From 0f25029c13bda5f51c705af522b825e3a6a93358 Mon Sep 17 00:00:00 2001
From: Still Hsu <dev@stillu.cc>
Date: Thu, 24 Oct 2024 17:43:14 +0800
Subject: [PATCH] Add initial two rules

Signed-off-by: Still Hsu <dev@stillu.cc>
---
 .../linked-against-touchsocket.yml            | 27 +++++++++++++++++++
 runtime/dotnet/compiled-with-dotnet-aot.yml   | 23 ++++++++++++++++
 2 files changed, 50 insertions(+)
 create mode 100644 linking/static/touchsocket/linked-against-touchsocket.yml
 create mode 100644 runtime/dotnet/compiled-with-dotnet-aot.yml

diff --git a/linking/static/touchsocket/linked-against-touchsocket.yml b/linking/static/touchsocket/linked-against-touchsocket.yml
new file mode 100644
index 00000000..0ab8f367
--- /dev/null
+++ b/linking/static/touchsocket/linked-against-touchsocket.yml
@@ -0,0 +1,27 @@
+rule:
+  meta:
+    name: linked against TouchSocket
+    namespace: linking/static/touchsocket
+    authors:
+      - still@teamt5.org
+    description: TouchSocket is a .NET networking library, supporting a wide variety of protocol types such as WebSocket, RPC, DMTP, Modbus, and more.
+    scopes:
+      static: file
+      dynamic: file
+    references:
+      - https://github.com/RRQM/TouchSocket/
+      - https://www.trendmicro.com/en_us/research/24/i/earth-preta-new-malware-and-strategies.html
+    examples:
+      - 3c45678eab01d28a971783263e8d1f73c0e6e989734121c1ae25f99ac6cb4e52
+  features:
+    - and:
+      - or:
+        - match: compiled to the .NET platform
+        - match: compiled with .NET AoT
+      - 3 or more:
+        - substring: "TouchSocket"
+        - substring: "TouchSocket.Core"
+        - substring: "TouchSocket.Dmtp"
+        - substring: "TouchSocket.Modbus"
+        - substring: "BinarySerialize"
+        - substring: "BinaryDeserialize"
diff --git a/runtime/dotnet/compiled-with-dotnet-aot.yml b/runtime/dotnet/compiled-with-dotnet-aot.yml
new file mode 100644
index 00000000..d8fe84e5
--- /dev/null
+++ b/runtime/dotnet/compiled-with-dotnet-aot.yml
@@ -0,0 +1,23 @@
+rule:
+  meta:
+    name: compiled with .NET AoT
+    namespace: runtime/dotnet
+    authors:
+      - still@teamt5.org
+    description: compiled using .NET Ahead-of-Time (AoT) compilation
+    scopes:
+      static: file
+      dynamic: file
+    references:
+      - https://learn.microsoft.com/en-us/dotnet/core/deploying/native-aot/
+    examples:
+      - 3c45678eab01d28a971783263e8d1f73c0e6e989734121c1ae25f99ac6cb4e52
+  features:
+    - and:
+      - substring: ".NETCoreApp,Version="
+      - 2 or more:
+        - substring: "AotAnalysis4IL"
+        - substring: "https://aka.ms/nativeaot-compatibilit"
+        - substring: "removed by the AOT compiler"
+        - substring: "\\native\\"
+          description: During compilation, the output by default contains the path "native," which is then in turn included in the PDB path.