feat: add pe.export_details[*].rva value

This mirrors the changes done in YARA's PR #1882.
vthib · Feb 16, 2024 · 7597d3f · 7597d3f
1 parent 1a8a8cd
commit 7597d3f
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 1 deletion.
diff --git a/boreal/src/module/pe.rs b/boreal/src/module/pe.rs
@@ -954,6 +954,7 @@ impl Module for Pe {
                     ("name", Type::Bytes),
                     ("forward_name", Type::Bytes),
                     ("ordinal", Type::Integer),
+                    ("rva", Type::Integer),
                 ])),
             ),
             (
@@ -1667,6 +1668,7 @@ fn add_exports(
                         },
                     ),
                     ("forward_name", forward_name.into()),
+                    ("rva", address.into()),
                 ])
             })
             .collect();

diff --git a/boreal/tests/it/libyara_compat/pe.rs b/boreal/tests/it/libyara_compat/pe.rs
@@ -545,6 +545,10 @@ fn test_pe() {
           pe.export_details[0].offset == 1072 and
           pe.export_details[0].name == \"DllGetClassObject\" and
           pe.export_details[0].ordinal == 1 and
+          pe.export_details[0].rva == 0x1030 and
+          pe.export_details[1].rva == 0x267d and
+          pe.export_details[2].rva == 0x26a8 and
+          pe.export_details[3].rva == 0x26ca and
           pe.export_details[1].forward_name == \"COMSVCS.GetObjectContext\"
       }",
         "tests/assets/libyara/data/mtxex.dll",
@@ -599,7 +603,8 @@ fn test_pe() {
         "import \"pe\"
       rule test {
         condition:
-          pe.export_details[0].name == \"CP_PutItem\"
+          pe.export_details[0].name == \"CP_PutItem\" and
+          pe.export_details[0].rva == 0x106c
       }",
         "tests/assets/libyara/data/079a472d22290a94ebb212aa8015cdc8dd28a968c6b4d3b88acdd58ce2d3b885.upx",
         true,