r1 - 26 Apr 2007 - 00:11:32 - MattJonkman

Windows PE Headers

This page covers all of our Windows PE Header signatures. Jonathan Gross has done a good deal of work here, as have others. We're trying to mature these signatures, so please give feedback on how they perform on your network.

Some of these signatures are intended to detect just a PE header, which may well be a legitimate executable in transit. Others are intended to detect executables packed with known malicious packers, or executables carried in streams where they were purported to be something else (such as an image in an HTTP stream).

Attached are some reference materials on structure and format.

PE Header Related:

2003615 TWikiGuest 31 Jan 2008 - 15:12
2003614 TWikiGuest 31 Jan 2008 - 15:12
WinPEHeaders MattJonkman 26 Apr 2007 - 00:11

Signatures looking for MZ:

2008367 TWikiGuest 03 Jul 2008 - 19:30
2001684 TWikiGuest 03 Jul 2008 - 19:24
2001685 TWikiGuest 03 Jul 2008 - 19:24
2007671 TWikiGuest 07 Jun 2008 - 00:49
2007594 TWikiGuest 22 Mar 2008 - 21:11
DropperWin32VBcn MattJonkman 12 Mar 2008 - 19:33
2000426 TWikiGuest 03 Feb 2008 - 17:54
2000424 TWikiGuest 03 Feb 2008 - 17:54
2000425 TWikiGuest 03 Feb 2008 - 17:54
2000427 TWikiGuest 03 Feb 2008 - 17:54
2000419 TWikiGuest 03 Feb 2008 - 17:54
2000423 TWikiGuest 03 Feb 2008 - 17:54
2001047 TWikiGuest 31 Jan 2008 - 15:12
2001046 TWikiGuest 31 Jan 2008 - 15:12
2003186 TWikiGuest 31 Jan 2008 - 15:12
2003184 TWikiGuest 31 Jan 2008 - 15:12
2003185 TWikiGuest 31 Jan 2008 - 15:12
2001683 TWikiGuest 28 Jan 2008 - 22:24
2001694 TWikiGuest 08 Jan 2008 - 22:35
2001693 TWikiGuest 08 Jan 2008 - 22:35
2006385 MattJonkman 09 Jul 2007 - 04:14
WinPEHeaders MattJonkman 26 Apr 2007 - 00:11
SnortSamREADMEnetscreen MattJonkman 09 Mar 2007 - 14:32
SnortSamFAQ MattJonkman 09 Mar 2007 - 14:12

-- MattJonkman - 25 Apr 2007

Topic attachments
Attachment: Portable_Executable_Format.txt | Size: 37.6 K | Date: 25 Apr 2007 - 23:59 | Who: MattJonkman