Skip BA2021 Analysis on .NET R2R & NativeAOT PE on non-Windows Platforms

This change skips analysis when it finds non-Windows .NET R2R & NativeAOT PE's. The reason for this is the DoNotMarkWritableSectionsAsExecutable is Windows specific and R2R/NativeAOT do not follow Windows layout rules on non-Windows platforms. Fixes microsoft#970
steveisok · Oct 4, 2024 · dad86d0 · dad86d0
1 parent aa28314
commit dad86d0
Show file tree

Hide file tree

Showing 4 changed files with 30 additions and 0 deletions.
diff --git a/src/BinSkim.Rules/PERules/BA2021.DoNotMarkWritableSectionsAsExecutable.cs b/src/BinSkim.Rules/PERules/BA2021.DoNotMarkWritableSectionsAsExecutable.cs
@@ -47,6 +47,18 @@ public override AnalysisApplicability CanAnalyzePE(PEBinary target, BinaryAnalyz
  PE portableExecutable = target.PE;
  AnalysisApplicability result = AnalysisApplicability.NotApplicableToSpecifiedTarget;
 
+ PEBinary target = context.PEBinary();
+ if (target.PE.PEHeaders.CorHeader != null)
+ {
+ CoffHeader coffHeader = target.PE.PEHeaders.CoffHeader;
+
+ // .NET does not follow Windows layout rules on non-Windows platforms.
+ // The Machine value in the CoffHeader for Windows ARM64 will not be the same for Linux ARM64.
+ // As a result, we can detect .NET PE's that are non-Windows and skip.
+ reasonForNotAnalyzing = MetadataConditions.ImageIsNonWindowsDotNetAssembly;
+ if (IsNonWindowsMachineTarget(coffHeader.Machine)) { return result; }
+ }
+
  reasonForNotAnalyzing = MetadataConditions.ImageIsKernelModeBinary;
  if (portableExecutable.IsKernelMode) { return result; }
 
@@ -116,5 +128,10 @@ public override void Analyze(BinaryAnalyzerContext context)
  context.CurrentTarget.Uri.GetFileName(),
  badSectionsText));
  }
+
+ private bool IsNonWindowsMachineTarget(Machine machine)
+ {
+ return (machine & (Machine.Amd64 | Machine.Arm | Machine.Arm64));
+ }
  }
 }
diff --git a/src/BinSkim.Sdk/MetadataConditions.cs b/src/BinSkim.Sdk/MetadataConditions.cs
@@ -41,6 +41,7 @@ public static class MetadataConditions
  public static readonly string ImageIsDotNetCoreEntryPointDll = SdkResources.MetadataCondition_ImageIsDotNetCoreEntryPointDll;
  public static readonly string ImageCompiledWithOutdatedTools = SdkResources.MetadataCondition_ImageCompiledWithOutdatedTools;
  public static readonly string ImageIsDotNetNativeBootstrapExe = SdkResources.MetadataCondition_ImageIsDotNetNativeBootstrapExe;
+ public static readonly string ImageIsNonWindowsDotNetAssembly = SdkResources.MetadataCondition_ImageIsNonWindowsDotNetAssembly;
  public static readonly string ImageIsPreVersion7WindowsCEBinary = SdkResources.MetadataCondition_ImageIsPreVersion7WindowsCEBinary;
  public static readonly string MachOIsNotExecutableDynamicLibraryOrObject = SdkResources.MetadataCondition_MachOIsNotExecutableDynamicLibraryOrObject;
  public static readonly string ImageIsNativeUniversalWindowsPlatformBinary = SdkResources.MetadataCondition_ImageIsNativeUniversalWindowsPlatformBinary;

diff --git a/src/BinSkim.Sdk/SdkResources.Designer.cs b/src/BinSkim.Sdk/SdkResources.Designer.cs
diff --git a/src/BinSkim.Sdk/SdkResources.resx b/src/BinSkim.Sdk/SdkResources.resx
@@ -222,6 +222,9 @@
  <data name="MetadataCondition_ImageIsDotNetNativeBootstrapExe" xml:space="preserve">
  <value>image is a .NET native bootstrap exe</value>
  </data>
+ <data name="MetadataCondition_ImageIsNonWindowsDotNetAssembly" xml:space="preserve">
+ <value>image is a non-Windows .NET R2R or NativeAOT assembly</value>
+ </data>
  <data name="Verbose_ReplaceWithLevelAndKind" xml:space="preserve">
  <value>use --level and --kind</value>
  </data>