feat: keep in dotnet resources that are not in the file

Only store the name of the resource and keep the other fields unset.
vthib · Jun 6, 2024 · b2fa436 · b2fa436
1 parent 449c5fc
commit b2fa436
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 21 deletions.
diff --git a/boreal/src/module/dotnet.rs b/boreal/src/module/dotnet.rs
@@ -1429,30 +1429,32 @@ impl<'data> TablesData<'data> {
             self.data.skip(4)?;
             let name = self.read_string()?;
             let implementation = read_index(&mut self.data, self.implementation_index_size)?;
-            if implementation != 0 {
-                // Resource is not in this file, so ignore
-                continue;
-            }
 
-            // Offset is relative to the resource entry in this file.
-            let Some(real_offset) = self
-                .resource_base
-                .and_then(|base| base.checked_add(u64::from(offset)))
-            else {
-                continue;
-            };
+            let (real_offset, length) = if implementation == 0 {
+                // Resource is in this file, retrieve offset and length
 
-            // We can get the length from reading into the entry
-            // XXX: this comes from the yara logic, I haven't really understood where
-            // this length comes from
-            let Ok(length) = self.mem.read_at::<U32<LE>>(real_offset) else {
-                continue;
+                // Offset is relative to the resource entry in this file.
+                let real_offset = self
+                    .resource_base
+                    .and_then(|base| base.checked_add(u64::from(offset)));
+
+                // We can get the length from reading into the entry
+                // XXX: this comes from the yara logic, I haven't really understood where
+                // this length comes from
+                let length = real_offset
+                    .and_then(|offset| self.mem.read_at::<U32<LE>>(offset).ok())
+                    .map(|v| v.get(LE));
+
+                // Add 4 to skip the length we just read
+                (real_offset.and_then(|v| v.checked_add(4)), length)
+            } else {
+                (None, None)
             };
 
             resources.push(Value::object([
                 // Add 4 to skip the size we just read
-                ("offset", real_offset.checked_add(4).into()),
-                ("length", length.get(LE).into()),
+                ("offset", real_offset.into()),
+                ("length", length.into()),
                 ("name", name.map(Value::bytes).into()),
             ]));
         }

diff --git a/boreal/tests/it/dotnet.rs b/boreal/tests/it/dotnet.rs
@@ -130,7 +130,16 @@ rule ar4 {
         dotnet.assembly_refs[4].version.minor == 35720 and
         dotnet.assembly_refs[4].version.build_number == 283 and
         dotnet.assembly_refs[4].version.revision_number == 212
-}"##,
+}
+
+rule resources {
+    condition:
+        dotnet.number_of_resources == 1 and
+        dotnet.resources[0].name == "_my.Resource.Public?" and
+        not defined dotnet.resources[0].length and
+        not defined dotnet.resources[0].offset
+}
+"##,
     );
 
     let mem = std::fs::read("tests/assets/dotnet/assembly.dll").unwrap();
@@ -143,6 +152,7 @@ rule ar4 {
             "default:ar2",
             "default:ar3",
             "default:ar4",
+            "default:resources",
         ],
     );
 }
@@ -889,8 +899,6 @@ fn test_coverage_types2() {
 }
 
 #[test]
-// FIXME: Broken compat with YARA 4.5.1
-#[ignore]
 fn test_coverage_assembly() {
     let diffs = [];
     let path = "tests/assets/dotnet/assembly.dll";