MCPcopy
hub / github.com/mandiant/flare-floss / verify_pclntab

Function verify_pclntab

floss/language/identify.py:187–198  ·  view source on GitHub ↗

Parse headers of pclntab to verify it is legit used in go parser itself https://go.dev/src/debug/gosym/pclntab.go

(section, pclntab_va: int)

Source from the content-addressed store, hash-verified

185
186
187def verify_pclntab(section, pclntab_va: int) -> bool:
188 """
189 Parse headers of pclntab to verify it is legit
190 used in go parser itself https://go.dev/src/debug/gosym/pclntab.go
191 """
192 try:
193 pc_quanum = section.get_data(pclntab_va + 6, 1)[0]
194 pointer_size = section.get_data(pclntab_va + 7, 1)[0]
195 except:
196 logger.error("Error parsing pclntab header")
197 return False
198 return True if pc_quanum in {1, 2, 4} and pointer_size in {4, 8} else False
199
200
201def is_dotnet_bin(pe: pefile.PE) -> bool:

Callers 1

get_if_go_and_versionFunction · 0.85

Calls 1

errorMethod · 0.80

Tested by

no test coverage detected