Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

LNK module #1732

Merged
merged 148 commits into from
Aug 24, 2023
Merged

LNK module #1732

merged 148 commits into from
Aug 24, 2023

Conversation

BitsOfBinary
Copy link
Contributor

This module will parse the Windows Shell Link (LNK) file format, and make a lot of it's data accessible via YARA. The motivation for creating this module is that the LNK file format is non-standard to parse, and would be difficult to do so within a YARA rule itself (see the documentation here: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-shllink/16cb4ca1-9339-4d0c-a68d-bf1d6cc0f943). I hope by making this module that it makes life easier to write YARA rules for LNK files.

This module allows for rules like this to be possible:

import "lnk"

rule is_lnk
{
    condition:
        lnk.is_lnk
}

rule machine_id_tracking
{
    condition:
        lnk.tracker_data.machine_id == "chris-xps"
}

rule local_base_path
{
    condition:
        lnk.link_info.local_base_path == "C:\\test\\a.txt"
}

I'd be very interested to hear feedback on the code itself, or the structure of the data surfaced by the module (e.g. is it easy to access/use).

The documentation says `Bytes [a-zA-Z] contribute 18 points each`, but it looks like in the code that only `[a-z]` is given 18 points, whereas `[A-Z]` is given 20 points. This commit will make sure these ranges have the proper scoring as expected.
Add test entry which compares the atom quality of "ABCD" and "abcd" and asserts that they are equal.
This reverts commit 1c53212.
Also fixed `DWORD` compiling error, and replaced with `uint32_t` types.
Using the sample LNK from the MS standard for LNK files for testing, and putting in an initial test:
https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-SHLLINK/%5bMS-SHLLINK%5d.pdf
Previous version always seemed to be an hour (3600 seconds) off what it should have been. This commit adds a test to make sure it's getting the right value.

I don't know why its always an hour off, but this should fix it!
All the mandatory LNK header bytes add up to 76 bytes, and as such we won't parse an LNK file unless it is at least 76 bytes in length
Moving a lot of the definitions over to a separate header file to keep the main code clean.

Also following the PE module's structure of having a separate `lnk_utils` file to deal with some of the convenient functions it provides.
It seems even one test gives the error `There were tests whose specified size is too big. Use the --test_verbose_timeout_warnings command line option to see which ones these are.`
Change some C/header files that got automatically changed while compiling YARA to the same that they are on the main branch
Some variables in the console data section are actually signed variables. So I've converted them to `int16_t` instead of `uint16_t`, added some test cases to make sure these values are properly parsed, and added some examples in the docs.
@BitsOfBinary
Copy link
Contributor Author

Updated this branch to be compatible with YARA 4.3.0. At time of this comment, all tests pass as expected.

@plusvic plusvic added this to the v4.4 milestone Apr 17, 2023
@BitsOfBinary
Copy link
Contributor Author

Updated for compatibility with YARA v4.3.2; tests passing as expected.

@plusvic plusvic merged commit 97fd691 into VirusTotal:master Aug 24, 2023
plusvic pushed a commit that referenced this pull request Aug 24, 2023
@plusvic
Copy link
Member

plusvic commented Aug 24, 2023

I tried to merge this PR but it turns out that the tests are failing in big endian platforms: https://github.com/VirusTotal/yara/actions/runs/5960808590/job/16168792006

@BitsOfBinary
Copy link
Contributor Author

I tried to merge this PR but it turns out that the tests are failing in big endian platforms: https://github.com/VirusTotal/yara/actions/runs/5960808590/job/16168792006

That's weird @plusvic , they seemed to be working before (https://github.com/VirusTotal/yara/actions/runs/5772402091/job/15647348631). I'll debug what is failing in the tests and get back to you.

@BitsOfBinary BitsOfBinary mentioned this pull request Aug 24, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants