Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package yara for openSUSE:Factory checked in at 2021-02-15 23:16:13 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/yara (Old) and /work/SRC/openSUSE:Factory/.yara.new.28504 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "yara" Mon Feb 15 23:16:13 2021 rev:10 rq:871395 version:4.0.5 Changes: -------- --- /work/SRC/openSUSE:Factory/yara/yara.changes 2021-01-30 13:57:58.962418840 +0100 +++ /work/SRC/openSUSE:Factory/.yara.new.28504/yara.changes 2021-02-15 23:18:23.695583516 +0100 @@ -1,0 +2,6 @@ +Mon Feb 8 22:17:41 UTC 2021 - Dirk M??ller <[email protected]> + +- update to 4.0.5: + * Fix bug in "macho" module introduced in v4.0.4. + +------------------------------------------------------------------- Old: ---- v4.0.4.tar.gz New: ---- v4.0.5.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ yara.spec ++++++ --- /var/tmp/diff_new_pack.LTZBMx/_old 2021-02-15 23:18:24.367584520 +0100 +++ /var/tmp/diff_new_pack.LTZBMx/_new 2021-02-15 23:18:24.371584525 +0100 @@ -18,7 +18,7 @@ %define soname 4 Name: yara -Version: 4.0.4 +Version: 4.0.5 Release: 0 Summary: A malware identification and classification tool License: Apache-2.0 ++++++ v4.0.4.tar.gz -> v4.0.5.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yara-4.0.4/configure.ac new/yara-4.0.5/configure.ac --- old/yara-4.0.4/configure.ac 2021-01-27 15:41:45.000000000 +0100 +++ new/yara-4.0.5/configure.ac 2021-02-05 13:28:35.000000000 +0100 @@ -1,4 +1,4 @@ -AC_INIT([yara], [4.0.4], [[email protected]]) +AC_INIT([yara], [4.0.5], [[email protected]]) AM_SILENT_RULES([yes]) AC_CONFIG_SRCDIR([cli/yara.c]) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yara-4.0.4/docs/conf.py new/yara-4.0.5/docs/conf.py --- old/yara-4.0.4/docs/conf.py 2021-01-27 15:41:45.000000000 +0100 +++ new/yara-4.0.5/docs/conf.py 2021-02-05 13:28:35.000000000 +0100 @@ -53,7 +53,7 @@ # The short X.Y version. version = '4.0' # The full version, including alpha/beta/rc tags. -release = '4.0.2' +release = '4.0.5' # The language for content autogenerated by Sphinx. Refer to documentation # for a list of supported languages. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yara-4.0.4/libyara/Makefile.am new/yara-4.0.5/libyara/Makefile.am --- old/yara-4.0.4/libyara/Makefile.am 2021-01-27 15:41:45.000000000 +0100 +++ new/yara-4.0.5/libyara/Makefile.am 2021-02-05 13:28:35.000000000 +0100 @@ -144,7 +144,7 @@ lib_LTLIBRARIES = libyara.la -libyara_la_LDFLAGS = -version-number 4:0:4 +libyara_la_LDFLAGS = -version-number 4:0:5 BUILT_SOURCES = \ lexer.c \ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yara-4.0.4/libyara/include/yara/libyara.h new/yara-4.0.5/libyara/include/yara/libyara.h --- old/yara-4.0.4/libyara/include/yara/libyara.h 2021-01-27 15:41:45.000000000 +0100 +++ new/yara-4.0.5/libyara/include/yara/libyara.h 2021-02-05 13:28:35.000000000 +0100 @@ -34,7 +34,7 @@ #define YR_MAJOR_VERSION 4 #define YR_MINOR_VERSION 0 -#define YR_MICRO_VERSION 4 +#define YR_MICRO_VERSION 5 #define version_str(s) _version_str(s) #define _version_str(s) #s diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yara-4.0.4/libyara/modules/macho/macho.c new/yara-4.0.5/libyara/modules/macho/macho.c --- old/yara-4.0.4/libyara/modules/macho/macho.c 2021-01-27 15:41:45.000000000 +0100 +++ new/yara-4.0.5/libyara/modules/macho/macho.c 2021-02-05 13:28:35.000000000 +0100 @@ -36,7 +36,7 @@ // Check for Mach-O binary magic constant. -int is_macho_file_block(const uint32_t *magic) +int is_macho_file_block(const uint32_t* magic) { return *magic == MH_MAGIC || *magic == MH_CIGAM || *magic == MH_MAGIC_64 || *magic == MH_CIGAM_64; @@ -44,7 +44,7 @@ // Check if file is for 32-bit architecture. -int macho_is_32(const uint8_t *magic) +int macho_is_32(const uint8_t* magic) { // Magic must be [CE]FAEDFE or FEEDFA[CE]. return magic[0] == 