avast · mienkofax · Jan 31, 2022 · Jan 28, 2022
diff --git a/modules/module_elf.json b/modules/module_elf.json
@@ -789,6 +789,61 @@
                 ]
             }
         },
+        {
+            "kind": "value",
+            "name": "dynsym_entries",
+            "documentation": "Number of entries in the dynamic symbol table found in the ELF file.",
+            "type": "i"
+        },
+        {
+            "kind": "array",
+            "name": "dynsym",
+            "documentation": "A zero-based array of symbol objects, one for each entry in found in the ELF's DYNSYM. Individual symbol objects can be accessed by using the [] operator.",
+            "structure":
+            {
+                "kind": "struct",
+                "name": "dynsym",
+                "documentation": "",
+                "attributes": [
+                    {
+                        "kind": "value",
+                        "name": "name",
+                        "documentation": "The symbol's name.",
+                        "type": "s"
+                    },
+                    {
+                        "kind": "value",
+                        "name": "value",
+                        "documentation": "A value associated with the symbol. Generally a virtual address.",
+                        "type": "i"
+                    },
+                    {
+                        "kind": "value",
+                        "name": "size",
+                        "documentation": "The symbol's size.",
+                        "type": "i"
+                    },
+                    {
+                        "kind": "value",
+                        "name": "type",
+                        "documentation": "The type of symbol. Built values are: STT_NOTYPE, STT_OBJECT, STT_FUNC, STT_SECTION, STT_FILE, STT_COMMON, STT_TLS.",
+                        "type": "i"
+                    },
+                    {
+                        "kind": "value",
+                        "name": "bind",
+                        "documentation": "The binding of the symbol. Builtin values are: STB_LOCAL, STB_GLOBAL, STB_WEAK.",
+                        "type": "i"
+                    },
+                    {
+                        "kind": "value",
+                        "name": "shndx",
+                        "documentation": "The section index which the symbol is associated with.",
+                        "type": "i"
+                    }
+                ]
+            }
+        },
         {
             "kind": "function",
             "name": "symtab_symbol",

diff --git a/tests/cpp/parser_tests.cpp b/tests/cpp/parser_tests.cpp
@@ -7354,5 +7354,34 @@ rule test_rule
 	EXPECT_EQ(input_text, driver.getParsedFile().getTextFormatted());
 }
 
+TEST_F(ParserTests,
+ParseELFDynsym) {
+	prepareInput(
+		R"(import "elf"
+
+rule test_rule
+{
+	condition:
+		elf.dynsym_entries == 1 or
+		elf.dynsym[0].name == "name" or
+		elf.dynsym[0].value == "value" or
+		elf.dynsym[0].size == 2 or
+		elf.dynsym[0].type == elf.STT_NOTYPE or
+		elf.dynsym[0].type == elf.STT_OBJECT or
+		elf.dynsym[0].type == elf.STT_FUNC or
+		elf.dynsym[0].type == elf.STT_SECTION or
+		elf.dynsym[0].type == elf.STT_FILE or
+		elf.dynsym[0].type == elf.STT_COMMON or
+		elf.dynsym[0].type == elf.STT_TLS or
+		elf.dynsym[0].bind == 3 or
+		elf.dynsym[0].shndx == 3
+}
+)");
+
+	EXPECT_TRUE(driver.parse(input));
+	ASSERT_EQ(1u, driver.getParsedFile().getRules().size());
+
+	EXPECT_EQ(input_text, driver.getParsedFile().getTextFormatted());
+}
 }
 }
diff --git a/tests/python/test_parser.py b/tests/python/test_parser.py
@@ -2004,6 +2004,50 @@ def test_parse_pe_signatures_x_algorithm_oid(self):
 	condition:
 		pe.signatures[0].algorithm_oid == "1.2.840.113549.1.1.11"
 }
+'''
+
+        self.assertEqual(expected, yara_file.text_formatted)
+
+    def test_parse_elf_dynsym(self):
+        yara_file = yaramod.Yaramod().parse_string(parser_mode=yaramod.ParserMode.Regular, str=r'''import "elf"
+
+rule test_rule {
+    condition:
+        elf.dynsym_entries == 1 or
+        elf.dynsym[0].name == "name" or
+        elf.dynsym[0].value == "value" or
+        elf.dynsym[0].size == 2 or
+        elf.dynsym[0].type == elf.STT_NOTYPE or
+        elf.dynsym[0].type == elf.STT_OBJECT or
+        elf.dynsym[0].type == elf.STT_FUNC or
+        elf.dynsym[0].type == elf.STT_SECTION or
+        elf.dynsym[0].type == elf.STT_FILE or
+        elf.dynsym[0].type == elf.STT_COMMON or
+        elf.dynsym[0].type == elf.STT_TLS or
+        elf.dynsym[0].bind == 3 or
+        elf.dynsym[0].shndx == 3
+}
+''')
+
+        expected = r'''import "elf"
+
+rule test_rule
+{
+	condition:
+		elf.dynsym_entries == 1 or
+		elf.dynsym[0].name == "name" or
+		elf.dynsym[0].value == "value" or
+		elf.dynsym[0].size == 2 or
+		elf.dynsym[0].type == elf.STT_NOTYPE or
+		elf.dynsym[0].type == elf.STT_OBJECT or
+		elf.dynsym[0].type == elf.STT_FUNC or
+		elf.dynsym[0].type == elf.STT_SECTION or
+		elf.dynsym[0].type == elf.STT_FILE or
+		elf.dynsym[0].type == elf.STT_COMMON or
+		elf.dynsym[0].type == elf.STT_TLS or
+		elf.dynsym[0].bind == 3 or
+		elf.dynsym[0].shndx == 3
+}
 '''
 
         self.assertEqual(expected, yara_file.text_formatted)