native

package v0.0.0-...-d728004

Warning: This package is not in the latest version of its module.

Published: Apr 15, 2026 License: MIT Imports: 9 Imported by: 0

Documentation


Constants

This section is empty.

Variables

This section is empty.

Functions

func DetectFormat

func DetectFormat(path string) string

DetectFormat reads the magic bytes at path and returns the binary format ("elf", "pe", "macho", "macho-fat") or an empty string for unrecognised formats.

func IsFatMachOMagic

func IsFatMachOMagic(b []byte) bool

IsFatMachOMagic returns true when b begins with the Mach-O fat binary magic 0xCAFEBABE (big-endian) or 0xBEBAFECA (little-endian) and the following four bytes, read as a big-endian uint32, represent an architecture count that is plausible for a fat binary (≤ 30).

The 0xCAFEBABE value is shared with Java class files. The disambiguation heuristic is reliable because:

  • Java class files store the major version number (45–65 for Java 1–21) in bytes 6–7 of the file header. The combined 4-byte field at bytes 4–7 always produces values ≥ 40 when interpreted as a big-endian uint32.
  • Fat binaries store the architecture count at bytes 4–7, which is always small (typically 2–4, maximum ~10 for universal builds).

A threshold of 30 safely separates the two: any value > 30 is treated as a Java class file (or other non-fat-binary format).

func IsMachOMagic

func IsMachOMagic(b []byte) bool

IsMachOMagic returns true for any of the four Mach-O magic values:

0xFEEDFACF (64-bit LE), 0xFEEDFACE (32-bit LE)
0xCFFAEDFE (64-bit BE), 0xCEFAEDFE (32-bit BE)
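The format detection described for DetectFormat, IsFatMachOMagic and IsMachOMagic above, as an added example that is not this package's code. The helper classifyMagic and the sample headers are constructed for illustration; the example applies the page's 30-arch threshold to separate a fat Mach-O header from a Java class file that shares the 0xCAFEBABE magic, and refuses to classify inputs too short to read the count.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// fatArchCountMax is the threshold from the page: a 0xCAFEBABE header whose
// bytes 4-7 exceed it is treated as a Java class file, not a fat binary.
const fatArchCountMax = 30

// classifyMagic is a hypothetical helper (not the package's DetectFormat).
// It classifies the first 8 bytes of a file and returns "elf", "pe", "macho",
// "macho-fat", "java-class", or "" when the header is unrecognised or short.
func classifyMagic(b []byte) string {
	if len(b) < 8 {
		// Fat-binary disambiguation needs bytes 4-7, so refuse short input
		// rather than guess from the first four bytes alone.
		return ""
	}
	// ELF and PE are identified by ASCII signatures.
	if b[0] == 0x7f && b[1] == 'E' && b[2] == 'L' && b[3] == 'F' {
		return "elf"
	}
	if b[0] == 'M' && b[1] == 'Z' {
		// Assumption for this example: the DOS "MZ" stub is enough. A full
		// check would follow e_lfanew to the "PE\0\0" signature.
		return "pe"
	}
	// Reading the first word as big-endian and comparing against all four
	// Mach-O magics covers both on-disk byte orders.
	magic := binary.BigEndian.Uint32(b[:4])
	switch magic {
	case 0xFEEDFACE, 0xFEEDFACF, 0xCEFAEDFE, 0xCFFAEDFE:
		return "macho"
	case 0xCAFEBABE, 0xBEBAFECA:
		// Bytes 4-7 hold nfat_arch in a fat binary, but minor<<16|major
		// (major >= 45) in a Java class file.
		count := binary.BigEndian.Uint32(b[4:8])
		if count <= fatArchCountMax {
			return "macho-fat"
		}
		if magic == 0xCAFEBABE {
			return "java-class"
		}
	}
	return ""
}

// sampleHeaders are constructed 8-byte headers, not taken from real files.
var sampleHeaders = map[string][]byte{
	"fat-2-arches":   {0xCA, 0xFE, 0xBA, 0xBE, 0x00, 0x00, 0x00, 0x02},
	"java-21-class":  {0xCA, 0xFE, 0xBA, 0xBE, 0x00, 0x00, 0x00, 0x41}, // minor 0, major 65
	"java-1.0-class": {0xCA, 0xFE, 0xBA, 0xBE, 0x00, 0x03, 0x00, 0x2D}, // minor 3, major 45
	"macho64-le":     {0xCF, 0xFA, 0xED, 0xFE, 0x07, 0x00, 0x00, 0x01},
	"elf64":          {0x7F, 'E', 'L', 'F', 0x02, 0x01, 0x01, 0x00},
	"pe":             {'M', 'Z', 0x90, 0x00, 0x03, 0x00, 0x00, 0x00},
	"zeros":          {0, 0, 0, 0, 0, 0, 0, 0},
}

func main() {
	for name, hdr := range sampleHeaders {
		fmt.Printf("%-15s -> %q\n", name, classifyMagic(hdr))
	}
}
```

Note the "java-1.0-class" case: a non-zero minor version lands in the high half of the word, so the value is far above 30 even for the oldest class files, which is why the threshold is safe in both directions.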

func Scan

func Scan(ctx context.Context, path string) ([]findings.UnifiedFinding, error)

Scan analyses the binary at path and returns all cryptographic findings. It detects the binary format, then runs:

  1. Byte constant scanning (entire file data)
  2. Symbol table scanning (format-specific)
  3. Dynamic library dependency scanning

Confidence is promoted per promoteConfidence rules.

func ScanFatMachO

func ScanFatMachO(ctx context.Context, path string) ([]findings.UnifiedFinding, error)

ScanFatMachO analyses a Mach-O fat (universal) binary at path and returns all cryptographic findings. It iterates each architecture slice and:

  1. Scans symbols from each arch's Symtab.
  2. Scans byte-constant patterns against the file data (once for all arches).
  3. Scans dynamic library dependencies from each arch.

Findings from multiple architecture slices are deduplicated: the same (algorithm, primitive, rawIdentifier) tuple produces a single finding. ArtifactType is set to "macho-fat" to distinguish these findings from those of a regular "macho" binary.

Types

type ConstantMatch

type ConstantMatch struct {
	// Algorithm is the canonical algorithm name (e.g. "AES").
	Algorithm string
	// Primitive is the primitive class (e.g. "symmetric").
	Primitive string
	// Offset is the byte offset within the scanned data.
	Offset int
	// PatternName is the human-readable description of the matched pattern.
	PatternName string
}

ConstantMatch records a found crypto constant in scanned data.

func ScanConstants

func ScanConstants(data []byte) []ConstantMatch

ScanConstants searches data for known cryptographic byte constant patterns. It returns one ConstantMatch per unique occurrence found.
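An added example of the byte-constant scanning that ScanConstants performs; this is illustrative code, not the package's implementation, and knownConstants, scanConstants and sampleData are constructed here. The table lists a few well-known constants (SHA-256 initial hash words, the start of the AES S-box, an MD5 round constant) in the byte order a compiled binary actually stores them, and the scanner reports one match per distinct occurrence, sorted by offset.

```go
package main

import (
	"bytes"
	"fmt"
	"sort"
)

// constantMatch is a local type with the same fields as the page's ConstantMatch.
type constantMatch struct {
	Algorithm   string
	Primitive   string
	Offset      int
	PatternName string
}

// constantPattern pairs a byte sequence with the algorithm it evidences.
type constantPattern struct {
	algorithm, primitive, name string
	bytes                      []byte
}

// knownConstants is a small constructed table. A real scanner carries many
// more entries; a word constant is listed in both byte orders because a
// little-endian target stores 0x6a09e667 on disk as 67 e6 09 6a.
var knownConstants = []constantPattern{
	{"SHA-256", "hash", "SHA-256 initial hash values H0,H1 (big-endian)",
		[]byte{0x6a, 0x09, 0xe6, 0x67, 0xbb, 0x67, 0xae, 0x85}},
	{"SHA-256", "hash", "SHA-256 initial hash values H0,H1 (little-endian)",
		[]byte{0x67, 0xe6, 0x09, 0x6a, 0x85, 0xae, 0x67, 0xbb}},
	{"AES", "symmetric", "AES forward S-box (first 8 entries)",
		[]byte{0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5}},
	// Four-byte patterns are weak evidence on their own and are the kind of
	// low-confidence hit that symbol evidence should corroborate.
	{"MD5", "hash", "MD5 round constant T[1] (little-endian)",
		[]byte{0x78, 0xa4, 0x6a, 0xd7}},
}

// scanConstants returns one match per distinct (pattern, offset) in data,
// sorted by offset.
func scanConstants(data []byte) []constantMatch {
	var out []constantMatch
	for _, p := range knownConstants {
		start := 0
		for {
			i := bytes.Index(data[start:], p.bytes)
			if i < 0 {
				break
			}
			off := start + i
			out = append(out, constantMatch{p.algorithm, p.primitive, off, p.name})
			start = off + 1 // advance one byte so repeated occurrences are all reported
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Offset < out[j].Offset })
	return out
}

// sampleData is a constructed buffer: filler bytes with three constants
// embedded at offsets 16, 32 and 48.
func sampleData() []byte {
	var buf []byte
	buf = append(buf, bytes.Repeat([]byte{0x90}, 16)...)                      // 0..15 filler
	buf = append(buf, 0x67, 0xe6, 0x09, 0x6a, 0x85, 0xae, 0x67, 0xbb)         // 16..23 SHA-256 IV (LE)
	buf = append(buf, make([]byte, 8)...)                                      // 24..31 zeros
	buf = append(buf, 0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5)         // 32..39 AES S-box
	buf = append(buf, bytes.Repeat([]byte{0xcc}, 8)...)                       // 40..47 filler
	buf = append(buf, 0x78, 0xa4, 0x6a, 0xd7)                                 // 48..51 MD5 T[1] (LE)
	buf = append(buf, make([]byte, 4)...)                                      // 52..55 zeros
	return buf
}

func main() {
	for _, m := range scanConstants(sampleData()) {
		fmt.Printf("%-8s %-10s offset=%-3d %s\n", m.Algorithm, m.Primitive, m.Offset, m.PatternName)
	}
}
```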

type DynLibMatch

type DynLibMatch struct {
	// Library is the raw library name as found in the binary (e.g. "libssl.so.3").
	Library string
	// Algorithm is the representative algorithm associated with this library.
	Algorithm string
	// Primitive is the primitive class (e.g. "symmetric", "hash").
	Primitive string
}

DynLibMatch describes a crypto-related dynamic library dependency found in a binary.

func ScanDynamicLibraries

func ScanDynamicLibraries(path string) ([]DynLibMatch, error)

ScanDynamicLibraries detects the binary format at path, then reads its dynamic library dependency list and matches against knownCryptoLibs.

type SymbolMatch

type SymbolMatch struct {
	// Name is the normalised symbol name (lowercase, leading underscores stripped).
	Name string
	// Library is the source library family (e.g. "openssl", "bcrypt").
	Library string
	// Algorithm is the canonical algorithm name implied by this symbol.
	Algorithm string
	// Primitive is the primitive class (e.g. "symmetric", "hash").
	Primitive string
	// IsDynamic is true when the symbol appears in the dynamic symbol table
	// (.dynsym / import table), confirming runtime linkage.
	IsDynamic bool
}

SymbolMatch describes a crypto symbol found in a binary's symbol table.

func ScanELFSymbols

func ScanELFSymbols(path string) ([]SymbolMatch, error)

ScanELFSymbols opens an ELF binary at path and searches both the static (.symtab) and dynamic (.dynsym) symbol tables for known crypto symbols.

func ScanMachOSymbols

func ScanMachOSymbols(path string) ([]SymbolMatch, error)

ScanMachOSymbols opens a Mach-O binary at path and searches the symbol table for known crypto function names.

func ScanPESymbols

func ScanPESymbols(path string) ([]SymbolMatch, error)

ScanPESymbols opens a PE (Windows) binary at path and searches the import directory for known crypto function names.
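An added example covering the symbol normalisation described for SymbolMatch (lowercase, leading underscores stripped) and the per-architecture deduplication described for ScanFatMachO (one finding per (algorithm, primitive, rawIdentifier) tuple). It is not the package's code: knownSymbols, normalizeSymbol, matchSymbols and dedupeAcrossArches are constructed here, and the symbol lists stand in for what debug/elf, debug/macho or debug/pe would return from a real file.

```go
package main

import (
	"fmt"
	"strings"
)

// symbolMatch is a local type with the same fields as the page's SymbolMatch.
type symbolMatch struct {
	Name, Library, Algorithm, Primitive string
	IsDynamic                           bool
}

type symbolInfo struct{ library, algorithm, primitive string }

// knownSymbols is a constructed lookup table keyed by normalised name.
var knownSymbols = map[string]symbolInfo{
	"evp_aes_256_gcm": {"openssl", "AES-256-GCM", "symmetric"},
	"sha256_init":     {"openssl", "SHA-256", "hash"},
	"cc_sha256":       {"commoncrypto", "SHA-256", "hash"},
}

// normalizeSymbol lowercases a raw symbol and strips leading underscores, so
// the Mach-O form "_SHA256_Init" and the ELF form "SHA256_Init" match the same entry.
func normalizeSymbol(name string) string {
	return strings.ToLower(strings.TrimLeft(name, "_"))
}

// matchSymbols maps raw symbol names to known crypto symbols; names that are
// not in the table (libc calls and the like) are dropped.
func matchSymbols(names []string, dynamic bool) []symbolMatch {
	var out []symbolMatch
	for _, raw := range names {
		n := normalizeSymbol(raw)
		info, ok := knownSymbols[n]
		if !ok {
			continue
		}
		out = append(out, symbolMatch{n, info.library, info.algorithm, info.primitive, dynamic})
	}
	return out
}

// archSlice stands in for one architecture of a fat binary (constructed).
type archSlice struct {
	cpu     string
	symbols []string
}

// finding is keyed the way the page describes: algorithm, primitive and the
// raw identifier; Arches records every slice that contributed it.
type finding struct {
	Algorithm, Primitive, RawIdentifier string
	Arches                              []string
}

// dedupeAcrossArches merges matches from all slices into one finding per
// (algorithm, primitive, rawIdentifier) tuple, in order of first appearance.
func dedupeAcrossArches(slices []archSlice) []finding {
	type key struct{ alg, prim, id string }
	index := map[key]int{}
	var out []finding
	for _, s := range slices {
		for _, m := range matchSymbols(s.symbols, true) {
			k := key{m.Algorithm, m.Primitive, m.Name}
			if i, seen := index[k]; seen {
				out[i].Arches = append(out[i].Arches, s.cpu)
				continue
			}
			index[k] = len(out)
			out = append(out, finding{m.Algorithm, m.Primitive, m.Name, []string{s.cpu}})
		}
	}
	return out
}

// sampleSlices are constructed symbol lists; note the two slices use different
// SHA-256 providers, which must stay separate findings.
func sampleSlices() []archSlice {
	return []archSlice{
		{"x86_64", []string{"_EVP_aes_256_gcm", "_SHA256_Init", "_printf"}},
		{"arm64", []string{"_EVP_aes_256_gcm", "_CC_SHA256", "_malloc"}},
	}
}

func main() {
	for _, f := range dedupeAcrossArches(sampleSlices()) {
		fmt.Printf("%-12s %-10s %-16s %v\n", f.Algorithm, f.Primitive, f.RawIdentifier, f.Arches)
	}
}
```

The AES symbol present in both slices collapses to one finding listing both architectures, while the two SHA-256 symbols remain distinct because their raw identifiers differ, which is what the tuple-based rule on this page implies.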
