Skip BA2021 Analysis on .NET R2R & NativeAOT PE on non-Windows Platforms

steveisok · steveisok · commit dad86d0403c4 · 2024-10-04T11:44:03.000-04:00
This change skips analysis when it finds non-Windows .NET R2R & NativeAOT PE's. The reason for this is the DoNotMarkWritableSectionsAsExecutable is Windows specific and R2R/NativeAOT do not follow Windows layout rules on non-Windows platforms. Fixes microsoft#970
diff --git a/src/BinSkim.Rules/PERules/BA2021.DoNotMarkWritableSectionsAsExecutable.cs b/src/BinSkim.Rules/PERules/BA2021.DoNotMarkWritableSectionsAsExecutable.cs
@@ -47,6 +47,18 @@ public override AnalysisApplicability CanAnalyzePE(PEBinary target, BinaryAnalyz
             PE portableExecutable = target.PE;
             AnalysisApplicability result = AnalysisApplicability.NotApplicableToSpecifiedTarget;
 
+            PEBinary target = context.PEBinary();
+            if (target.PE.PEHeaders.CorHeader != null)
+            {
+                CoffHeader coffHeader = target.PE.PEHeaders.CoffHeader;
+
+                // .NET does not follow Windows layout rules on non-Windows platforms.
+                // The Machine value in the CoffHeader for Windows ARM64 will not be the same for Linux ARM64.
+                // As a result, we can detect .NET PE's that are non-Windows and skip.
+                reasonForNotAnalyzing = MetadataConditions.ImageIsNonWindowsDotNetAssembly;
+                if (IsNonWindowsMachineTarget(coffHeader.Machine)) { return result; }
+            }
+
             reasonForNotAnalyzing = MetadataConditions.ImageIsKernelModeBinary;
             if (portableExecutable.IsKernelMode) { return result; }
 
@@ -116,5 +128,10 @@ public override void Analyze(BinaryAnalyzerContext context)
                     context.CurrentTarget.Uri.GetFileName(),
                     badSectionsText));
         }
+
+        private bool IsNonWindowsMachineTarget(Machine machine)
+        {
+            return (machine & (Machine.Amd64 | Machine.Arm | Machine.Arm64));
+        }
     }
 }
diff --git a/src/BinSkim.Sdk/MetadataConditions.cs b/src/BinSkim.Sdk/MetadataConditions.cs
@@ -41,6 +41,7 @@ public static class MetadataConditions
         public static readonly string ImageIsDotNetCoreEntryPointDll = SdkResources.MetadataCondition_ImageIsDotNetCoreEntryPointDll;
         public static readonly string ImageCompiledWithOutdatedTools = SdkResources.MetadataCondition_ImageCompiledWithOutdatedTools;
         public static readonly string ImageIsDotNetNativeBootstrapExe = SdkResources.MetadataCondition_ImageIsDotNetNativeBootstrapExe;
+        public static readonly string ImageIsNonWindowsDotNetAssembly = SdkResources.MetadataCondition_ImageIsNonWindowsDotNetAssembly;
         public static readonly string ImageIsPreVersion7WindowsCEBinary = SdkResources.MetadataCondition_ImageIsPreVersion7WindowsCEBinary;
         public static readonly string MachOIsNotExecutableDynamicLibraryOrObject = SdkResources.MetadataCondition_MachOIsNotExecutableDynamicLibraryOrObject;
         public static readonly string ImageIsNativeUniversalWindowsPlatformBinary = SdkResources.MetadataCondition_ImageIsNativeUniversalWindowsPlatformBinary;
diff --git a/src/BinSkim.Sdk/SdkResources.Designer.cs b/src/BinSkim.Sdk/SdkResources.Designer.cs
diff --git a/src/BinSkim.Sdk/SdkResources.resx b/src/BinSkim.Sdk/SdkResources.resx
@@ -222,6 +222,9 @@
   <data name="MetadataCondition_ImageIsDotNetNativeBootstrapExe" xml:space="preserve">
     <value>image is a .NET native bootstrap exe</value>
   </data>
+  <data name="MetadataCondition_ImageIsNonWindowsDotNetAssembly" xml:space="preserve">
+    <value>image is a non-Windows .NET R2R or NativeAOT assembly</value>
+  </data>
   <data name="Verbose_ReplaceWithLevelAndKind" xml:space="preserve">
     <value>use --level and --kind</value>
   </data>
