public override AnalysisApplicability CanAnalyzePE(PEBinary target, Sarif.PropertiesDictionary policy, out string reasonForNotAnalyzing)
        {
            PE portableExecutable        = target.PE;
            AnalysisApplicability result = AnalysisApplicability.NotApplicableToSpecifiedTarget;

            reasonForNotAnalyzing = MetadataConditions.ImageIsResourceOnlyBinary;
            if (portableExecutable.IsResourceOnly)
            {
                return(result);
            }

            reasonForNotAnalyzing = MetadataConditions.ImageIsILOnlyAssembly;
            if (portableExecutable.IsILOnly)
            {
                return(result);
            }

            reasonForNotAnalyzing = MetadataConditions.ImageIsMixedModeBinary;
            if (portableExecutable.IsMixedMode)
            {
                return(result);
            }

            reasonForNotAnalyzing = MetadataConditions.ImageIsKernelModeAndNot64Bit;
            if (portableExecutable.IsKernelMode && !portableExecutable.Is64Bit)
            {
                return(result);
            }

            reasonForNotAnalyzing = MetadataConditions.ImageIsBootBinary;
            if (portableExecutable.IsBoot)
            {
                return(result);
            }

            Version minimumRequiredLinkerVersion = policy.GetProperty(MinimumRequiredLinkerVersion);

            if (portableExecutable.LinkerVersion < minimumRequiredLinkerVersion)
            {
                reasonForNotAnalyzing = string.Format(
                    MetadataConditions.ImageCompiledWithOutdatedTools,
                    portableExecutable.LinkerVersion,
                    minimumRequiredLinkerVersion);

                return(result);
            }

            reasonForNotAnalyzing = MetadataConditions.ImageIsWixBinary;
            if (portableExecutable.IsWixBinary)
            {
                return(result);
            }

            reasonForNotAnalyzing = null;
            return(AnalysisApplicability.ApplicableToSpecifiedTarget);
        }
Exemplo n.º 2
0
        public override AnalysisApplicability CanAnalyzePE(PEBinary target, Sarif.PropertiesDictionary policy, out string reasonForNotAnalyzing)
        {
            PE portableExecutable        = target.PE;
            AnalysisApplicability result = AnalysisApplicability.NotApplicableToSpecifiedTarget;

            // Review the range of metadata conditions and return NotApplicableToSpecifiedTarget
            // from this method for all cases where a binary is detected that is not valid to scan.
            //
            reasonForNotAnalyzing = MetadataConditions.ImageIsResourceOnlyBinary;
            if (portableExecutable.IsResourceOnly)
            {
                return(result);
            }

            // Here's an example of parameterizing a rule from input XML. In this example,
            // we enforce that the linker is of a minimal version, otherwise the scan will
            // not occur (because the toolset producing the binary is not sufficiently
            // current to enable the security mitigation).
            //
            Version minimumRequiredLinkerVersion = policy.GetProperty(MinimumRequiredLinkerVersion);

            if (portableExecutable.LinkerVersion < minimumRequiredLinkerVersion)
            {
                reasonForNotAnalyzing = string.Format(
                    MetadataConditions.ImageCompiledWithOutdatedTools,
                    portableExecutable.LinkerVersion,
                    minimumRequiredLinkerVersion);

                return(result);
            }

            // If we get to this location, we've determined the binary is valid to analyze.
            // We clear the 'reasonForNotAnalyzing' output variable and return
            // ApplicableToSpecifiedTarget.
            //
            reasonForNotAnalyzing = null;
            return(AnalysisApplicability.ApplicableToSpecifiedTarget);
        }