# Licensed to Elasticsearch B.V. under one or more contributor
# license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright
# ownership. Elasticsearch B.V. licenses this file to you under
# the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
---
# ECS field set for Mach-O (Mach Object) executable metadata. Per `reusable.expected`
# below, these fields are only ever emitted nested under `file.macho.*` and
# `process.macho.*`; the whole set is marked beta.
- name: macho
  title: Mach-O Header
  group: 2
  description: >
    These fields contain Mac OS Mach Object file format (Mach-O) metadata.
  beta: >
    These fields are in beta and are subject to change.
  type: group
  reusable:
    top_level: false
    expected:
      - at: file
        as: macho
        beta: This field reuse is beta and subject to change.
      - at: process
        as: macho
        beta: This field reuse is beta and subject to change.
  fields:
    # Go-specific import fingerprint; the description states it excludes the Go
    # standard library and links the reference implementation of the algorithm.
    - name: go_import_hash
      short: A hash of the Go language imports in a Mach-O file.
      description: >
        A hash of the Go language imports in a Mach-O file excluding standard library imports.
        An import hash can be used to fingerprint binaries even after recompilation or other
        code-level transformations have occurred, which would change more traditional hash values.
        The algorithm used to calculate the Go symbol hash and a reference implementation
        are available [here](https://github.com/elastic/toutoumomoma).
      # NOTE(review): the example hashes in this file are plain (unquoted) scalars. They
      # parse as strings only because they contain hex letters; an all-digit example
      # would be read as an integer, so quote any such value if one is ever added.
      example: 10bddcb4cee42080f76c88d9ff964491
      type: keyword
      level: extended
    # NOTE(review): the entropy fields below are mapped as `long` with `format: number`.
    # Shannon entropy is normally fractional, so confirm the producer rounds/scales
    # before indexing, or that `long` is the intended upstream ECS choice.
    - name: go_imports_names_entropy
      description: >
        Shannon entropy calculation from the list of Go imports.
      type: long
      format: number
      level: extended
    - name: go_imports_names_var_entropy
      description: >
        Variance for Shannon entropy calculation from the list of Go imports.
      type: long
      format: number
      level: extended
    # NOTE(review): unlike `imports` further down, this list field has no
    # `normalize: [array]`; confirm whether that asymmetry is intentional.
    - name: go_imports
      description: >
        List of imported Go language element names and types.
      type: flattened
      level: extended
    - name: go_stripped
      short: Whether the file is a stripped or obfuscated Go executable.
      description: >
        Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable.
      type: boolean
      level: extended
    # Declared as a synonym for `symhash` (see the last field in this file); both
    # carry the same import-hash value under two names.
    - name: import_hash
      short: A hash of the imports in a Mach-O file.
      description: >
        A hash of the imports in a Mach-O file. An import hash can be used to
        fingerprint binaries even after recompilation or other code-level
        transformations have occurred, which would change more traditional hash values.
        This is a synonym for symhash.
      # NOTE(review): this example appears to be the MD5 of empty input, i.e. a
      # "no imports" case; a non-degenerate sample (as used for `symhash`) would be
      # more representative.
      example: d41d8cd98f00b204e9800998ecf8427e
      type: keyword
      level: extended
    - name: imports
      description: >
        List of imported element names and types.
      type: flattened
      level: extended
      normalize:
        - array
    - name: imports_names_entropy
      description: >
        Shannon entropy calculation from the list of imported element names and types.
      format: number
      type: long
      level: extended
    - name: imports_names_var_entropy
      description: >
        Variance for Shannon entropy calculation from the list of imported element names and types.
      format: number
      type: long
      level: extended
    # One nested object per section; per-section keys are the `sections.*` fields below.
    - name: sections
      short: Section information of the Mach-O file.
      description: >
        An array containing an object for each section of the Mach-O file.
        The keys that should be present in these objects are defined by sub-fields
        underneath `macho.sections.*`.
      type: nested
      level: extended
      normalize:
        # Same parsed value as the unquoted `- array` used for `imports`; the
        # quoting differs only in style.
        - "array"
    - name: sections.entropy
      description: >
        Shannon entropy calculation from the section.
      format: number
      type: long
      level: extended
    - name: sections.name
      description: >
        Mach-O Section List name.
      type: keyword
      level: extended
    - name: sections.physical_size
      description: >
        Mach-O Section List physical size.
      format: bytes
      type: long
      level: extended
    - name: sections.var_entropy
      description: >
        Variance for Shannon entropy calculation from the section.
      format: number
      type: long
      level: extended
    # NOTE(review): `format: string` here differs from the `bytes` format on
    # `sections.physical_size`, even though the description says the two values are
    # always equal; confirm whether the mismatch is intentional.
    - name: sections.virtual_size
      description: >
        Mach-O Section List virtual size. This is always the same as `physical_size`.
      format: string
      type: long
      level: extended
    # Same value as `import_hash` above; the description positions it as the Mach-O
    # counterpart of the Windows PE imphash.
    - name: symhash
      short: A hash of the imports in a Mach-O file.
      description: >
        A hash of the imports in a Mach-O file. An import hash can be used to
        fingerprint binaries even after recompilation or other code-level
        transformations have occurred, which would change more traditional hash values.
        This is a Mach-O implementation of the Windows PE imphash
      example: d3ccf195b62a9279c3c19af1080497ec
      type: keyword
      level: extended