0xce || magic[3] == 0xce; @@ -52,7 +52,7 @@ // Check if file is for big-endian architecture. -int macho_is_big(const uint8_t *magic) +int macho_is_big(const uint8_t* magic) { // Magic must be [FE]EDFACE or [FE]EDFACF. return magic[0] == 0xfe; @@ -60,7 +60,7 @@ // Check for Mach-O fat binary magic constant. -int is_fat_macho_file_block(const uint32_t *magic) +int is_fat_macho_file_block(const uint32_t* magic) { return *magic == FAT_MAGIC || *magic == FAT_CIGAM || *magic == FAT_MAGIC_64 || *magic == FAT_CIGAM_64; @@ -68,7 +68,7 @@ // Check if file is 32-bit fat file. -int macho_fat_is_32(const uint8_t *magic) +int macho_fat_is_32(const uint8_t* magic) { // Magic must be CAFEBA[BE]. return magic[3] == 0xbe; @@ -80,7 +80,7 @@ magic == FAT_CIGAM_64; } -static void swap_mach_header(yr_mach_header_64_t *mh) +static void swap_mach_header(yr_mach_header_64_t* mh) { // Don't swap the magic number so we can tell if swapping is needed mh->cputype = yr_bswap32(mh->cputype); @@ -90,17 +90,17 @@ mh->sizeofcmds = yr_bswap32(mh->sizeofcmds); mh->flags = yr_bswap32(mh->flags); - if (!macho_is_32((const uint8_t *) &mh->magic)) + if (!macho_is_32((const uint8_t*) &mh->magic)) mh->reserved = yr_bswap32(mh->reserved); } -static void swap_load_command(yr_load_command_t *lc) +static void swap_load_command(yr_load_command_t* lc) { lc->cmd = yr_bswap32(lc->cmd); lc->cmdsize = yr_bswap32(lc->cmdsize); } -static void swap_segment_command(yr_segment_command_32_t *sg) +static void swap_segment_command(yr_segment_command_32_t* sg) { sg->cmd = yr_bswap32(sg->cmd); sg->cmdsize = yr_bswap32(sg->cmdsize); @@ -114,7 +114,7 @@ sg->flags = yr_bswap32(sg->flags); } -static void swap_segment_command_64(yr_segment_command_64_t *sg) +static void swap_segment_command_64(yr_segment_command_64_t* sg) { sg->cmd = yr_bswap32(sg->cmd); sg->cmdsize = yr_bswap32(sg->cmdsize); @@ -128,7 +128,7 @@ sg->flags = yr_bswap32(sg->flags); } -static void swap_section(yr_section_32_t *sec) +static void swap_section(yr_section_32_t* sec) { sec->addr = yr_bswap32(sec->addr); sec->size = yr_bswap32(sec->size); @@ -141,7 +141,7 @@ sec->reserved2 = yr_bswap32(sec->reserved2); } -static void swap_section_64(yr_section_64_t *sec) +static void swap_section_64(yr_section_64_t* sec) { sec->addr = yr_bswap64(sec->addr); sec->size = yr_bswap64(sec->size); @@ -155,7 +155,7 @@ sec->reserved3 = yr_bswap32(sec->reserved3); } -static void swap_entry_point_command(yr_entry_point_command_t *ep_command) +static void swap_entry_point_command(yr_entry_point_command_t* ep_command) { ep_command->cmd = yr_bswap32(ep_command->cmd); ep_command->cmdsize = yr_bswap32(ep_command->cmdsize); @@ -165,7 +165,7 @@ // Convert virtual address to file offset. Segments have to be already loaded. -bool macho_rva_to_offset(uint64_t address, uint64_t *result, YR_OBJECT *object) +bool macho_rva_to_offset(uint64_t address, uint64_t* result, YR_OBJECT* object) { uint64_t segment_count = get_integer(object, "number_of_segments"); @@ -187,7 +187,7 @@ // Convert file offset to virtual address. Segments have to be already loaded. -int macho_offset_to_rva(uint64_t offset, uint64_t *result, YR_OBJECT *object) +int macho_offset_to_rva(uint64_t offset, uint64_t* result, YR_OBJECT* object) { uint64_t segment_count = get_integer(object, "number_of_segments"); @@ -209,14 +209,14 @@ // Get entry point address from LC_UNIXTHREAD load command. void macho_handle_unixthread( - const uint8_t *command, - YR_OBJECT *object, - YR_SCAN_CONTEXT *context) + const uint8_t* command, + YR_OBJECT* object, + YR_SCAN_CONTEXT* context) { int should_swap = should_swap_bytes(get_integer(object, "magic")); bool is64 = false; - uint32_t command_size = ((yr_thread_command_t *) command)->cmdsize; + uint32_t command_size = ((yr_thread_command_t*) command)->cmdsize; // cmd_size includes the size of yr_thread_command_t