public override AnalysisApplicability CanAnalyzePE(PEBinary target, Sarif.PropertiesDictionary policy, out string reasonForNotAnalyzing) { PE portableExecutable = target.PE; AnalysisApplicability result = AnalysisApplicability.NotApplicableToSpecifiedTarget; reasonForNotAnalyzing = MetadataConditions.ImageIsNot32BitBinary; if (portableExecutable.Machine != Machine.I386) { return(result); } reasonForNotAnalyzing = MetadataConditions.ImageIsXBoxBinary; if (portableExecutable.IsXBox) { return(result); } reasonForNotAnalyzing = MetadataConditions.ImageIsResourceOnlyBinary; if (portableExecutable.IsResourceOnly) { return(result); } reasonForNotAnalyzing = null; return(AnalysisApplicability.ApplicableToSpecifiedTarget); }
public override AnalysisApplicability CanAnalyzePE(PEBinary target, Sarif.PropertiesDictionary policy, out string reasonForNotAnalyzing) { PE portableExecutable = target.PE; AnalysisApplicability result = AnalysisApplicability.NotApplicableToSpecifiedTarget; reasonForNotAnalyzing = MetadataConditions.ImageIsNot64BitBinary; if (portableExecutable.PEHeaders.PEHeader.Magic != PEMagic.PE32Plus) { return(result); } reasonForNotAnalyzing = MetadataConditions.ImageIsILOnlyAssembly; if (portableExecutable.IsILOnly) { return(result); } reasonForNotAnalyzing = MetadataConditions.ImageIsKernelModeBinary; if (portableExecutable.IsKernelMode) { return(result); } reasonForNotAnalyzing = MetadataConditions.ImageIsResourceOnlyBinary; if (portableExecutable.IsResourceOnly) { return(result); } reasonForNotAnalyzing = null; return(AnalysisApplicability.ApplicableToSpecifiedTarget); }
public override AnalysisApplicability CanAnalyzePE(PEBinary target, Sarif.PropertiesDictionary policy, out string reasonForNotAnalyzing) { PE portableExecutable = target.PE; AnalysisApplicability result = AnalysisApplicability.NotApplicableToSpecifiedTarget; reasonForNotAnalyzing = MetadataConditions.ImageIsKernelModeBinary; if (portableExecutable.IsKernelMode) { return(result); } reasonForNotAnalyzing = MetadataConditions.ImageLikelyLoads32BitProcess; if (portableExecutable.PEHeaders.PEHeader.Magic != PEMagic.PE32Plus) { // If the image's magic bytes are 'PE32', it is either a 32 bit binary (rule does not apply), or it is a managed binary compiled as AnyCpu. // If it's an AnyCPU managed binary, we need to do a bit more checking--if it has 'Prefers32Bit'/'Requires32Bit' flagged, it will probably // load as a 32 bit process. If it doesn't, we're likely to load in a 64 bit process space on a 64 bit arch & want to ensure HighEntropyVA is enabled. if (!portableExecutable.IsManaged || portableExecutable.IsManaged && portableExecutable.PEHeaders.CorHeader.Flags.HasFlag(CorFlags.Requires32Bit)) { return(result); } } reasonForNotAnalyzing = MetadataConditions.ImageIsNotExe; if (!portableExecutable.PEHeaders.IsExe) { return(result); } reasonForNotAnalyzing = null; return(AnalysisApplicability.ApplicableToSpecifiedTarget); }
public override AnalysisApplicability CanAnalyzePE(PEBinary target, Sarif.PropertiesDictionary policy, out string reasonForNotAnalyzing) { PE portableExecutable = target.PE; AnalysisApplicability result = AnalysisApplicability.NotApplicableToSpecifiedTarget; reasonForNotAnalyzing = MetadataConditions.ImageIsResourceOnlyBinary; if (portableExecutable.IsResourceOnly) { return(result); } reasonForNotAnalyzing = MetadataConditions.ImageIsILOnlyAssembly; if (portableExecutable.IsILOnly) { return(result); } reasonForNotAnalyzing = MetadataConditions.ImageIsMixedModeBinary; if (portableExecutable.IsMixedMode) { return(result); } reasonForNotAnalyzing = MetadataConditions.ImageIsKernelModeAndNot64Bit; if (portableExecutable.IsKernelMode && !portableExecutable.Is64Bit) { return(result); } reasonForNotAnalyzing = MetadataConditions.ImageIsBootBinary; if (portableExecutable.IsBoot) { return(result); } Version minimumRequiredLinkerVersion = policy.GetProperty(MinimumRequiredLinkerVersion); if (portableExecutable.LinkerVersion < minimumRequiredLinkerVersion) { reasonForNotAnalyzing = string.Format( MetadataConditions.ImageCompiledWithOutdatedTools, portableExecutable.LinkerVersion, minimumRequiredLinkerVersion); return(result); } reasonForNotAnalyzing = MetadataConditions.ImageIsWixBinary; if (portableExecutable.IsWixBinary) { return(result); } reasonForNotAnalyzing = null; return(AnalysisApplicability.ApplicableToSpecifiedTarget); }
public override AnalysisApplicability CanAnalyzeElf(ELFBinary target, Sarif.PropertiesDictionary policy, out string reasonForNotAnalyzing) { IELF elf = target.ELF; if (elf.Type == FileType.Core || elf.Type == FileType.None || elf.Type == FileType.Relocatable) { reasonForNotAnalyzing = reasonForNotAnalyzing = MetadataConditions.ElfIsCoreNoneOrObject; return(AnalysisApplicability.NotApplicableToSpecifiedTarget); } reasonForNotAnalyzing = null; return(AnalysisApplicability.ApplicableToSpecifiedTarget); }
