From 5bf72f2fb04e5fd8eaad5ca4ee5c283314b9fd08 Mon Sep 17 00:00:00 2001 From: "Victor M. Alvarez" Date: Mon, 18 Mar 2024 20:21:12 +0100 Subject: [PATCH] Fix issue while parsing .NET resources .NET resources can be found outside the current file. Before this change those resources were being ignored, but now they are included in the `resources` array. The `name` and `length` fields are kept undefined though. So, external resources have only the `name` field set. --- libyara/modules/dotnet/dotnet.c | 51 ++++++++++++--------------------- 1 file changed, 18 insertions(+), 33 deletions(-) diff --git a/libyara/modules/dotnet/dotnet.c b/libyara/modules/dotnet/dotnet.c index 3f6aa9c9b8..a44cc4f29e 100644 --- a/libyara/modules/dotnet/dotnet.c +++ b/libyara/modules/dotnet/dotnet.c @@ -2932,10 +2932,6 @@ void dotnet_parse_tilde_2( index_size = 2; row_size = (4 + 4 + index_sizes.string + index_size); - - // Using 'i' is insufficent since we may skip certain resources and - // it would give an inaccurate count in that case. - counter = 0; row_ptr = table_offset; // First DWORD is the offset. @@ -2945,11 +2941,7 @@ void dotnet_parse_tilde_2( break; manifestresource_table = (PMANIFESTRESOURCE_TABLE) row_ptr; - resource_offset = yr_le32toh(manifestresource_table->Offset); - // Only set offset if it is in this file (implementation != 0). - // Can't use manifestresource_table here because the Name and - // Implementation fields are variable size. if (index_size == 4) implementation = yr_le32toh( *(DWORD*) (row_ptr + 4 + 4 + index_sizes.string)); @@ -2957,53 +2949,46 @@ void dotnet_parse_tilde_2( implementation = yr_le16toh( *(WORD*) (row_ptr + 4 + 4 + index_sizes.string)); + row_ptr += row_size; + + name = pe_get_dotnet_string( + pe, + string_offset, + str_heap_size, + DOTNET_STRING_INDEX(manifestresource_table->Name)); + + if (name != NULL) + yr_set_string(name, pe->object, "resources[%i].name", i); + + // Only set offset and length if it is in this file, otherwise continue + // with the next resource. if (implementation != 0) - { - row_ptr += row_size; continue; - } + + resource_offset = yr_le32toh(manifestresource_table->Offset); if (!fits_in_pe( pe, pe->data + resource_base + resource_offset, sizeof(DWORD))) - { - row_ptr += row_size; continue; - } resource_size = yr_le32toh( *(DWORD*) (pe->data + resource_base + resource_offset)); if (!fits_in_pe( pe, pe->data + resource_base + resource_offset, resource_size)) - { - row_ptr += row_size; continue; - } // Add 4 to skip the size. yr_set_integer( resource_base + resource_offset + 4, pe->object, "resources[%i].offset", - counter); - - yr_set_integer( - resource_size, pe->object, "resources[%i].length", counter); - - name = pe_get_dotnet_string( - pe, - string_offset, - str_heap_size, - DOTNET_STRING_INDEX(manifestresource_table->Name)); - - if (name != NULL) - yr_set_string(name, pe->object, "resources[%i].name", counter); + i); - row_ptr += row_size; - counter++; + yr_set_integer(resource_size, pe->object, "resources[%i].length", i); } - yr_set_integer(counter, pe->object, "number_of_resources"); + yr_set_integer(i, pe->object, "number_of_resources"); table_offset += row_size * num_rows; break;