diff --git a/src/BinSkim.Rules/PERules/BA2021.DoNotMarkWritableSectionsAsExecutable.cs b/src/BinSkim.Rules/PERules/BA2021.DoNotMarkWritableSectionsAsExecutable.cs
index ead85037..d76b3e1d 100644
--- a/src/BinSkim.Rules/PERules/BA2021.DoNotMarkWritableSectionsAsExecutable.cs
+++ b/src/BinSkim.Rules/PERules/BA2021.DoNotMarkWritableSectionsAsExecutable.cs
@@ -47,6 +47,17 @@ public override AnalysisApplicability CanAnalyzePE(PEBinary target, BinaryAnalyz
PE portableExecutable = target.PE;
AnalysisApplicability result = AnalysisApplicability.NotApplicableToSpecifiedTarget;
+ if (portableExecutable.PEHeaders.CorHeader != null)
+ {
+ CoffHeader coffHeader = portableExecutable.PEHeaders.CoffHeader;
+
+ // .NET does not follow Windows layout rules on non-Windows platforms.
+ // The Machine value in the CoffHeader for Windows ARM64 will not be the same for Linux ARM64.
+ // As a result, we can detect .NET PE's that are non-Windows and skip.
+ reasonForNotAnalyzing = MetadataConditions.ImageIsNonWindowsDotNetAssembly;
+ if (IsNonWindowsMachineTarget(coffHeader.Machine)) { return result; }
+ }
+
reasonForNotAnalyzing = MetadataConditions.ImageIsKernelModeBinary;
if (portableExecutable.IsKernelMode) { return result; }
@@ -116,5 +127,10 @@ public override void Analyze(BinaryAnalyzerContext context)
context.CurrentTarget.Uri.GetFileName(),
badSectionsText));
}
+
+ private bool IsNonWindowsMachineTarget(Machine machine)
+ {
+ return machine != Machine.Amd64 && machine != Machine.I386 && machine != Machine.Arm && machine != Machine.Arm64;
+ }
}
}
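Review bot: `IsNonWindowsMachineTarget` classifies every value outside Amd64, I386, Arm and Arm64 as non-Windows, so Windows machine values missing from the list are silently excluded from the rule. If `Machine` here is the System.Reflection.PortableExecutable enum, `Machine.ArmThumb2` is the value normally found in Windows ARM32 images, and `Machine.IA64` is also a Windows target. Extending the condition with `&& machine != Machine.ArmThumb2 && machine != Machine.IA64` would keep those images analysed. The helper reads no instance state and could be `private static`. A `///` summary saying the list is an allow-list of Windows machine values would make the intent clear to the next maintainer. The enclosing class starts outside the hunk.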
diff --git a/src/BinSkim.Sdk/MetadataConditions.cs b/src/BinSkim.Sdk/MetadataConditions.cs
index f83a9ae7..db911f9d 100644
--- a/src/BinSkim.Sdk/MetadataConditions.cs
+++ b/src/BinSkim.Sdk/MetadataConditions.cs
@@ -41,6 +41,7 @@ public static class MetadataConditions
public static readonly string ImageIsDotNetCoreEntryPointDll = SdkResources.MetadataCondition_ImageIsDotNetCoreEntryPointDll;
public static readonly string ImageCompiledWithOutdatedTools = SdkResources.MetadataCondition_ImageCompiledWithOutdatedTools;
public static readonly string ImageIsDotNetNativeBootstrapExe = SdkResources.MetadataCondition_ImageIsDotNetNativeBootstrapExe;
+ public static readonly string ImageIsNonWindowsDotNetAssembly = SdkResources.MetadataCondition_ImageIsNonWindowsDotNetAssembly;
public static readonly string ImageIsPreVersion7WindowsCEBinary = SdkResources.MetadataCondition_ImageIsPreVersion7WindowsCEBinary;
public static readonly string MachOIsNotExecutableDynamicLibraryOrObject = SdkResources.MetadataCondition_MachOIsNotExecutableDynamicLibraryOrObject;
public static readonly string ImageIsNativeUniversalWindowsPlatformBinary = SdkResources.MetadataCondition_ImageIsNativeUniversalWindowsPlatformBinary;
diff --git a/src/BinSkim.Sdk/SdkResources.Designer.cs b/src/BinSkim.Sdk/SdkResources.Designer.cs
index 053e19b4..64551b2c 100644
--- a/src/BinSkim.Sdk/SdkResources.Designer.cs
+++ b/src/BinSkim.Sdk/SdkResources.Designer.cs
@@ -230,6 +230,15 @@ internal static string MetadataCondition_ImageIsDotNetNativeBootstrapExe {
return ResourceManager.GetString("MetadataCondition_ImageIsDotNetNativeBootstrapExe", resourceCulture);
}
}
+
+ ///
+ /// Looks up a localized string similar to image is non Windows .NET assembly.
+ ///
+ internal static string MetadataCondition_ImageIsNonWindowsDotNetAssembly {
+ get {
+ return ResourceManager.GetString("MetadataCondition_ImageIsNonWindowsDotNetAssembly", resourceCulture);
+ }
+ }
///
/// Looks up a localized string similar to image is a managed IL library (i.e., ahead of time compiled) assembly.
diff --git a/src/BinSkim.Sdk/SdkResources.resx b/src/BinSkim.Sdk/SdkResources.resx
index d55ad47f..db0a521a 100644
--- a/src/BinSkim.Sdk/SdkResources.resx
+++ b/src/BinSkim.Sdk/SdkResources.resx
@@ -222,6 +222,9 @@
image is a .NET native bootstrap exe
+
+ image is a non-Windows .NET R2R or NativeAOT assembly
+
use --level and --kind