/// <summary>
/// Decides whether this rule should run against <paramref name="target"/>.
/// Each exclusion below returns NotApplicableToSpecifiedTarget together with
/// the matching MetadataConditions message.
/// </summary>
/// <param name="target">The PE binary being considered for analysis.</param>
/// <param name="policy">Rule configuration; supplies the minimum required linker version.</param>
/// <param name="reasonForNotAnalyzing">
/// Receives the explanation for skipping the binary, or null when the binary is applicable.
/// </param>
/// <returns>
/// ApplicableToSpecifiedTarget when no exclusion matches; otherwise
/// NotApplicableToSpecifiedTarget.
/// </returns>
/// <remarks>
/// NOTE(review): a "not applicable" outcome means the check was skipped, not that
/// the binary passed. Binaries built with a linker older than the configured
/// minimum are excluded here, so whatever consumes these results should keep
/// reasonForNotAnalyzing visible rather than treat the target as clean.
/// Because the threshold comes from policy, a value set too high would exclude
/// every binary from this rule; review policy changes with the same care as code.
/// </remarks>
public override AnalysisApplicability CanAnalyzePE(PEBinary target, Sarif.PropertiesDictionary policy, out string reasonForNotAnalyzing)
{
    PE pe = target.PE;
    AnalysisApplicability notApplicable = AnalysisApplicability.NotApplicableToSpecifiedTarget;

    // The reason is assigned before each test so that the out parameter
    // already holds the right message whenever an exclusion returns.

    // Resource-only image.
    reasonForNotAnalyzing = MetadataConditions.ImageIsResourceOnlyBinary;
    if (pe.IsResourceOnly)
    {
        return notApplicable;
    }

    // IL-only assembly.
    reasonForNotAnalyzing = MetadataConditions.ImageIsILOnlyAssembly;
    if (pe.IsILOnly)
    {
        return notApplicable;
    }

    // Mixed-mode binary.
    reasonForNotAnalyzing = MetadataConditions.ImageIsMixedModeBinary;
    if (pe.IsMixedMode)
    {
        return notApplicable;
    }

    // Kernel-mode image that is not 64-bit; 64-bit kernel-mode images continue.
    reasonForNotAnalyzing = MetadataConditions.ImageIsKernelModeAndNot64Bit;
    if (pe.IsKernelMode && !pe.Is64Bit)
    {
        return notApplicable;
    }

    // Boot binary.
    reasonForNotAnalyzing = MetadataConditions.ImageIsBootBinary;
    if (pe.IsBoot)
    {
        return notApplicable;
    }

    // Toolset floor: the threshold is read from policy, not hard-coded.
    Version linkerFloor = policy.GetProperty(MinimumRequiredLinkerVersion);
    if (pe.LinkerVersion < linkerFloor)
    {
        // The message records both the observed and the required version.
        reasonForNotAnalyzing = string.Format(
            MetadataConditions.ImageCompiledWithOutdatedTools,
            pe.LinkerVersion,
            linkerFloor);
        return notApplicable;
    }

    // WiX binary.
    reasonForNotAnalyzing = MetadataConditions.ImageIsWixBinary;
    if (pe.IsWixBinary)
    {
        return notApplicable;
    }

    // No exclusion matched: clear the reason and report the target as applicable.
    reasonForNotAnalyzing = null;
    return AnalysisApplicability.ApplicableToSpecifiedTarget;
}
/// <summary>
/// Sample applicability check: decides whether this rule should scan
/// <paramref name="target"/>, skipping resource-only images and binaries
/// whose linker is older than the version configured in policy.
/// </summary>
/// <param name="target">The PE binary being considered for analysis.</param>
/// <param name="policy">Rule configuration; supplies the minimum required linker version.</param>
/// <param name="reasonForNotAnalyzing">
/// Receives the explanation for skipping the binary, or null when the binary is applicable.
/// </param>
/// <returns>
/// ApplicableToSpecifiedTarget when the binary is valid to scan; otherwise
/// NotApplicableToSpecifiedTarget.
/// </returns>
/// <remarks>
/// NOTE(review): "not applicable" means the rule did not run, not that the binary
/// passed. A binary rejected for an outdated linker is, per the comment below, one
/// whose toolset cannot enable the mitigation, so downstream reporting should keep
/// reasonForNotAnalyzing visible instead of counting the target as clean.
/// </remarks>
public override AnalysisApplicability CanAnalyzePE(PEBinary target, Sarif.PropertiesDictionary policy, out string reasonForNotAnalyzing)
{
    PE pe = target.PE;
    AnalysisApplicability notApplicable = AnalysisApplicability.NotApplicableToSpecifiedTarget;

    // Walk the relevant metadata conditions and return
    // NotApplicableToSpecifiedTarget for every kind of binary that is not
    // valid to scan. The reason is assigned before the test so that the out
    // parameter is already populated when the exclusion returns.
    reasonForNotAnalyzing = MetadataConditions.ImageIsResourceOnlyBinary;
    if (pe.IsResourceOnly)
    {
        return notApplicable;
    }

    // Example of parameterizing a rule from input XML: the linker must be at
    // least a minimum version, otherwise the scan does not occur (the toolset
    // that produced the binary is not current enough to enable the security
    // mitigation).
    Version linkerFloor = policy.GetProperty(MinimumRequiredLinkerVersion);
    if (pe.LinkerVersion < linkerFloor)
    {
        // The message records both the observed and the required version.
        reasonForNotAnalyzing = string.Format(
            MetadataConditions.ImageCompiledWithOutdatedTools,
            pe.LinkerVersion,
            linkerFloor);
        return notApplicable;
    }

    // Reaching this point means the binary is valid to analyze: clear the
    // reasonForNotAnalyzing output and return ApplicableToSpecifiedTarget.
    reasonForNotAnalyzing = null;
    return AnalysisApplicability.ApplicableToSpecifiedTarget;
}