..Default::default() }; + + swap_dylib(&mut command); + + assert_eq!(command.timestamp, 0x44332211); + assert_eq!(command.compatibility_version, 0x88776655); + assert_eq!(command.current_version, 0xCCBBAA99); +} + +#[test] +fn test_swap_dylib_command() { + let mut command = DylibCommand { cmd: 0x11223344, cmdsize: 0x55667788, ..Default::default() }; + + swap_dylib_command(&mut command); + + assert_eq!(command.cmd, 0x44332211); + assert_eq!(command.cmdsize, 0x88776655); +} + #[test] fn test_swap_segment_command() { let mut segment = SegmentCommand32 { diff --git a/yara-x/src/modules/modules.rs b/yara-x/src/modules/modules.rs index 7721e6697..051d9081d 100644 --- a/yara-x/src/modules/modules.rs +++ b/yara-x/src/modules/modules.rs @@ -1,15 +1,15 @@ // File generated automatically by build.rs. Do not edit. -#[cfg(feature = "string-module")] -pub mod string; -#[cfg(feature = "macho-module")] -pub mod macho; #[cfg(feature = "text-module")] pub mod text; -#[cfg(feature = "hash-module")] -pub mod hash; #[cfg(feature = "test_proto2-module")] pub mod test_proto2; +#[cfg(feature = "hash-module")] +pub mod hash; +#[cfg(feature = "test_proto3-module")] +pub mod test_proto3; +#[cfg(feature = "macho-module")] +pub mod macho; #[cfg(feature = "time-module")] pub mod time; -#[cfg(feature = "test_proto3-module")] -pub mod test_proto3; \ No newline at end of file +#[cfg(feature = "string-module")] +pub mod string; \ No newline at end of file diff --git a/yara-x/src/modules/protos/macho.proto b/yara-x/src/modules/protos/macho.proto index bd8b3ca07..e75f3f17b 100644 --- a/yara-x/src/modules/protos/macho.proto +++ b/yara-x/src/modules/protos/macho.proto 
@@ -8,6 +8,13 @@ option (yara.module_options) = { rust_module: "macho" }; +message Dylib { + optional string name = 1; + optional uint32 timestamp = 2; + optional uint32 compatibility_version = 3; + optional uint32 current_version = 4; +} + message Section { optional string segname = 1; optional string sectname = 2; @@ -58,8 +65,9 @@ message File { optional uint32 reserved = 8; optional uint64 number_of_segments = 9; repeated Segment segments = 10; - optional uint64 entry_point = 11; - optional uint64 stack_size = 12; + repeated Dylib dylibs = 11; + optional uint64 entry_point = 12; + optional uint64 stack_size = 13; } message Macho { @@ -74,16 +82,17 @@ message Macho { optional uint32 reserved = 8; optional uint64 number_of_segments = 9; repeated Segment segments = 10; - optional uint64 entry_point = 11; - optional uint64 stack_size = 12; + repeated Dylib dylibs = 11; + optional uint64 entry_point = 12; + optional uint64 stack_size = 13; // Add fields for Mach-O fat binary header - optional uint32 fat_magic = 13; - optional uint32 nfat_arch = 14; - repeated FatArch fat_arch = 15; + optional uint32 fat_magic = 14; + optional uint32 nfat_arch = 15; + repeated FatArch fat_arch = 16; // Nested Mach-O files - repeated File file = 16; + repeated File file = 17; } enum HEADER { diff --git a/yara-x/src/tests/mod.rs b/yara-x/src/tests/mod.rs index fe8bfaf3c..e73ed431a 100644 --- a/yara-x/src/tests/mod.rs +++ b/yara-x/src/tests/mod.rs 
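Review bot: Renumbering existing fields (`entry_point` 11→12, `stack_size` 12→13, and `fat_magic`/`nfat_arch`/`fat_arch`/`file` in `Macho`) breaks wire compatibility with any previously serialized `File`/`Macho` message, since protobuf identifies fields by number, not name. Inserting `dylibs` at the next unused number instead, e.g. `repeated Dylib dylibs = 13;` in `File` and `repeated Dylib dylibs = 17;` in `Macho`, keeps old dumps readable; if field order in generated output matters to the project, that should be stated in the commit message.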
@@ -2874,6 +2874,111 @@ fn test_macho_module() { 0x00, 0x00, 0x00, 0x00, // align ]; + let macho_x86_64_dylib_file = [ + 0xcf, 0xfa, 0xed, 0xfe, 0x07, 0x00, 0x00, 0x01, + 0x03, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, + 0x0d, 0x00, 0x00, 0x00, 0xe8, 0x02, 0x00, 0x00, + 0x85, 0x00, 0x10, 0x00, 0x01, 0x00, 0x00, 0x00, + 0x19, 0x00, 0x00, 0x00, 0x38, 0x01, 0x00, 0x00, + 0x5f, 0x5f, 0x54, 0x45, 0x58, 0x54, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x07, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, + 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x5f, 0x5f, 0x74, 0x65, 0x78, 0x74, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x5f, 0x5f, 0x54, 0x45, 0x58, 0x54, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x50, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x48, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x50, 0x0f, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x04, 0x00, 0x80, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x5f, 0x5f, 0x75, 0x6e, 0x77, 0x69, 0x6e, 0x64, + 0x5f, 0x69, 0x6e, 0x66, 0x6f, 0x00, 0x00, 0x00, + 0x5f, 0x5f, 0x54, 0x45, 0x58, 0x54, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x98, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x48, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x98, 0x0f, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x5f, 0x5f, 0x65, 0x68, 0x5f, 0x66, 0x72, 0x61, + 0x6d, 0x65, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x5f, 0x5f, 0x54, 0x45, 0x58, 0x54, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0xe0, 0x0f, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, + 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0xe0, 0x0f, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x19, 0x00, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, + 0x5f, 0x5f, 0x4c, 0x49, 0x4e, 0x4b, 0x45, 0x44, + 0x49, 0x54, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x07, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x0d, 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, + 0x18, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x66, 0x61, 0x63, 0x74, 0x5f, 0x78, 0x38, 0x36, + 0x5f, 0x36, 0x34, 0x2e, 0x64, 0x79, 0x6c, 0x69, + 0x62, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x22, 0x00, 0x00, 0x80, 0x30, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x10, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00, + 0x02, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00, + 0x38, 0x10, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, + 0x58, 0x10, 0x00, 0x00, 0x28, 0x00, 0x00, 0x00, + 0x0b, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, + 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x1b, 0x00, 0x00, 0x00, 
0x18, 0x00, 0x00, 0x00, + 0x8c, 0x90, 0x46, 0x12, 0x62, 0x53, 0x3f, 0xa1, + 0xb8, 0xd2, 0xd5, 0x82, 0x98, 0x48, 0xa8, 0xfc, + 0x24, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, + 0x00, 0x09, 0x0a, 0x00, 0x00, 0x0a, 0x0a, 0x00, + 0x2a, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x0c, 0x00, 0x00, 0x00, 0x38, 0x00, 0x00, 0x00, + 0x18, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, + 0x00, 0x00, 0xbd, 0x04, 0x00, 0x00, 0x01, 0x00, + 0x2f, 0x75, 0x73, 0x72, 0x2f, 0x6c, 0x69, 0x62, + 0x2f, 0x6c, 0x69, 0x62, 0x53, 0x79, 0x73, 0x74, + 0x65, 0x6d, 0x2e, 0x42, 0x2e, 0x64, 0x79, 0x6c, + 0x69, 0x62, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x26, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, + 0x18, 0x10, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, + 0x29, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, + 0x20, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x2b, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, + 0x20, 0x10, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00 + ]; + rule_true!( r#" import "macho" 
@@ -3033,6 +3138,42 @@ fn test_macho_module() { "#, &[] ); + + rule_true!(r#" + import "macho" + rule test { + condition: + macho.dylibs[0].timestamp == 1 and + macho.dylibs[1].timestamp == 2 + } + "#, &macho_x86_64_dylib_file); + + rule_true!(r#" + import "macho" + rule test { + condition: + macho.dylibs[0].compatibility_version == 0 and + macho.dylibs[1].compatibility_version == 65536 + } + "#, &macho_x86_64_dylib_file); + + rule_true!(r#" + import "macho" + rule test { + condition: + macho.dylibs[0].current_version == 0 and + macho.dylibs[1].current_version == 79495168 + } + "#, &macho_x86_64_dylib_file); + + rule_true!(r#" + import "macho" + rule test { + condition: + macho.dylibs[0].name == "fact_x86_64.dylib" and + macho.dylibs[1].name == "/usr/lib/libSystem.B.dylib" + } + "#, &macho_x86_64_dylib_file); } #[test] From bed6a535a9390d04416191438e7c0df7daba1589 Mon Sep 17 00:00:00 2001 From: Jacob Latonis Date: Fri, 29 Sep 2023 14:32:30 -0500 Subject: [PATCH 2/7] small cleanup --- yara-x/src/modules/macho/mod.rs | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/yara-x/src/modules/macho/mod.rs b/yara-x/src/modules/macho/mod.rs index 7e625191e..0dd5492c4 100644 --- a/yara-x/src/modules/macho/mod.rs +++ b/yara-x/src/modules/macho/mod.rs @@ -895,8 +895,6 @@ fn parse_dylib(input: &[u8]) -> IResult<&[u8], DylibObject> { let (input, current_version) = le_u32(input)?; let (input, compatibility_version) = le_u32(input)?; - // subtract 24 as offset is from beginning of load_command structure - // let (input, _) = take(offset - 24)(input)?; let (input, name) = map_res(tuple((take_till(|b| b == b'\x00'), tag(b"\x00"))), |(s, _)| std::str::from_utf8(s),)(input)?; Ok((input, DylibObject{name: name.into(), timestamp, compatibility_version, current_version})) 
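Review bot: The new `rule_true!` cases only exercise a well-formed sample, so nothing checks how the module behaves on a malformed dylib command — a `cmdsize` smaller than the header, a name without a NUL terminator inside the command, or a non-UTF-8 name — which is the input a scanner is most likely to meet from hostile files. One `rule_true!` per case, built from a trimmed copy of `macho_x86_64_dylib_file` with the offending bytes edited and asserting the expected `macho.dylibs` length or that the file still parses, would pin the intended failure mode and catch regressions in `handle_dylib_command`. The test function `test_macho_module` starts well before this hunk.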
@@ -1461,8 +1459,8 @@ fn parse_ppc_thread_state64(input: &[u8]) -> IResult<&[u8], PPCThreadState64> { /// /// # Arguments /// -/// * `command_data`: The raw byte data of the segment command. -/// * `size`: The size of the segment command data. +/// * `command_data`: The raw byte data of the dylib command. +/// * `size`: The size of the dylib command data. /// * `macho_file`: Mutable reference to the protobuf representation of the /// Mach-O file. /// @@ -1476,7 +1474,7 @@ fn parse_ppc_thread_state64(input: &[u8]) -> IResult<&[u8], PPCThreadState64> { /// * `MachoError::FileSectionTooSmall`: Returned when the segment size is /// smaller than the expected DylibCommand struct size. /// * `MachoError::ParsingError`: Returned when there is an error parsing the -/// segment command data. +/// dylib command data. /// * `MachoError::MissingHeaderValue`: Returned when the "magic" header value /// is missing, needed for determining if bytes should be swapped. fn handle_dylib_command(command_data: &[u8], @@ -2019,7 +2017,6 @@ fn handle_command( handle_segment_command_64(command_data, cmdsize, macho_file)?; seg_count += 1; } - _ => {} } // Handle rest of commands From 3b9bc879d3eecca603579db714689e69ad018c7f Mon Sep 17 00:00:00 2001 From: Jacob Latonis Date: Fri, 29 Sep 2023 14:51:03 -0500 Subject: [PATCH 3/7] rustfmt config fix and rustfmt applied --- rustfmt.toml | 2 +- yara-x/src/modules/macho/mod.rs | 52 +++++++++++++++++++-------- yara-x/src/modules/macho/tests/mod.rs | 13 +++++-- 3 files changed, 50 insertions(+), 17 deletions(-) diff --git a/rustfmt.toml b/rustfmt.toml index cbff8e2d9..c424d7dfa 100644 --- a/rustfmt.toml +++ b/rustfmt.toml @@ -1,4 +1,4 @@ max_width = 79 -use_small_heuristics = "max" +use_small_heuristics = "Max" comment_width = 79 wrap_comments = true diff --git a/yara-x/src/modules/macho/mod.rs b/yara-x/src/modules/macho/mod.rs index 0dd5492c4..19a98a537 100644 --- a/yara-x/src/modules/macho/mod.rs +++ b/yara-x/src/modules/macho/mod.rs 
@@ -16,7 +16,14 @@ use log::*; use arrayref::array_ref; use byteorder::{BigEndian, ByteOrder}; -use nom::{bytes::complete::{take, take_till, tag}, multi::count, number::complete::*, IResult, sequence::tuple, combinator::map_res}; +use nom::{ + bytes::complete::{tag, take, take_till}, + combinator::map_res, + multi::count, + number::complete::*, + sequence::tuple, + IResult, +}; use thiserror::Error; /// Mach-O file needs to have at least header of size 28 to be considered @@ -165,7 +172,7 @@ struct DylibObject { name: Vec, timestamp: u32, current_version: u32, - compatibility_version: u32 + compatibility_version: u32, } /// `DylibCommand`: Represents a dylib command in the Mach-O file. @@ -642,8 +649,10 @@ fn swap_load_command(command: &mut LoadCommand) { /// * `dylib`: A mutable reference to the Mach-O dylib. fn swap_dylib(dylib: &mut DylibObject) { dylib.timestamp = BigEndian::read_u32(&dylib.timestamp.to_le_bytes()); - dylib.compatibility_version = BigEndian::read_u32(& dylib.compatibility_version.to_le_bytes()); - dylib.current_version = BigEndian::read_u32(& dylib.current_version.to_le_bytes()); + dylib.compatibility_version = + BigEndian::read_u32(&dylib.compatibility_version.to_le_bytes()); + dylib.current_version = + BigEndian::read_u32(&dylib.current_version.to_le_bytes()); } /// Swaps the endianness of fields within a Mach-O dylib command from 
@@ -888,16 +897,26 @@ fn parse_load_command(input: &[u8]) -> IResult<&[u8], LoadCommand> { } fn parse_dylib(input: &[u8]) -> IResult<&[u8], DylibObject> { - // offset but we don't need it let (input, _) = le_u32(input)?; let (input, timestamp) = le_u32(input)?; let (input, current_version) = le_u32(input)?; let (input, compatibility_version) = le_u32(input)?; - let (input, name) = map_res(tuple((take_till(|b| b == b'\x00'), tag(b"\x00"))), |(s, _)| std::str::from_utf8(s),)(input)?; + let (input, name) = map_res( + tuple((take_till(|b| b == b'\x00'), tag(b"\x00"))), + |(s, _)| std::str::from_utf8(s), + )(input)?; - Ok((input, DylibObject{name: name.into(), timestamp, compatibility_version, current_version})) + Ok(( + input, + DylibObject { + name: name.into(), + timestamp, + compatibility_version, + current_version, + }, + )) } fn parse_dylib_command(input: &[u8]) -> IResult<&[u8], DylibCommand> { @@ -1454,7 +1473,8 @@ fn parse_ppc_thread_state64(input: &[u8]) -> IResult<&[u8], PPCThreadState64> { Ok((input, PPCThreadState64 { srr0, srr1, r, cr, xer, lr, ctr, vrsave })) } -/// Handles the LC_LOAD_DYLIB, LC_ID_DYLIB, LC_LOAD_WEAK_DYLIB, and LC_REEXPORT_DYLIB commands for Mach-O files, parsing the data +/// Handles the LC_LOAD_DYLIB, LC_ID_DYLIB, LC_LOAD_WEAK_DYLIB, and +/// LC_REEXPORT_DYLIB commands for Mach-O files, parsing the data /// and populating a protobuf representation of the dylib. /// /// # Arguments 
@@ -1477,10 +1497,11 @@ fn parse_ppc_thread_state64(input: &[u8]) -> IResult<&[u8], PPCThreadState64> { /// dylib command data. /// * `MachoError::MissingHeaderValue`: Returned when the "magic" header value /// is missing, needed for determining if bytes should be swapped. -fn handle_dylib_command(command_data: &[u8], +fn handle_dylib_command( + command_data: &[u8], size: usize, - macho_file: &mut File,) -> Result<(), MachoError> { - + macho_file: &mut File, +) -> Result<(), MachoError> { if size < std::mem::size_of::() { return Err(MachoError::FileSectionTooSmall( "DylibCommand".to_string(), @@ -1500,7 +1521,9 @@ fn handle_dylib_command(command_data: &[u8], let dylib = Dylib { name: Some( - std::str::from_utf8(&dy.dylib.name).unwrap_or_default().to_string(), + std::str::from_utf8(&dy.dylib.name) + .unwrap_or_default() + .to_string(), ), timestamp: Some(dy.dylib.timestamp), compatibility_version: Some(dy.dylib.compatibility_version), @@ -1509,7 +1532,7 @@ fn handle_dylib_command(command_data: &[u8], }; macho_file.dylibs.push(dylib); Ok(()) - } +} /// Handles the LC_SEGMENT command for 32-bit Mach-O files, parsing the data /// and populating a protobuf representation of the segment and its associated @@ -2028,7 +2051,8 @@ fn handle_command( LC_MAIN => { handle_main(command_data, cmdsize, macho_file)?; } - LC_LOAD_DYLIB | LC_ID_DYLIB | LC_LOAD_WEAK_DYLIB | LC_REEXPORT_DYLIB => { + LC_LOAD_DYLIB | LC_ID_DYLIB | LC_LOAD_WEAK_DYLIB + | LC_REEXPORT_DYLIB => { handle_dylib_command(command_data, cmdsize, macho_file)?; } _ => {} diff --git a/yara-x/src/modules/macho/tests/mod.rs b/yara-x/src/modules/macho/tests/mod.rs index e7aad5862..fd48cd0b8 100644 --- a/yara-x/src/modules/macho/tests/mod.rs +++ b/yara-x/src/modules/macho/tests/mod.rs 
@@ -222,7 +222,12 @@ fn test_swap_load_command() { #[test] fn test_swap_dylib() { - let mut command = DylibObject { timestamp: 0x11223344, compatibility_version: 0x55667788, current_version: 0x99AABBCC, ..Default::default() }; + let mut command = DylibObject { + timestamp: 0x11223344, + compatibility_version: 0x55667788, + current_version: 0x99AABBCC, + ..Default::default() + }; swap_dylib(&mut command); @@ -233,7 +238,11 @@ fn test_swap_dylib() { #[test] fn test_swap_dylib_command() { - let mut command = DylibCommand { cmd: 0x11223344, cmdsize: 0x55667788, ..Default::default() }; + let mut command = DylibCommand { + cmd: 0x11223344, + cmdsize: 0x55667788, + ..Default::default() + }; swap_dylib_command(&mut command); From e2273ac278408feb79535fe9c6bef2de742c93ab Mon Sep 17 00:00:00 2001 From: Jacob Latonis Date: Tue, 3 Oct 2023 08:23:01 -0500 Subject: [PATCH 4/7] header comments and test blob data reorganization --- yara-x/src/modules/macho/mod.rs | 30 +++++++ yara-x/src/tests/mod.rs | 139 ++++++------------------------ yara-x/src/tests/testdata/blob.rs | 70 +++++++++++++++ yara-x/src/tests/testdata/mod.rs | 1 + 4 files changed, 126 insertions(+), 114 deletions(-) create mode 100644 yara-x/src/tests/testdata/blob.rs create mode 100644 yara-x/src/tests/testdata/mod.rs diff --git a/yara-x/src/modules/macho/mod.rs b/yara-x/src/modules/macho/mod.rs index 19a98a537..3b0da2a62 100644 --- a/yara-x/src/modules/macho/mod.rs +++ b/yara-x/src/modules/macho/mod.rs 
@@ -896,6 +896,21 @@ fn parse_load_command(input: &[u8]) -> IResult<&[u8], LoadCommand> { Ok((input, LoadCommand { cmd, cmdsize })) } +/// Parse a Mach-O Dylib object, transforming raw bytes into a structured +/// format. +/// +/// # Arguments +/// +/// * `input`: A slice of bytes containing the raw dylib object data. +/// +/// # Returns +/// +/// A `nom` IResult containing the remaining unparsed input and the parsed +/// dylib structure, or a `nom` error if the parsing fails. +/// +/// # Errors +/// +/// Returns a `nom` error if the input data is insufficient or malformed. fn parse_dylib(input: &[u8]) -> IResult<&[u8], DylibObject> { // offset but we don't need it let (input, _) = le_u32(input)?; @@ -919,6 +934,21 @@ fn parse_dylib(input: &[u8]) -> IResult<&[u8], DylibObject> { )) } +/// Parse a Mach-O DylibCommand, transforming raw bytes into a structured +/// format. +/// +/// # Arguments +/// +/// * `input`: A slice of bytes containing the raw DylibCommand data. +/// +/// # Returns +/// +/// A `nom` IResult containing the remaining unparsed input and the parsed +/// DylibCommand structure, or a `nom` error if the parsing fails. +/// +/// # Errors +/// +/// Returns a `nom` error if the input data is insufficient or malformed. fn parse_dylib_command(input: &[u8]) -> IResult<&[u8], DylibCommand> { let (input, cmd) = le_u32(input)?; let (input, cmdsize) = le_u32(input)?; diff --git a/yara-x/src/tests/mod.rs b/yara-x/src/tests/mod.rs index e73ed431a..c9ec77240 100644 --- a/yara-x/src/tests/mod.rs +++ b/yara-x/src/tests/mod.rs @@ -1,7 +1,11 @@ -/*! End-to-end tests.*/ +/*! End-to-end tests. */ use bstr::ByteSlice; use pretty_assertions::assert_eq; +mod testdata; + +use crate::tests::testdata::blob::MACHO_X86_64_DYLIB_FILE; + const JUMPS_DATA: &[u8; 1664] = include_bytes!("testdata/jumps.bin"); macro_rules! test_condition { 
@@ -2874,111 +2878,6 @@ fn test_macho_module() { 0x00, 0x00, 0x00, 0x00, // align ]; - let macho_x86_64_dylib_file = [ - 0xcf, 0xfa, 0xed, 0xfe, 0x07, 0x00, 0x00, 0x01, - 0x03, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, - 0x0d, 0x00, 0x00, 0x00, 0xe8, 0x02, 0x00, 0x00, - 0x85, 0x00, 0x10, 0x00, 0x01, 0x00, 0x00, 0x00, - 0x19, 0x00, 0x00, 0x00, 0x38, 0x01, 0x00, 0x00, - 0x5f, 0x5f, 0x54, 0x45, 0x58, 0x54, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x07, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, - 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x5f, 0x5f, 0x74, 0x65, 0x78, 0x74, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x5f, 0x5f, 0x54, 0x45, 0x58, 0x54, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x50, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x48, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x50, 0x0f, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x04, 0x00, 0x80, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x5f, 0x5f, 0x75, 0x6e, 0x77, 0x69, 0x6e, 0x64, - 0x5f, 0x69, 0x6e, 0x66, 0x6f, 0x00, 0x00, 0x00, - 0x5f, 0x5f, 0x54, 0x45, 0x58, 0x54, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x98, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x48, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x98, 0x0f, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x5f, 0x5f, 0x65, 0x68, 0x5f, 0x66, 0x72, 0x61, - 0x6d, 0x65, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x5f, 0x5f, 0x54, 0x45, 0x58, 0x54, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0xe0, 0x0f, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, - 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0xe0, 0x0f, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x19, 0x00, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, - 0x5f, 0x5f, 0x4c, 0x49, 0x4e, 0x4b, 0x45, 0x44, - 0x49, 0x54, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x07, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x0d, 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, - 0x18, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x66, 0x61, 0x63, 0x74, 0x5f, 0x78, 0x38, 0x36, - 0x5f, 0x36, 0x34, 0x2e, 0x64, 0x79, 0x6c, 0x69, - 0x62, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x22, 0x00, 0x00, 0x80, 0x30, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x10, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00, - 0x02, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00, - 0x38, 0x10, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, - 0x58, 0x10, 0x00, 0x00, 0x28, 0x00, 0x00, 0x00, - 0x0b, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, - 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x1b, 0x00, 0x00, 0x00, 
0x18, 0x00, 0x00, 0x00, - 0x8c, 0x90, 0x46, 0x12, 0x62, 0x53, 0x3f, 0xa1, - 0xb8, 0xd2, 0xd5, 0x82, 0x98, 0x48, 0xa8, 0xfc, - 0x24, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, - 0x00, 0x09, 0x0a, 0x00, 0x00, 0x0a, 0x0a, 0x00, - 0x2a, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x0c, 0x00, 0x00, 0x00, 0x38, 0x00, 0x00, 0x00, - 0x18, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, - 0x00, 0x00, 0xbd, 0x04, 0x00, 0x00, 0x01, 0x00, - 0x2f, 0x75, 0x73, 0x72, 0x2f, 0x6c, 0x69, 0x62, - 0x2f, 0x6c, 0x69, 0x62, 0x53, 0x79, 0x73, 0x74, - 0x65, 0x6d, 0x2e, 0x42, 0x2e, 0x64, 0x79, 0x6c, - 0x69, 0x62, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x26, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, - 0x18, 0x10, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, - 0x29, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, - 0x20, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x2b, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, - 0x20, 0x10, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00 - ]; - rule_true!( r#" import "macho" 
@@ -3139,41 +3038,53 @@ fn test_macho_module() { &[] ); - rule_true!(r#" + rule_true!( + r#" import "macho" rule test { condition: macho.dylibs[0].timestamp == 1 and macho.dylibs[1].timestamp == 2 } - "#, &macho_x86_64_dylib_file); + "#, + &MACHO_X86_64_DYLIB_FILE + ); - rule_true!(r#" + rule_true!( + r#" import "macho" rule test { condition: macho.dylibs[0].compatibility_version == 0 and macho.dylibs[1].compatibility_version == 65536 } - "#, &macho_x86_64_dylib_file); + "#, + &MACHO_X86_64_DYLIB_FILE + ); - rule_true!(r#" + rule_true!( + r#" import "macho" rule test { condition: macho.dylibs[0].current_version == 0 and macho.dylibs[1].current_version == 79495168 } - "#, &macho_x86_64_dylib_file); + "#, + &MACHO_X86_64_DYLIB_FILE + ); - rule_true!(r#" + rule_true!( + r#" import "macho" rule test { condition: macho.dylibs[0].name == "fact_x86_64.dylib" and macho.dylibs[1].name == "/usr/lib/libSystem.B.dylib" } - "#, &macho_x86_64_dylib_file); + "#, + &MACHO_X86_64_DYLIB_FILE + ); } #[test] diff --git a/yara-x/src/tests/testdata/blob.rs b/yara-x/src/tests/testdata/blob.rs new file mode 100644 index 000000000..723af4a48 --- /dev/null +++ b/yara-x/src/tests/testdata/blob.rs 
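Review bot: The expected values in the rewritten rule_true! conditions are packed Mach-O version numbers written as bare decimals (`65536`, `79495168`), which nobody can check against the fixture by eye; a one-line comment beside them, e.g. `// packed as major<<16 | minor<<8 | patch: 65536 == 1.0.0, 79495168 == 1213.0.0`, would make the expectations reviewable. All four rules assert only the happy path on MACHO_X86_64_DYLIB_FILE; a second fixture whose dylib command has a cmdsize smaller than the dylib struct, or a name that is not NUL-terminated inside the command, would pin down that parsing stops at the command boundary rather than reading into the next load command, which matters if the name is read up to a terminator rather than bounded by cmdsize. test_macho_module starts outside the hunk.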
@@ -0,0 +1,70 @@ +pub const MACHO_X86_64_DYLIB_FILE: [u8; 812] = [ + 0xcf, 0xfa, 0xed, 0xfe, 0x07, 0x00, 0x00, 0x01, 0x03, 0x00, 0x00, 0x00, + 0x06, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x00, 0x00, 0xe8, 0x02, 0x00, 0x00, + 0x85, 0x00, 0x10, 0x00, 0x01, 0x00, 0x00, 0x00, 0x19, 0x00, 0x00, 0x00, + 0x38, 0x01, 0x00, 0x00, 0x5f, 0x5f, 0x54, 0x45, 0x58, 0x54, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, + 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x5f, 0x5f, 0x74, 0x65, + 0x78, 0x74, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x5f, 0x5f, 0x54, 0x45, 0x58, 0x54, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x50, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x48, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x50, 0x0f, 0x00, 0x00, + 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x04, 0x00, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x5f, 0x5f, 0x75, 0x6e, 0x77, 0x69, 0x6e, 0x64, + 0x5f, 0x69, 0x6e, 0x66, 0x6f, 0x00, 0x00, 0x00, 0x5f, 0x5f, 0x54, 0x45, + 0x58, 0x54, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x98, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x98, 0x0f, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x5f, 0x5f, 0x65, 0x68, 0x5f, 0x66, 0x72, 0x61, 0x6d, 0x65, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x5f, 0x5f, 0x54, 0x45, 0x58, 0x54, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0x0f, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0xe0, 
0x0f, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x19, 0x00, 0x00, 0x00, + 0x48, 0x00, 0x00, 0x00, 0x5f, 0x5f, 0x4c, 0x49, 0x4e, 0x4b, 0x45, 0x44, + 0x49, 0x54, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x00, 0x00, + 0x30, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x66, 0x61, 0x63, 0x74, + 0x5f, 0x78, 0x38, 0x36, 0x5f, 0x36, 0x34, 0x2e, 0x64, 0x79, 0x6c, 0x69, + 0x62, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x22, 0x00, 0x00, 0x80, + 0x30, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x10, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, + 0x18, 0x00, 0x00, 0x00, 0x38, 0x10, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, + 0x58, 0x10, 0x00, 0x00, 0x28, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x00, 0x00, + 0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, + 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x1b, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00, + 0x8c, 0x90, 0x46, 0x12, 0x62, 0x53, 0x3f, 0xa1, 0xb8, 0xd2, 0xd5, 0x82, + 0x98, 
0x48, 0xa8, 0xfc, 0x24, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, + 0x00, 0x09, 0x0a, 0x00, 0x00, 0x0a, 0x0a, 0x00, 0x2a, 0x00, 0x00, 0x00, + 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x0c, 0x00, 0x00, 0x00, 0x38, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00, + 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0xbd, 0x04, 0x00, 0x00, 0x01, 0x00, + 0x2f, 0x75, 0x73, 0x72, 0x2f, 0x6c, 0x69, 0x62, 0x2f, 0x6c, 0x69, 0x62, + 0x53, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x2e, 0x42, 0x2e, 0x64, 0x79, 0x6c, + 0x69, 0x62, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x26, 0x00, 0x00, 0x00, + 0x10, 0x00, 0x00, 0x00, 0x18, 0x10, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, + 0x29, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x20, 0x10, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x2b, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, + 0x20, 0x10, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +]; diff --git a/yara-x/src/tests/testdata/mod.rs b/yara-x/src/tests/testdata/mod.rs new file mode 100644 index 000000000..1cd2af949 --- /dev/null +++ b/yara-x/src/tests/testdata/mod.rs @@ -0,0 +1 @@ +pub mod blob; From f1a748cb576b32f179ead2ce07860731e19cd141 Mon Sep 17 00:00:00 2001 
From: Jacob Latonis Date: Wed, 4 Oct 2023 18:26:54 -0500 Subject: [PATCH 5/7] update test goldenfiles for dylibs and remove deprecated testing --- .../macho/tests/output/macho_ppc_file.out | 24 +++++++ .../tests/output/macho_x86_64_dylib_file.out | 46 ++++++++++++ .../macho/tests/output/macho_x86_file.out | 24 +++++++ .../tests/output/macho_x86_object_file.out | 1 + .../modules/macho/tests/output/tiny_macho.out | 1 + .../macho/tests/output/tiny_universal.out | 49 +++++++++++++ yara-x/src/tests/mod.rs | 17 ++--- yara-x/src/tests/testdata/blob.rs | 70 ------------------- yara-x/src/tests/testdata/mod.rs | 1 - 9 files changed, 154 insertions(+), 79 deletions(-) delete mode 100644 yara-x/src/tests/testdata/blob.rs delete mode 100644 yara-x/src/tests/testdata/mod.rs diff --git a/yara-x/src/modules/macho/tests/output/macho_ppc_file.out b/yara-x/src/modules/macho/tests/output/macho_ppc_file.out index 7f49112e6..b21951300 100644 --- a/yara-x/src/modules/macho/tests/output/macho_ppc_file.out +++ b/yara-x/src/modules/macho/tests/output/macho_ppc_file.out @@ -776,6 +776,30 @@ Macho { }, }, ], + dylibs: [ + Dylib { + name: Some( + "/usr/lib/libSystem.B.dylib", + ), + timestamp: Some( + 1111112572, + ), + compatibility_version: Some( + 65536, + ), + current_version: Some( + 4653313, + ), + special_fields: SpecialFields { + unknown_fields: UnknownFields { + fields: None, + }, + cached_size: CachedSize { + size: 0, + }, + }, + }, + ], entry_point: Some( 3768, ), diff --git a/yara-x/src/modules/macho/tests/output/macho_x86_64_dylib_file.out b/yara-x/src/modules/macho/tests/output/macho_x86_64_dylib_file.out index 777d5a100..6e830bbd5 100644 --- a/yara-x/src/modules/macho/tests/output/macho_x86_64_dylib_file.out +++ b/yara-x/src/modules/macho/tests/output/macho_x86_64_dylib_file.out 
@@ -255,6 +255,52 @@ Macho { }, }, ], + dylibs: [ + Dylib { + name: Some( + "fact_x86_64.dylib", + ), + timestamp: Some( + 1, + ), + compatibility_version: Some( + 0, + ), + current_version: Some( + 0, + ), + special_fields: SpecialFields { + unknown_fields: UnknownFields { + fields: None, + }, + cached_size: CachedSize { + size: 0, + }, + }, + }, + Dylib { + name: Some( + "/usr/lib/libSystem.B.dylib", + ), + timestamp: Some( + 2, + ), + compatibility_version: Some( + 65536, + ), + current_version: Some( + 79495168, + ), + special_fields: SpecialFields { + unknown_fields: UnknownFields { + fields: None, + }, + cached_size: CachedSize { + size: 0, + }, + }, + }, + ], entry_point: None, stack_size: None, fat_magic: None, diff --git a/yara-x/src/modules/macho/tests/output/macho_x86_file.out b/yara-x/src/modules/macho/tests/output/macho_x86_file.out index 11107aa61..521724265 100644 --- a/yara-x/src/modules/macho/tests/output/macho_x86_file.out +++ b/yara-x/src/modules/macho/tests/output/macho_x86_file.out @@ -512,6 +512,30 @@ Macho { }, }, ], + dylibs: [ + Dylib { + name: Some( + "/usr/lib/libSystem.B.dylib", + ), + timestamp: Some( + 2, + ), + compatibility_version: Some( + 65536, + ), + current_version: Some( + 79495168, + ), + special_fields: SpecialFields { + unknown_fields: UnknownFields { + fields: None, + }, + cached_size: CachedSize { + size: 0, + }, + }, + }, + ], entry_point: Some( 3728, ), diff --git a/yara-x/src/modules/macho/tests/output/macho_x86_object_file.out b/yara-x/src/modules/macho/tests/output/macho_x86_object_file.out index 21812dad5..7f40babb4 100644 --- a/yara-x/src/modules/macho/tests/output/macho_x86_object_file.out +++ b/yara-x/src/modules/macho/tests/output/macho_x86_object_file.out @@ -115,6 +115,7 @@ Macho { }, }, ], + dylibs: [], entry_point: None, stack_size: None, fat_magic: None, diff --git a/yara-x/src/modules/macho/tests/output/tiny_macho.out b/yara-x/src/modules/macho/tests/output/tiny_macho.out index 641da91df..3f444cd37 100644 
--- a/yara-x/src/modules/macho/tests/output/tiny_macho.out +++ b/yara-x/src/modules/macho/tests/output/tiny_macho.out @@ -70,6 +70,7 @@ Macho { }, }, ], + dylibs: [], entry_point: Some( 116, ), diff --git a/yara-x/src/modules/macho/tests/output/tiny_universal.out b/yara-x/src/modules/macho/tests/output/tiny_universal.out index 46849c23d..b00ae418c 100644 --- a/yara-x/src/modules/macho/tests/output/tiny_universal.out +++ b/yara-x/src/modules/macho/tests/output/tiny_universal.out @@ -9,6 +9,7 @@ Macho { reserved: None, number_of_segments: None, segments: [], + dylibs: [], entry_point: None, stack_size: None, fat_magic: Some( @@ -586,6 +587,30 @@ Macho { }, }, ], + dylibs: [ + Dylib { + name: Some( + "/usr/lib/libSystem.B.dylib", + ), + timestamp: Some( + 2, + ), + compatibility_version: Some( + 65536, + ), + current_version: Some( + 79495168, + ), + special_fields: SpecialFields { + unknown_fields: UnknownFields { + fields: None, + }, + cached_size: CachedSize { + size: 0, + }, + }, + }, + ], entry_point: Some( 3808, ), @@ -1177,6 +1202,30 @@ Macho { }, }, ], + dylibs: [ + Dylib { + name: Some( + "/usr/lib/libSystem.B.dylib", + ), + timestamp: Some( + 2, + ), + compatibility_version: Some( + 65536, + ), + current_version: Some( + 79495168, + ), + special_fields: SpecialFields { + unknown_fields: UnknownFields { + fields: None, + }, + cached_size: CachedSize { + size: 0, + }, + }, + }, + ], entry_point: Some( 3808, ), diff --git a/yara-x/src/tests/mod.rs b/yara-x/src/tests/mod.rs index dae85d167..c178a6892 100644 --- a/yara-x/src/tests/mod.rs +++ b/yara-x/src/tests/mod.rs @@ -8,10 +8,6 @@ use std::fs; use std::io::{Read, Write}; use std::path::Path; -mod testdata; - -use crate::tests::testdata::blob::MACHO_X86_64_DYLIB_FILE; - const JUMPS_DATA: &[u8; 1664] = include_bytes!("testdata/jumps.bin"); macro_rules! test_condition { 
@@ -2883,6 +2879,11 @@ fn test_macho_module() { ); let macho_data = data.unwrap(); + let data_additional: Result, Box> = create_binary_from_ihex!( + "src/modules/macho/tests/input/macho_x86_64_dylib_file.in" + ); + let dylib_data = data_additional.unwrap(); + rule_true!( r#" import "macho" @@ -3099,7 +3100,7 @@ fn test_macho_module() { macho.dylibs[1].timestamp == 2 } "#, - &MACHO_X86_64_DYLIB_FILE + &dylib_data ); rule_true!( @@ -3111,7 +3112,7 @@ fn test_macho_module() { macho.dylibs[1].compatibility_version == 65536 } "#, - &MACHO_X86_64_DYLIB_FILE + &dylib_data ); rule_true!( @@ -3123,7 +3124,7 @@ fn test_macho_module() { macho.dylibs[1].current_version == 79495168 } "#, - &MACHO_X86_64_DYLIB_FILE + &dylib_data ); rule_true!( @@ -3135,7 +3136,7 @@ fn test_macho_module() { macho.dylibs[1].name == "/usr/lib/libSystem.B.dylib" } "#, - &MACHO_X86_64_DYLIB_FILE + &dylib_data ); } diff --git a/yara-x/src/tests/testdata/blob.rs b/yara-x/src/tests/testdata/blob.rs deleted file mode 100644 index 723af4a48..000000000 --- a/yara-x/src/tests/testdata/blob.rs +++ /dev/null 
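Review bot: `data_additional` is an awkward name next to the existing `data`/`macho_data` pair in the same function, and the intermediate binding adds nothing; `let dylib_data = create_binary_from_ihex!("src/modules/macho/tests/input/macho_x86_64_dylib_file.in").unwrap();` reads better and keeps the same panic-on-failure behaviour for the test. The explicit type annotation also looks unnecessary if the macro's return type is fixed, though the annotation text is mangled in this rendering so that may be a misreading. test_macho_module starts and ends outside the hunk.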
@@ -1,70 +0,0 @@ -pub const MACHO_X86_64_DYLIB_FILE: [u8; 812] = [ - 0xcf, 0xfa, 0xed, 0xfe, 0x07, 0x00, 0x00, 0x01, 0x03, 0x00, 0x00, 0x00, - 0x06, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x00, 0x00, 0xe8, 0x02, 0x00, 0x00, - 0x85, 0x00, 0x10, 0x00, 0x01, 0x00, 0x00, 0x00, 0x19, 0x00, 0x00, 0x00, - 0x38, 0x01, 0x00, 0x00, 0x5f, 0x5f, 0x54, 0x45, 0x58, 0x54, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, - 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x5f, 0x5f, 0x74, 0x65, - 0x78, 0x74, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x5f, 0x5f, 0x54, 0x45, 0x58, 0x54, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x50, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x48, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x50, 0x0f, 0x00, 0x00, - 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x04, 0x00, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x5f, 0x5f, 0x75, 0x6e, 0x77, 0x69, 0x6e, 0x64, - 0x5f, 0x69, 0x6e, 0x66, 0x6f, 0x00, 0x00, 0x00, 0x5f, 0x5f, 0x54, 0x45, - 0x58, 0x54, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x98, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x98, 0x0f, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x5f, 0x5f, 0x65, 0x68, 0x5f, 0x66, 0x72, 0x61, 0x6d, 0x65, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x5f, 0x5f, 0x54, 0x45, 0x58, 0x54, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0x0f, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0xe0, 
0x0f, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x19, 0x00, 0x00, 0x00, - 0x48, 0x00, 0x00, 0x00, 0x5f, 0x5f, 0x4c, 0x49, 0x4e, 0x4b, 0x45, 0x44, - 0x49, 0x54, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x00, 0x00, - 0x30, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x66, 0x61, 0x63, 0x74, - 0x5f, 0x78, 0x38, 0x36, 0x5f, 0x36, 0x34, 0x2e, 0x64, 0x79, 0x6c, 0x69, - 0x62, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x22, 0x00, 0x00, 0x80, - 0x30, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x10, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, - 0x18, 0x00, 0x00, 0x00, 0x38, 0x10, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, - 0x58, 0x10, 0x00, 0x00, 0x28, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x00, 0x00, - 0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, - 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x1b, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00, - 0x8c, 0x90, 0x46, 0x12, 0x62, 0x53, 0x3f, 0xa1, 0xb8, 0xd2, 0xd5, 0x82, - 0x98, 
0x48, 0xa8, 0xfc, 0x24, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, - 0x00, 0x09, 0x0a, 0x00, 0x00, 0x0a, 0x0a, 0x00, 0x2a, 0x00, 0x00, 0x00, - 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x0c, 0x00, 0x00, 0x00, 0x38, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00, - 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0xbd, 0x04, 0x00, 0x00, 0x01, 0x00, - 0x2f, 0x75, 0x73, 0x72, 0x2f, 0x6c, 0x69, 0x62, 0x2f, 0x6c, 0x69, 0x62, - 0x53, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x2e, 0x42, 0x2e, 0x64, 0x79, 0x6c, - 0x69, 0x62, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x26, 0x00, 0x00, 0x00, - 0x10, 0x00, 0x00, 0x00, 0x18, 0x10, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, - 0x29, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x20, 0x10, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x2b, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, - 0x20, 0x10, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, -]; diff --git a/yara-x/src/tests/testdata/mod.rs b/yara-x/src/tests/testdata/mod.rs deleted file mode 100644 index 1cd2af949..000000000 --- a/yara-x/src/tests/testdata/mod.rs +++ /dev/null @@ -1 +0,0 @@ -pub mod blob; From 870f399afd9f4e31a0b92bd95c0d555cca13ec56 Mon Sep 17 00:00:00 2001 From: Jacob Latonis Date: Thu, 5 Oct 2023 08:31:33 -0500 Subject: [PATCH 6/7] remove duplicated testing items --- yara-x/src/tests/mod.rs | 53 ----------------------------------------- 1 file changed, 53 deletions(-) diff --git a/yara-x/src/tests/mod.rs b/yara-x/src/tests/mod.rs index c178a6892..94d714f88 100644 --- a/yara-x/src/tests/mod.rs +++ b/yara-x/src/tests/mod.rs 
@@ -2879,11 +2879,6 @@ fn test_macho_module() { ); let macho_data = data.unwrap(); - let data_additional: Result, Box> = create_binary_from_ihex!( - "src/modules/macho/tests/input/macho_x86_64_dylib_file.in" - ); - let dylib_data = data_additional.unwrap(); - rule_true!( r#" import "macho" @@ -3090,54 +3085,6 @@ fn test_macho_module() { "#, &[] ); - - rule_true!( - r#" - import "macho" - rule test { - condition: - macho.dylibs[0].timestamp == 1 and - macho.dylibs[1].timestamp == 2 - } - "#, - &dylib_data - ); - - rule_true!( - r#" - import "macho" - rule test { - condition: - macho.dylibs[0].compatibility_version == 0 and - macho.dylibs[1].compatibility_version == 65536 - } - "#, - &dylib_data - ); - - rule_true!( - r#" - import "macho" - rule test { - condition: - macho.dylibs[0].current_version == 0 and - macho.dylibs[1].current_version == 79495168 - } - "#, - &dylib_data - ); - - rule_true!( - r#" - import "macho" - rule test { - condition: - macho.dylibs[0].name == "fact_x86_64.dylib" and - macho.dylibs[1].name == "/usr/lib/libSystem.B.dylib" - } - "#, - &dylib_data - ); } #[test] From 8d5bc7c799efe75e7234e747bd2e9676b2bf325d Mon Sep 17 00:00:00 2001 From: Jacob Latonis Date: Thu, 5 Oct 2023 09:17:02 -0500 Subject: [PATCH 7/7] goldenfiles update --- .../modules/macho/tests/testdata/macho_ppc_file.out | 6 ++++++ .../macho/tests/testdata/macho_x86_64_dylib_file.out | 12 ++++++++++++ .../modules/macho/tests/testdata/macho_x86_file.out | 6 ++++++ .../modules/macho/tests/testdata/tiny_universal.out | 12 ++++++++++++ 4 files changed, 36 insertions(+) diff --git a/yara-x/src/modules/macho/tests/testdata/macho_ppc_file.out b/yara-x/src/modules/macho/tests/testdata/macho_ppc_file.out index 37265e749..1798e72ce 100644 --- a/yara-x/src/modules/macho/tests/testdata/macho_ppc_file.out +++ b/yara-x/src/modules/macho/tests/testdata/macho_ppc_file.out 
@@ -227,4 +227,10 @@ segments { nsects: 0 flags: 4 } +dylibs { + name: "/usr/lib/libSystem.B.dylib" + timestamp: 1111112572 + compatibility_version: 65536 + current_version: 4653313 +} entry_point: 3768 diff --git a/yara-x/src/modules/macho/tests/testdata/macho_x86_64_dylib_file.out b/yara-x/src/modules/macho/tests/testdata/macho_x86_64_dylib_file.out index 6ad8d7593..e7d9595c8 100644 --- a/yara-x/src/modules/macho/tests/testdata/macho_x86_64_dylib_file.out +++ b/yara-x/src/modules/macho/tests/testdata/macho_x86_64_dylib_file.out @@ -75,3 +75,15 @@ segments { nsects: 0 flags: 0 } +dylibs { + name: "fact_x86_64.dylib" + timestamp: 1 + compatibility_version: 0 + current_version: 0 +} +dylibs { + name: "/usr/lib/libSystem.B.dylib" + timestamp: 2 + compatibility_version: 65536 + current_version: 79495168 +} diff --git a/yara-x/src/modules/macho/tests/testdata/macho_x86_file.out b/yara-x/src/modules/macho/tests/testdata/macho_x86_file.out index bfa09b461..e8ebc004b 100644 --- a/yara-x/src/modules/macho/tests/testdata/macho_x86_file.out +++ b/yara-x/src/modules/macho/tests/testdata/macho_x86_file.out @@ -149,5 +149,11 @@ segments { nsects: 0 flags: 0 } +dylibs { + name: "/usr/lib/libSystem.B.dylib" + timestamp: 2 + compatibility_version: 65536 + current_version: 79495168 +} entry_point: 3728 stack_size: 0 diff --git a/yara-x/src/modules/macho/tests/testdata/tiny_universal.out b/yara-x/src/modules/macho/tests/testdata/tiny_universal.out index 95e97770f..34befd9fc 100644 --- a/yara-x/src/modules/macho/tests/testdata/tiny_universal.out +++ b/yara-x/src/modules/macho/tests/testdata/tiny_universal.out @@ -166,6 +166,12 @@ file { nsects: 0 flags: 0 } + dylibs { + name: "/usr/lib/libSystem.B.dylib" + timestamp: 2 + compatibility_version: 65536 + current_version: 79495168 + } entry_point: 3808 stack_size: 0 } 
@@ -343,6 +349,12 @@ file { nsects: 0 flags: 0 } + dylibs { + name: "/usr/lib/libSystem.B.dylib" + timestamp: 2 + compatibility_version: 65536 + current_version: 79495168 + } entry_point: 3808 stack_size: 0 }