ModifiedFnvFunctionDetection.ql
/**
* @name Detects a modified FNV function
* @description Possible indication of Solorigate. Detects a modified FNV1 function, where there is an additional xor using a literal after the regular FNV hash
* @kind problem
* @tags security
* solorigate
* @precision high
* @id cs/solorigate/modified-fnv-function-detection
* @problem.severity error
*/
import csharp
import Solorigate
import experimental.code.csharp.Cryptography.NonCryptographicHashes
/**
 * Gets a control-flow node `result` for which `result.isAfter(loop)` holds.
 *
 * The query below uses it as the starting point for "code that runs once the
 * hashing loop is finished". NOTE(review): the exact meaning of `isAfter` comes
 * from the C# control-flow library, which is not visible here. Confirm it against
 * the library version in use.
 */
ControlFlowNode loopExitNode(LoopStmt loop) { result.isAfter(loop) }
// Flags a literal that is xor-ed with an FNV-style hash variable after the hashing loop.
// The query description calls a match a *possible* indication of Solorigate, so treat each
// result as a lead for manual review of the surrounding code rather than as proof.
from Variable v, Literal l, LoopStmt loop, BitwiseXorOperation additional_xor
where
  // `v` and `loop` are candidates for an FNV-like hash computation. The predicate is
  // imported rather than defined in this file; its two middle arguments are ignored here.
  maybeUsedInFnvFunction(v, _, _, loop) and
  // The extra xor has both the literal and an access to `v` among its operands ...
  additional_xor.getAnOperand() = l and
  additional_xor.getAnOperand() = v.getAnAccess() and
  // ... and is reachable in the control-flow graph from the node after the loop,
  // i.e. the xor is applied once the regular hash loop is done.
  loopExitNode(loop).getASuccessor*() = additional_xor.getAControlFlowNode()
select l, "This literal is used in an $@ after an FNV-like hash calculation with variable $@.",
  additional_xor, "additional xor", v, v.toString()