ELF module - Add additional elf.machine values #2149

@jtothej

Description

Is your feature request related to a problem? Please describe.

The YARA ELF module currently supports only a small subset of the ELF e_machine values via elf.machine.

Describe the solution you'd like

binutils readelf v2.44 currently defines around 282 supported ELF architectures. Based on my recent review of a corpus of ELF samples, I'd like to suggest adding at least the following target architectures, which seem to be relatively common:

#define EM_PARISC	 15	/* HPPA */
#define EM_SPARC32PLUS	 18	/* Sun's "v8plus" */
#define EM_S390		 22	/* IBM S/390 */
#define EM_RCE		 39	/* Old name for MCore */
#define EM_SH		 42	/* Renesas (formerly Hitachi) / SuperH SH */
#define EM_SPARCV9	 43	/* SPARC v9 64-bit */
#define EM_ARC_COMPACT	 93	/* ARC International ARCompact processor */
#define EM_BPF		247	/* Linux BPF – in-kernel virtual machine.  */
#define EM_LOONGARCH	258	/* LoongArch */

Describe alternatives you've considered

  • Alternative 1 - Use plain Yara

ELFs compiled for less common architectures can be still matched without use of the ELF module, e.g.

uint32(0) == 0x464c457f and
(
  (
    // ELFDATA2LSB = 1
    uint8(5) == 1 and
    // EM_68HC05 = 72
    uint16(18) == 72
  ) or
  (
    // ELFDATA2MSB = 2
    uint8(5) == 2 and
    // EM_68HC05 = 72
    uint16be(18) == 72
  )
)
  • Alternative 2 - Expose ELF e_machine as a numerical value

Maintaining a large number of e_machine / elf.machine values and keeping them up to date may not be convenient in the long run.
Expose the ELF header e_machine as a numerical value, e.g.

elf.machine_id == 247 // EM_BPF
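As an added illustration of the offsets the plain-YARA alternative relies on (not code from the issue author or the YARA project), the following Python reads e_machine from an ELF header honouring EI_DATA, and generates the same module-free condition for any list of e_machine values. The helper names, the EM_NAMES table and the constructed test headers are my own; the numeric values match the ELF specification.

```python
import struct

# Constructed lookup covering the e_machine values proposed in the issue plus
# EM_68HC05 (72) from the plain-YARA example; numbers follow the ELF spec.
EM_NAMES = {
    15: "EM_PARISC", 18: "EM_SPARC32PLUS", 22: "EM_S390", 39: "EM_RCE",
    42: "EM_SH", 43: "EM_SPARCV9", 72: "EM_68HC05", 93: "EM_ARC_COMPACT",
    247: "EM_BPF", 258: "EM_LOONGARCH",
}
ELF_MAGIC = b"\x7fELF"           # read as a little-endian uint32 this is 0x464c457f
ELFDATA2LSB, ELFDATA2MSB = 1, 2  # EI_DATA (e_ident[5]) byte-order flags

def elf_machine(data: bytes):
    """Return (e_machine, name) for an ELF header, or None if it is not a
    well-formed ELF. e_machine sits at offset 18, after the 16-byte e_ident and
    the 2-byte e_type, and its byte order is given by EI_DATA."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        return None
    fmt = {ELFDATA2LSB: "<H", ELFDATA2MSB: ">H"}.get(data[5])
    if fmt is None:
        return None  # ELFDATANONE or junk: refusing to guess avoids misclassifying
    (e_machine,) = struct.unpack_from(fmt, data, 18)
    return e_machine, EM_NAMES.get(e_machine, "unknown(%d)" % e_machine)

def yara_condition(machines):
    """Generate the module-free YARA condition from the issue for several
    e_machine values, with a uint16()/uint16be() branch per byte order."""
    values = sorted(set(machines))
    lsb = " or ".join("uint16(18) == %d" % v for v in values)
    msb = " or ".join("uint16be(18) == %d" % v for v in values)
    return ("uint32(0) == 0x464c457f and (\n"
            "  (uint8(5) == %d and (%s)) or\n"
            "  (uint8(5) == %d and (%s))\n)" % (ELFDATA2LSB, lsb, ELFDATA2MSB, msb))

def make_header(e_machine: int, big_endian: bool = False) -> bytes:
    """Constructed minimal 20-byte header (e_ident + e_type + e_machine) for testing."""
    ei_data = ELFDATA2MSB if big_endian else ELFDATA2LSB
    # ELFCLASS64, EI_DATA, EV_CURRENT, then padding to the 16-byte e_ident
    e_ident = ELF_MAGIC + bytes([2, ei_data, 1]) + b"\x00" * 9
    fmt = ">HH" if big_endian else "<HH"
    return e_ident + struct.pack(fmt, 2, e_machine)  # ET_EXEC, e_machine

if __name__ == "__main__":
    for sample in (make_header(247), make_header(22, big_endian=True), b"MZ" + b"\x00" * 18):
        print(elf_machine(sample))
    print(yara_condition([72, 247, 258]))
```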
