Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

LNK module #1732

Merged
merged 148 commits into from
Aug 24, 2023
Merged

LNK module #1732

merged 148 commits into from
Aug 24, 2023

Conversation

BitsOfBinary
Copy link
Contributor

This module will parse the Windows Shell Link (LNK) file format, and make a lot of it's data accessible via YARA. The motivation for creating this module is that the LNK file format is non-standard to parse, and would be difficult to do so within a YARA rule itself (see the documentation here: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-shllink/16cb4ca1-9339-4d0c-a68d-bf1d6cc0f943). I hope by making this module that it makes life easier to write YARA rules for LNK files.

This module allows for rules like this to be possible:

import "lnk"

rule is_lnk
{
    condition:
        lnk.is_lnk
}

rule machine_id_tracking
{
    condition:
        lnk.tracker_data.machine_id == "chris-xps"
}

rule local_base_path
{
    condition:
        lnk.link_info.local_base_path == "C:\\test\\a.txt"
}

I'd be very interested to hear feedback on the code itself, or the structure of the data surfaced by the module (e.g. is it easy to access/use).

@BitsOfBinary
LNK module initial commit
8d43f43
@BitsOfBinary
Update atom logic to properly score [A-Z]
bf7130f 
The documentation says `Bytes [a-zA-Z] contribute 18 points each`, but it looks like in the code that only `[a-z]` is given 18 points, whereas `[A-Z]` is given 20 points. This commit will make sure these ranges have the proper scoring as expected.
@BitsOfBinary
Add test for comparing atom quality ABCD == abcd
181dbf2 
Add test entry which compares the atom quality of "ABCD" and "abcd" and asserts that they are equal.
@BitsOfBinary
Update test-atoms.c
8123903
@BitsOfBinary
Revert "Update atom logic to properly score [A-Z]"
f01c684 
This reverts commit bf7130f.
@BitsOfBinary
Revert "Add test for comparing atom quality ABCD == abcd"
c47306f 
This reverts commit 181dbf2.
@BitsOfBinary
Revert "Update test-atoms.c"
2a7a7d9 
This reverts commit 8123903.
@BitsOfBinary
Merge branch 'master' of https://github.com/VirusTotal/yara into Viru…
22b4294 
…sTotal-master
@BitsOfBinary
Test
1c53212
@BitsOfBinary
Revert "Test"
250d9f3 
This reverts commit 1c53212.
@BitsOfBinary
Merge branch 'VirusTotal:master' into master
fa889fa
@BitsOfBinary
Merge branch 'master' into lnk-module
834d62f
@BitsOfBinary
Add objects for LinkFlags parsing
f0d1940 
Also fixed `DWORD` compiling error, and replaced with `uint32_t` types.
@BitsOfBinary
Add file attribute flags
1ff7f0e
@BitsOfBinary
Start hotkey parsing code
5c4a429
@BitsOfBinary
Add the rest of the hotkey values
fd2e303
@BitsOfBinary
Add initial test case for LNK module
51f8ca0 
Using the sample LNK from the MS standard for LNK files for testing, and putting in an initial test:
https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-SHLLINK/%5bMS-SHLLINK%5d.pdf
@BitsOfBinary
Add initial LNK tests
062b893
@BitsOfBinary
Add has_hotkey variable
16673dd
@BitsOfBinary
Formatting
a453409
@BitsOfBinary
Fix timestamps set
556171a 
Previous version always seemed to be an hour (3600 seconds) off what it should have been. This commit adds a test to make sure it's getting the right value.

I don't know why its always an hour off, but this should fix it!
@BitsOfBinary
Refactor hotkey char select into its own function
1be62f2
@BitsOfBinary
Add a couple of comments
f4378b4
@BitsOfBinary
Add min size for parsing LNK
7e2d0c3 
All the mandatory LNK header bytes add up to 76 bytes, and as such we won't parse an LNK file unless it is at least 76 bytes in length
@BitsOfBinary
Add LinkTargetIDList parsing
c133daa
@BitsOfBinary
Begin working on code for LinkInfo parsing
5a0cc78
@BitsOfBinary
Refactor code into header + util files
285f726 
Moving a lot of the definitions over to a separate header file to keep the main code clean.

Also following the PE module's structure of having a separate `lnk_utils` file to deal with some of the convenient functions it provides.
@BitsOfBinary
Starting VolumeID parsing
182ade5
@BitsOfBinary
Adding free statement
47fff35
@BitsOfBinary
Add some VolumeID tests and fix free error
c7de234
@BitsOfBinary
Add LNK module tests
5848220
@BitsOfBinary
Fix up LNK test in Makefile
6a27388
@BitsOfBinary
Fix typo in test LNK
be24c54
@BitsOfBinary
Attempt to fix bazel build
92d3ec0
@BitsOfBinary
Testing to see why Bazel build fails
2a95895
@BitsOfBinary
Revert removing tests
4401389 
It seems even one test gives the error `There were tests whose specified size is too big. Use the --test_verbose_timeout_warnings command line option to see which ones these are.`
@BitsOfBinary
Include LNK module in BUILD.bazel
b96fa41
@BitsOfBinary
Add missing deps line
bc90a83
@BitsOfBinary
Add lnk.h to Makefile
f2d8f56
@BitsOfBinary
Add lnk.h to yara.bzl
bd65078
@BitsOfBinary
Add lnk_utils.h to yara.bzl
a7dd280
@BitsOfBinary
Revert automatic changes
9ffed36 
Change some C/header files that got automatically changed while compiling YARA to the same that they are on the main branch
@BitsOfBinary
Include lnk_utils in Makefile
bc25af5
@BitsOfBinary
Convert some console data variables to signed and update docs
3608567 
Some variables in the console data section are actually signed variables. So I've converted them to `int16_t` instead of `uint16_t`, added some test cases to make sure these values are properly parsed, and added some examples in the docs.
@BitsOfBinary
Fix typo for window_size_y
adc4420
@camptatopenmars camptatopenmars mentioned this pull request Jan 5, 2023
Closed
@BitsOfBinary
Copy link
Contributor Author

Updated this branch to be compatible with YARA 4.3.0. At time of this comment, all tests pass as expected.

@plusvic plusvic added this to the v4.4 milestone Apr 17, 2023
@BitsOfBinary
Copy link
Contributor Author

Updated for compatibility with YARA v4.3.2; tests passing as expected.

@plusvic plusvic merged commit 97fd691 into VirusTotal:master Aug 24, 2023
9 checks passed
plusvic pushed a commit that referenced this pull request Aug 24, 2023
@BitsOfBinary @plusvic
Revert "LNK module (#1732)"
c41906b 
This reverts commit 97fd691.
@plusvic
Copy link
Member

plusvic commented Aug 24, 2023

I tried to merge this PR but it turns out that the tests are failing in big endian platforms: https://github.com/VirusTotal/yara/actions/runs/5960808590/job/16168792006

@BitsOfBinary
Copy link
Contributor Author

I tried to merge this PR but it turns out that the tests are failing in big endian platforms: https://github.com/VirusTotal/yara/actions/runs/5960808590/job/16168792006

That's weird @plusvic , they seemed to be working before (https://github.com/VirusTotal/yara/actions/runs/5772402091/job/15647348631). I'll debug what is failing in the tests and get back to you.

@BitsOfBinary BitsOfBinary mentioned this pull request Aug 24, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@plusvic plusvic plusvic approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
v4.4
Development

Successfully merging this pull request may close these issues.
2 participants
@BitsOfBinary @plusvic