public override AnalysisApplicability CanAnalyzePE(PEBinary target, Sarif.PropertiesDictionary policy, out string reasonForNotAnalyzing) { PE portableExecutable = target.PE; AnalysisApplicability result = AnalysisApplicability.NotApplicableToSpecifiedTarget; reasonForNotAnalyzing = MetadataConditions.ImageIsKernelModeBinary; if (portableExecutable.IsKernelMode) { return(result); } reasonForNotAnalyzing = null; return(AnalysisApplicability.ApplicableToSpecifiedTarget); }
public override AnalysisApplicability CanAnalyzePE(PEBinary target, Sarif.PropertiesDictionary policy, out string reasonForNotAnalyzing) { PE portableExecutable = target.PE; AnalysisApplicability result = AnalysisApplicability.NotApplicableToSpecifiedTarget; reasonForNotAnalyzing = MetadataConditions.ImageIs64BitBinary; if (target.PE.PEHeaders.PEHeader.Magic == PEMagic.PE32Plus) { return(result); } reasonForNotAnalyzing = MetadataConditions.ImageIsKernelModeBinary; if (portableExecutable.IsKernelMode) { return(result); } reasonForNotAnalyzing = MetadataConditions.ImageIsXBoxBinary; if (portableExecutable.IsXBox) { return(result); } reasonForNotAnalyzing = MetadataConditions.ImageIsResourceOnlyBinary; if (portableExecutable.IsResourceOnly) { return(result); } reasonForNotAnalyzing = MetadataConditions.ImageIsPreVersion7WindowsCEBinary; if (OSVersions.IsWindowsCEPriorToV7(portableExecutable)) { return(result); } reasonForNotAnalyzing = MetadataConditions.ImageIsBootBinary; if (portableExecutable.IsBoot) { return(result); } reasonForNotAnalyzing = null; return(AnalysisApplicability.ApplicableToSpecifiedTarget); }
public override AnalysisApplicability CanAnalyzeElf(ELFBinary target, Sarif.PropertiesDictionary policy, out string reasonForNotAnalyzing) { IELF elf = target.ELF; if (elf.Type == FileType.Core || elf.Type == FileType.None || elf.Type == FileType.Relocatable) { reasonForNotAnalyzing = MetadataConditions.ElfIsCoreNoneOrObject; return(AnalysisApplicability.NotApplicableToSpecifiedTarget); } // We check for "any usage of non-gcc" as a default/standard compilation with clang leads to [GCC, Clang] // either because it links with a gcc-compiled object (cstdlib) or the linker also reading as GCC. // This has a potential for a False Negative if teams are using GCC and other tools. if (target.Compilers.Any(c => c.Compiler != ELFCompilerType.GCC)) { reasonForNotAnalyzing = MetadataConditions.ElfNotBuiltWithGcc; return(AnalysisApplicability.NotApplicableToSpecifiedTarget); } reasonForNotAnalyzing = null; return(AnalysisApplicability.ApplicableToSpecifiedTarget); }
public override AnalysisApplicability CanAnalyzePE(PEBinary target, Sarif.PropertiesDictionary policy, out string reasonForNotAnalyzing) { PE portableExecutable = target.PE; AnalysisApplicability result = AnalysisApplicability.NotApplicableToSpecifiedTarget; // Review the range of metadata conditions and return NotApplicableToSpecifiedTarget // from this method for all cases where a binary is detected that is not valid to scan. // reasonForNotAnalyzing = MetadataConditions.ImageIsResourceOnlyBinary; if (portableExecutable.IsResourceOnly) { return(result); } // Here's an example of parameterizing a rule from input XML. In this example, // we enforce that the linker is of a minimal version, otherwise the scan will // not occur (because the toolset producing the binary is not sufficiently // current to enable the security mitigation). // Version minimumRequiredLinkerVersion = policy.GetProperty(MinimumRequiredLinkerVersion); if (portableExecutable.LinkerVersion < minimumRequiredLinkerVersion) { reasonForNotAnalyzing = string.Format( MetadataConditions.ImageCompiledWithOutdatedTools, portableExecutable.LinkerVersion, minimumRequiredLinkerVersion); return(result); } // If we get to this location, we've determined the binary is valid to analyze. // We clear the 'reasonForNotAnalyzing' output variable and return // ApplicableToSpecifiedTarget. // reasonForNotAnalyzing = null; return(AnalysisApplicability.ApplicableToSpecifiedTarget); }
public abstract AnalysisApplicability CanAnalyzePE(PEBinary target, Sarif.PropertiesDictionary policy, out string reasonForNotAnalyzing);
public override AnalysisApplicability CanAnalyzePE(PEBinary target, Sarif.PropertiesDictionary policy, out string reasonForNotAnalyzing) { return(StackProtectionUtilities.CommonCanAnalyze(target, out reasonForNotAnalyzing)); }
public override AnalysisApplicability CanAnalyzePE(PEBinary target, Sarif.PropertiesDictionary policy, out string reasonForNotAnalyzing) { reasonForNotAnalyzing = ""; return(AnalysisApplicability.ApplicableToSpecifiedTarget); }