diff --git a/lib/src/modules/field_docs.rs b/lib/src/modules/field_docs.rs
index 960d0df49..d29d6317a 100644
--- a/lib/src/modules/field_docs.rs
+++ b/lib/src/modules/field_docs.rs
@@ -1,7 +1,173 @@ // File generated automatically by build.rs. Do not edit. pub const FIELD_DOCS: &[(&str, u64, &str)] = &[ - ("dex.DexHeader", 2, "DEX version (35, 36, 37, ...)"), + ("crx.Crx", 1, "True if the file is a valid Chrome Extension (CRX) package."), + ("crx.Crx", 2, "Format version of the CRX package."), + ("crx.Crx", 3, "Size in bytes of the binary CRX header."), + ("crx.Crx", 4, "Standard 32-character extension ID string."), + ("crx.Crx", 5, "Processed extension name extracted from the manifest."), + ("crx.Crx", 6, "Processed extension description extracted from the manifest."), + ("crx.Crx", 7, "Raw unparsed extension name extracted from the manifest."), + ("crx.Crx", 8, "Raw unparsed extension description extracted from the manifest."), + ("crx.Crx", 9, "Minimum Chrome version requirement string from the manifest."), + ("crx.Crx", 10, "Homepage URL string defined inside the manifest."), + ("crx.Crx", 11, "Required runtime permissions defined inside the manifest."), + ("crx.Crx", 12, "Required host access permissions defined inside the manifest."), + ("crx.Crx", 13, "Optional runtime permissions defined inside the manifest."), + ("crx.Crx", 14, "Optional host access permissions defined inside the manifest."), + ("crx.Crx", 15, "Cryptographic signatures validating the package."), + ("crx.Crx", 16, "Extension version string extracted from the manifest."), + ("crx.CrxSignature", 1, "Public key or identifier string used in the signature."), + ("crx.CrxSignature", 2, "True if the cryptographic signature successfully verified."), + ("dex.ClassItem", 1, "Core descriptor representing the class type."), + ("dex.ClassItem", 2, "Bitwise flags specifying accessibility constraints and attributes."), + ("dex.ClassItem", 3, "Superclass descriptor inherited by this object."), + ("dex.ClassItem", 4, "Source code file name metadata string."), + ("dex.Dex", 1, "True if the file is a valid Dalvik Executable (DEX)."), + ("dex.Dex", 2, "Standard header items parsed from 
the binary."), + ("dex.Dex", 3, "Array of strings extracted from the string pool."), + ("dex.Dex", 4, "Data types explicitly defined in the type pool."), + ("dex.Dex", 5, "Function prototypes structured from the prototype pool."), + ("dex.Dex", 6, "Distinct class fields extracted from the field list."), + ("dex.Dex", 7, "Specific subroutines and methods defined."), + ("dex.Dex", 8, "Structured class definition objects."), + ("dex.Dex", 9, "Mapping metadata table listing item offsets and sizes."), + ("dex.DexHeader", 1, "Magic identifier characterizing the file type."), + ("dex.DexHeader", 2, "Format version designation (e.g., 35, 36, 37)."), + ("dex.DexHeader", 3, "Standard Adler32 checksum of the remainder of the file."), + ("dex.DexHeader", 4, "Cryptographic SHA-1 signature of the remaining file contents."), + ("dex.DexHeader", 5, "Physical size in bytes of the complete file."), + ("dex.DexHeader", 6, "Combined size in bytes of the binary header block."), + ("dex.DexHeader", 7, "Byte ordering identifier constant."), + ("dex.DexHeader", 8, "Physical size of the link section."), + ("dex.DexHeader", 9, "Offset pointing to the link section data."), + ("dex.DexHeader", 23, "Size in bytes of the main data section."), + ("dex.DexHeader", 24, "File offset pointing to the main data block."), + ("dex.DexHeader", 25, "Combined size constraint allocated for the container."), + ("dex.DexHeader", 26, "File offset marking the beginning of the primary header."), + ("dex.FieldItem", 1, "Name of the parent class defining the field."), + ("dex.FieldItem", 2, "Specific data type categorization of the field."), + ("dex.FieldItem", 3, "Descriptive string identifier assigned to the field."), + ("dex.MapItem", 1, "Standard item classification type code."), + ("dex.MapItem", 2, "Reserved unused padding field."), + ("dex.MapItem", 3, "Total count of individual items in this section."), + ("dex.MapItem", 4, "File offset marking the start of the designated items."), + ("dex.MapList", 1, 
"Number of specific map item elements tracked."), + ("dex.MapList", 2, "Structured mapping descriptors detailing item positions."), + ("dex.MethodItem", 1, "Parent class descriptor string containing the method."), + ("dex.MethodItem", 2, "Signature prototype defining the function arguments and return value."), + ("dex.MethodItem", 3, "Individual function name assigned to the method."), + ("dex.ProtoItem", 1, "Short-form signature representing the return and argument types."), + ("dex.ProtoItem", 2, "Standard data type descriptor of the return value."), + ("dex.ProtoItem", 3, "Total count of arguments accepted by the prototype."), + ("dex.ProtoItem", 4, "Data type descriptions corresponding to each argument."), + ("dotnet.Assembly", 1, "Name of the active assembly."), + ("dotnet.Assembly", 2, "Standard culture setting applicable to the assembly."), + ("dotnet.Assembly", 3, "Version descriptor assigned to the assembly."), + ("dotnet.AssemblyRef", 1, "Identifier string representing the external assembly."), + ("dotnet.AssemblyRef", 2, "Cryptographic key or access token assigned to the assembly."), + ("dotnet.AssemblyRef", 3, "Standard version requirement for the referenced assembly."), + ("dotnet.Class", 1, "Full namespace and class name descriptor."), + ("dotnet.Class", 2, "Individual class designation name string."), + ("dotnet.Class", 3, "Target namespace string containing the class."), + ("dotnet.Class", 4, "Access visibility modifier applied to the class."), + ("dotnet.Class", 5, "Categorization of the class type."), + ("dotnet.Class", 6, "True if the class is marked as abstract."), + ("dotnet.Class", 7, "True if the class is marked as sealed."), + ("dotnet.Class", 8, "Count of inherited base types declared by the class."), + ("dotnet.Class", 9, "Total count of generic parameters specified."), + ("dotnet.Class", 10, "Number of methods explicitly defined inside the class."), + ("dotnet.Class", 11, "Distinct base types inherited by this class."), + ("dotnet.Class", 
12, "Defined generic parameters applicable to the class."), + ("dotnet.Class", 13, "Methods and subroutines implemented within the class."), + ("dotnet.Dotnet", 1, "True if the file is a valid .NET framework executable."), + ("dotnet.Dotnet", 2, "Module name designation extracted from the assembly."), + ("dotnet.Dotnet", 3, "Version string of the embedded module."), + ("dotnet.Dotnet", 4, "Total count of embedded streams inside the file."), + ("dotnet.Dotnet", 5, "Count of unique GUIDs defined within the module."), + ("dotnet.Dotnet", 6, "Total number of individual resources embedded."), + ("dotnet.Dotnet", 7, "Count of generic parameters defined inside the assembly."), + ("dotnet.Dotnet", 10, "Total count of classes extracted from the executable."), + ("dotnet.Dotnet", 11, "Number of external assembly references declared."), + ("dotnet.Dotnet", 12, "Number of external module references defined."), + ("dotnet.Dotnet", 13, "Count of strings defined inside the user string heap."), + ("dotnet.Dotnet", 14, "Number of constant elements stored inside the assembly."), + ("dotnet.Dotnet", 15, "Total count of structured field offsets available."), + ("dotnet.Dotnet", 16, "Core type library representation identifier string."), + ("dotnet.Dotnet", 17, "Individual streams mapped from the metadata root."), + ("dotnet.Dotnet", 18, "Distinct GUID values associated with the executable."), + ("dotnet.Dotnet", 19, "Internal constants extracted from the binary."), + ("dotnet.Dotnet", 20, "Structured metadata describing the primary assembly."), + ("dotnet.Dotnet", 21, "External assembly elements referenced by the program."), + ("dotnet.Dotnet", 22, "Specific resources stored directly inside the module."), + ("dotnet.Dotnet", 23, "Defined classes and types structured from the program."), + ("dotnet.Dotnet", 24, "Relative offsets describing specific fields."), + ("dotnet.Dotnet", 25, "String definitions extracted from the user string pool."), + ("dotnet.Dotnet", 26, "Descriptive names 
of external modules imported."), + ("dotnet.Method", 1, "Individual function name string."), + ("dotnet.Method", 2, "Access visibility scope applied to the method."), + ("dotnet.Method", 3, "True if the function is an abstract definition."), + ("dotnet.Method", 4, "True if the function is marked as static."), + ("dotnet.Method", 5, "True if the function acts as a virtual method."), + ("dotnet.Method", 6, "True if the function is restricted as final."), + ("dotnet.Method", 7, "Standard return type specification string."), + ("dotnet.Method", 8, "Count of generic parameters explicitly defined for the method."), + ("dotnet.Method", 9, "Number of individual parameters passed to the method."), + ("dotnet.Method", 10, "Distinct generic parameters linked to the method."), + ("dotnet.Method", 11, "Detailed argument definitions accepted by the function."), + ("dotnet.Param", 1, "Target parameter identifier name string."), + ("dotnet.Param", 2, "Designated parameter type string."), + ("dotnet.Resource", 1, "File offset marking the start of the resource data."), + ("dotnet.Resource", 2, "Physical length of the resource inside the binary."), + ("dotnet.Resource", 3, "Descriptive name string of the stored resource."), + ("dotnet.Stream", 1, "Descriptive name of the metadata stream."), + ("dotnet.Stream", 2, "Address or file offset marking the beginning of the stream."), + ("dotnet.Stream", 3, "Exact size of the stream inside the binary."), + ("dotnet.Version", 1, "Major format specification number."), + ("dotnet.Version", 2, "Minor format specification number."), + ("dotnet.Version", 3, "Designated build assignment number."), + ("dotnet.Version", 4, "Internal code revision tracking number."), + ("elf.Dyn", 1, "Classification type of the dynamic entry (e.g., NEEDED, STRTAB)."), + ("elf.Dyn", 2, "Value or address associated with the dynamic entry."), + ("elf.ELF", 1, "Type of the ELF file (e.g., executable, shared object)."), + ("elf.ELF", 2, "Architecture of the machine for 
which the binary is compiled."), + ("elf.ELF", 3, "Entry point address of the executable."), + ("elf.ELF", 4, "File offset pointing to the section header table."), + ("elf.ELF", 5, "Size in bytes of a single section header entry."), + ("elf.ELF", 6, "File offset pointing to the program header table."), + ("elf.ELF", 7, "Size in bytes of a single program header entry."), + ("elf.ELF", 8, "Number of section header entries in the table."), + ("elf.ELF", 9, "Number of program header entries in the table."), + ("elf.ELF", 10, "Count of symbols stored in the static symbol table."), + ("elf.ELF", 11, "Count of symbols stored in the dynamic symbol table."), + ("elf.ELF", 12, "Count of entries present in the dynamic linking section."), + ("elf.ELF", 13, "Array of sections described by the section header table."), + ("elf.ELF", 14, "Array of segments described by the program header table."), + ("elf.ELF", 15, "Static symbols extracted from the file."), + ("elf.ELF", 16, "Dynamic symbols extracted from the file."), + ("elf.ELF", 17, "Entries extracted from the dynamic linking structure."), + ("elf.ELF", 18, "Operating system and ABI designation of the file."), + ("elf.Section", 1, "Section type classification (e.g., PROGBITS, SYMTAB)."), + ("elf.Section", 2, "Section attributes represented as bitwise flags."), + ("elf.Section", 3, "Virtual address where the section resides in memory."), + ("elf.Section", 4, "Size in bytes of the section data."), + ("elf.Section", 5, "Physical file offset pointing to the section contents."), + ("elf.Section", 6, "Name of the section as a string."), + ("elf.Segment", 1, "Classification of the program segment (e.g., LOAD, DYNAMIC)."), + ("elf.Segment", 2, "Access permissions and flags of the segment."), + ("elf.Segment", 3, "Physical file offset pointing to the beginning of the segment."), + ("elf.Segment", 4, "Virtual address where the segment is loaded in memory."), + ("elf.Segment", 5, "Physical address of the segment, used on systems without 
virtual memory."), + ("elf.Segment", 6, "Size of the segment inside the file."), + ("elf.Segment", 7, "Size of the segment when mapped into memory."), + ("elf.Segment", 8, "Required alignment boundary of the segment in memory and on disk."), + ("elf.Sym", 1, "Name of the symbol as a string."), + ("elf.Sym", 2, "Value associated with the symbol (typically an address or offset)."), + ("elf.Sym", 3, "Size in bytes of the object referenced by the symbol."), + ("elf.Sym", 4, "Symbol type classification (e.g., FUNC, OBJECT)."), + ("elf.Sym", 5, "Binding attributes of the symbol (e.g., GLOBAL, LOCAL)."), + ("elf.Sym", 6, "Index of the section associated with this symbol."), + ("elf.Sym", 7, "Visibility scope of the symbol (e.g., DEFAULT, HIDDEN)."), ("lnk.Lnk", 1, "True if the file is a LNK file."), ("lnk.Lnk", 2, "A description of the shortcut that is displayed to end users to identify the purpose of the link."), 
@@ -31,12 +197,262 @@ pub const FIELD_DOCS: &[(&str, u64, &str)] = &[ ("lnk.Lnk", 19, "Size in bytes of any extra data appended to the LNK file."), ("lnk.Lnk", 20, "Offset within the LNK file where the overlay starts."), ("lnk.Lnk", 21, "Distributed link tracker information."), - ("macho.Macho", 1, "Set Mach-O header and basic fields"), - ("macho.Macho", 29, "Add fields for Mach-O fat binary header"), - ("macho.Macho", 32, "Nested Mach-O files"), + ("macho.BuildTool", 1, "Identifier representing the tool utilized."), + ("macho.BuildTool", 2, "Version string corresponding to the tool."), + ("macho.BuildVersion", 1, "Target platform designation."), + ("macho.BuildVersion", 2, "Minimum OS version required as a string."), + ("macho.BuildVersion", 3, "Version string of the SDK utilized."), + ("macho.BuildVersion", 4, "Number of build tools embedded."), + ("macho.BuildVersion", 5, "Information regarding individual tools utilized in the build."), + ("macho.Certificate", 1, "Name of the issuer of the certificate."), + ("macho.Certificate", 2, "Subject designation of the certificate."), + ("macho.Certificate", 3, "True if the certificate is self-signed."), + ("macho.DyldInfo", 1, "File offset to the rebase information."), + ("macho.DyldInfo", 2, "Size in bytes of the rebase payload."), + ("macho.DyldInfo", 3, "File offset to the primary binding info."), + ("macho.DyldInfo", 4, "Size of the binding data in bytes."), + ("macho.DyldInfo", 5, "File offset to weak binding definitions."), + ("macho.DyldInfo", 6, "Size of weak binding definitions."), + ("macho.DyldInfo", 7, "File offset to lazy binding definitions."), + ("macho.DyldInfo", 8, "Size of lazy binding definitions."), + ("macho.DyldInfo", 9, "File offset to exported symbols and data."), + ("macho.DyldInfo", 10, "Size of the export payload."), + ("macho.Dylib", 1, "Library name string."), + ("macho.Dylib", 2, "Build timestamp of the dynamic library."), + ("macho.Dylib", 3, "Compatibility version requirement string."), + 
("macho.Dylib", 4, "Current version designation string."), + ("macho.Dysymtab", 3, "Index of the first local symbol."), + ("macho.Dysymtab", 4, "Total number of local symbols."), + ("macho.Dysymtab", 5, "Index of the first externally defined symbol."), + ("macho.Dysymtab", 6, "Total count of externally defined symbols."), + ("macho.Dysymtab", 7, "Index of the first undefined symbol."), + ("macho.Dysymtab", 8, "Total count of undefined symbols."), + ("macho.Dysymtab", 9, "Physical file offset to the table of contents."), + ("macho.Dysymtab", 10, "Total entries within the table of contents."), + ("macho.Dysymtab", 11, "Physical offset to the module table."), + ("macho.Dysymtab", 12, "Total module entries in the module table."), + ("macho.Dysymtab", 13, "File offset to external reference symbol entries."), + ("macho.Dysymtab", 14, "Total entries for external reference symbols."), + ("macho.Dysymtab", 15, "File offset to indirect symbol entries."), + ("macho.Dysymtab", 16, "Count of indirect symbol elements."), + ("macho.Dysymtab", 17, "File offset to external relocation entries."), + ("macho.Dysymtab", 18, "Count of external relocation records."), + ("macho.Dysymtab", 19, "File offset to local relocation elements."), + ("macho.Dysymtab", 20, "Total count of local relocation entries."), + ("macho.FatArch", 1, "Target architecture designation of the embedded binary."), + ("macho.FatArch", 2, "Sub-architecture designation."), + ("macho.FatArch", 3, "File offset referencing the start of the embedded binary."), + ("macho.FatArch", 4, "Size in bytes of the embedded binary payload."), + ("macho.FatArch", 5, "Required byte alignment of the binary payload."), + ("macho.FatArch", 6, "Reserved internal field."), + ("macho.File", 1, "Magic identifier indicating the file architecture."), + ("macho.File", 2, "Primary architecture designation of the embedded binary."), + ("macho.File", 3, "Specific sub-architecture variant."), + ("macho.File", 4, "Binary file type categorization."), 
+ ("macho.File", 5, "Total count of load commands embedded inside the header."), + ("macho.File", 6, "Combined byte size of all load commands."), + ("macho.File", 7, "Bitwise flags characterizing the binary."), + ("macho.File", 8, "Internal reserved field."), + ("macho.File", 9, "Number of segments parsed from the binary."), + ("macho.File", 10, "Standard path of the dynamic linker."), + ("macho.File", 11, "Execution entry point offset or address."), + ("macho.File", 12, "Size of the stack allocated by the loader."), + ("macho.File", 13, "Source version metadata string."), + ("macho.File", 14, "Segments nested inside the binary."), + ("macho.File", 15, "External dynamic libraries referenced."), + ("macho.File", 16, "Standard run paths utilized to locate libraries."), + ("macho.File", 17, "App entitlement strings defined within the binary."), + ("macho.File", 18, "Basic symbol table definitions."), + ("macho.File", 19, "Detailed dynamic symbol table definitions."), + ("macho.File", 20, "Dynamic linker information payload."), + ("macho.File", 21, "Linked code signature data representation."), + ("macho.File", 22, "Certificates verifying the code signature."), + ("macho.File", 23, "Standard UUID assigned to the binary."), + ("macho.File", 24, "Standard build version metadata."), + ("macho.File", 25, "Minimum OS requirement specifications."), + ("macho.File", 26, "Exported symbol descriptors."), + ("macho.File", 27, "Imported symbol descriptors."), + ("macho.File", 28, "Linker options passed during binary assembly."), + ("macho.LinkedItData", 1, "File offset pointing to the linked data."), + ("macho.LinkedItData", 2, "Size in bytes of the linked data payload."), + ("macho.Macho", 1, "Magic identifier indicating the file architecture."), + ("macho.Macho", 2, "Target architecture designation."), + ("macho.Macho", 3, "Specific sub-architecture variant."), + ("macho.Macho", 4, "Categorization of the Mach-O executable."), + ("macho.Macho", 5, "Number of load commands 
defined inside the binary."), + ("macho.Macho", 6, "Combined byte size of all load commands."), + ("macho.Macho", 7, "Global bitwise flags characterizing the binary."), + ("macho.Macho", 8, "Reserved padding element."), + ("macho.Macho", 9, "Number of segments parsed."), + ("macho.Macho", 10, "Standard dynamic linker specification path."), + ("macho.Macho", 11, "Execution entry point address."), + ("macho.Macho", 12, "Stack size allocation requested."), + ("macho.Macho", 13, "Build source version metadata string."), + ("macho.Macho", 14, "Standard symbol table block."), + ("macho.Macho", 15, "Detailed dynamic symbol table block."), + ("macho.Macho", 16, "Code signature data payload block."), + ("macho.Macho", 17, "Top-level segments parsed from the binary."), + ("macho.Macho", 18, "Linked external libraries."), + ("macho.Macho", 19, "Dynamic loader metadata information block."), + ("macho.Macho", 20, "Executable run path definition strings."), + ("macho.Macho", 21, "Defined app entitlement descriptor strings."), + ("macho.Macho", 22, "Cryptographic certificates validating the signature."), + ("macho.Macho", 23, "Binary UUID descriptor string."), + ("macho.Macho", 24, "General build version metadata block."), + ("macho.Macho", 25, "Minimum OS version requirements."), + ("macho.Macho", 26, "Standard exported symbol strings."), + ("macho.Macho", 27, "Standard imported symbol strings."), + ("macho.Macho", 28, "Custom options passed directly to the linker."), + ("macho.Macho", 29, "Magic constant identifying the file as a Fat binary."), + ("macho.Macho", 30, "Total count of different architectures embedded in the Fat binary."), + ("macho.Macho", 31, "Individual descriptors for each embedded architecture."), + ("macho.Macho", 32, "Independent Mach-O binaries extracted from the universal Fat payload."), + ("macho.MinVersion", 1, "Target device type (e.g., MACOSX, IPHONEOS)."), + ("macho.MinVersion", 2, "Minimum OS version string required to run the binary."), + 
("macho.MinVersion", 3, "Version string of the SDK used to build the binary."), + ("macho.Nlist", 1, "Index into the string table representing the symbol name."), + ("macho.Nlist", 2, "Symbol type flag designation."), + ("macho.Nlist", 3, "Section index associated with the symbol."), + ("macho.Nlist", 4, "Description attributes of the symbol."), + ("macho.Nlist", 5, "Value or address of the symbol."), + ("macho.Section", 1, "Segment name the section belongs to."), + ("macho.Section", 2, "Individual section designation string."), + ("macho.Section", 3, "Address where the section is mapped in virtual memory."), + ("macho.Section", 4, "Total virtual memory size occupied by the section."), + ("macho.Section", 5, "File offset pointing to the section data."), + ("macho.Section", 6, "Memory alignment constraint of the section."), + ("macho.Section", 7, "File offset to relocation entries."), + ("macho.Section", 8, "Total count of relocation entries."), + ("macho.Section", 9, "Bitwise flags and attributes characterizing the section."), + ("macho.Section", 10, "First reserved padding field."), + ("macho.Section", 11, "Second reserved padding field."), + ("macho.Section", 12, "Third reserved padding field."), + ("macho.Segment", 3, "Text identifier of the segment."), + ("macho.Segment", 4, "Virtual memory address where the segment is mapped."), + ("macho.Segment", 5, "Total size of the mapped segment in virtual memory."), + ("macho.Segment", 6, "File offset pointing to the segment contents on disk."), + ("macho.Segment", 7, "Total physical length of the segment inside the file."), + ("macho.Segment", 8, "Maximum virtual memory protection state applicable."), + ("macho.Segment", 9, "Initial virtual memory protection applied at load time."), + ("macho.Segment", 10, "Number of sections contained inside the segment."), + ("macho.Segment", 11, "Bitwise flags controlling segment properties."), + ("macho.Segment", 12, "Array of sections nested within the segment."), + 
("macho.Symtab", 1, "Physical offset to the start of the symbol table."), + ("macho.Symtab", 2, "Count of total symbols stored."), + ("macho.Symtab", 3, "Physical offset to the string table data."), + ("macho.Symtab", 4, "Size in bytes of the string table."), + ("macho.Symtab", 5, "Individual entries stored in the table."), + ("macho.Symtab", 6, "Descriptive nlist entries for symbols."), + ("pe.Certificate", 1, "Issuer of this individual certificate."), + ("pe.Certificate", 2, "Intended subject of this certificate."), + ("pe.Certificate", 3, "Thumbprint identifying the certificate."), + ("pe.Certificate", 4, "Internal format version of the certificate."), + ("pe.Certificate", 5, "Public key cryptographic algorithm string."), + ("pe.Certificate", 6, "Public key cryptographic algorithm OID."), + ("pe.Certificate", 7, "Unique serial number of the certificate."), + ("pe.Certificate", 8, "Start date of the certificate validity period."), + ("pe.Certificate", 9, "End date of the certificate validity period."), + ("pe.CounterSignature", 1, "True if the countersignature successfully verified."), + ("pe.CounterSignature", 2, "Unix timestamp indicating when the signature was countersigned."), + ("pe.CounterSignature", 3, "Algorithm used to compute the countersignature digest."), + ("pe.CounterSignature", 4, "Certificate chain associated with the countersigning entity."), + ("pe.CounterSignature", 12, "Hash digest of the countersignature payload."), + ("pe.DirEntry", 1, "Relative virtual address of the data directory structure."), + ("pe.DirEntry", 2, "Size in bytes of the data directory structure."), + ("pe.Export", 1, "Name of the exported function."), + ("pe.Export", 2, "Ordinal index of the exported function."), + ("pe.Export", 3, "Relative virtual address (RVA) pointing to the exported function."), + ("pe.Export", 4, "Physical file offset of the exported function."), + ("pe.Export", 5, "Forwarder string, if the export resolves to a function in another library."), + 
("pe.Function", 1, "Name of the imported function."), + ("pe.Function", 2, "Ordinal index of the function."), + ("pe.Function", 3, "Relative virtual address (RVA) or offset pointing to the function import thunk."), + ("pe.Import", 1, "Target library filename (e.g., \"kernel32.dll\")."), + ("pe.Import", 2, "Total count of functions imported from this library."), + ("pe.Import", 3, "Individual functions imported from the library."), + ("pe.KeyValue", 1, "Key identifying the entry."), + ("pe.KeyValue", 2, "String value associated with the key."), + ("pe.Overlay", 1, "File offset marking the start of the appended overlay content."), + ("pe.Overlay", 2, "Total size in bytes of the overlay data."), + ("pe.PE", 1, "True if the file is a valid PE binary."), + ("pe.PE", 2, "Target architecture of the executable (e.g., x86, x64, ARM)."), + ("pe.PE", 3, "Subsystem required to run this binary (e.g., GUI, CUI)."), + ("pe.PE", 4, "Minimum operating system version required to run the binary."), + ("pe.PE", 5, "Minimum subsystem version required to run the binary."), + ("pe.PE", 6, "User-defined version of the binary image."), + ("pe.PE", 7, "Version of the linker used to generate the binary."), + ("pe.PE", 8, "Magic number used to identify the optional header structure."), + ("pe.PE", 9, "Bitwise flags indicating attributes of the file (e.g., executable, DLL)."), + ("pe.PE", 10, "Bitwise flags indicating DLL characteristics (e.g., ASLR, DEP)."), + ("pe.PE", 11, "Creation timestamp of the image, stored as a Unix epoch time."), + ("pe.PE", 12, "Preferred load address of the image when placed in memory."), + ("pe.PE", 13, "Checksum of the image file."), + ("pe.PE", 14, "Relative virtual address (RVA) of the beginning of the code section."), + ("pe.PE", 15, "Relative virtual address (RVA) of the beginning of the data section."), ("pe.PE", 16, "Entry point as a file offset."), ("pe.PE", 17, "Entry point as it appears in the PE header (RVA)."), - ("pe.Section", 1, "The section's name 
as listed in the section table. The data type is `bytes` + ("pe.PE", 18, "Filename of the dynamic-link library, if the image is a DLL."), + ("pe.PE", 19, "Export table timestamp, stored as a Unix epoch time."), + ("pe.PE", 20, "Alignment factor used for sections loaded in memory (usually 4096 bytes)."), + ("pe.PE", 21, "Alignment factor used for raw section data on disk (usually 512 bytes)."), + ("pe.PE", 22, "Flags used by obsolete loaders."), + ("pe.PE", 23, "Size of the optional header structure in bytes."), + ("pe.PE", 24, "Total size of all sections containing executable code."), + ("pe.PE", 25, "Total size of all sections containing initialized data."), + ("pe.PE", 26, "Total size of all sections containing uninitialized data (BSS)."), + ("pe.PE", 27, "Overall size of the image loaded in memory, including all headers."), + ("pe.PE", 28, "Combined size of all headers up to the first section."), + ("pe.PE", 29, "Total amount of virtual memory reserved for the stack."), + ("pe.PE", 30, "Initial amount of physical memory committed for the stack."), + ("pe.PE", 31, "Total amount of virtual memory reserved for the default heap."), + ("pe.PE", 32, "Initial amount of physical memory committed for the default heap."), + ("pe.PE", 33, "File offset pointing to the COFF symbol table."), + ("pe.PE", 34, "Reserved field, must be set to zero."), + ("pe.PE", 35, "Number of entries found in the COFF symbol table."), + ("pe.PE", 36, "Number of entries present in the data directories array."), + ("pe.PE", 37, "Number of sections in the PE file."), + ("pe.PE", 38, "Number of imported functions across all imported libraries."), + ("pe.PE", 39, "Number of delayed imported functions across all delayed libraries."), + ("pe.PE", 40, "Number of resources contained within the file."), + ("pe.PE", 41, "Number of string-value pairs within the version info resource."), + ("pe.PE", 42, "Number of imported libraries."), + ("pe.PE", 43, "Number of delayed imported libraries."), + ("pe.PE", 
44, "Number of exported symbols."), + ("pe.PE", 45, "Number of digital signatures found in the file."), + ("pe.PE", 46, "Map representation of file version information attributes."), + ("pe.PE", 47, "List containing version information attributes as key-value elements."), + ("pe.PE", 48, "Rich header signature containing toolchain usage information."), + ("pe.PE", 49, "File path referencing the associated PDB symbol file."), + ("pe.PE", 50, "Collection of sections making up the binary."), + ("pe.PE", 51, "Standard data directories array (e.g., Imports, Exports, Resources)."), + ("pe.PE", 52, "Unix epoch timestamp of the resource directory."), + ("pe.PE", 53, "Version structure for the resource directory."), + ("pe.PE", 54, "Individual resources defined within the binary."), + ("pe.PE", 55, "Standard library and function import descriptions."), + ("pe.PE", 56, "Delayed library and function import descriptions."), + ("pe.PE", 57, "Exported functions and symbol descriptions."), + ("pe.PE", 58, "True if the executable contains a recognized digital signature."), + ("pe.PE", 59, "Set of digital signatures extracted from the file."), + ("pe.PE", 60, "Information regarding trailing data not mapped by sections."), + ("pe.Resource", 1, "Size of the resource content in bytes."), + ("pe.Resource", 2, "Relative virtual address (RVA) of the resource data."), + ("pe.Resource", 3, "File offset pointing to the resource data."), + ("pe.Resource", 4, "Standard resource type classification (e.g., ICON, VERSION)."), + ("pe.Resource", 5, "Unique numeric identifier of the resource."), + ("pe.Resource", 6, "Language code assigned to the resource."), + ("pe.Resource", 7, "Text representation of the resource type for custom classifications."), + ("pe.Resource", 8, "Text representation of the resource name."), + ("pe.Resource", 9, "Text representation of the resource language."), + ("pe.RichSignature", 1, "Relative file offset marking the start of the Rich signature."), + 
("pe.RichSignature", 2, "Total length in bytes of the Rich signature block."), + ("pe.RichSignature", 3, "Numerical XOR key utilized to decrypt the Rich signature."), + ("pe.RichSignature", 4, "Obfuscated binary bytes of the Rich signature."), + ("pe.RichSignature", 5, "Cleartext decrypted bytes of the Rich signature."), + ("pe.RichSignature", 6, "Individual tools and build utilities referenced in the signature."), + ("pe.RichTool", 1, "Identifier corresponding to the compilation tool."), + ("pe.RichTool", 2, "Internal version of the tool."), + ("pe.RichTool", 3, "Number of times the tool was invoked to build objects in the final binary."), + ("pe.Section", 1, "Section name as listed in the section table. The data type is `bytes` instead of `string` so that it can accommodate invalid UTF-8 content. The length is 8 bytes at most."), ("pe.Section", 2, "For section names longer than 8 bytes, the name in the section table (and 
@@ -50,8 +466,40 @@ pub const FIELD_DOCS: &[(&str, u64, &str)] = &[ field. See: https://learn.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-image_section_header#members"), - ("pe.Version", 1, "Major version."), - ("pe.Version", 2, "Minor version."), + ("pe.Section", 3, "Characteristics and access attributes of the section."), + ("pe.Section", 4, "Physical size of the section stored on disk."), + ("pe.Section", 5, "File offset to the section data on disk."), + ("pe.Section", 6, "Virtual address of the section loaded in memory, relative to the image base."), + ("pe.Section", 7, "Total virtual size occupied by the section in memory."), + ("pe.Section", 8, "File pointer referencing the section's relocation entries."), + ("pe.Section", 9, "File pointer referencing the section's line-number entries."), + ("pe.Section", 10, "Total count of relocation records for the section."), + ("pe.Section", 11, "Total count of line-number records for the section."), + ("pe.Signature", 1, "Subject name specified in the certificate."), + ("pe.Signature", 2, "Issuer name specified in the certificate."), + ("pe.Signature", 3, "Unique thumbprint value of the certificate."), + ("pe.Signature", 4, "Internal version format of the digital signature."), + ("pe.Signature", 5, "Public key algorithm identifier string."), + ("pe.Signature", 6, "OID value representing the public key algorithm."), + ("pe.Signature", 7, "Serial number of the certificate."), + ("pe.Signature", 8, "Unix timestamp representing the start of the validity window."), + ("pe.Signature", 9, "Unix timestamp representing the end of the validity window."), + ("pe.Signature", 10, "True if the cryptographic verification of the signature succeeded."), + ("pe.Signature", 11, "Digest algorithm utilized in the signature process."), + ("pe.Signature", 12, "Content digest generated by the signer."), + ("pe.Signature", 13, "Digest computed directly from the binary payload."), + ("pe.Signature", 14, "Number of certificates embedded 
in the signature chain."), + ("pe.Signature", 15, "Number of countersignatures associated with this signature."), + ("pe.Signature", 16, "Details regarding the primary signer entity."), + ("pe.Signature", 17, "Certificates making up the signing chain."), + ("pe.Signature", 18, "Countersignatures validating the time and source of the primary signature."), + ("pe.SignerInfo", 1, "Program description extracted from the SpcSpOpusInfo block."), + ("pe.SignerInfo", 2, "URL containing supplemental details about the software."), + ("pe.SignerInfo", 3, "Hash digest calculated by the primary signer."), + ("pe.SignerInfo", 4, "Algorithm used to generate the signer digest."), + ("pe.SignerInfo", 5, "Certificate chain validating the signer."), + ("pe.Version", 1, "Major version number."), + ("pe.Version", 2, "Minor version number."), ("test_proto2.TestProto2", 350, "This field will be visible in YARA as `bool_yara` instead of `bool_proto`."), ("test_proto2.TestProto2", 351, "This field won't be visible to YARA."), ("test_proto2.TestProto2", 500, "This field is accessible only if the features \"foo\" (or \"FOO\") and \"bar\" diff --git a/lib/src/modules/protos/crx.proto b/lib/src/modules/protos/crx.proto index 6fad54947..13283d82c 100644 --- a/lib/src/modules/protos/crx.proto +++ b/lib/src/modules/protos/crx.proto 
@@ -11,62 +11,66 @@ option (yara.module_options) = { }; message Crx { + // True if the file is a valid Chrome Extension (CRX) package. optional bool is_crx = 1; + // Format version of the CRX package. optional uint32 crx_version = 2; + // Size in bytes of the binary CRX header. optional uint32 header_size = 3; + // Standard 32-character extension ID string. optional string id = 4; + // Extension version string extracted from the manifest. optional string version = 16; + // Processed extension name extracted from the manifest. optional string name = 5; + // Processed extension description extracted from the manifest. optional string description = 6; + // Raw unparsed extension name extracted from the manifest. optional string raw_name = 7; + // Raw unparsed extension description extracted from the manifest. optional string raw_description = 8; + // Minimum Chrome version requirement string from the manifest. optional string minimum_chrome_version = 9; + // Homepage URL string defined inside the manifest. optional string homepage_url = 10; + // Required runtime permissions defined inside the manifest. repeated string permissions = 11; + // Required host access permissions defined inside the manifest. repeated string host_permissions = 12; + // Optional runtime permissions defined inside the manifest. repeated string optional_permissions = 13; + // Optional host access permissions defined inside the manifest. repeated string optional_host_permissions = 14; + // Cryptographic signatures validating the package. repeated CrxSignature signatures = 15; } message CrxSignature { + // Public key or identifier string used in the signature. required string key = 1; + // True if the cryptographic signature successfully verified. required bool verified = 2; } message CrxFileHeader { - // PSS signature with RSA public key. The public key is formatted as a - // X.509 SubjectPublicKeyInfo block, as in CRX₂. 
In the common case of a - // developer key proof, the first 128 bits of the SHA-256 hash of the - // public key must equal the crx_id. + // PSS signature with RSA public key. repeated AsymmetricKeyProof sha256_with_rsa = 2; - // ECDSA signature, using the NIST P-256 curve. Public key appears in - // named-curve format. - // The pinned algorithm will be this, at least on 2017-01-01. + // ECDSA signature using the NIST P-256 curve. repeated AsymmetricKeyProof sha256_with_ecdsa = 3; - // The binary form of a SignedData message. We do not use a nested - // SignedData message, as handlers of this message must verify the proofs - // on exactly these bytes, so it is convenient to parse in two steps. - // - // All proofs in this CrxFile message are on the value - // "CRX3 SignedData\x00" + signed_header_size + signed_header_data + - // archive, where "\x00" indicates an octet with value 0, "CRX3 SignedData" - // is encoded using UTF-8, signed_header_size is the size in octets of the - // contents of this field and is encoded using 4 octets in little-endian - // order, signed_header_data is exactly the content of this field, and - // archive is the remaining contents of the file following the header. + // Binary form of the SignedData message payload. optional bytes signed_header_data = 10000; } message AsymmetricKeyProof { + // Raw bytes representation of the public key. optional bytes public_key = 1; + // Cryptographic signature bytes validating the payload. optional bytes signature = 2; } message SignedData { - // This is simple binary, not UTF-8 encoded mpdecimal; i.e. it is exactly - // 16 bytes long. + // Raw binary 16-byte extension identifier. optional bytes crx_id = 1; } diff --git a/lib/src/modules/protos/dex.proto b/lib/src/modules/protos/dex.proto index 8e6f6d1f2..9738e60ee 100644 --- a/lib/src/modules/protos/dex.proto +++ b/lib/src/modules/protos/dex.proto 
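Review bot: The new one-line comments on `sha256_with_rsa` and `signed_header_data` in `CrxFileHeader` drop the verification contract the replaced text carried — which bytes the proofs are computed over, and the developer-key-proof requirement that the first 128 bits of SHA-256 of the public key equal `crx_id` — and that is exactly what an implementer or reviewer of `CrxSignature.verified` needs to check against. Suggest keeping a condensed form: on `sha256_with_rsa`, `// PSS signature with RSA public key (X.509 SubjectPublicKeyInfo). For a developer key proof, the first 128 bits of SHA-256(public_key) must equal crx_id.`; on `signed_header_data`, `// Binary SignedData message. All proofs cover "CRX3 SignedData\x00" + signed_header_size (4-byte little-endian) + signed_header_data + archive.`. The ECDSA comment likewise loses the note that the public key appears in named-curve format, which matters when parsing it. `CrxSignature.key` is described as `Public key or identifier string`, which leaves unclear which of the two the field holds; if it is a derived identifier rather than the key bytes, the comment should say so.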
@@ -11,70 +11,111 @@ option (yara.module_options) = { }; message Dex { + // True if the file is a valid Dalvik Executable (DEX). optional bool is_dex = 1; + // Standard header items parsed from the binary. optional DexHeader header = 2; + // Array of strings extracted from the string pool. repeated string strings = 3; + // Data types explicitly defined in the type pool. repeated string types = 4; + // Function prototypes structured from the prototype pool. repeated ProtoItem protos = 5; + // Distinct class fields extracted from the field list. repeated FieldItem fields = 6; + // Specific subroutines and methods defined. repeated MethodItem methods = 7; + // Structured class definition objects. repeated ClassItem class_defs = 8; + // Mapping metadata table listing item offsets and sizes. optional MapList map_list = 9; } // See: https://source.android.com/docs/core/runtime/dex-format#header-item message DexHeader { + // Magic identifier characterizing the file type. optional uint32 magic = 1 [(yara.field_options).fmt = "x"]; - // DEX version (35, 36, 37, ...) + // Format version designation (e.g., 35, 36, 37). optional uint32 version = 2; + // Standard Adler32 checksum of the remainder of the file. optional uint32 checksum = 3 [(yara.field_options).fmt = "x"]; + // Cryptographic SHA-1 signature of the remaining file contents. optional string signature = 4; + // Physical size in bytes of the complete file. optional uint32 file_size = 5; + // Combined size in bytes of the binary header block. optional uint32 header_size = 6 [(yara.field_options).fmt = "x"]; + // Byte ordering identifier constant. optional uint32 endian_tag = 7 [(yara.field_options).fmt = "x"]; + // Physical size of the link section. optional uint32 link_size = 8; + // Offset pointing to the link section data. optional uint32 link_off = 9 [(yara.field_options).fmt = "x"]; + // Size in bytes of the main data section. optional uint32 data_size = 23; + // File offset pointing to the main data block. 
optional uint32 data_off = 24 [(yara.field_options).fmt = "x"]; + // Combined size constraint allocated for the container. optional uint32 container_size = 25; + // File offset marking the beginning of the primary header. optional uint32 header_offset = 26 [(yara.field_options).fmt = "x"]; } message ProtoItem { + // Short-form signature representing the return and argument types. optional string shorty = 1; + // Standard data type descriptor of the return value. optional string return_type = 2; + // Total count of arguments accepted by the prototype. optional uint32 parameters_count = 3; + // Data type descriptions corresponding to each argument. repeated string parameters = 4; } message FieldItem { + // Name of the parent class defining the field. optional string class = 1; + // Specific data type categorization of the field. optional string type = 2; + // Descriptive string identifier assigned to the field. optional string name = 3; } message MethodItem { + // Parent class descriptor string containing the method. optional string class = 1; + // Signature prototype defining the function arguments and return value. optional ProtoItem proto = 2; + // Individual function name assigned to the method. optional string name = 3; } message ClassItem { + // Core descriptor representing the class type. optional string class = 1; + // Bitwise flags specifying accessibility constraints and attributes. optional uint32 access_flags = 2 [(yara.field_options).fmt = "flags:AccessFlag"]; + // Superclass descriptor inherited by this object. optional string superclass = 3; + // Source code file name metadata string. optional string source_file = 4; } message MapList { + // Number of specific map item elements tracked. optional uint32 size = 1; + // Structured mapping descriptors detailing item positions. repeated MapItem items = 2; } message MapItem { + // Standard item classification type code. optional TypeCode type = 1; + // Reserved unused padding field. 
optional uint32 unused = 2; + // Total count of individual items in this section. optional uint32 size = 3; + // File offset marking the start of the designated items. optional uint32 offset = 4 [(yara.field_options).fmt = "x"]; } diff --git a/lib/src/modules/protos/dotnet.proto b/lib/src/modules/protos/dotnet.proto index 063c5b2da..8b78d7afe 100644 --- a/lib/src/modules/protos/dotnet.proto +++ b/lib/src/modules/protos/dotnet.proto 
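Review bot: The new comment on `DexHeader.signature`, `// Cryptographic SHA-1 signature of the remaining file contents.`, describes an unkeyed digest as a signature; a rule author could read that as an authenticity guarantee, when, like `checksum`, it only detects accidental corruption and anyone rewriting the file can recompute it. Suggest `// SHA-1 digest of the rest of the file (called "signature" in the DEX format); an integrity check, not an authenticated signature.`. In the same message, `header_size` is documented as `Combined size in bytes of the binary header block` and `container_size` as `Combined size constraint allocated for the container`; "combined" adds nothing in either and `Size in bytes of the header` / `Size in bytes of the container` would read more plainly.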
@@ -12,168 +12,234 @@ option (yara.module_options) = { }; message Dotnet { + // True if the file is a valid .NET framework executable. optional bool is_dotnet = 1; + // Module name designation extracted from the assembly. optional string module_name = 2; + // Version string of the embedded module. optional string version = 3; + // Total count of embedded streams inside the file. optional uint64 number_of_streams = 4 [(yara.field_options).deprecation_notice = { text: "this field is deprecated", help: "use `dotnet.streams.len()` instead", replacement: "streams.len()" }]; + // Count of unique GUIDs defined within the module. optional uint64 number_of_guids = 5 [(yara.field_options).deprecation_notice = { text: "this field is deprecated", help: "use `dotnet.guids.len()` instead", replacement: "guids.len()" }]; + // Total number of individual resources embedded. optional uint64 number_of_resources = 6 [(yara.field_options).deprecation_notice = { text: "this field is deprecated", help: "use `dotnet.resources.len()` instead", replacement: "resources.len()" }]; + // Count of generic parameters defined inside the assembly. optional uint64 number_of_generic_parameters = 7; + // Total count of classes extracted from the executable. optional uint64 number_of_classes = 10 [(yara.field_options).deprecation_notice = { text: "this field is deprecated", help: "use `dotnet.classes.len()` instead", replacement: "classes.len()" }]; + // Number of external assembly references declared. optional uint64 number_of_assembly_refs = 11 [(yara.field_options).deprecation_notice = { text: "this field is deprecated", help: "use `dotnet.assembly_refs.len()` instead", replacement: "assembly_refs.len()" }]; + // Number of external module references defined. 
optional uint64 number_of_modulerefs = 12 [(yara.field_options).deprecation_notice = { text: "this field is deprecated", help: "use `dotnet.modulerefs.len()` instead", replacement: "modulerefs.len()" }]; + // Count of strings defined inside the user string heap. optional uint64 number_of_user_strings = 13 [(yara.field_options).deprecation_notice = { text: "this field is deprecated", help: "use `dotnet.user_strings.len()` instead", replacement: "user_strings.len()" }]; + // Number of constant elements stored inside the assembly. optional uint64 number_of_constants = 14 [(yara.field_options).deprecation_notice = { text: "this field is deprecated", help: "use `dotnet.constants.len()` instead", replacement: "constants.len()" }]; + // Total count of structured field offsets available. optional uint64 number_of_field_offsets = 15 [(yara.field_options).deprecation_notice = { text: "this field is deprecated", help: "use `dotnet.field_offsets.len()` instead", replacement: "field_offsets.len()" }]; + // Core type library representation identifier string. optional string typelib = 16; + // Individual streams mapped from the metadata root. repeated Stream streams = 17; + // Distinct GUID values associated with the executable. repeated string guids = 18; + // Internal constants extracted from the binary. repeated bytes constants = 19; + // Structured metadata describing the primary assembly. optional Assembly assembly = 20; + // External assembly elements referenced by the program. repeated AssemblyRef assembly_refs = 21; + // Specific resources stored directly inside the module. repeated Resource resources = 22; + // Defined classes and types structured from the program. repeated Class classes = 23; + // Relative offsets describing specific fields. repeated uint32 field_offsets = 24; + // String definitions extracted from the user string pool. repeated bytes user_strings = 25; + // Descriptive names of external modules imported. 
repeated string modulerefs = 26; } message Assembly { + // Name of the active assembly. optional string name = 1; + // Standard culture setting applicable to the assembly. optional string culture = 2; + // Version descriptor assigned to the assembly. required Version version = 3; } message AssemblyRef { + // Identifier string representing the external assembly. optional string name = 1; + // Cryptographic key or access token assigned to the assembly. optional bytes public_key_or_token = 2; + // Standard version requirement for the referenced assembly. required Version version = 3; } message Stream { + // Descriptive name of the metadata stream. optional string name = 1; + // Address or file offset marking the beginning of the stream. required uint32 offset = 2 [(yara.field_options).fmt = "x"]; + // Exact size of the stream inside the binary. required uint32 size = 3 [(yara.field_options).fmt = "x"]; } message Version { + // Major format specification number. required uint32 major = 1; + // Minor format specification number. required uint32 minor = 2; + // Designated build assignment number. required uint32 build_number = 3; + // Internal code revision tracking number. required uint32 revision_number = 4; } message Resource { + // File offset marking the start of the resource data. optional uint32 offset = 1 [(yara.field_options).fmt = "x"]; + // Physical length of the resource inside the binary. optional uint32 length = 2 [(yara.field_options).fmt = "x"]; + // Descriptive name string of the stored resource. optional string name = 3; } message Class { + // Full namespace and class name descriptor. optional string fullname = 1; + // Individual class designation name string. optional string name = 2; + // Target namespace string containing the class. optional string namespace = 3; + // Access visibility modifier applied to the class. optional string visibility = 4; + // Categorization of the class type. 
optional string type = 5; + // True if the class is marked as abstract. required bool abstract = 6; + // True if the class is marked as sealed. required bool sealed = 7; + // Count of inherited base types declared by the class. required uint64 number_of_base_types = 8 [(yara.field_options).deprecation_notice = { text: "this field is deprecated", help: "use `base_types.len()` instead", replacement: "base_types.len()" }]; + // Total count of generic parameters specified. required uint64 number_of_generic_parameters = 9 [(yara.field_options).deprecation_notice = { text: "this field is deprecated", help: "use `generic_parameters.len()` instead", replacement: "generic_parameters.len()" }]; + // Number of methods explicitly defined inside the class. required uint64 number_of_methods = 10 [(yara.field_options).deprecation_notice = { text: "this field is deprecated", help: "use `methods.len()` instead", replacement: "methods.len()" }]; + // Distinct base types inherited by this class. repeated string base_types = 11; + // Defined generic parameters applicable to the class. repeated string generic_parameters = 12; + // Methods and subroutines implemented within the class. repeated Method methods = 13; } message Method { + // Individual function name string. optional string name = 1; + // Access visibility scope applied to the method. optional string visibility = 2; + // True if the function is an abstract definition. required bool abstract = 3; + // True if the function is marked as static. required bool static = 4; + // True if the function acts as a virtual method. required bool virtual = 5; + // True if the function is restricted as final. required bool final = 6; + // Standard return type specification string. optional string return_type = 7; + // Count of generic parameters explicitly defined for the method. 
required uint64 number_of_generic_parameters = 8 [(yara.field_options).deprecation_notice = { text: "this field is deprecated", help: "use `generic_parameters.len()` instead", replacement: "generic_parameters.len()" }]; + // Number of individual parameters passed to the method. required uint64 number_of_parameters = 9 [(yara.field_options).deprecation_notice = { text: "this field is deprecated", help: "use `parameters.len()` instead", replacement: "parameters.len()" }]; + // Distinct generic parameters linked to the method. repeated string generic_parameters = 10; + // Detailed argument definitions accepted by the function. repeated Param parameters = 11; } message Param { + // Target parameter identifier name string. required string name = 1; + // Designated parameter type string. optional string type = 2; } diff --git a/lib/src/modules/protos/elf.proto b/lib/src/modules/protos/elf.proto index 136e90f68..1847beb74 100644 --- a/lib/src/modules/protos/elf.proto +++ b/lib/src/modules/protos/elf.proto 
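Review bot: `AssemblyRef.public_key_or_token` is documented as `Cryptographic key or access token assigned to the assembly`, but the field does not hold an access token in the authorization sense; the ECMA-335 AssemblyRef row carries either the referenced assembly's full public key or its public key token, a hash-derived short form of that key. Suggest `// Full public key of the referenced assembly, or its public key token (a hash-derived abbreviation of the key).`. The `Version` message comments (`Major format specification number`, `Minor format specification number`) describe a format version, while the message is used in this hunk as `Assembly.version` and `AssemblyRef.version`, i.e. the assembly version; `// Major component of the assembly version.` and the matching minor/build/revision wording would match that use.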
@@ -11,36 +11,54 @@ option (yara.module_options) = { }; message ELF { + // Type of the ELF file (e.g., executable, shared object). optional Type type = 1; + // Architecture of the machine for which the binary is compiled. optional Machine machine = 2; + // Operating system and ABI designation of the file. optional OsAbi osabi = 18; + // Entry point address of the executable. optional uint64 entry_point = 3; + // File offset pointing to the section header table. optional uint64 sh_offset = 4; + // Size in bytes of a single section header entry. optional uint32 sh_entry_size = 5; + // File offset pointing to the program header table. optional uint64 ph_offset = 6; + // Size in bytes of a single program header entry. optional uint32 ph_entry_size = 7; + // Number of section header entries in the table. optional uint64 number_of_sections = 8 [(yara.field_options).deprecation_notice = { text: "this field is deprecated", help: "use `elf.sections.len()` instead", replacement: "sections.len()" }]; + // Number of program header entries in the table. optional uint64 number_of_segments = 9 [(yara.field_options).deprecation_notice = { text: "this field is deprecated", help: "use `elf.segments.len()` instead", replacement: "segments.len()" }]; + // Count of symbols stored in the static symbol table. optional uint64 symtab_entries = 10; + // Count of symbols stored in the dynamic symbol table. optional uint64 dynsym_entries = 11; + // Count of entries present in the dynamic linking section. optional uint64 dynamic_section_entries = 12; + // Array of sections described by the section header table. repeated Section sections = 13; + // Array of segments described by the program header table. repeated Segment segments = 14; + // Static symbols extracted from the file. repeated Sym symtab = 15; + // Dynamic symbols extracted from the file. repeated Sym dynsym = 16; + // Entries extracted from the dynamic linking structure. repeated Dyn dynamic = 17; } 
@@ -101,11 +119,17 @@ enum OsAbi { } message Section { + // Section type classification (e.g., PROGBITS, SYMTAB). required SectionType type = 1; + // Section attributes represented as bitwise flags. required uint64 flags = 2; + // Virtual address where the section resides in memory. required uint64 address = 3; + // Size in bytes of the section data. required uint64 size = 4; + // Physical file offset pointing to the section contents. required uint64 offset = 5; + // Name of the section as a string. optional string name = 6; } @@ -128,13 +152,21 @@ enum SectionType { } message Segment { + // Classification of the program segment (e.g., LOAD, DYNAMIC). required SegmentType type = 1; + // Access permissions and flags of the segment. required uint32 flags = 2 [(yara.field_options).fmt = "flags:SegmentFlags"]; + // Physical file offset pointing to the beginning of the segment. required uint64 offset = 3; + // Virtual address where the segment is loaded in memory. required uint64 virtual_address = 4; + // Physical address of the segment, used on systems without virtual memory. required uint64 physical_address = 5; + // Size of the segment inside the file. required uint64 file_size = 6; + // Size of the segment when mapped into memory. required uint64 memory_size = 7; + // Required alignment boundary of the segment in memory and on disk. required uint64 alignment = 8; } 
@@ -162,12 +194,19 @@ enum SegmentFlags { } message Sym { + // Name of the symbol as a string. optional string name = 1; + // Value associated with the symbol (typically an address or offset). required uint64 value = 2; + // Size in bytes of the object referenced by the symbol. required uint64 size = 3; + // Symbol type classification (e.g., FUNC, OBJECT). required SymType type = 4; + // Binding attributes of the symbol (e.g., GLOBAL, LOCAL). required SymBind bind = 5; + // Index of the section associated with this symbol. required uint32 shndx = 6; + // Visibility scope of the symbol (e.g., DEFAULT, HIDDEN). required SymVisibility visibility = 7; } @@ -198,7 +237,9 @@ enum SymVisibility { } message Dyn { + // Classification type of the dynamic entry (e.g., NEEDED, STRTAB). optional DynType type = 1; + // Value or address associated with the dynamic entry. optional uint64 val = 2; } diff --git a/lib/src/modules/protos/macho.proto b/lib/src/modules/protos/macho.proto index 95222011b..d7b56a4f6 100644 --- a/lib/src/modules/protos/macho.proto +++ b/lib/src/modules/protos/macho.proto 
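Review bot: The new comment on `Sym.shndx`, `// Index of the section associated with this symbol.`, omits that the value is not always a plain index: 0 (`SHN_UNDEF`) marks a symbol that is undefined in this file and resolved from elsewhere, which is the distinction rules that look at imported symbols key on. Suggest `// Index of the section the symbol is defined in; 0 (SHN_UNDEF) means the symbol is undefined in this file, and other reserved values (e.g. SHN_ABS) carry special meaning.`.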
@@ -11,212 +11,353 @@ option (yara.module_options) = { }; message MinVersion { + // Target device type (e.g., MACOSX, IPHONEOS). optional DeviceType device = 1; + // Minimum OS version string required to run the binary. optional string version = 2; + // Version string of the SDK used to build the binary. optional string sdk = 3; } message BuildVersion { + // Target platform designation. optional uint32 platform = 1; + // Minimum OS version required as a string. optional string minos = 2; + // Version string of the SDK utilized. optional string sdk = 3; + // Number of build tools embedded. optional uint32 ntools = 4; + // Information regarding individual tools utilized in the build. repeated BuildTool tools = 5; } message BuildTool { + // Identifier representing the tool utilized. optional uint32 tool = 1; + // Version string corresponding to the tool. optional string version = 2; } message LinkedItData { + // File offset pointing to the linked data. optional uint32 dataoff = 1; + // Size in bytes of the linked data payload. optional uint32 datasize = 2; } message Certificate { + // Name of the issuer of the certificate. required string issuer = 1; + // Subject designation of the certificate. required string subject = 2; + // True if the certificate is self-signed. required bool is_self_signed = 3; } message Dylib { + // Library name string. required bytes name = 1; + // Build timestamp of the dynamic library. required uint32 timestamp = 2 [(yara.field_options).fmt = "t"]; + // Compatibility version requirement string. required string compatibility_version = 3; + // Current version designation string. required string current_version = 4; } message DyldInfo { + // File offset to the rebase information. optional uint32 rebase_off = 1; + // Size in bytes of the rebase payload. optional uint32 rebase_size = 2; + // File offset to the primary binding info. optional uint32 bind_off = 3; + // Size of the binding data in bytes. 
optional uint32 bind_size = 4; + // File offset to weak binding definitions. optional uint32 weak_bind_off = 5; + // Size of weak binding definitions. optional uint32 weak_bind_size = 6; + // File offset to lazy binding definitions. optional uint32 lazy_bind_off = 7; + // Size of lazy binding definitions. optional uint32 lazy_bind_size = 8; + // File offset to exported symbols and data. optional uint32 export_off = 9; + // Size of the export payload. optional uint32 export_size = 10; } message Nlist { + // Index into the string table representing the symbol name. optional uint32 n_strx = 1; + // Symbol type flag designation. optional uint32 n_type = 2; + // Section index associated with the symbol. optional uint32 n_sect = 3; + // Description attributes of the symbol. optional uint32 n_desc = 4; + // Value or address of the symbol. optional uint64 n_value = 5; } message Symtab { + // Physical offset to the start of the symbol table. optional uint32 symoff = 1; + // Count of total symbols stored. optional uint32 nsyms = 2; + // Physical offset to the string table data. optional uint32 stroff = 3; + // Size in bytes of the string table. optional uint32 strsize = 4; + // Individual entries stored in the table. repeated bytes entries = 5; + // Descriptive nlist entries for symbols. repeated Nlist nlists = 6; } message Dysymtab { + // Index of the first local symbol. optional uint32 ilocalsym = 3; + // Total number of local symbols. optional uint32 nlocalsym = 4; + // Index of the first externally defined symbol. optional uint32 iextdefsym = 5; + // Total count of externally defined symbols. optional uint32 nextdefsym = 6; + // Index of the first undefined symbol. optional uint32 iundefsym = 7; + // Total count of undefined symbols. optional uint32 nundefsym = 8; + // Physical file offset to the table of contents. optional uint32 tocoff = 9; + // Total entries within the table of contents. optional uint32 ntoc = 10; + // Physical offset to the module table. 
optional uint32 modtaboff = 11; + // Total module entries in the module table. optional uint32 nmodtab = 12; + // File offset to external reference symbol entries. optional uint32 extrefsymoff = 13; + // Total entries for external reference symbols. optional uint32 nextrefsyms = 14; + // File offset to indirect symbol entries. optional uint32 indirectsymoff = 15; + // Count of indirect symbol elements. optional uint32 nindirectsyms = 16; + // File offset to external relocation entries. optional uint32 extreloff = 17; + // Count of external relocation records. optional uint32 nextrel = 18; + // File offset to local relocation elements. optional uint32 locreloff = 19; + // Total count of local relocation entries. optional uint32 nlocrel = 20; } message Section { + // Segment name the section belongs to. optional bytes segname = 1; + // Individual section designation string. optional bytes sectname = 2; + // Address where the section is mapped in virtual memory. optional uint64 addr = 3 [(yara.field_options).fmt = "x"]; + // Total virtual memory size occupied by the section. optional uint64 size = 4 [(yara.field_options).fmt = "x"]; + // File offset pointing to the section data. optional uint32 offset = 5; + // Memory alignment constraint of the section. optional uint32 align = 6; + // File offset to relocation entries. optional uint32 reloff = 7; + // Total count of relocation entries. optional uint32 nreloc = 8; + // Bitwise flags and attributes characterizing the section. optional uint32 flags = 9 [(yara.field_options).fmt = "x"]; + // First reserved padding field. optional uint32 reserved1 = 10; + // Second reserved padding field. optional uint32 reserved2 = 11; + // Third reserved padding field. optional uint32 reserved3 = 12; } message Segment { + // Text identifier of the segment. optional bytes segname = 3; + // Virtual memory address where the segment is mapped. 
optional uint64 vmaddr = 4 [(yara.field_options).fmt = "x"]; + // Total size of the mapped segment in virtual memory. optional uint64 vmsize = 5 [(yara.field_options).fmt = "x"]; + // File offset pointing to the segment contents on disk. optional uint64 fileoff = 6; + // Total physical length of the segment inside the file. optional uint64 filesize = 7; + // Maximum virtual memory protection state applicable. optional uint32 maxprot = 8 [(yara.field_options).fmt = "x"]; + // Initial virtual memory protection applied at load time. optional uint32 initprot = 9 [(yara.field_options).fmt = "x"]; + // Number of sections contained inside the segment. optional uint32 nsects = 10; + // Bitwise flags controlling segment properties. optional uint32 flags = 11 [(yara.field_options).fmt = "flags:SegmentFlag"]; + // Array of sections nested within the segment. repeated Section sections = 12; } message FatArch { + // Target architecture designation of the embedded binary. optional uint32 cputype = 1 [(yara.field_options).fmt = "x"]; + // Sub-architecture designation. optional uint32 cpusubtype = 2 [(yara.field_options).fmt = "x"]; + // File offset referencing the start of the embedded binary. optional uint64 offset = 3; + // Size in bytes of the embedded binary payload. optional uint64 size = 4; + // Required byte alignment of the binary payload. optional uint32 align = 5; + // Reserved internal field. optional uint32 reserved = 6; } message File { + // Magic identifier indicating the file architecture. optional uint32 magic = 1 [(yara.field_options).fmt = "x"]; + // Primary architecture designation of the embedded binary. optional uint32 cputype = 2 [(yara.field_options).fmt = "x"]; + // Specific sub-architecture variant. optional uint32 cpusubtype = 3 [(yara.field_options).fmt = "x"]; + // Binary file type categorization. optional uint32 filetype = 4; + // Total count of load commands embedded inside the header. 
optional uint32 ncmds = 5; + // Combined byte size of all load commands. optional uint32 sizeofcmds = 6; + // Bitwise flags characterizing the binary. optional uint32 flags = 7 [(yara.field_options).fmt = "flags:FileFlag"]; + // Internal reserved field. optional uint32 reserved = 8; + // Number of segments parsed from the binary. optional uint64 number_of_segments = 9 [(yara.field_options).deprecation_notice = { text: "this field is deprecated", help: "use `segments.len()` instead", replacement: "segments.len()" }]; + // Standard path of the dynamic linker. optional bytes dynamic_linker = 10; + // Execution entry point offset or address. optional uint64 entry_point = 11; + // Size of the stack allocated by the loader. optional uint64 stack_size = 12; + // Source version metadata string. optional string source_version = 13; + // Segments nested inside the binary. repeated Segment segments = 14; + // External dynamic libraries referenced. repeated Dylib dylibs = 15; + // Standard run paths utilized to locate libraries. repeated bytes rpaths = 16; + // App entitlement strings defined within the binary. repeated string entitlements = 17; + // Basic symbol table definitions. optional Symtab symtab = 18; + // Detailed dynamic symbol table definitions. optional Dysymtab dysymtab = 19; + // Dynamic linker information payload. optional DyldInfo dyld_info = 20; + // Linked code signature data representation. optional LinkedItData code_signature_data = 21; + // Certificates verifying the code signature. repeated Certificate certificates = 22; + // Standard UUID assigned to the binary. optional string uuid = 23; + // Standard build version metadata. optional BuildVersion build_version = 24; + // Minimum OS requirement specifications. optional MinVersion min_version = 25; + // Exported symbol descriptors. repeated string exports = 26; + // Imported symbol descriptors. repeated string imports = 27; + // Linker options passed during binary assembly. 
repeated bytes linker_options = 28; } message Macho { - // Set Mach-O header and basic fields + // Magic identifier indicating the file architecture. optional uint32 magic = 1 [(yara.field_options).fmt = "x"]; + // Target architecture designation. optional uint32 cputype = 2 [(yara.field_options).fmt = "x"]; + // Specific sub-architecture variant. optional uint32 cpusubtype = 3 [(yara.field_options).fmt = "x"]; + // Categorization of the Mach-O executable. optional uint32 filetype = 4; + // Number of load commands defined inside the binary. optional uint32 ncmds = 5; + // Combined byte size of all load commands. optional uint32 sizeofcmds = 6; + // Global bitwise flags characterizing the binary. optional uint32 flags = 7 [(yara.field_options).fmt = "x"]; + // Reserved padding element. optional uint32 reserved = 8; + // Number of segments parsed. optional uint64 number_of_segments = 9 [(yara.field_options).deprecation_notice = { text: "this field is deprecated", help: "use `macho.segments.len()` instead", replacement: "segments.len()" }]; + // Standard dynamic linker specification path. optional bytes dynamic_linker = 10; + // Execution entry point address. optional uint64 entry_point = 11; + // Stack size allocation requested. optional uint64 stack_size = 12; + // Build source version metadata string. optional string source_version = 13; + // Standard symbol table block. optional Symtab symtab = 14; + // Detailed dynamic symbol table block. optional Dysymtab dysymtab = 15; + // Code signature data payload block. optional LinkedItData code_signature_data = 16; + // Top-level segments parsed from the binary. repeated Segment segments = 17; + // Linked external libraries. repeated Dylib dylibs = 18; + // Dynamic loader metadata information block. optional DyldInfo dyld_info = 19; + // Executable run path definition strings. repeated bytes rpaths = 20; + // Defined app entitlement descriptor strings. 
repeated string entitlements = 21; + // Cryptographic certificates validating the signature. repeated Certificate certificates = 22; + // Binary UUID descriptor string. optional string uuid = 23; + // General build version metadata block. optional BuildVersion build_version = 24; + // Minimum OS version requirements. optional MinVersion min_version = 25; + // Standard exported symbol strings. repeated string exports = 26; + // Standard imported symbol strings. repeated string imports = 27; + // Custom options passed directly to the linker. repeated bytes linker_options = 28; - - - // Add fields for Mach-O fat binary header + // Magic constant identifying the file as a Fat binary. optional uint32 fat_magic = 29 [(yara.field_options).fmt = "x"]; + // Total count of different architectures embedded in the Fat binary. optional uint32 nfat_arch = 30; + // Individual descriptors for each embedded architecture. repeated FatArch fat_arch = 31; - // Nested Mach-O files + // Independent Mach-O binaries extracted from the universal Fat payload. repeated File file = 32; } diff --git a/lib/src/modules/protos/pe.proto b/lib/src/modules/protos/pe.proto index fd4cea69b..b9dd5681e 100644 --- a/lib/src/modules/protos/pe.proto +++ b/lib/src/modules/protos/pe.proto 
@@ -12,20 +12,35 @@ option (yara.module_options) = { }; message PE { + // True if the file is a valid PE binary. required bool is_pe = 1; + // Target architecture of the executable (e.g., x86, x64, ARM). optional Machine machine = 2; + // Subsystem required to run this binary (e.g., GUI, CUI). optional Subsystem subsystem = 3; + // Minimum operating system version required to run the binary. optional Version os_version = 4; + // Minimum subsystem version required to run the binary. optional Version subsystem_version = 5; + // User-defined version of the binary image. optional Version image_version = 6; + // Version of the linker used to generate the binary. optional Version linker_version = 7; + // Magic number used to identify the optional header structure. optional OptionalMagic opthdr_magic = 8; + // Bitwise flags indicating attributes of the file (e.g., executable, DLL). optional uint32 characteristics = 9 [(yara.field_options).fmt = "flags:Characteristics"]; + // Bitwise flags indicating DLL characteristics (e.g., ASLR, DEP). optional uint32 dll_characteristics = 10 [(yara.field_options).fmt = "flags:DllCharacteristics"]; + // Creation timestamp of the image, stored as a Unix epoch time. optional uint32 timestamp = 11 [(yara.field_options).fmt = "t"]; + // Preferred load address of the image when placed in memory. optional uint64 image_base = 12 [(yara.field_options).fmt = "x"]; + // Checksum of the image file. optional uint32 checksum = 13; + // Relative virtual address (RVA) of the beginning of the code section. optional uint32 base_of_code = 14 [(yara.field_options).fmt = "x"]; + // Relative virtual address (RVA) of the beginning of the data section. optional uint32 base_of_data = 15 [(yara.field_options).fmt = "x"]; // Entry point as a file offset. 
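Review bot: The new comment on `base_of_data` describes it as the RVA of the data section without noting that this field exists only in the PE32 optional header and is absent from PE32+ (64-bit) images, so a rule that keys on `pe.base_of_data` will presumably be undefined for x64 samples. Suggest `// RVA of the beginning of the data section. Present only in PE32 optional headers; absent (undefined) for PE32+ images.` Likewise `timestamp` is documented as the "creation timestamp of the image", but it is the header's TimeDateStamp, a writer-supplied value that is routinely zeroed, back-dated or replaced by a reproducible-build hash, so `// Header TimeDateStamp as a Unix epoch; writer-controlled and not reliable as a creation time.` would set the right expectation for detection use. The `PE` message continues past this hunk.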
@@ -34,171 +49,275 @@ message PE { // Entry point as it appears in the PE header (RVA). optional uint32 entry_point_raw = 17 [(yara.field_options).fmt = "x"]; + // Filename of the dynamic-link library, if the image is a DLL. optional string dll_name = 18; + // Export table timestamp, stored as a Unix epoch time. optional uint32 export_timestamp = 19 [(yara.field_options).fmt = "t"]; + // Alignment factor used for sections loaded in memory (usually 4096 bytes). optional uint32 section_alignment = 20 [(yara.field_options).fmt = "x"]; + // Alignment factor used for raw section data on disk (usually 512 bytes). optional uint32 file_alignment = 21 [(yara.field_options).fmt = "x"]; + // Flags used by obsolete loaders. optional uint32 loader_flags = 22 [(yara.field_options).fmt = "x"]; + // Size of the optional header structure in bytes. optional uint32 size_of_optional_header = 23 [(yara.field_options).fmt = "x"]; + // Total size of all sections containing executable code. optional uint32 size_of_code = 24 [(yara.field_options).fmt = "x"]; + // Total size of all sections containing initialized data. optional uint32 size_of_initialized_data = 25 [(yara.field_options).fmt = "x"]; + // Total size of all sections containing uninitialized data (BSS). optional uint32 size_of_uninitialized_data = 26 [(yara.field_options).fmt = "x"]; + // Overall size of the image loaded in memory, including all headers. optional uint32 size_of_image = 27 [(yara.field_options).fmt = "x"]; + // Combined size of all headers up to the first section. optional uint32 size_of_headers = 28 [(yara.field_options).fmt = "x"]; + // Total amount of virtual memory reserved for the stack. optional uint64 size_of_stack_reserve = 29 [(yara.field_options).fmt = "x"]; + // Initial amount of physical memory committed for the stack. optional uint64 size_of_stack_commit = 30 [(yara.field_options).fmt = "x"]; + // Total amount of virtual memory reserved for the default heap. 
optional uint64 size_of_heap_reserve = 31 [(yara.field_options).fmt = "x"]; + // Initial amount of physical memory committed for the default heap. optional uint64 size_of_heap_commit = 32 [(yara.field_options).fmt = "x"]; + // File offset pointing to the COFF symbol table. optional uint32 pointer_to_symbol_table = 33 [(yara.field_options).fmt = "x"]; + // Reserved field, must be set to zero. optional uint32 win32_version_value = 34; + // Number of entries found in the COFF symbol table. optional uint32 number_of_symbols = 35; + // Number of entries present in the data directories array. optional uint32 number_of_rva_and_sizes = 36; + // Number of sections in the PE file. optional uint32 number_of_sections = 37 [(yara.field_options).deprecation_notice = { text: "this field is deprecated", help: "use `pe.sections.len()` instead", replacement: "sections.len()" }]; + // Number of imported functions across all imported libraries. optional uint64 number_of_imported_functions = 38; + // Number of delayed imported functions across all delayed libraries. optional uint64 number_of_delayed_imported_functions = 39; + // Number of resources contained within the file. optional uint64 number_of_resources = 40 [(yara.field_options).deprecation_notice = { text: "this field is deprecated", help: "use `pe.resources.len()` instead", replacement: "resources.len()" }]; + // Number of string-value pairs within the version info resource. optional uint64 number_of_version_infos = 41; + // Number of imported libraries. optional uint64 number_of_imports = 42; + // Number of delayed imported libraries. optional uint64 number_of_delayed_imports = 43; + // Number of exported symbols. optional uint64 number_of_exports = 44; + // Number of digital signatures found in the file. 
optional uint64 number_of_signatures = 45 [(yara.field_options).deprecation_notice = { text: "this field is deprecated", help: "use `pe.signatures.len()` instead", replacement: "signatures.len()" }]; + // Map representation of file version information attributes. map version_info = 46; + // List containing version information attributes as key-value elements. repeated KeyValue version_info_list = 47; + // Rich header signature containing toolchain usage information. optional RichSignature rich_signature = 48; + // File path referencing the associated PDB symbol file. optional bytes pdb_path = 49; + // Collection of sections making up the binary. repeated Section sections = 50; + // Standard data directories array (e.g., Imports, Exports, Resources). repeated DirEntry data_directories = 51; + // Unix epoch timestamp of the resource directory. optional uint64 resource_timestamp = 52 [(yara.field_options).fmt = "t"]; + // Version structure for the resource directory. optional Version resource_version = 53; + // Individual resources defined within the binary. repeated Resource resources = 54; + // Standard library and function import descriptions. repeated Import import_details = 55; + // Delayed library and function import descriptions. repeated Import delayed_import_details = 56; + // Exported functions and symbol descriptions. repeated Export export_details = 57; + // True if the executable contains a recognized digital signature. optional bool is_signed = 58; + // Set of digital signatures extracted from the file. repeated Signature signatures = 59; + // Information regarding trailing data not mapped by sections. optional Overlay overlay = 60; } message Version { - // Major version. + // Major version number. required uint32 major = 1; - // Minor version. + // Minor version number. required uint32 minor = 2; } message KeyValue { + // Key identifying the entry. required string key = 1; + // String value associated with the key. 
required string value = 2; } message DirEntry { + // Relative virtual address of the data directory structure. required uint32 virtual_address = 1 [(yara.field_options).fmt = "x"]; + // Size in bytes of the data directory structure. required uint32 size = 2 [(yara.field_options).fmt = "x"]; } message Resource { + // Size of the resource content in bytes. required uint32 length = 1 [(yara.field_options).fmt = "x"]; + // Relative virtual address (RVA) of the resource data. required uint32 rva = 2 [(yara.field_options).fmt = "x"]; + // File offset pointing to the resource data. optional uint32 offset = 3 [(yara.field_options).fmt = "x"]; + // Standard resource type classification (e.g., ICON, VERSION). optional ResourceType type = 4; + // Unique numeric identifier of the resource. optional uint32 id = 5; + // Language code assigned to the resource. optional uint32 language = 6; + // Text representation of the resource type for custom classifications. optional bytes type_string = 7; + // Text representation of the resource name. optional bytes name_string = 8; + // Text representation of the resource language. optional bytes language_string = 9; } message Import { + // Target library filename (e.g., "kernel32.dll"). required string library_name = 1; + // Total count of functions imported from this library. required uint64 number_of_functions = 2; + // Individual functions imported from the library. repeated Function functions = 3; } message Export { + // Name of the exported function. optional string name = 1; + // Ordinal index of the exported function. required uint32 ordinal = 2; + // Relative virtual address (RVA) pointing to the exported function. required uint32 rva = 3 [(yara.field_options).fmt = "x"]; + // Physical file offset of the exported function. optional uint32 offset = 4 [(yara.field_options).fmt = "x"]; + // Forwarder string, if the export resolves to a function in another library. 
optional string forward_name = 5; } message Function { + // Name of the imported function. optional string name = 1; + // Ordinal index of the function. optional uint32 ordinal = 2; + // Relative virtual address (RVA) or offset pointing to the function import thunk. required uint32 rva = 3 [(yara.field_options).fmt = "x"]; } message Signature { + // Subject name specified in the certificate. optional string subject = 1; + // Issuer name specified in the certificate. optional string issuer = 2; + // Unique thumbprint value of the certificate. optional string thumbprint = 3; + // Internal version format of the digital signature. optional int64 version = 4; + // Public key algorithm identifier string. optional string algorithm = 5; + // OID value representing the public key algorithm. optional string algorithm_oid = 6; + // Serial number of the certificate. optional string serial = 7; + // Unix timestamp representing the start of the validity window. optional int64 not_before = 8 [(yara.field_options).fmt = "t"]; + // Unix timestamp representing the end of the validity window. optional int64 not_after = 9 [(yara.field_options).fmt = "t"]; + // True if the cryptographic verification of the signature succeeded. optional bool verified = 10; + // Digest algorithm utilized in the signature process. optional string digest_alg = 11; + // Content digest generated by the signer. optional string digest = 12; + // Digest computed directly from the binary payload. optional string file_digest = 13; + // Number of certificates embedded in the signature chain. optional uint64 number_of_certificates = 14; + // Number of countersignatures associated with this signature. optional uint64 number_of_countersignatures = 15; + // Details regarding the primary signer entity. optional SignerInfo signer_info = 16; + // Certificates making up the signing chain. repeated Certificate certificates = 17; + // Countersignatures validating the time and source of the primary signature. 
repeated CounterSignature countersignatures = 18; } message SignerInfo { + // Program description extracted from the SpcSpOpusInfo block. optional string program_name = 1; + // URL containing supplemental details about the software. optional string more_info = 2; + // Hash digest calculated by the primary signer. optional string digest = 3; + // Algorithm used to generate the signer digest. optional string digest_alg = 4; + // Certificate chain validating the signer. repeated Certificate chain = 5; } message Certificate { + // Issuer of this individual certificate. optional string issuer = 1; + // Intended subject of this certificate. optional string subject = 2; + // Thumbprint identifying the certificate. optional string thumbprint = 3; + // Internal format version of the certificate. optional int64 version = 4; + // Public key cryptographic algorithm string. optional string algorithm = 5; + // Public key cryptographic algorithm OID. optional string algorithm_oid = 6; + // Unique serial number of the certificate. optional string serial = 7; + // Start date of the certificate validity period. optional int64 not_before = 8 [(yara.field_options).fmt = "t"]; + // End date of the certificate validity period. optional int64 not_after = 9 [(yara.field_options).fmt = "t"]; } message CounterSignature { + // True if the countersignature successfully verified. optional bool verified = 1; + // Unix timestamp indicating when the signature was countersigned. optional int64 sign_time = 2 [(yara.field_options).fmt = "t"]; + // Hash digest of the countersignature payload. optional string digest = 12; + // Algorithm used to compute the countersignature digest. optional string digest_alg = 3; + // Certificate chain associated with the countersigning entity. repeated Certificate chain = 4; } 
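Review bot: The comment on `is_signed` (`True if the executable contains a recognized digital signature`) reads as a trust statement, but the presence of an Authenticode blob says nothing about validity, and rules that gate on `pe.is_signed` alone are a well-known bypass. Suggest `// True if the file carries at least one Authenticode signature structure. Presence only: it does not imply the signature verified; check signatures[*].verified.` The `verified` comments on `Signature` and `CounterSignature` should also say what verification covers: from the schema alone it is unclear whether it means the signed digest matches `file_digest` and the embedded chain is internally consistent, or full chain-building to a trusted root with revocation; for offline YARA-style matching it is presumably the former, so something like `// True if the signed digest matches the file and the embedded certificate chain is consistent; no trust-store or revocation check is implied.` would prevent over-trust. For `thumbprint` and `serial`, rule authors match on the exact string form, so the hash algorithm and encoding (hex case, separators) should be documented instead of "Unique thumbprint value of the certificate." The `PE` message this hunk edits starts in the preceding hunk.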
@@ -232,7 +351,7 @@ enum ResourceType { } message Section { - // The section's name as listed in the section table. The data type is `bytes` + // Section name as listed in the section table. The data type is `bytes` // instead of `string` so that it can accommodate invalid UTF-8 content. The // length is 8 bytes at most. required bytes name = 1; 
@@ -248,34 +367,54 @@ message Section { // // See: https://learn.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-image_section_header#members required bytes full_name = 2; + // Characteristics and access attributes of the section. required uint32 characteristics = 3 [(yara.field_options).fmt = "flags:SectionCharacteristics"]; + // Physical size of the section stored on disk. required uint32 raw_data_size = 4 [(yara.field_options).fmt = "x"]; + // File offset to the section data on disk. required uint32 raw_data_offset = 5 [(yara.field_options).fmt = "x"]; + // Virtual address of the section loaded in memory, relative to the image base. required uint32 virtual_address = 6 [(yara.field_options).fmt = "x"]; + // Total virtual size occupied by the section in memory. required uint32 virtual_size = 7 [(yara.field_options).fmt = "x"]; + // File pointer referencing the section's relocation entries. required uint32 pointer_to_relocations = 8 [(yara.field_options).fmt = "x"]; + // File pointer referencing the section's line-number entries. required uint32 pointer_to_line_numbers = 9 [(yara.field_options).fmt = "x"]; + // Total count of relocation records for the section. required uint32 number_of_relocations = 10; + // Total count of line-number records for the section. required uint32 number_of_line_numbers = 11; } message RichSignature { + // Relative file offset marking the start of the Rich signature. required uint32 offset = 1 [(yara.field_options).fmt = "x"]; + // Total length in bytes of the Rich signature block. required uint32 length = 2 [(yara.field_options).fmt = "x"]; + // Numerical XOR key utilized to decrypt the Rich signature. required uint32 key = 3; + // Obfuscated binary bytes of the Rich signature. required bytes raw_data = 4; + // Cleartext decrypted bytes of the Rich signature. required bytes clear_data = 5; + // Individual tools and build utilities referenced in the signature. 
repeated RichTool tools = 6; } message RichTool { + // Identifier corresponding to the compilation tool. required uint32 toolid = 1; + // Internal version of the tool. required uint32 version = 2; + // Number of times the tool was invoked to build objects in the final binary. required uint32 times = 3; } message Overlay { + // File offset marking the start of the appended overlay content. required uint64 offset = 1 [(yara.field_options).fmt = "x"]; + // Total size in bytes of the overlay data. required uint64 size = 2 [(yara.field_options).fmt = "x"]; }
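Review bot: The `RichSignature.key` and `clear_data` comments describe the Rich header as encrypted (`XOR key utilized to decrypt`, `Cleartext decrypted bytes`), but the key is a checksum-derived value stored in the file itself and the XOR is a reversible mask, not encryption; "decrypt" suggests a confidentiality property that does not exist and hides that the header is trivially forged or stripped. Suggest `// XOR mask applied to the Rich header entries; derived from the file contents, not a secret.` and `// Rich header bytes with the XOR mask removed.` On `Section`, the new comments for `raw_data_offset` and `raw_data_size` restate the header fields; because malformed PE files routinely declare offsets and sizes past the end of the file, a note that these are the declared values, presumably not bounds-checked against the actual file size, would help authors who compute ranges from them in rules. The `Section` message header is outside this hunk.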