and the thread // state structure that follows, let's compute the size of the thread state @@ -225,7 +225,7 @@ // The structure that contains the thread state starts where // yr_thread_command_t ends. - const void *thread_state = command + sizeof(yr_thread_command_t); + const void* thread_state = command + sizeof(yr_thread_command_t); uint64_t address = 0; @@ -234,57 +234,57 @@ case CPU_TYPE_MC680X0: { if (thread_state_size >= sizeof(yr_m68k_thread_state_t)) - address = ((yr_m68k_thread_state_t *) thread_state)->pc; + address = ((yr_m68k_thread_state_t*) thread_state)->pc; break; } case CPU_TYPE_MC88000: { if (thread_state_size >= sizeof(yr_m88k_thread_state_t)) - address = ((yr_m88k_thread_state_t *) thread_state)->xip; + address = ((yr_m88k_thread_state_t*) thread_state)->xip; break; } case CPU_TYPE_SPARC: { if (thread_state_size >= sizeof(yr_sparc_thread_state_t)) - address = ((yr_sparc_thread_state_t *) thread_state)->pc; + address = ((yr_sparc_thread_state_t*) thread_state)->pc; break; } case CPU_TYPE_POWERPC: { if (thread_state_size >= sizeof(yr_ppc_thread_state_t)) - address = ((yr_ppc_thread_state_t *) thread_state)->srr0; + address = ((yr_ppc_thread_state_t*) thread_state)->srr0; break; } case CPU_TYPE_X86: { if (thread_state_size >= sizeof(yr_x86_thread_state_t)) - address = ((yr_x86_thread_state_t *) thread_state)->eip; + address = ((yr_x86_thread_state_t*) thread_state)->eip; break; } case CPU_TYPE_ARM: { if (thread_state_size >= sizeof(yr_arm_thread_state_t)) - address = ((yr_arm_thread_state_t *) thread_state)->pc; + address = ((yr_arm_thread_state_t*) thread_state)->pc; break; } case CPU_TYPE_X86_64: { if (thread_state_size >= sizeof(yr_x86_thread_state64_t)) - address = ((yr_x86_thread_state64_t *) thread_state)->rip; + address = ((yr_x86_thread_state64_t*) thread_state)->rip; is64 = true; break; } case CPU_TYPE_ARM64: { if (thread_state_size >= sizeof(yr_arm_thread_state64_t)) - address = ((yr_arm_thread_state64_t *) thread_state)->pc; + address = ((yr_arm_thread_state64_t*) thread_state)->pc; is64 = true; break; } case CPU_TYPE_POWERPC64: { if (thread_state_size >= sizeof(yr_ppc_thread_state64_t)) - address = ((yr_ppc_thread_state64_t *) thread_state)->srr0; + address = ((yr_ppc_thread_state64_t*) thread_state)->srr0; is64 = true; break; } @@ -318,9 +318,9 @@ // Get entry point offset and stack-size from LC_MAIN load command. void macho_handle_main( - void *command, - YR_OBJECT *object, - YR_SCAN_CONTEXT *context) + void* command, + YR_OBJECT* object, + YR_SCAN_CONTEXT* context) { yr_entry_point_command_t ep_command; @@ -347,9 +347,9 @@ // Load segment and its sections. void macho_handle_segment( - const uint8_t *command, + const uint8_t* command, const unsigned i, - YR_OBJECT *object) + YR_OBJECT* object) { int should_swap = should_swap_bytes(get_integer(object, "magic")); @@ -375,8 +375,8 @@ uint64_t parsed_size = sizeof(yr_segment_command_32_t); // The array of yr_section_32_t starts where yr_segment_command_32_t ends. - yr_section_32_t *sections = - (yr_section_32_t *) (command + sizeof(yr_segment_command_32_t)); + yr_section_32_t* sections = + (yr_section_32_t*) (command + sizeof(yr_segment_command_32_t)); for (unsigned j = 0; j < sg.nsects; ++j) { @@ -431,9 +431,9 @@ } void macho_handle_segment_64( - const uint8_t *command, + const uint8_t* command, const unsigned i, - YR_OBJECT *object) + YR_OBJECT* object) { int should_swap = should_swap_bytes(get_integer(object, "magic")); @@ -519,10 +519,10 @@ // Parse Mach-O file. void macho_parse_file( - const uint8_t *data, + const uint8_t* data, const uint64_t size, - YR_OBJECT *object, - YR_SCAN_CONTEXT *context) + YR_OBJECT* object, + YR_SCAN_CONTEXT* context) { // Size must be large enough the hold yr_mach_header_64_t, which is larger // than yr_mach_header_32_t. @@ -554,17 +554,12 @@ // The "reserved" field