Fix issue while parsing .NET resources

.NET resources can be found outside the current file. Before this change those resources were being ignored, but now they are included in the `resources` array. The `name` and `length` fields are kept undefined though. So, external resources have only the `name` field set.
VirusTotal · Mar 18, 2024 · 5bf72f2 · 5bf72f2
1 parent c009195
commit 5bf72f2
Showing 1 changed file with 18 additions and 33 deletions.
diff --git a/libyara/modules/dotnet/dotnet.c b/libyara/modules/dotnet/dotnet.c
@@ -2932,10 +2932,6 @@ void dotnet_parse_tilde_2(
         index_size = 2;
 
       row_size = (4 + 4 + index_sizes.string + index_size);
-
-      // Using 'i' is insufficent since we may skip certain resources and
-      // it would give an inaccurate count in that case.
-      counter = 0;
       row_ptr = table_offset;
 
       // First DWORD is the offset.
@@ -2945,65 +2941,54 @@ void dotnet_parse_tilde_2(
           break;
 
         manifestresource_table = (PMANIFESTRESOURCE_TABLE) row_ptr;
-        resource_offset = yr_le32toh(manifestresource_table->Offset);
 
-        // Only set offset if it is in this file (implementation != 0).
-        // Can't use manifestresource_table here because the Name and
-        // Implementation fields are variable size.
         if (index_size == 4)
           implementation = yr_le32toh(
               *(DWORD*) (row_ptr + 4 + 4 + index_sizes.string));
         else
           implementation = yr_le16toh(
               *(WORD*) (row_ptr + 4 + 4 + index_sizes.string));
 
+        row_ptr += row_size;
+
+        name = pe_get_dotnet_string(
+            pe,
+            string_offset,
+            str_heap_size,
+            DOTNET_STRING_INDEX(manifestresource_table->Name));
+
+        if (name != NULL)
+          yr_set_string(name, pe->object, "resources[%i].name", i);
+
+        // Only set offset and length if it is in this file, otherwise continue
+        // with the next resource.
         if (implementation != 0)
-        {
-          row_ptr += row_size;
           continue;
-        }
+
+        resource_offset = yr_le32toh(manifestresource_table->Offset);
 
         if (!fits_in_pe(
                 pe, pe->data + resource_base + resource_offset, sizeof(DWORD)))
-        {
-          row_ptr += row_size;
           continue;
-        }
 
         resource_size = yr_le32toh(
             *(DWORD*) (pe->data + resource_base + resource_offset));
 
         if (!fits_in_pe(
                 pe, pe->data + resource_base + resource_offset, resource_size))
-        {
-          row_ptr += row_size;
           continue;
-        }
 
         // Add 4 to skip the size.
         yr_set_integer(
             resource_base + resource_offset + 4,
             pe->object,
             "resources[%i].offset",
-            counter);
-
-        yr_set_integer(
-            resource_size, pe->object, "resources[%i].length", counter);
-
-        name = pe_get_dotnet_string(
-            pe,
-            string_offset,
-            str_heap_size,
-            DOTNET_STRING_INDEX(manifestresource_table->Name));
-
-        if (name != NULL)
-          yr_set_string(name, pe->object, "resources[%i].name", counter);
+            i);
 
-        row_ptr += row_size;
-        counter++;
+        yr_set_integer(resource_size, pe->object, "resources[%i].length", i);
       }
 
-      yr_set_integer(counter, pe->object, "number_of_resources");
+      yr_set_integer(i, pe->object, "number_of_resources");
 
       table_offset += row_size * num_rows;
       break;