chainguard-dev / bincapz

detect malicious program behaviors
Apache License 2.0
379 stars 24 forks

Improve Kiteshield rule #254

Closed egibs closed 3 weeks ago

egibs commented 4 weeks ago

This PR is a follow-up to https://github.com/chainguard-dev/bincapz/pull/240 and implements both suggestions:

  1. Removes import "elf"
  2. Supports aarch64 in addition to x86_64

I did a bit of xxd and endianness work to help populate these, e.g.: x86_64 (0x003e):

1cedc8fb2e76:/# xxd -e -l 64 /bin/sh
00000000: 464c457f 00010102 00000000 00000000   .ELF............
00000010: 003e0003 00000001 0000b5b0 00000000   ..>.............
00000020: 00000040 00000000 00087358 00000000   @.......Xs......
00000030: 00000000 00380040 0040000d 001a001b   ....@.8...@.....

aarch64 (0x00b7):

8c95055dbbb5:/# xxd -e -l 64 /bin/sh
00000000: 464c457f 00010102 00000000 00000000   .ELF............
00000010: 00b70003 00000001 0000a780 00000000   ................
00000020: 00000040 00000000 000a0348 00000000   @.......H.......
00000030: 00000000 00380040 00400009 00180019   ....@.8...@.....

ET_EXEC (0x0002):

8c95055dbbb5:/# xxd -e -l 64 /usr/bin/go
00000000: 464c457f 00010102 00000000 00000000   .ELF............
00000010: 00b70002 00000001 000878b0 00000000   .........x......
00000020: 00000040 00000000 00b8d4e8 00000000   @...............
00000030: 00000000 00380040 00400006 000f0010   ....@.8...@.....

egibs commented 3 weeks ago
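As an added example (not code from the PR or from bincapz), the Go below rebuilds two of the headers from the `xxd -e` words shown above and decodes the fields a raw-byte rule keys on (e_type at 0x10, e_machine at 0x12), going one step further than the dumps by honouring EI_DATA so a big-endian header decodes correctly too. `fromXXD`, `ParseELF64Header`, `Header` and the sample variables are names I chose for this example.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// e_type and e_machine values the PR discusses (ET_EXEC, ET_DYN, x86_64, aarch64).
const ETExec, ETDyn, EMX8664, EMAArch64 uint16 = 0x0002, 0x0003, 0x003e, 0x00b7
// Header holds the ELF64 header fields a raw-byte rule would key on.
type Header struct {
	Type    uint16 // e_type at offset 0x10
	Machine uint16 // e_machine at offset 0x12
	Entry   uint64 // e_entry at offset 0x18
	PHNum   uint16 // e_phnum at offset 0x38
}

// fromXXD turns the 4-byte words printed by `xxd -e` (each shown as a
// little-endian value) back into file-order bytes.
func fromXXD(words ...uint32) []byte {
	b := make([]byte, 4*len(words))
	for i, w := range words {
		binary.LittleEndian.PutUint32(b[4*i:], w)
	}
	return b
}
// ParseELF64Header decodes a 64-byte ELF64 header, honouring EI_DATA.
func ParseELF64Header(b []byte) (Header, error) {
	if len(b) < 64 || string(b[:4]) != "\x7fELF" {
		return Header{}, fmt.Errorf("not an ELF header")
	}
	if b[4] != 2 { // EI_CLASS: ELF32 uses different offsets; not handled here
		return Header{}, fmt.Errorf("not ELFCLASS64")
	}
	var bo binary.ByteOrder = binary.LittleEndian
	if b[5] == 2 { // EI_DATA == ELFDATA2MSB
		bo = binary.BigEndian
	}
	return Header{Type: bo.Uint16(b[0x10:]), Machine: bo.Uint16(b[0x12:]),
		Entry: bo.Uint64(b[0x18:]), PHNum: bo.Uint16(b[0x38:])}, nil
}

// Sample input constructed from the x86_64 /bin/sh and aarch64 /usr/bin/go dumps above.
var X8664Sh = fromXXD(0x464c457f, 0x00010102, 0, 0, 0x003e0003, 1, 0x0000b5b0, 0, 0x40, 0, 0x00087358, 0, 0, 0x00380040, 0x0040000d, 0x001a001b)
var AArch64Go = fromXXD(0x464c457f, 0x00010102, 0, 0, 0x00b70002, 1, 0x000878b0, 0, 0x40, 0, 0x00b8d4e8, 0, 0, 0x00380040, 0x00400006, 0x000f0010)

func main() {
	h, err := ParseELF64Header(AArch64Go)
	fmt.Printf("type=%#04x machine=%#04x entry=%#x phnum=%d err=%v\n", h.Type, h.Machine, h.Entry, h.PHNum, err)
}
```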

Looks good. Do you mind also moving this rule to evasion/packer?

Moved in 7514889 (#254).