Skip to content

Commit

Permalink
Add initial two rules
Browse files Browse the repository at this point in the history
Signed-off-by: Still Hsu <[email protected]>
  • Loading branch information
Still34 committed Oct 24, 2024
1 parent 125419b commit 0f25029
Show file tree
Hide file tree
Showing 2 changed files with 50 additions and 0 deletions.
27 changes: 27 additions & 0 deletions linking/static/touchsocket/linked-against-touchsocket.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,27 @@
rule:
meta:
name: linked against TouchSocket
namespace: linking/static/touchsocket
authors:
- [email protected]
description: TouchSocket is a .NET networking library, supporting a wide variety of protocol types such as WebSocket, RPC, DMTP, Modbus, and more.
scopes:
static: file
dynamic: file
references:
- https://github.com/RRQM/TouchSocket/
- https://www.trendmicro.com/en_us/research/24/i/earth-preta-new-malware-and-strategies.html
examples:
- 3c45678eab01d28a971783263e8d1f73c0e6e989734121c1ae25f99ac6cb4e52
features:
- and:
- or:
- match: compiled to the .NET platform
- match: compiled with .NET AoT
- 3 or more:
- substring: "TouchSocket"
- substring: "TouchSocket.Core"
- substring: "TouchSocket.Dmtp"
- substring: "TouchSocket.Modbus"
- substring: "BinarySerialize"
- substring: "BinaryDeserialize"
23 changes: 23 additions & 0 deletions runtime/dotnet/compiled-with-dotnet-aot.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
rule:
meta:
name: compiled with .NET AoT
namespace: runtime/dotnet
authors:
- [email protected]
description: compiled using .NET Ahead-of-Time (AoT) compilation
scopes:
static: file
dynamic: file
references:
- https://learn.microsoft.com/en-us/dotnet/core/deploying/native-aot/
examples:
- 3c45678eab01d28a971783263e8d1f73c0e6e989734121c1ae25f99ac6cb4e52
features:
- and:
- substring: ".NETCoreApp,Version="
- 2 or more:
- substring: "AotAnalysis4IL"
- substring: "https://aka.ms/nativeaot-compatibilit"
- substring: "removed by the AOT compiler"
- substring: "\\native\\"
description: During compilation, the output by default contains the path "native," which is then in turn included in the PDB path.

0 comments on commit 0f25029

Please sign in to comment.