Add missing algorithm_oid from PE module

avast · Jan 28, 2022 · e4bd608 · e4bd608
1 parent 0f1abf9
commit e4bd608
Show file tree

Hide file tree

Showing 3 changed files with 46 additions and 1 deletion.
diff --git a/modules/module_pe.json b/modules/module_pe.json
@@ -1950,7 +1950,13 @@
                     {
                         "kind": "value",
                         "name": "algorithm",
-                        "documentation": "Algorithm used for this signature. Usually \"sha1WithRSAEncryption\".",
+                        "documentation": "String representation of the algorithm used for this signature. Usually \"sha1WithRSAEncryption\". It depends on the X.509 and PKCS#7 implementationss and possibly their versions, consider using algorithm_oid instead.",
+                        "type": "s"
+                    },
+                    {
+                        "kind": "value",
+                        "name": "algorithm_oid",
+                        "documentation": "Object ID of the algorithm used for this signature, expressed in numeric ASN.1 dot notation. The name contained in algorithm is derived from this value. The object id is expected to be stable across X.509 and PKCS#7 implementations and their versions.",
                         "type": "s"
                     },
                     {

diff --git a/tests/cpp/parser_tests.cpp b/tests/cpp/parser_tests.cpp
@@ -7336,5 +7336,23 @@ rule iequals_expr
 	EXPECT_EQ(input_text, driver.getParsedFile().getTextFormatted());
 }
 
+TEST_F(ParserTests,
+ParsePeSignaturesXAlgorithmOID) {
+	prepareInput(
+R"(import "pe"
+
+rule iequals_expr
+{
+	condition:
+		pe.signatures[0].algorithm_oid == "1.2.840.113549.1.1.11"
+}
+)");
+
+	EXPECT_TRUE(driver.parse(input));
+	ASSERT_EQ(1u, driver.getParsedFile().getRules().size());
+
+	EXPECT_EQ(input_text, driver.getParsedFile().getTextFormatted());
+}
+
 }
 }
diff --git a/tests/python/test_parser.py b/tests/python/test_parser.py
@@ -1986,3 +1986,24 @@ def test_include_file_and_import_in_regular_mode(self):
 }
 '''
         self.assertEqual(expected, yara_file.text_formatted)
+
+
+    def test_parse_pe_signatures_x_algorithm_oid(self):
+        yara_file = yaramod.Yaramod().parse_string(parser_mode=yaramod.ParserMode.Regular, str=r'''import "pe"
+
+rule test_rule {
+    condition:
+        pe.signatures[0].algorithm_oid == "1.2.840.113549.1.1.11"
+}
+''')
+
+        expected = r'''import "pe"
+
+rule test_rule
+{
+	condition:
+		pe.signatures[0].algorithm_oid == "1.2.840.113549.1.1.11"
+}
+'''
+
+        self.assertEqual(expected, yara_file.text_formatted)