More tests

VirusTotal · Jan 30, 2024 · f7be2c0 · f7be2c0
1 parent 69b6afd
commit f7be2c0
Show file tree

Hide file tree

Showing 3 changed files with 42 additions and 18 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -146,4 +146,6 @@ jobs:
           ./configure --disable-proc-scan --enable-macho &&
           make &&
           make check
-          "
+          "
+    - name: Print tests errors
+      run: cat test-macho.log
diff --git a/libyara/modules/macho/macho.c b/libyara/modules/macho/macho.c
@@ -441,13 +441,16 @@ void macho_handle_segment(
 
     yr_set_integer(sec.size, object, "segments[%i].sections[%i].size", i, j);
 
-    yr_set_integer(sec.offset, object, "segments[%i].sections[%i].offset", i, j);
+    yr_set_integer(
+        sec.offset, object, "segments[%i].sections[%i].offset", i, j);
 
     yr_set_integer(sec.align, object, "segments[%i].sections[%i].align", i, j);
 
-    yr_set_integer(sec.reloff, object, "segments[%i].sections[%i].reloff", i, j);
+    yr_set_integer(
+        sec.reloff, object, "segments[%i].sections[%i].reloff", i, j);
 
-    yr_set_integer(sec.nreloc, object, "segments[%i].sections[%i].nreloc", i, j);
+    yr_set_integer(
+        sec.nreloc, object, "segments[%i].sections[%i].nreloc", i, j);
 
     yr_set_integer(sec.flags, object, "segments[%i].sections[%i].flags", i, j);
 
@@ -528,13 +531,16 @@ void macho_handle_segment_64(
 
     yr_set_integer(sec.size, object, "segments[%i].sections[%i].size", i, j);
 
-    yr_set_integer(sec.offset, object, "segments[%i].sections[%i].offset", i, j);
+    yr_set_integer(
+        sec.offset, object, "segments[%i].sections[%i].offset", i, j);
 
     yr_set_integer(sec.align, object, "segments[%i].sections[%i].align", i, j);
 
-    yr_set_integer(sec.reloff, object, "segments[%i].sections[%i].reloff", i, j);
+    yr_set_integer(
+        sec.reloff, object, "segments[%i].sections[%i].reloff", i, j);
 
-    yr_set_integer(sec.nreloc, object, "segments[%i].sections[%i].nreloc", i, j);
+    yr_set_integer(
+        sec.nreloc, object, "segments[%i].sections[%i].nreloc", i, j);
 
     yr_set_integer(sec.flags, object, "segments[%i].sections[%i].flags", i, j);
 
@@ -578,6 +584,8 @@ void macho_parse_file(
   if (should_swap)
     swap_mach_header(&header);
 
+  printf("magic: %x\n", header.magic);
+
   yr_set_integer(header.magic, object, "magic");
   yr_set_integer(header.cputype, object, "cputype");
   yr_set_integer(header.cpusubtype, object, "cpusubtype");
@@ -652,7 +660,8 @@ void macho_parse_file(
     switch (command_struct.cmd)
     {
     case LC_UNIXTHREAD:
-      macho_handle_unixthread(command, size - parsed_size, base_address, object, context);
+      macho_handle_unixthread(
+          command, size - parsed_size, base_address, object, context);
       break;
     case LC_MAIN:
       macho_handle_main(command, size - parsed_size, object, context);
@@ -675,7 +684,8 @@ void macho_load_fat_arch_header(
   if (macho_fat_is_32(data))
   {
     yr_fat_arch_32_t* arch32 =
-        (yr_fat_arch_32_t*) (data + sizeof(yr_fat_header_t) + (num * sizeof(yr_fat_arch_32_t)));
+        (yr_fat_arch_32_t*) (data + sizeof(yr_fat_header_t) +
+                             (num * sizeof(yr_fat_arch_32_t)));
 
