More i386 xrefs

mandiant · Nov 9, 2023 · afe9a48 · afe9a48
1 parent 9405cb8
commit afe9a48
Show file tree

Hide file tree

Showing 2 changed files with 37 additions and 2 deletions.
diff --git a/floss/language/rust/extract.py b/floss/language/rust/extract.py
@@ -10,7 +10,13 @@
 import binary2strings as b2s
 
 from floss.results import StaticString, StringEncoding
-from floss.language.utils import find_lea_xrefs, find_mov_xrefs, find_push_xrefs, get_struct_string_candidates
+from floss.language.utils import (
+    find_lea_xrefs,
+    find_mov_xrefs,
+    find_push_xrefs,
+    get_raw_xrefs_rdata_i386,
+    get_struct_string_candidates,
+)
 
 logger = logging.getLogger(__name__)
 
@@ -151,7 +157,8 @@ def get_string_blob_strings(pe: pefile.PE, min_length: int) -> Iterable[StaticSt
         xrefs_lea = find_lea_xrefs(pe)
         xrefs_push = find_push_xrefs(pe)
         xrefs_mov = find_mov_xrefs(pe)
-        xrefs = itertools.chain(struct_string_addrs, xrefs_lea, xrefs_push, xrefs_mov)
+        xrefs_raw_rdata = get_raw_xrefs_rdata_i386(pe, rdata_section.get_data())
+        xrefs = itertools.chain(struct_string_addrs, xrefs_lea, xrefs_push, xrefs_mov, xrefs_raw_rdata)
 
     elif pe.FILE_HEADER.Machine == pefile.MACHINE_TYPE["IMAGE_FILE_MACHINE_AMD64"]:
         xrefs_lea = find_lea_xrefs(pe)

diff --git a/floss/language/utils.py b/floss/language/utils.py
@@ -465,6 +465,34 @@ def get_struct_string_candidates(pe: pefile.PE) -> Iterable[StructString]:
             # dozens of seconds or more (suspect many minutes).
 
 
+def get_raw_xrefs_rdata_i386(pe: pefile.PE, buf: bytes) -> Iterable[VA]:
+    """
+    scan for raw xrefs in .rdata section
+    """
+    format = "I"
+
+    if not buf:
+        return
+
+    low, high = get_image_range(pe)
+
+    # using array module as a high-performance way to access the data as fixed-sized words.
+    words = iter(array.array(format, buf))
+
+    last = next(words)
+    for current in words:
+        address = last
+        last = current
+
+        if address == 0x0:
+            continue
+
+        if not (low <= address < high):
+            continue
+
+        yield address
+
+
 def get_extract_stats(
     pe: pefile, all_ss_strings: List[StaticString], lang_strings: List[StaticString], min_len: int, min_blob_len=0
 ) -> float: