Better representation of flags in YAML output
Many file formats contain integer fields that are really sets of flags (each bit has a particular meaning). For instance, the characteristics field in the PE header is one of those fields, where each bit represents a specific characteristic. Currently, when the output of the pe module is emitted in YAML format, it shows the characteristics field as a plain integer:
characteristics: 271
This is not human-readable, because the value 271 doesn't mean anything by itself. Showing the field in hex form doesn't help much either:
characteristics: 0x10f
It would be very helpful to show something like:
characteristics: 0x10f # MACHINE_32BIT | LOCAL_SYMS_STRIPPED | LINE_NUMS_STRIPPED | EXECUTABLE_IMAGE | RELOCS_STRIPPED
The comment lists the individual bits that are set in the 0x10f value.
This could be implemented by adding a new modifier for fields in the .proto file.
message PE {
...
required uint32 characteristics = 3 [(yaml.field).fmt = "flags:pe.Characteristics"];
...
}
enum Characteristics {
option (yara.enum_options).inline = true;
RELOCS_STRIPPED = 0x0001;
EXECUTABLE_IMAGE = 0x0002;
LINE_NUMS_STRIPPED = 0x0004;
LOCAL_SYMS_STRIPPED = 0x0008;
AGGRESIVE_WS_TRIM = 0x0010;
LARGE_ADDRESS_AWARE = 0x0020;
BYTES_REVERSED_LO = 0x0080;
MACHINE_32BIT = 0x0100;
DEBUG_STRIPPED = 0x0200;
REMOVABLE_RUN_FROM_SWAP = 0x0400;
NET_RUN_FROM_SWAP = 0x0800;
SYSTEM = 0x1000;
DLL = 0x2000;
UP_SYSTEM_ONLY = 0x4000;
BYTES_REVERSED_HI = 0x8000;
}
The annotation [(yaml.field).fmt = "flags:pe.Characteristics"] next to the characteristics field indicates that this field must be interpreted as a set of flags, where the enum defining the flag values is named Characteristics.
NOTE: It's important to check at some point that each value in the enum has one and only one bit set. An enum with the values 1, 2, 3, 4, 5 is not suitable to be used as flags.
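As an added illustration (not YARA-X code), this Rust snippet does both things the proposal asks for: it validates that the enum is usable as a flag set (the check in the NOTE) and renders a value in the `0x10f # A | B` form shown above, highest bit first. The enum table is copied from the proposal; the UNKNOWN(0x..) rendering for bits the enum does not name is an assumption about how such bits should be handled.

```rust
/// The pe.Characteristics values from the proposal, as (name, bit) pairs.
const CHARACTERISTICS: &[(&str, u32)] = &[
    ("RELOCS_STRIPPED", 0x0001),
    ("EXECUTABLE_IMAGE", 0x0002),
    ("LINE_NUMS_STRIPPED", 0x0004),
    ("LOCAL_SYMS_STRIPPED", 0x0008),
    ("AGGRESIVE_WS_TRIM", 0x0010),
    ("LARGE_ADDRESS_AWARE", 0x0020),
    ("BYTES_REVERSED_LO", 0x0080),
    ("MACHINE_32BIT", 0x0100),
    ("DEBUG_STRIPPED", 0x0200),
    ("REMOVABLE_RUN_FROM_SWAP", 0x0400),
    ("NET_RUN_FROM_SWAP", 0x0800),
    ("SYSTEM", 0x1000),
    ("DLL", 0x2000),
    ("UP_SYSTEM_ONLY", 0x4000),
    ("BYTES_REVERSED_HI", 0x8000),
];

/// The proposal's NOTE: every value must have exactly one bit set, otherwise decoding is ambiguous.
fn validate_flag_enum(flags: &[(&str, u32)]) -> Result<(), String> {
    for &(name, v) in flags {
        if v == 0 || v & (v - 1) != 0 {
            return Err(format!("{name} = {v:#x} is not a single-bit flag"));
        }
    }
    Ok(())
}

/// Renders `value` as `0x10f # A | B | C`, highest bit first. Set bits that no
/// enum variant names are reported as UNKNOWN(0x..) rather than silently dropped.
fn format_flags(value: u32, flags: &[(&str, u32)]) -> String {
    let names: Vec<String> = (0..32).rev()
        .filter(|&i| value & (1 << i) != 0)
        .map(|i| match flags.iter().find(|&&(_, bit)| bit == 1 << i) {
            Some(&(name, _)) => name.to_string(),
            None => format!("UNKNOWN({:#x})", 1u32 << i),
        })
        .collect();
    if names.is_empty() {
        format!("{value:#x}")
    } else {
        format!("{value:#x} # {}", names.join(" | "))
    }
}

fn main() {
    validate_flag_enum(CHARACTERISTICS).expect("enum is not usable as flags");
    println!("characteristics: {}", format_flags(0x10f, CHARACTERISTICS));
}
```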