perf(pe): Disable CLR metadata parsing

rabbitstack · rabbitstack · commit c5c131c6483e · 2024-12-03T09:24:22.000+01:00
CLR metadata parsing is not considered useful
for detection purposes so we can safely disable
it.
diff --git a/go.mod b/go.mod
@@ -22,7 +22,7 @@ require (
 	github.com/pkg/errors v0.9.1
 	github.com/qmuntal/stateless v1.6.0
 	github.com/rifflock/lfshook v0.0.0-20180920164130-b9218ef580f5
-	github.com/saferwall/pe v1.5.4
+	github.com/saferwall/pe v1.5.6
 	github.com/sirupsen/logrus v1.9.3
 	github.com/spf13/cobra v0.0.3
 	github.com/spf13/pflag v1.0.5
@@ -87,4 +87,4 @@ require (
 	gopkg.in/yaml.v2 v2.3.0 // indirect
 )
 
-go 1.21
+go 1.23
diff --git a/go.sum b/go.sum
@@ -177,8 +177,8 @@ github.com/rivo/uniseg v0.4.2/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUc
 github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg=
 github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M=
 github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA=
-github.com/saferwall/pe v1.5.4 h1:tLmMggEMUfeqrpJ25zS/okUQmyFdD5xWKL2+z9njCqg=
-github.com/saferwall/pe v1.5.4/go.mod h1:mJx+PuptmNpoPFBNhWs/uDMFL/kTHVZIkg0d4OUJFbQ=
+github.com/saferwall/pe v1.5.6 h1:DrRLnoQFxHWJ5lJUmrH7X2L0xeUu6SUS95Dc61eW2Yc=
+github.com/saferwall/pe v1.5.6/go.mod h1:mJx+PuptmNpoPFBNhWs/uDMFL/kTHVZIkg0d4OUJFbQ=
 github.com/sebdah/goldie v1.0.0 h1:9GNhIat69MSlz/ndaBg48vl9dF5fI+NBB6kfOxgfkMc=
 github.com/sebdah/goldie v1.0.0/go.mod h1:jXP4hmWywNEwZzhMuv2ccnqTSFpuq8iyQhtQdkkZBH4=
 github.com/secDre4mer/pkcs7 v0.0.0-20240322103146-665324a4461d h1:RQqyEogx5J6wPdoxqL132b100j8KjcVHO1c0KLRoIhc=
diff --git a/pkg/pe/parser.go b/pkg/pe/parser.go
@@ -211,6 +211,7 @@ func newParserOpts(opts opts) *peparser.Options {
 		OmitExceptionDirectory:    true,
 		OmitTLSDirectory:          true,
 		OmitCLRHeaderDirectory:    !opts.parseCLR,
+		OmitCLRMetadata:           true,
 		OmitDelayImportDirectory:  true,
 		OmitBoundImportDirectory:  true,
 		OmitArchitectureDirectory: true,
@@ -305,13 +306,8 @@ func parse(path string, data []byte, options ...Option) (*PE, error) {
 		p.EntryPoint = format.UintToHex(uint64(oh32.AddressOfEntryPoint))
 	}
 
-	// CLR directory parsing piggybacks on sections
-	if opts.parseCLR {
-		opts.parseSections = true
-	}
-
 	// parse section header
-	if opts.parseSections || opts.parseResources {
+	if opts.parseSections || opts.parseResources || opts.parseCLR {
 		err = pe.ParseSectionHeader()
 		if err != nil {
 			return nil, err
