Crate malwaredb_types

Expand description

§MalwareDB Types

Note: These parsers are designed to extract potentially useful features from various file types. They are in no way designed to be complete representations of their respective file format. That said, contributions are welcome to extract additional features/information, to add support for a new file format, or to make general improvements!

This crate contains the logic for parsing some executable and document datatypes, and for determining if a Zip file is an MS Office document or an archive of files.

Executable Types:

ELF (feature flag elf, default)
Mach-O and Fat Mach-O (feature flag macho, default). Fat Mach-O’s embedded Mach-O binaries are extracted and processed as child elements.
PE32 (feature flag pe32, default)
PEF (feature flag pef, not default and probably not useful)

For each executable, the goal is to extract:

Section information: names, sizes, entropy
Import data
Target: architecture, operating system, endianness, pointer size (32 vs 64-bit)
Binary type (object file, executable, library, etc.)

Some complications:

How to get the imports for ELFs? Go has this figured out, but I haven’t been able to replicate. Goblin issue #363.
Should I ditch the custom parsers for Goblin? It would allow me to get Authenticode data from PE32 files, but I worry it won’t be tolerant to malformed files (as malware tends to be).

Document Types:

PDF via pdf (feature flag pdf, default)
RTF currently incomplete (feature flag rtf, default)

There should be a simple way to represent the needed data so the component which stores the data in the database doesn’t have to be aware of file formats.

Modules§

doc: Document types
exec: Executable types
utils: Convenience functions to aid with parsing

Enums§

KnownType: Types known to MalwareDB
Ordering: Byte ordering

Constants§

MDB_VERSION: MDB version

Traits§