diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 82fcd76c71..2cf04e24e7 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -146,4 +146,6 @@ jobs:
 ./configure --disable-proc-scan --enable-macho && make && make check
- "
\ No newline at end of file
+ "
+ - name: Print tests errors
+ run: cat test-macho.log
\ No newline at end of file
diff --git a/libyara/modules/macho/macho.c b/libyara/modules/macho/macho.c
index da26bfc79d..6837cd3f43 100644
--- a/libyara/modules/macho/macho.c
+++ b/libyara/modules/macho/macho.c
@@ -441,13 +441,16 @@ void macho_handle_segment(
 yr_set_integer(sec.size, object, "segments[%i].sections[%i].size", i, j);
- yr_set_integer(sec.offset, object, "segments[%i].sections[%i].offset", i, j);
+ yr_set_integer(
+ sec.offset, object, "segments[%i].sections[%i].offset", i, j);
 yr_set_integer(sec.align, object, "segments[%i].sections[%i].align", i, j);
- yr_set_integer(sec.reloff, object, "segments[%i].sections[%i].reloff", i, j);
+ yr_set_integer(
+ sec.reloff, object, "segments[%i].sections[%i].reloff", i, j);
- yr_set_integer(sec.nreloc, object, "segments[%i].sections[%i].nreloc", i, j);
+ yr_set_integer(
+ sec.nreloc, object, "segments[%i].sections[%i].nreloc", i, j);
 yr_set_integer(sec.flags, object, "segments[%i].sections[%i].flags", i, j);
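Review bot: The new `Print tests errors` step will not run in the situation it exists for, because GitHub Actions skips the remaining steps of a job as soon as a step fails, and a failing `make check` in the preceding step is exactly when the log is worth printing; give the step an explicit condition, e.g. `- name: Print test errors` / `if: failure()` / `run: cat test-macho.log` (`if: always()` if the log is wanted on success too). The path `test-macho.log` is relative to the runner's working directory, so confirm it matches where the build presumably an autotools one, given the `./configure && make check` above writes the per-test log in this checkout; `cat` itself fails the step if the file is absent. The new side still ends without a trailing newline, which the `\ No newline at end of file` marker shows.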
@@ -528,13 +531,16 @@ void macho_handle_segment_64(
 yr_set_integer(sec.size, object, "segments[%i].sections[%i].size", i, j);
- yr_set_integer(sec.offset, object, "segments[%i].sections[%i].offset", i, j);
+ yr_set_integer(
+ sec.offset, object, "segments[%i].sections[%i].offset", i, j);
 yr_set_integer(sec.align, object, "segments[%i].sections[%i].align", i, j);
- yr_set_integer(sec.reloff, object, "segments[%i].sections[%i].reloff", i, j);
+ yr_set_integer(
+ sec.reloff, object, "segments[%i].sections[%i].reloff", i, j);
- yr_set_integer(sec.nreloc, object, "segments[%i].sections[%i].nreloc", i, j);
+ yr_set_integer(
+ sec.nreloc, object, "segments[%i].sections[%i].nreloc", i, j);
 yr_set_integer(sec.flags, object, "segments[%i].sections[%i].flags", i, j);
@@ -578,6 +584,8 @@ void macho_parse_file(
 if (should_swap)
 swap_mach_header(&header);
+ printf("magic: %x\n", header.magic);
+
 yr_set_integer(header.magic, object, "magic");
 yr_set_integer(header.cputype, object, "cputype");
 yr_set_integer(header.cpusubtype, object, "cpusubtype");
@@ -652,7 +660,8 @@ void macho_parse_file(
 switch (command_struct.cmd)
 {
 case LC_UNIXTHREAD:
- macho_handle_unixthread(command, size - parsed_size, base_address, object, context);
+ macho_handle_unixthread(
+ command, size - parsed_size, base_address, object, context);
 break;
 case LC_MAIN:
 macho_handle_main(command, size - parsed_size, object, context);
@@ -675,7 +684,8 @@ void macho_load_fat_arch_header(
 if (macho_fat_is_32(data))
 {
 yr_fat_arch_32_t* arch32 =
- (yr_fat_arch_32_t*) (data + sizeof(yr_fat_header_t) + (num * sizeof(yr_fat_arch_32_t)));
+ (yr_fat_arch_32_t*) (data + sizeof(yr_fat_header_t) +
+ (num * sizeof(yr_fat_arch_32_t)));
 arch->cputype = yr_be32toh(arch32->cputype);
 arch->cpusubtype = yr_be32toh(arch32->cpusubtype);
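Review bot: The added `printf("magic: %x\n", header.magic);` in macho_parse_file writes to stdout from inside the library while it parses input, so every scanned Mach-O (and each slice of a fat binary) injects a line into the output of whatever program links libyara, and together with the `<---` / `--->` printfs this commit adds to tests/test-macho.c it reads as a leftover debugging aid. Remove it before merging, or if a diagnostic is really wanted, send it to stderr behind the project's debug build switch rather than printing unconditionally. If it is kept, `%x` only matches `header.magic` exactly when that field is `unsigned int`; for a `uint32_t`, as the Mach-O header defines magic, use `PRIx32` from `<inttypes.h>`. The remainder of macho_parse_file lies outside this hunk.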
@@ -687,7 +697,8 @@ void macho_load_fat_arch_header(
 else
 {
 yr_fat_arch_64_t* arch64 =
- (yr_fat_arch_64_t*) (data + sizeof(yr_fat_header_t) + (num * sizeof(yr_fat_arch_64_t)));
+ (yr_fat_arch_64_t*) (data + sizeof(yr_fat_header_t) +
+ (num * sizeof(yr_fat_arch_64_t)));
 arch->cputype = yr_be32toh(arch64->cputype);
 arch->cpusubtype = yr_be32toh(arch64->cpusubtype);
@@ -810,10 +821,12 @@ void macho_set_definitions(YR_OBJECT* object)
 yr_set_integer(CPU_SUBTYPE_PENTII_M3, object, "CPU_SUBTYPE_PENTII_M3");
 yr_set_integer(CPU_SUBTYPE_PENTII_M5, object, "CPU_SUBTYPE_PENTII_M5");
 yr_set_integer(CPU_SUBTYPE_CELERON, object, "CPU_SUBTYPE_CELERON");
- yr_set_integer(CPU_SUBTYPE_CELERON_MOBILE, object, "CPU_SUBTYPE_CELERON_MOBILE");
+ yr_set_integer(
+ CPU_SUBTYPE_CELERON_MOBILE, object, "CPU_SUBTYPE_CELERON_MOBILE");
 yr_set_integer(CPU_SUBTYPE_PENTIUM_3, object, "CPU_SUBTYPE_PENTIUM_3");
 yr_set_integer(CPU_SUBTYPE_PENTIUM_3_M, object, "CPU_SUBTYPE_PENTIUM_3_M");
- yr_set_integer(CPU_SUBTYPE_PENTIUM_3_XEON, object, "CPU_SUBTYPE_PENTIUM_3_XEON");
+ yr_set_integer(
+ CPU_SUBTYPE_PENTIUM_3_XEON, object, "CPU_SUBTYPE_PENTIUM_3_XEON");
 yr_set_integer(CPU_SUBTYPE_PENTIUM_M, object, "CPU_SUBTYPE_PENTIUM_M");
 yr_set_integer(CPU_SUBTYPE_PENTIUM_4, object, "CPU_SUBTYPE_PENTIUM_4");
 yr_set_integer(CPU_SUBTYPE_PENTIUM_4_M, object, "CPU_SUBTYPE_PENTIUM_4_M");
@@ -843,7 +856,8 @@ void macho_set_definitions(YR_OBJECT* object)
 yr_set_integer(CPU_SUBTYPE_POWERPC_602, object, "CPU_SUBTYPE_POWERPC_602");
 yr_set_integer(CPU_SUBTYPE_POWERPC_603, object, "CPU_SUBTYPE_POWERPC_603");
 yr_set_integer(CPU_SUBTYPE_POWERPC_603e, object, "CPU_SUBTYPE_POWERPC_603e");
- yr_set_integer(CPU_SUBTYPE_POWERPC_603ev, object, "CPU_SUBTYPE_POWERPC_603ev");
+ yr_set_integer(
+ CPU_SUBTYPE_POWERPC_603ev, object, "CPU_SUBTYPE_POWERPC_603ev");
 yr_set_integer(CPU_SUBTYPE_POWERPC_604, object, "CPU_SUBTYPE_POWERPC_604");
 yr_set_integer(CPU_SUBTYPE_POWERPC_604e, object, "CPU_SUBTYPE_POWERPC_604e");
 yr_set_integer(CPU_SUBTYPE_POWERPC_620, object, "CPU_SUBTYPE_POWERPC_620");
@@ -881,7 +895,8 @@ void macho_set_definitions(YR_OBJECT* object)
 yr_set_integer(MH_NOFIXPREBINDING, object, "MH_NOFIXPREBINDING");
 yr_set_integer(MH_PREBINDABLE, object, "MH_PREBINDABLE");
 yr_set_integer(MH_ALLMODSBOUND, object, "MH_ALLMODSBOUND");
- yr_set_integer(MH_SUBSECTIONS_VIA_SYMBOLS, object, "MH_SUBSECTIONS_VIA_SYMBOLS");
+ yr_set_integer(
+ MH_SUBSECTIONS_VIA_SYMBOLS, object, "MH_SUBSECTIONS_VIA_SYMBOLS");
 yr_set_integer(MH_CANONICAL, object, "MH_CANONICAL");
 yr_set_integer(MH_WEAK_DEFINES, object, "MH_WEAK_DEFINES");
 yr_set_integer(MH_BINDS_TO_WEAK, object, "MH_BINDS_TO_WEAK");
@@ -914,7 +929,8 @@ void macho_set_definitions(YR_OBJECT* object)
 yr_set_integer(S_CSTRING_LITERALS, object, "S_CSTRING_LITERALS");
 yr_set_integer(S_4BYTE_LITERALS, object, "S_4BYTE_LITERALS");
 yr_set_integer(S_8BYTE_LITERALS, object, "S_8BYTE_LITERALS");
- yr_set_integer(S_NON_LAZY_SYMBOL_POINTERS, object, "S_NON_LAZY_SYMBOL_POINTERS");
+ yr_set_integer(
+ S_NON_LAZY_SYMBOL_POINTERS, object, "S_NON_LAZY_SYMBOL_POINTERS");
 yr_set_integer(S_LAZY_SYMBOL_POINTERS, object, "S_LAZY_SYMBOL_POINTERS");
 yr_set_integer(S_LITERAL_POINTERS, object, "S_LITERAL_POINTERS");
 yr_set_integer(S_SYMBOL_STUBS, object, "S_SYMBOL_STUBS");
@@ -946,7 +962,8 @@ void macho_set_definitions(YR_OBJECT* object)
 yr_set_integer(S_ATTR_STRIP_STATIC_SYMS, object, "S_ATTR_STRIP_STATIC_SYMS");
 yr_set_integer(S_ATTR_NO_DEAD_STRIP, object, "S_ATTR_NO_DEAD_STRIP");
 yr_set_integer(S_ATTR_LIVE_SUPPORT, object, "S_ATTR_LIVE_SUPPORT");
- yr_set_integer(S_ATTR_SELF_MODIFYING_CODE, object, "S_ATTR_SELF_MODIFYING_CODE");
+ yr_set_integer(
+ S_ATTR_SELF_MODIFYING_CODE, object, "S_ATTR_SELF_MODIFYING_CODE");
 yr_set_integer(S_ATTR_DEBUG, object, "S_ATTR_DEBUG");
 yr_set_integer(S_ATTR_SOME_INSTRUCTIONS, object, "S_ATTR_SOME_INSTRUCTIONS");
 yr_set_integer(S_ATTR_EXT_RELOC, object, "S_ATTR_EXT_RELOC");
@@ -1048,9 +1065,12 @@ define_function(ep_for_arch_subtype)
 uint64_t entry_point = yr_get_integer(module, "file[%i].entry_point", i);
 uint64_t file_offset = yr_get_integer(module, "fat_arch[%i].offset", i);
- if (entry_point == YR_UNDEFINED) {
+ if (entry_point == YR_UNDEFINED)
+ {
 return_integer(YR_UNDEFINED);
- } else {
+ }
+ else
+ {
 return_integer(file_offset + entry_point);
 }
 }
diff --git a/tests/test-macho.c b/tests/test-macho.c
index 8ce3faef1e..42c3767559 100644
--- a/tests/test-macho.c
+++ b/tests/test-macho.c
@@ -234,12 +234,14 @@ int main(int argc, char** argv)
 macho.file[1].cputype == macho.fat_arch[1].cputype }", "tests/data/tiny-universal");
+ printf("<---------------------\n");
 assert_true_rule_file(
 "import \"macho\" rule test { condition: \
 macho.fat_magic == 0xcafebabe and \
 macho.file[0].magic == 0xfeedface /* 0xcefaedfe */ and \
 macho.file[1].magic == 0xfeedfacf /* 0xcffaedfe */ }", "tests/data/tiny-universal");
+ printf("--------------------->\n");
 // Entry points for files (LC_MAIN)