exists only in 64 bits files. if (!macho_is_32(data)) - { - yr_mach_header_64_t *header64 = (yr_mach_header_64_t *) data; - if (should_swap) - header64->reserved = yr_bswap32(header64->reserved); - set_integer(header64->reserved, object, "reserved"); - } + set_integer(header.reserved, object, "reserved"); - /* The first command parsing pass handles only segments. */ + // The first command parsing pass handles only segments. uint64_t seg_count = 0; uint64_t parsed_size = header_size; - uint8_t *command = (uint8_t *) (data + header_size); + uint8_t* command = (uint8_t*) (data + header_size); yr_load_command_t command_struct; @@ -604,7 +599,7 @@ // The second command parsing pass handles others, who use segment count. parsed_size = header_size; - command = (uint8_t *) (data + header_size); + command = (uint8_t*) (data + header_size); for (unsigned i = 0; i < header.ncmds; i++) { @@ -642,16 +637,15 @@ // Parse Mach-O fat file. void macho_load_fat_arch_header( - const uint8_t *data, + const uint8_t* data, const uint64_t size, uint32_t num, - yr_fat_arch_64_t *arch) + yr_fat_arch_64_t* arch) { if (macho_fat_is_32(data)) { - yr_fat_arch_32_t *arch32 = - (yr_fat_arch_32_t - *) (data + sizeof(yr_fat_header_t) + (num * sizeof(yr_fat_arch_32_t))); + yr_fat_arch_32_t* arch32 = + (yr_fat_arch_32_t*) (data + sizeof(yr_fat_header_t) + (num * sizeof(yr_fat_arch_32_t))); arch->cputype = yr_be32toh(arch32->cputype); arch->cpusubtype = yr_be32toh(arch32->cpusubtype); @@ -662,9 +656,8 @@ } else { - yr_fat_arch_64_t *arch64 = - (yr_fat_arch_64_t - *) (data + sizeof(yr_fat_header_t) + (num * sizeof(yr_fat_arch_64_t))); + yr_fat_arch_64_t* arch64 = + (yr_fat_arch_64_t*) (data + sizeof(yr_fat_header_t) + (num * sizeof(yr_fat_arch_64_t))); arch->cputype = yr_be32toh(arch64->cputype); arch->cpusubtype = yr_be32toh(arch64->cpusubtype); @@ -676,10 +669,10 @@ } void macho_parse_fat_file( - const uint8_t *data, + const uint8_t* data, const uint64_t size, - YR_OBJECT *object, - YR_SCAN_CONTEXT *context) + YR_OBJECT* object, + YR_SCAN_CONTEXT* context) { size_t fat_arch_sz = sizeof(yr_fat_arch_64_t); @@ -691,7 +684,7 @@ /* All data in Mach-O fat binary headers are in big-endian byte order. */ - const yr_fat_header_t *header = (yr_fat_header_t *) data; + const yr_fat_header_t* header = (yr_fat_header_t*) data; set_integer(yr_be32toh(header->magic), object, "fat_magic"); uint32_t count = yr_be32toh(header->nfat_arch); @@ -734,7 +727,7 @@ // Sets all necessary Mach-O constants and definitions. -void macho_set_definitions(YR_OBJECT *object) +void macho_set_definitions(YR_OBJECT* object) { // Magic constants @@ -932,7 +925,7 @@ define_function(file_index_type) { - YR_OBJECT *module = module(); + YR_OBJECT* module = module(); int64_t type_arg = integer_argument(1); uint64_t nfat = get_integer(module, "nfat_arch"); @@ -954,7 +947,7 @@ define_function(file_index_subtype) { - YR_OBJECT *module = module(); + YR_OBJECT* module = module(); int64_t type_arg = integer_argument(1); int64_t subtype_arg = integer_argument(2); uint64_t nfat = get_integer(module, "nfat_arch"); @@ -980,7 +973,7 @@ define_function(ep_for_arch_type) { - YR_OBJECT *module = module(); + YR_OBJECT* module = module(); int64_t type_arg = integer_argument(1); uint64_t nfat = get_integer(module, "nfat_arch"); @@ -1005,7 +998,7 @@ define_function(ep_for_arch_subtype) { - YR_OBJECT *module = module(); + YR_OBJECT* module = module(); int64_t type_arg = integer_argument(1); int64_t subtype_arg = integer_argument(2); uint64_t nfat = get_integer(module, "nfat_arch"); @@ -1312,40 +1305,41 @@ declare_function("entry_point_for_arch", "ii", "i", ep_for_arch_subtype); end_declarations -int module_initialize(YR_MODULE *module) +int module_initialize(YR_MODULE* module) { return ERROR_SUCCESS; } -int module_finalize(YR_MODULE *module) +int module_finalize(YR_MODULE* module) { return