Added pe.version_info_list with the list of all version info records (

VirusTotal#1509) Co-authored-by: Victor M. Alvarez <[email protected]>
refractionPOINT · Nov 17, 2022 · 8b8f914 · 8b8f914
1 parent c56bc68
commit 8b8f914
Show file tree

Hide file tree

Showing 4 changed files with 42 additions and 0 deletions.
diff --git a/docs/modules/pe.rst b/docs/modules/pe.rst
@@ -792,6 +792,20 @@ Reference
 
     *Example:  pe.version_info["CompanyName"] contains "Microsoft"*
 
+.. c:type:: version_info_list
+
+    Array of structures containing information about the PE's version information.
+
+    .. c:member:: key
+
+        Key of version information.
+
+    .. c:member:: value
+
+        Value of version information.
+
+    *Example:  pe.version_info_list[0].value contains "Microsoft"*
+
 .. c:type:: number_of_signatures
 
     Number of authenticode signatures in the PE.

diff --git a/libyara/include/yara/pe_utils.h b/libyara/include/yara/pe_utils.h
@@ -68,6 +68,7 @@ typedef struct _PE
   IMPORTED_DLL* imported_dlls;
 
   uint32_t resources;
+  uint32_t version_infos;
 
 } PE;
 

diff --git a/libyara/modules/pe/pe.c b/libyara/modules/pe/pe.c
@@ -661,6 +661,12 @@ static void pe_parse_version_info(PIMAGE_RESOURCE_DATA_ENTRY rsrc_data, PE* pe)
             strlcpy_w(value, string_value, sizeof(value));
 
             set_string(value, pe->object, "version_info[%s]", key);
+
+            set_string(
+                key, pe->object, "version_info_list[%i].key", pe->version_infos);
+            set_string(
+                value, pe->object, "version_info_list[%i].value", pe->version_infos);
+            pe->version_infos += 1;
           }
         }
 
@@ -1790,6 +1796,7 @@ static void pe_parse_header(PE* pe, uint64_t base_address, int flags)
       pe, (RESOURCE_CALLBACK_FUNC) pe_collect_resources, (void*) pe);
 
   set_integer(pe->resources, pe->object, "number_of_resources");
+  set_integer(pe->version_infos, pe->object, "number_of_version_infos");
 
   section = IMAGE_FIRST_SECTION(pe->header);
 
@@ -2879,9 +2886,15 @@ begin_declarations
   declare_integer("entry_point_raw");
   declare_integer("image_base");
   declare_integer("number_of_rva_and_sizes");
+  declare_integer("number_of_version_infos");
 
   declare_string_dictionary("version_info");
 
+  begin_struct_array("version_info_list");
+    declare_string("key");
+    declare_string("value");
+  end_struct_array("version_info_list");
+
   declare_integer("opthdr_magic");
   declare_integer("size_of_code");
   declare_integer("size_of_initialized_data");
@@ -3484,6 +3497,7 @@ int module_load(
         pe->header = pe_header;
         pe->object = module_object;
         pe->resources = 0;
+        pe->version_infos = 0;
 
         module_object->data = pe;
 

diff --git a/tests/test-pe.c b/tests/test-pe.c
@@ -359,6 +359,19 @@ int main(int argc, char** argv)
       }",
       "tests/data/mtxex.dll");
 
+  assert_true_rule_file(
+      "import \"pe\" \
+      rule version_info_catch \
+      {\
+          condition:\
+            pe.number_of_version_infos  > 2 and\
+            for any version in pe.version_info_list : ( \
+              version.key == \"FileVersion\" and \
+              version.value == \"27.1.9.33\" \
+          ) \
+      }",
+      "tests/data/079a472d22290a94ebb212aa8015cdc8dd28a968c6b4d3b88acdd58ce2d3b885");
+
   assert_true_rule_file(
       "import \"pe\" \
       rule iequals_comparison { \
-Original file line number
+Diff line change
@@ Expand Up / @@ -68,6 +68,7 @@ typedef struct _PE @@
       IMPORTED_DLL* imported_dlls;
       uint32_t resources;
+      uint32_t version_infos;
     } PE;
@@ Expand Down @@