malwaredb-types 0.2.1

Data types and parsers for MalwareDB.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30

## Malware DB Types
[![Test](https://github.com/malwaredb/malwaredb-rs/actions/workflows/test.yml/badge.svg)](https://github.com/malwaredb/malwaredb-rs/actions/workflows/test.yml)[![Lint](https://github.com/malwaredb/malwaredb-rs/actions/workflows/lint.yml/badge.svg)](https://github.com/malwaredb/malwaredb-rs/actions/workflows/lint.yml)[![Cross](https://github.com/malwaredb/malwaredb-rs/actions/workflows/release.yml/badge.svg)](https://github.com/malwaredb/malwaredb-rs/actions/workflows/release.yml)[![Documentation](https://docs.rs/malwaredb-types/badge.svg)](https://docs.rs/malwaredb-types/)[![Crates.io Version](https://img.shields.io/crates/v/malwaredb-types)](https://crates.io/crates/malwaredb-types)

**Note:** These parsers are designed to extract potentially useful features from various file types. They are in **no way** designed to be complete representations of their respective file format. That said, contributions are welcome to extract additional features/information, to add support for a new file format, or to make general improvements!

This crate contains the logic for parsing some executable and document datatypes, and for determining if a Zip file is an MS Office document or an archive of files.

Executable Types:
* ELF (feature flag `elf`, default)
* Mach-O and Fat Mach-O (feature flag `macho`, default). Fat Mach-O's embedded Mach-O binaries are extracted and processed as child elements.
* PE32 (feature flag `pe32`, default)
* PEF (feature flag `pef`, not default and probably not useful)

For each executable, the goal is to extract:
* Section information: names, sizes, entropy
* Import data
* Architecture & endianness
* Operating System
* Pointer size (32 vs 64-bit)
* Binary type (object file, executable, library, etc.)

Some complications:
* How to get the imports for ELFs? [Go has this figured out](https://github.com/golang/go/blob/74a9d283e4d498b78521f4a40c23b4c3f5ff7387/src/debug/elf/file.go#L1473), but I haven't been able to replicate. Goblin issue [#363](https://github.com/m4b/goblin/issues/363).
* Should I ditch the custom parsers for [Goblin](https://github.com/m4b/goblin)? It would allow me to get Authenticode data from PE32 files, but I worry it won't be tolerant to malformed files (as malware tends to be).

Document Types:
* PDF via [pdf](https://github.com/pdf-rs/pdf) (feature flag `pdf`, default)
* RTF *currently incomplete* (feature flag `rtf`, default)
* Office95 (docfile) *currently incomplete* (feature flag `office95`, default)
* Office XML (`.docx`, `.xlsx`, etc) *currently incomplete* (feature flag `officexml`, default)