linked-against-xzip.yml
# capa rule: flags a file as statically linked against the XZip library by
# looking for string literals that the library embeds.
rule:
  meta:
    name: linked against XZip
    namespace: linking/static/xzip
    authors:
      - moritz.raabe@mandiant.com
    # The features are evaluated once over the whole file, for both the static
    # and the dynamic analysis flavor.
    scopes:
      static: file
      dynamic: file
    # Malware Behavior Catalog mapping for this capability.
    mbc:
      - Data::Compression Library [C0060]
    # Library source that the strings below are matched against.
    references:
      - https://github.com/ValveSoftware/source-sdk-2013/blob/master/sp/src/public/XZip.cpp
  features:
    # `or`: a single matching string is enough for the rule to fire; no
    # minimum count or combination is required.
    # NOTE(review): a hit identifies linked library code only, not what the
    # sample does with it; corroborate with other findings during triage.
    - or:
      # NOTE(review): several of the next entries read like generic
      # deflate/Huffman-tree diagnostics rather than XZip-specific text.
      # Other zip/deflate code that keeps such messages in the binary could
      # presumably match too - confirm before treating a lone hit as XZip.
      - string: "ct_init: length != 256"
      - string: "ct_init: dist != 256"
      - string: "ct_init: 256+dist != 512"
      - string: "bit length overflow"
      - string: "code %d bits %d->%d"
      - string: "inconsistent bit counts"
      # The trailing space inside the quotes is part of the matched literal.
      - string: "gen_codes: max_code %d "
      - string: "dyn trees: dyn %ld, stat %ld"
      - string: "bad pack level"
      - string: "Code too clever"
      # The remaining entries look like zip/unzip result and error messages.
      - string: "unknown zip result code"
      # The misspelling must stay as-is; correcting it would stop the match.
      - string: "Culdn't duplicate handle"  # typo in library code
      - string: "File not found in the zipfile"
      - string: "Still more data to unzip"
      - string: "Caller: the file had already been partially unzipped"
      - string: "Caller: can only get memory of a memory zipfile"
      - string: "Zip-bug: internal initialisation not completed"
      - string: "Zip-bug: an internal error during flation"