     arch->cputype = yr_be32toh(arch32->cputype);
     arch->cpusubtype = yr_be32toh(arch32->cpusubtype);
@@ -687,7 +697,8 @@ void macho_load_fat_arch_header(
   else
   {
     yr_fat_arch_64_t* arch64 =
-        (yr_fat_arch_64_t*) (data + sizeof(yr_fat_header_t) + (num * sizeof(yr_fat_arch_64_t)));
+        (yr_fat_arch_64_t*) (data + sizeof(yr_fat_header_t) +
+                             (num * sizeof(yr_fat_arch_64_t)));
 
     arch->cputype = yr_be32toh(arch64->cputype);
     arch->cpusubtype = yr_be32toh(arch64->cpusubtype);
@@ -810,10 +821,12 @@ void macho_set_definitions(YR_OBJECT* object)
   yr_set_integer(CPU_SUBTYPE_PENTII_M3, object, "CPU_SUBTYPE_PENTII_M3");
   yr_set_integer(CPU_SUBTYPE_PENTII_M5, object, "CPU_SUBTYPE_PENTII_M5");
   yr_set_integer(CPU_SUBTYPE_CELERON, object, "CPU_SUBTYPE_CELERON");
-  yr_set_integer(CPU_SUBTYPE_CELERON_MOBILE, object, "CPU_SUBTYPE_CELERON_MOBILE");
+  yr_set_integer(
+      CPU_SUBTYPE_CELERON_MOBILE, object, "CPU_SUBTYPE_CELERON_MOBILE");
   yr_set_integer(CPU_SUBTYPE_PENTIUM_3, object, "CPU_SUBTYPE_PENTIUM_3");
   yr_set_integer(CPU_SUBTYPE_PENTIUM_3_M, object, "CPU_SUBTYPE_PENTIUM_3_M");
-  yr_set_integer(CPU_SUBTYPE_PENTIUM_3_XEON, object, "CPU_SUBTYPE_PENTIUM_3_XEON");
+  yr_set_integer(
+      CPU_SUBTYPE_PENTIUM_3_XEON, object, "CPU_SUBTYPE_PENTIUM_3_XEON");
   yr_set_integer(CPU_SUBTYPE_PENTIUM_M, object, "CPU_SUBTYPE_PENTIUM_M");
   yr_set_integer(CPU_SUBTYPE_PENTIUM_4, object, "CPU_SUBTYPE_PENTIUM_4");
   yr_set_integer(CPU_SUBTYPE_PENTIUM_4_M, object, "CPU_SUBTYPE_PENTIUM_4_M");
@@ -843,7 +856,8 @@ void macho_set_definitions(YR_OBJECT* object)
   yr_set_integer(CPU_SUBTYPE_POWERPC_602, object, "CPU_SUBTYPE_POWERPC_602");
   yr_set_integer(CPU_SUBTYPE_POWERPC_603, object, "CPU_SUBTYPE_POWERPC_603");
   yr_set_integer(CPU_SUBTYPE_POWERPC_603e, object, "CPU_SUBTYPE_POWERPC_603e");
-  yr_set_integer(CPU_SUBTYPE_POWERPC_603ev, object, "CPU_SUBTYPE_POWERPC_603ev");
+  yr_set_integer(
+      CPU_SUBTYPE_POWERPC_603ev, object, "CPU_SUBTYPE_POWERPC_603ev");
   yr_set_integer(CPU_SUBTYPE_POWERPC_604, object, "CPU_SUBTYPE_POWERPC_604");
   yr_set_integer(CPU_SUBTYPE_POWERPC_604e, object, "CPU_SUBTYPE_POWERPC_604e");
   yr_set_integer(CPU_SUBTYPE_POWERPC_620, object, "CPU_SUBTYPE_POWERPC_620");
@@ -881,7 +895,8 @@ void macho_set_definitions(YR_OBJECT* object)
   yr_set_integer(MH_NOFIXPREBINDING, object, "MH_NOFIXPREBINDING");
   yr_set_integer(MH_PREBINDABLE, object, "MH_PREBINDABLE");
   yr_set_integer(MH_ALLMODSBOUND, object, "MH_ALLMODSBOUND");
-  yr_set_integer(MH_SUBSECTIONS_VIA_SYMBOLS, object, "MH_SUBSECTIONS_VIA_SYMBOLS");
+  yr_set_integer(
