From b4072f6f67699e702785276475bba5e129ac2e1d Mon Sep 17 00:00:00 2001
From: Vincent Thiberville
Date: Thu, 25 Apr 2024 01:18:15 +0200
Subject: [PATCH 1/2] fix signature and magic strings in dex module

Several bytestring values in the dex module were not set properly, and were cut short due to the presence of a nul byte. This happened on:
- all the dex.DEX_FILE_MAGIC_* constants, which were cut short by one byte (the last one is the nul byte).
- the magic and signature field in the "header" object of the module.
For all of those, the size is fixed and known, so use the right length and do not cut it short if a nul byte is present.
---
 libyara/modules/dex/dex.c | 25 ++++++++++++-------------
 1 file changed, 12 insertions(+), 13 deletions(-)

diff --git a/libyara/modules/dex/dex.c b/libyara/modules/dex/dex.c
index f850d20a7b..a1efdd0a8a 100644
--- a/libyara/modules/dex/dex.c
+++ b/libyara/modules/dex/dex.c
@@ -492,19 +492,13 @@ dex_header_t* dex_get_header(const uint8_t* data, size_t data_size)
 void dex_parse_header(dex_header_t* dex_header, YR_OBJECT* module_object)
 {
 yr_set_sized_string(
- (char*) dex_header->magic,
- strnlen((char*) dex_header->magic, 8 * sizeof(char)),
- module_object,
- "header.magic");
+ (char*) dex_header->magic, 8, module_object, "header.magic");
 yr_set_integer(
 yr_le32toh(dex_header->checksum), module_object, "header.checksum");
 yr_set_sized_string(
- (char*) dex_header->signature,
- strnlen((char*) dex_header->signature, 20 * sizeof(char)),
- module_object,
- "header.signature");
+ (char*) dex_header->signature, 20, module_object, "header.signature");
 yr_set_integer(
 yr_le32toh(dex_header->file_size), module_object, "header.file_size");
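Review bot: The new `8` and `20` passed to `yr_set_sized_string` in dex_parse_header are bare literals that duplicate the sizes of `dex_header->magic` and `dex_header->signature`; if those are fixed-size arrays in `dex_header_t` (the previous `strnlen(..., 8 * sizeof(char))` bound suggests so, but the struct is not in view), `sizeof(dex_header->magic)` and `sizeof(dex_header->signature)` would keep the exported length tied to the struct definition and remove the magic numbers. Copying a fixed 8 and 20 bytes is only in-bounds if `dex_get_header` (named in the hunk header, body not in view) rejects buffers shorter than `sizeof(dex_header_t)`, so that precondition is worth confirming now that the old NUL-terminated bound is gone. Note also that `header.magic` presumably now carries its trailing NUL byte, so any rule that compared it against the 7-byte value produced before this change will stop matching; a changelog entry would help rule authors. The enclosing dex_parse_header continues past the hunk.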
@@ -1461,11 +1455,16 @@ int module_load(
 dex_header_t* dex_header;
- yr_set_string(DEX_FILE_MAGIC_035, module_object, "DEX_FILE_MAGIC_035");
- yr_set_string(DEX_FILE_MAGIC_036, module_object, "DEX_FILE_MAGIC_036");
- yr_set_string(DEX_FILE_MAGIC_037, module_object, "DEX_FILE_MAGIC_037");
- yr_set_string(DEX_FILE_MAGIC_038, module_object, "DEX_FILE_MAGIC_038");
- yr_set_string(DEX_FILE_MAGIC_039, module_object, "DEX_FILE_MAGIC_039");
+ yr_set_sized_string(
+ DEX_FILE_MAGIC_035, 8, module_object, "DEX_FILE_MAGIC_035");
+ yr_set_sized_string(
+ DEX_FILE_MAGIC_036, 8, module_object, "DEX_FILE_MAGIC_036");
+ yr_set_sized_string(
+ DEX_FILE_MAGIC_037, 8, module_object, "DEX_FILE_MAGIC_037");
+ yr_set_sized_string(
+ DEX_FILE_MAGIC_038, 8, module_object, "DEX_FILE_MAGIC_038");
+ yr_set_sized_string(
+ DEX_FILE_MAGIC_039, 8, module_object, "DEX_FILE_MAGIC_039");
 yr_set_integer(0x12345678, module_object, "ENDIAN_CONSTANT");
 yr_set_integer(0x78563412, module_object, "REVERSE_ENDIAN_CONSTANT");

From cff2fcd49940834f910165f680b357e535ef8768 Mon Sep 17 00:00:00 2001
From: Vincent Thiberville
Date: Thu, 25 Apr 2024 01:21:18 +0200
Subject: [PATCH 2/2] fix declared fields in the dex module

There was some mismatch between the declared fields and the ones filled by the module:
- `dex.field[*].static` and `dex.field[*].instance` were defined, but not declared, making their use impossible. They are now properly declared.
- several fields in `dex.method[*].code_item` were declared but never defined: `padding`, `tries` and `handlers`. Those are removed since they couldn't have been used.
---
 libyara/modules/dex/dex.c | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/libyara/modules/dex/dex.c b/libyara/modules/dex/dex.c
index a1efdd0a8a..690c00fe87 100644
--- a/libyara/modules/dex/dex.c
+++ b/libyara/modules/dex/dex.c
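Review bot: The five `yr_set_sized_string(DEX_FILE_MAGIC_03x, 8, ...)` calls in module_load hard-code the length 8 independently of the constants' definitions, so a define of a different length, or a typo in one of them, would export a truncated or over-read value with no compile-time signal. If the `DEX_FILE_MAGIC_*` macros are string literals (not visible here), `sizeof(DEX_FILE_MAGIC_035) - 1` yields the same 8 bytes — the embedded `\0` plus the literal's implicit terminator make `sizeof` 9 — and tracks the define if it ever changes; a `static const` table of `{macro, field name}` pairs walked in a loop would also remove the five-way copy-paste. At minimum a comment such as `// the trailing NUL is part of the 8-byte magic, so strlen()-based yr_set_string() truncated it` would record why the previous call was wrong. module_load begins before and ends after the hunk.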
@@ -328,6 +328,8 @@ begin_declarations
 declare_string("class_name");
 declare_string("name");
 declare_string("proto");
+ declare_integer("static");
+ declare_integer("instance");
 declare_integer("field_idx_diff");
 declare_integer("access_flags");
 end_struct_array("field")
@@ -358,11 +360,6 @@ begin_declarations
 declare_integer("debug_info_off");
 declare_integer("insns_size");
 declare_string("insns");
- declare_integer("padding");
- begin_struct("tries")
- end_struct("tries");
- begin_struct_array("handlers")
- end_struct_array("handlers");
 end_struct("code_item")
 end_struct_array("method")
 end_declarations
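Review bot: `declare_integer("static")` and `declare_integer("instance")` are added to the `field` struct array with no indication of what value they carry; from the names they presumably flag whether the field was read from a class's static_fields or instance_fields list, but the code that sets them is outside this hunk. A short comment above the pair, e.g. `// 1 if the field was parsed from static_fields / instance_fields respectively — confirm against the encoded_field parser`, plus an entry in the module's user documentation (this patch touches only dex.c) would make the newly usable fields discoverable. The declarations block begins before the hunk.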
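Review bot: Removing `padding`, `tries` and `handlers` from the `code_item` declarations turns any existing rule that references e.g. `dex.method[0].code_item.padding` from "compiles, evaluates to undefined" into a compile error, which is a user-visible break even though the fields were never populated. That is a defensible cleanup, but it should be called out in the changelog or release notes, and if the project has a compatibility policy a deprecation period may be expected instead of outright removal. If `tries` and `handlers` are intended to be parsed later, a `// TODO: code_item tries/handlers are not parsed yet` comment at the removal site would preserve that intent.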