ERROR_SUCCESS; } int module_load( - YR_SCAN_CONTEXT *context, - YR_OBJECT *module_object, - void *module_data, + YR_SCAN_CONTEXT* context, + YR_OBJECT* module_object, + void* module_data, size_t module_data_size) { - YR_MEMORY_BLOCK *block; - YR_MEMORY_BLOCK_ITERATOR *iterator = context->iterator; + YR_MEMORY_BLOCK* block; + YR_MEMORY_BLOCK_ITERATOR* iterator = context->iterator; foreach_memory_block(iterator, block) { - const uint8_t *block_data = block->fetch_data(block); + const uint8_t* block_data = block->fetch_data(block); + if (block_data == NULL || block->size < 4) continue; // Parse Mach-O binary. - if (is_macho_file_block((uint32_t *) block_data)) + if (is_macho_file_block((uint32_t*) block_data)) { macho_parse_file(block_data, block->size, module_object, context); break; } // Parse fat Mach-O binary. - if (is_fat_macho_file_block((uint32_t *) block_data)) + if (is_fat_macho_file_block((uint32_t*) block_data)) { macho_parse_fat_file(block_data, block->size, module_object, context); break; @@ -1356,7 +1350,7 @@ return ERROR_SUCCESS; } -int module_unload(YR_OBJECT *module_object) +int module_unload(YR_OBJECT* module_object) { return ERROR_SUCCESS; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yara-4.0.4/tests/blob.h new/yara-4.0.5/tests/blob.h --- old/yara-4.0.4/tests/blob.h 2021-01-27 15:41:45.000000000 +0100 +++ new/yara-4.0.5/tests/blob.h 2021-02-05 13:28:35.000000000 +0100 @@ -2560,11 +2560,13 @@ }; + + uint8_t MACHO_X86_64_DYLIB_FILE[] = { 0xcf, 0xfa, 0xed, 0xfe, 0x07, 0x00, 0x00, 0x01, 0x03, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x00, 0x00, 0xe8, 0x02, 0x00, 0x00, - 0x85, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x85, 0x00, 0x10, 0x00, 0x01, 0x00, 0x00, 0x00, 0x19, 0x00, 0x00, 0x00, 0x38, 0x01, 0x00, 0x00, 0x5f, 0x5f, 0x54, 0x45, 0x58, 0x54, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yara-4.0.4/tests/test-macho.c new/yara-4.0.5/tests/test-macho.c --- old/yara-4.0.4/tests/test-macho.c 2021-01-27 15:41:45.000000000 +0100 +++ new/yara-4.0.5/tests/test-macho.c 2021-02-05 13:28:35.000000000 +0100 @@ -1,12 +1,14 @@ -#include <yara.h> #include <stdlib.h> #include <unistd.h> -#include "util.h" +#include <yara.h> + #include "blob.h" +#include "util.h" int main(int argc, char** argv) { - char *top_srcdir = getenv("TOP_SRCDIR"); + char* top_srcdir = getenv("TOP_SRCDIR"); + if (top_srcdir) chdir(top_srcdir); @@ -14,78 +16,118 @@ // Tests for executable files - assert_true_rule_blob("import \"macho\" rule test { condition: \ - macho.cputype == macho.CPU_TYPE_X86 }", MACHO_X86_FILE); - assert_true_rule_blob("import \"macho\" rule test { condition: \ - macho.filetype == macho.MH_EXECUTE }", MACHO_X86_FILE); - assert_true_rule_blob("import \"macho\" rule test { condition: \ - macho.flags & macho.MH_PIE }", MACHO_X86_FILE); + assert_true_rule_blob( + "import \"macho\" rule test { condition: \ + macho.cputype == macho.CPU_TYPE_X86 }", + MACHO_X86_FILE); + + assert_true_rule_blob( + "import \"macho\" rule test { condition: \ + macho.filetype == macho.MH_EXECUTE }", + MACHO_X86_FILE); + + assert_true_rule_blob( + "import \"macho\" rule test { condition: \ + macho.flags & macho.MH_PIE }", + MACHO_X86_FILE); // Segments - assert_true_rule_blob("import \"macho\" rule test { condition: \ - macho.number_of_segments == 4 }", MACHO_X86_FILE); - assert_true_rule_blob("import \"macho\" rule test { condition: \ + assert_true_rule_blob( + "import \"macho\" rule test { condition: \ + macho.number_of_segments == 4 }", + MACHO_X86_FILE); + + assert_true_rule_blob( + "import \"macho\" rule test { condition: \ macho.segments[0].segname == \"__PAGEZERO\" and \ macho.segments[1].segname == \"__TEXT\" and \ macho.segments[2].segname == \"__DATA\" and \ - macho.segments[3].segname == \"__LINKEDIT\" }", MACHO_X86_FILE); - assert_true_rule_blob("import \"macho\" rule test { condition: \ + macho.segments[3].segname == \"__LINKEDIT\" }", + MACHO_X86_FILE); + + assert_true_rule_blob( + "import \"macho\" rule test { condition: \ macho.segments[0].vmaddr == 0 and \ macho.segments[0].vmsize == 0x1000 and \ macho.segments[2].nsects == 2 and \ - macho.segments[3].fsize == 0x118 }", MACHO_X86_FILE); - assert_true_rule_file("import \"macho\" rule test { condition: \ - macho.number_of_segments == 1 }", "tests/data/tiny-macho"); + macho.segments[3].fsize == 0x118 }", + MACHO_X86_FILE); + + assert_true_rule_file( + "import \"macho\" rule test { condition: \ + macho.number_of_segments == 1 }", + "tests/data/tiny-macho"); // Sections - assert_true_rule_blob("import \"macho\" rule test { condition: \ + assert_true_rule_blob( + "import \"macho\" rule test { condition: \ macho.segments[1].sections[0].addr == 0x1e90 and \ macho.segments[1].sections[0].size == 0xa6 and \ - macho.segments[1].sections[0].offset == 0x0e90 }", MACHO_X86_FILE); - assert_true_rule_blob("import \"macho\" rule test { condition: \ + macho.segments[1].sections[0].offset == 0x0e90 }", + MACHO_X86_FILE); + + assert_true_rule_blob( + "import \"macho\" rule test { condition: \ macho.segments[1].sections[0].sectname == \"__text\" and \ - macho.segments[1].sections[0].segname == \"__TEXT\" }", MACHO_X86_FILE); - assert_true_rule_blob("import \"macho\" rule test { condition: \ + macho.segments[1].sections[0].segname == \"__TEXT\" }", + MACHO_X86_FILE); + + assert_true_rule_blob( + "import \"macho\" rule test { condition: \ macho.segments[1].sections[1].sectname == \"__symbol_stub\" and \ macho.segments[1].sections[2].sectname == \"__stub_helper\" and \ macho.segments[1].sections[3].sectname == \"__cstring\" and \ macho.segments[1].sections[4].sectname == \"__unwind_info\" and \ macho.segments[2].sections[0].sectname == \"__nl_symbol_ptr\" and \ macho.segments[2].sections[1].sectname == \"__la_symbol_ptr\" }", - MACHO_X86_FILE); + MACHO_X86_FILE); // Entry point (LC_MAIN) - assert_true_rule_blob("import \"macho\" rule test { condition: \ - macho.entry_point == 0xe90 }", MACHO_X86_FILE); + assert_true_rule_blob( + "import \"macho\" rule test { condition: \ + macho.entry_point == 0xe90 }", + MACHO_X86_FILE); // Tests for object files - assert_true_rule_blob("import \"macho\" rule test { condition: \ - macho.cputype == macho.CPU_TYPE_X86 }", MACHO_X86_OBJECT_FILE); - assert_true_rule_blob("import \"macho\" rule test { condition: \ - macho.filetype == macho.MH_OBJECT }", MACHO_X86_OBJECT_FILE); + assert_true_rule_blob( + "import \"macho\" rule test { condition: \ + macho.cputype == macho.CPU_TYPE_X86 }", + MACHO_X86_OBJECT_FILE); + + assert_true_rule_blob( + "import \"macho\" rule test { condition: \ + macho.filetype == macho.MH_OBJECT }", + MACHO_X86_OBJECT_FILE); // Segments and sections - assert_true_rule_blob("import \"macho\" rule test { condition: \ + assert_true_rule_blob( + "import \"macho\" rule test { condition: \ macho.number_of_segments == 1 and macho.segments[0].segname == \"\" and \ macho.segments[0].sections[0].sectname == \"__text\" and \ macho.segments[0].sections[0].segname == \"__TEXT\" }", - MACHO_X86_OBJECT_FILE); + MACHO_X86_OBJECT_FILE); // Tests for big-endian byte order - assert_true_rule_blob("import \"macho\" rule test { condition: \ - macho.cputype == macho.CPU_TYPE_POWERPC }", MACHO_PPC_FILE); - assert_true_rule_blob("import \"macho\" rule test { condition: \ - macho.filetype == macho.MH_EXECUTE }", MACHO_PPC_FILE); + assert_true_rule_blob( + "import \"macho\" rule test { condition: \ + macho.cputype == macho.CPU_TYPE_POWERPC }", + MACHO_PPC_FILE); + + assert_true_rule_blob( + "import \"macho\" rule test { condition: \ + macho.filetype == macho.MH_EXECUTE }", + MACHO_PPC_FILE); // Segments - assert_true_rule_blob("import \"macho\" rule test { condition: \ + assert_true_rule_blob( + "import \"macho\" rule test { condition: \ macho.number_of_segments == 4 and \ macho.segments[0].segname == \"__PAGEZERO\" and \ macho.segments[2].segname == \"__DATA\" and \ @@ -93,108 +135,161 @@ macho.segments[0].vmaddr == 0 and \ macho.segments[0].vmsize == 0x1000 and \ macho.segments[3].fileoff == 65536 and \ - macho.segments[3].fsize == 46032 }", MACHO_PPC_FILE); + macho.segments[3].fsize == 46032 }", + MACHO_PPC_FILE); // Entry point (LC_UNIXTHREAD) - assert_true_rule_blob("import \"macho\" rule test { condition: \ - macho.entry_point == 0xeb8 }", MACHO_PPC_FILE); + assert_true_rule_blob( + "import \"macho\" rule test { condition: \ + macho.entry_point == 0xeb8 }", + MACHO_PPC_FILE); // Tests for 64-bit and shared library files - assert_true_rule_blob("import \"macho\" rule test { condition: \ - macho.cputype == macho.CPU_TYPE_X86_64 }", MACHO_X86_64_DYLIB_FILE); - assert_true_rule_blob("import \"macho\" rule test { condition: \ - macho.filetype == macho.MH_DYLIB }", MACHO_X86_64_DYLIB_FILE); - assert_true_rule_blob("import \"macho\" rule test { condition: \ + assert_true_rule_blob( + "import \"macho\" rule test { condition: \ + macho.flags == 0x0000100085 }", + MACHO_X86_64_DYLIB_FILE); + + assert_true_rule_blob( + "import \"macho\" rule test { condition: \ + macho.reserved == 0x00000001 }", + MACHO_X86_64_DYLIB_FILE); + + assert_true_rule_blob( + "import \"macho\" rule test { condition: \ + macho.cputype == macho.CPU_TYPE_X86_64 }", + MACHO_X86_64_DYLIB_FILE); + + assert_true_rule_blob( + "import \"macho\" rule test { condition: \ + macho.filetype == macho.MH_DYLIB }", + MACHO_X86_64_DYLIB_FILE); + + assert_true_rule_blob( + "import \"macho\" rule test { condition: \ macho.flags & macho.MH_DYLDLINK and \ macho.flags & macho.MH_NOUNDEFS and \ macho.flags & macho.MH_NO_REEXPORTED_DYLIBS and \ - macho.flags & macho.MH_TWOLEVEL }", MACHO_X86_64_DYLIB_FILE); + macho.flags & macho.MH_TWOLEVEL }", + MACHO_X86_64_DYLIB_FILE); // Segments and sections - assert_true_rule_blob("import \"macho\" rule test { condition: \ - macho.number_of_segments == 2 }", MACHO_X86_64_DYLIB_FILE); - assert_true_rule_blob("import \"macho\" rule test { condition: \ + assert_true_rule_blob( + "import \"macho\" rule test { condition: \ + macho.number_of_segments == 2 }", + MACHO_X86_64_DYLIB_FILE); + + assert_true_rule_blob( + "import \"macho\" rule test { condition: \ macho.segments[0].segname == \"__TEXT\" and \ - macho.segments[1].segname == \"__LINKEDIT\" }", MACHO_X86_64_DYLIB_FILE); - assert_true_rule_blob("import \"macho\" rule test { condition: \ + macho.segments[1].segname == \"__LINKEDIT\" }", + MACHO_X86_64_DYLIB_FILE); + + assert_true_rule_blob( + "import \"macho\" rule test { condition: \ macho.segments[1].vmaddr == 0x0000000000001000 and \ macho.segments[1].vmsize == 0x0000000000001000 and \ macho.segments[1].nsects == 0 and \ - macho.segments[1].fsize == 128 }", MACHO_X86_64_DYLIB_FILE); - assert_true_rule_blob("import \"macho\" rule test { condition: \ + macho.segments[1].fsize == 128 }", + MACHO_X86_64_DYLIB_FILE); + + assert_true_rule_blob( + "import \"macho\" rule test { condition: \ macho.segments[0].sections[0].sectname == \"__text\" and \ macho.segments[0].sections[0].segname == \"__TEXT\" }", - MACHO_X86_64_DYLIB_FILE); - assert_true_rule_blob("import \"macho\" rule test { condition: \ + MACHO_X86_64_DYLIB_FILE); + + assert_true_rule_blob( + "import \"macho\" rule test { condition: \ macho.segments[0].sections[1].addr == 0x0000000000000f98 and \ macho.segments[0].sections[1].size == 0x0000000000000048 and \ - macho.segments[0].sections[1].offset == 3992 }", MACHO_X86_64_DYLIB_FILE); + macho.segments[0].sections[1].offset == 3992 }", + MACHO_X86_64_DYLIB_FILE); // Mach-O Universal Binaries tests - assert_true_rule_file("import \"macho\" rule test { condition: \ + assert_true_rule_file( + "import \"macho\" rule test { condition: \ macho.fat_magic == macho.FAT_MAGIC and macho.nfat_arch == 2 }", - "tests/data/tiny-universal"); - assert_true_rule_file("import \"macho\" rule test { condition: \ + "tests/data/tiny-universal"); + + assert_true_rule_file( + "import \"macho\" rule test { condition: \ macho.fat_arch[0].cputype == macho.CPU_TYPE_I386 and \ macho.fat_arch[0].cpusubtype == macho.CPU_SUBTYPE_I386_ALL and \ macho.fat_arch[0].offset == 4096 and \ macho.fat_arch[1].cputype == macho.CPU_TYPE_X86_64 and \ macho.fat_arch[1].cpusubtype == macho.CPU_SUBTYPE_X86_64_ALL | \ macho.CPU_SUBTYPE_LIB64 and macho.fat_arch[1].align == 12 }", - "tests/data/tiny-universal"); - assert_true_rule_file("import \"macho\" rule test { condition: \ + "tests/data/tiny-universal"); + + assert_true_rule_file( + "import \"macho\" rule test { condition: \ macho.file[0].cputype == macho.fat_arch[0].cputype and \ macho.file[1].cputype == macho.fat_arch[1].cputype }", - "tests/data/tiny-universal"); + "tests/data/tiny-universal"); // Entry points for files (LC_MAIN) - assert_true_rule_file("import \"macho\" rule test { \ + assert_true_rule_file( + "import \"macho\" rule test { \ strings: $1 = { 55 89 e5 56 83 ec 34 } \ condition: $1 at macho.file[0].entry_point + macho.fat_arch[0].offset }", - "tests/data/tiny-universal"); + "tests/data/tiny-universal"); - assert_true_rule_file("import \"macho\" rule test { \ + assert_true_rule_file( + "import \"macho\" rule test { \ strings: $1 = { 55 48 89 e5 48 83 ec 20 } \ condition: $1 at macho.file[1].entry_point + macho.fat_arch[1].offset }", - "tests/data/tiny-universal"); + "tests/data/tiny-universal"); // Helper functions - assert_true_rule_file("import \"macho\" rule test { condition: \ + assert_true_rule_file( + "import \"macho\" rule test { condition: \ macho.file[macho.file_index_for_arch(macho.CPU_TYPE_I386)].entry_point == \ - macho.file[0].entry_point }", "tests/data/tiny-universal"); - assert_true_rule_file("import \"macho\" rule test { condition: \ + macho.file[0].entry_point }", + "tests/data/tiny-universal"); + assert_true_rule_file( + "import \"macho\" rule test { condition: \ macho.file[macho.file_index_for_arch(macho.CPU_TYPE_X86_64)].entry_point == \ - macho.file[1].entry_point }", "tests/data/tiny-universal"); + macho.file[1].entry_point }", + "tests/data/tiny-universal"); - assert_true_rule_file("import \"macho\" rule test { condition: \ + assert_true_rule_file( + "import \"macho\" rule test { condition: \ macho.file[macho.file_index_for_arch(macho.CPU_TYPE_I386, \ macho.CPU_SUBTYPE_I386_ALL)].entry_point == \ - macho.file[0].entry_point }", "tests/data/tiny-universal"); - assert_true_rule_file("import \"macho\" rule test { condition: \ + macho.file[0].entry_point }", + "tests/data/tiny-universal"); + + assert_true_rule_file( + "import \"macho\" rule test { condition: \ macho.file[macho.file_index_for_arch(macho.CPU_TYPE_X86_64, \ macho.CPU_SUBTYPE_X86_64_ALL | \ macho.CPU_SUBTYPE_LIB64)].entry_point == \ - macho.file[1].entry_point }", "tests/data/tiny-universal"); + macho.file[1].entry_point }", + "tests/data/tiny-universal"); // Entry point for specific architecture - assert_true_rule_file("import \"macho\" rule test { \ + assert_true_rule_file( + "import \"macho\" rule test { \ strings: $1 = { 55 89 e5 56 83 ec 34 } \ condition: $1 at macho.entry_point_for_arch(macho.CPU_TYPE_I386, \ macho.CPU_SUBTYPE_I386_ALL) }", - "tests/data/tiny-universal"); + "tests/data/tiny-universal"); - assert_true_rule_file("import \"macho\" rule test { \ + assert_true_rule_file( + "import \"macho\" rule test { \ strings: $1 = { 55 48 89 e5 48 83 ec 20 } \ condition: $1 at macho.entry_point_for_arch(macho.CPU_TYPE_X86_64) }", - "tests/data/tiny-universal"); + "tests/data/tiny-universal"); yr_finalize(); + return 0; }