+      MH_SUBSECTIONS_VIA_SYMBOLS, object, "MH_SUBSECTIONS_VIA_SYMBOLS");
   yr_set_integer(MH_CANONICAL, object, "MH_CANONICAL");
   yr_set_integer(MH_WEAK_DEFINES, object, "MH_WEAK_DEFINES");
   yr_set_integer(MH_BINDS_TO_WEAK, object, "MH_BINDS_TO_WEAK");
@@ -914,7 +929,8 @@ void macho_set_definitions(YR_OBJECT* object)
   yr_set_integer(S_CSTRING_LITERALS, object, "S_CSTRING_LITERALS");
   yr_set_integer(S_4BYTE_LITERALS, object, "S_4BYTE_LITERALS");
   yr_set_integer(S_8BYTE_LITERALS, object, "S_8BYTE_LITERALS");
-  yr_set_integer(S_NON_LAZY_SYMBOL_POINTERS, object, "S_NON_LAZY_SYMBOL_POINTERS");
+  yr_set_integer(
+      S_NON_LAZY_SYMBOL_POINTERS, object, "S_NON_LAZY_SYMBOL_POINTERS");
   yr_set_integer(S_LAZY_SYMBOL_POINTERS, object, "S_LAZY_SYMBOL_POINTERS");
   yr_set_integer(S_LITERAL_POINTERS, object, "S_LITERAL_POINTERS");
   yr_set_integer(S_SYMBOL_STUBS, object, "S_SYMBOL_STUBS");
@@ -946,7 +962,8 @@ void macho_set_definitions(YR_OBJECT* object)
   yr_set_integer(S_ATTR_STRIP_STATIC_SYMS, object, "S_ATTR_STRIP_STATIC_SYMS");
   yr_set_integer(S_ATTR_NO_DEAD_STRIP, object, "S_ATTR_NO_DEAD_STRIP");
   yr_set_integer(S_ATTR_LIVE_SUPPORT, object, "S_ATTR_LIVE_SUPPORT");
-  yr_set_integer(S_ATTR_SELF_MODIFYING_CODE, object, "S_ATTR_SELF_MODIFYING_CODE");
+  yr_set_integer(
+      S_ATTR_SELF_MODIFYING_CODE, object, "S_ATTR_SELF_MODIFYING_CODE");
   yr_set_integer(S_ATTR_DEBUG, object, "S_ATTR_DEBUG");
   yr_set_integer(S_ATTR_SOME_INSTRUCTIONS, object, "S_ATTR_SOME_INSTRUCTIONS");
   yr_set_integer(S_ATTR_EXT_RELOC, object, "S_ATTR_EXT_RELOC");
@@ -1048,9 +1065,12 @@ define_function(ep_for_arch_subtype)
       uint64_t entry_point = yr_get_integer(module, "file[%i].entry_point", i);
       uint64_t file_offset = yr_get_integer(module, "fat_arch[%i].offset", i);
 
-      if (entry_point == YR_UNDEFINED) {
+      if (entry_point == YR_UNDEFINED)
+      {
         return_integer(YR_UNDEFINED);
-      } else {
+      }
+      else
+      {
         return_integer(file_offset + entry_point);
       }
     }

diff --git a/tests/test-macho.c b/tests/test-macho.c
@@ -234,12 +234,14 @@ int main(int argc, char** argv)
     macho.file[1].cputype == macho.fat_arch[1].cputype }",
       "tests/data/tiny-universal");
 
+  printf("<---------------------\n");
   assert_true_rule_file(
       "import \"macho\" rule test { condition: \
     macho.fat_magic == 0xcafebabe and \
     macho.file[0].magic == 0xfeedface /* 0xcefaedfe */ and \
     macho.file[1].magic == 0xfeedfacf /* 0xcffaedfe */ }",
       "tests/data/tiny-universal");
+  printf("--------------------->\n");
 
   // Entry points for files (LC_MAIN)