fix: improve ELF OS detection with Linux fallback #15

Merged
marirs merged 3 commits into marirs:master from jorgeaduran:master
Jul 12, 2025
Conversation

jorgeaduran (Contributor) commented Jul 12, 2025

Change UNDEFINED (0x00) ELF OS identifier to default to Linux instead

  • Add Linux fallback for unknown/unsupported ELF OS values
  • Improve detection accuracy for ELF binaries without clear OS markers
  • Better support for Android and other Linux-based systems

feat: add lazy static regex compilation for performance

  • Pre-compile frequently used regex patterns at startup
  • Add RE_NUMBER_HEX_SPACED, RE_NUMBER_INT_SPACED and variants
  • Reduce regex compilation overhead in number parsing hot paths
  • Improve overall parsing performance for large rule sets

refactor: enhance statement parsing with CommandType enum

  • Add CommandType enum to categorize different statement types
  • Extract common logic into extract_elements_and_description helper
  • Simplify subscope creation with wrap_and_subscope helper function
  • Improve code maintainability and reduce duplication in rule parsing

fix: handle negative numbers properly in feature extraction

  • Mask negative values to u32 for consistent representation
  • Maintain original signed values for OperandNumber features
  • Prevent overflow issues during feature processing
  • Ensure deterministic behavior across different architectures

feat: improve API resolution with highest address lookup

  • Add find_highest_address_for_symbol method for better symbol resolution
  • Implement smarter API candidate selection logic using highest addresses
  • Enhance thunk chain resolution with proper termination conditions
  • More accurate API feature extraction for complex binaries

- fix: improve ELF OS detection fallback to Linux
- feat: add global features to instruction extraction
- feat: support LEA instructions in offset parsing
- refactor: improve number parsing from operands
- fix: handle negative numbers in features
- feat: improve API resolution with highest address
- refactor: clean DLL names and improve symbol generation
- feat: add newlines to string detection charset
- fix: correct absolute positioning in PE carving
- add SubscopeInstructionEvaluator for instruction-level matching
- implement instruction scope evaluation logic
- update SubscopeStatement to handle different scope types
- standardize Hash trait imports and implementations
- enable regex error debugging output
- add global and format features to dotnet instruction extraction
- add Error MatchRuleNotFound with better dependency handling
- improve thread join error handling for rule loading
- simplify file capabilities matching logic
- refactor statement parsing with CommandType enum and helper functions
- add instruction rules getter function
- optimize namespace path generation with scan iterator
- upgrade version goblin
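The first change in the list, defaulting an ELF OSABI of 0x00 to Linux, is worth seeing in isolation: Linux toolchains normally write ELFOSABI_NONE (0x00, the generic System V value) rather than ELFOSABI_LINUX (0x03), so a classifier that only accepts 0x03 misses most Linux and Android binaries. The block below is an added example written for this page, not code from this PR or from the project; it uses only the standard library (the project parses ELF with goblin), and the OSABI numbers come from the ELF specification. The `(os, was_fallback)` return shape is this example's own choice so that a caller can log when the fallback, rather than an explicit marker, decided the OS.

```rust
// Added example: map an ELF e_ident[EI_OSABI] byte to an OS, defaulting to
// Linux for ELFOSABI_NONE (0x00) and for any unrecognised value.
// Standard library only; the OSABI constants are from the ELF specification.

/// Operating system derived from an ELF header.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum ElfOs {
    Linux,
    Hpux,
    NetBsd,
    Solaris,
    Aix,
    FreeBsd,
    OpenBsd,
}

/// Reasons the input cannot be read as an ELF header.
#[derive(Debug, PartialEq, Eq)]
pub enum ElfError {
    TooShort,
    BadMagic,
}

const ELF_MAGIC: [u8; 4] = [0x7f, b'E', b'L', b'F'];
const EI_OSABI: usize = 7; // offset of the OSABI byte inside e_ident
const EI_NIDENT: usize = 16; // size of e_ident

/// Map an OSABI value to an OS. ELFOSABI_NONE (0x00) is what Linux
/// toolchains emit, so it and any unknown value fall back to Linux.
/// Returns (os, was_fallback) so callers can record that the fallback fired.
pub fn os_from_osabi(osabi: u8) -> (ElfOs, bool) {
    match osabi {
        0x01 => (ElfOs::Hpux, false),
        0x02 => (ElfOs::NetBsd, false),
        0x03 => (ElfOs::Linux, false), // ELFOSABI_LINUX (GNU)
        0x06 => (ElfOs::Solaris, false),
        0x07 => (ElfOs::Aix, false),
        0x09 => (ElfOs::FreeBsd, false),
        0x0c => (ElfOs::OpenBsd, false),
        0x00 => (ElfOs::Linux, true), // ELFOSABI_NONE / System V: assume Linux
        _ => (ElfOs::Linux, true),    // unknown value: same fallback
    }
}

/// Validate the ELF magic and classify the OS from the e_ident prefix.
pub fn detect_elf_os(bytes: &[u8]) -> Result<(ElfOs, bool), ElfError> {
    if bytes.len() < EI_NIDENT {
        return Err(ElfError::TooShort);
    }
    if bytes[..4] != ELF_MAGIC[..] {
        return Err(ElfError::BadMagic);
    }
    Ok(os_from_osabi(bytes[EI_OSABI]))
}

/// Constructed 16-byte e_ident for testing (not taken from a real binary).
pub fn sample_ident(osabi: u8) -> [u8; EI_NIDENT] {
    let mut ident = [0u8; EI_NIDENT];
    ident[..4].copy_from_slice(&ELF_MAGIC);
    ident[4] = 2; // EI_CLASS: ELFCLASS64
    ident[5] = 1; // EI_DATA: little-endian
    ident[6] = 1; // EI_VERSION: EV_CURRENT
    ident[EI_OSABI] = osabi;
    ident
}

fn main() {
    for osabi in [0x00u8, 0x03, 0x09, 0x42] {
        match detect_elf_os(&sample_ident(osabi)) {
            Ok((os, fallback)) => {
                println!("OSABI 0x{osabi:02x} -> {os:?} (fallback used: {fallback})")
            }
            Err(e) => println!("OSABI 0x{osabi:02x} -> error {e:?}"),
        }
    }
}
```

Surfacing the fallback flag matters for rule authors: a capability rule scoped to Linux will now also fire on an OSABI-0 binary, so a detection pipeline should record that the OS was inferred rather than declared.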
jorgeaduran (Contributor, Author) commented Jul 12, 2025

Depends on SMDA PR to make addr_to_api field public. This PR needs self.report.addr_to_api.get() access for the improved API resolution feature.
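The `addr_to_api` access mentioned above feeds the "highest address" API resolution and thunk-chain handling from the PR description. The block below is an added example for this page, not the PR's or SMDA's code: the `Report` struct, its `thunks` map, the `max_depth` budget and the rule "prefer the highest address that carries the symbol" are all this example's assumptions, chosen to show the two properties the description names, a deterministic candidate choice and a thunk walk that always terminates. Sample addresses and API names are constructed.

```rust
// Added example (not project code): pick an API candidate by highest address
// and follow jump-thunk chains with explicit termination conditions.
use std::collections::{BTreeMap, HashMap, HashSet};

/// Minimal stand-in for an analysis report (assumed shape, constructed here).
/// `addr_to_api` maps an address to the API name known there; one symbol may
/// appear at several addresses (import slot, jump stub, re-export).
/// `thunks` maps a jump-stub address to the address it forwards to.
pub struct Report {
    pub addr_to_api: BTreeMap<u64, String>,
    pub thunks: HashMap<u64, u64>,
}

impl Report {
    /// Of all addresses that carry `symbol`, return the highest one.
    /// BTreeMap iteration is ordered, so the choice is deterministic.
    pub fn find_highest_address_for_symbol(&self, symbol: &str) -> Option<u64> {
        self.addr_to_api
            .iter()
            .filter(|(_, name)| name.as_str() == symbol)
            .map(|(addr, _)| *addr)
            .max()
    }

    /// Follow jump thunks starting at `addr`. Stops with Some(addr) at the
    /// first non-thunk address; returns None on a cycle (A -> B -> A) or
    /// when more than `max_depth` hops are needed, so a corrupted or
    /// adversarial binary cannot keep the analyser looping.
    pub fn resolve_thunk_chain(&self, addr: u64, max_depth: usize) -> Option<u64> {
        let mut seen = HashSet::new();
        let mut cur = addr;
        for _ in 0..=max_depth {
            if !seen.insert(cur) {
                return None; // revisited an address: cycle
            }
            match self.thunks.get(&cur) {
                None => return Some(cur), // not a thunk: chain ends here
                Some(&next) => cur = next,
            }
        }
        None // hop budget exhausted
    }

    /// Resolve the API referenced at `addr`: follow thunks, look the target
    /// up in `addr_to_api`, then report the highest-address occurrence of
    /// that symbol as the canonical location.
    pub fn resolve_api(&self, addr: u64) -> Option<(u64, String)> {
        let target = self.resolve_thunk_chain(addr, 16)?;
        let name = self.addr_to_api.get(&target)?;
        let canonical = self.find_highest_address_for_symbol(name)?;
        Some((canonical, name.clone()))
    }
}

/// Constructed sample: one API known at two addresses, one direct API,
/// a two-hop thunk chain, and a thunk cycle.
pub fn sample_report() -> Report {
    let addr_to_api = BTreeMap::from([
        (0x1000u64, "kernel32.CreateFileA".to_string()),
        (0x2000, "kernel32.CreateFileA".to_string()),
        (0x3000, "ntdll.NtOpenFile".to_string()),
    ]);
    let thunks = HashMap::from([
        (0x4000u64, 0x4100u64), // stub -> stub
        (0x4100, 0x1000),       // stub -> import slot
        (0x5000, 0x5100),       // cycle
        (0x5100, 0x5000),
    ]);
    Report { addr_to_api, thunks }
}

fn main() {
    let report = sample_report();
    for addr in [0x4000u64, 0x3000, 0x5000, 0x9999] {
        match report.resolve_api(addr) {
            Some((canonical, name)) => println!("{addr:#x} -> {name} @ {canonical:#x}"),
            None => println!("{addr:#x} -> unresolved"),
        }
    }
}
```

The cycle and depth checks are the part to keep even if the candidate-selection policy differs: without them a hand-crafted sample with a self-referencing stub stalls rule evaluation for every file that follows it in a batch.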

@marirs marirs merged commit 7158e88 into marirs:master Jul 12, 2025
0 of 4 checks passed
2 participants