r2 - 11 Jul 2008 - 15:05:28 - MattJonkman

Windows PE Headers

This page covers all of our Windows PE Header signatures. Jonathan Gross has done a good deal of work here, as have others. We're trying to mature these signatures, so please give feedback on how they perform on your network.

Some of these signatures are intended to detect just a PE header, which may well be a legitimate executable in transit. Others are intended to detect executables packed with known malicious packers, or executables appearing in streams where the content was declared to be something else (such as an image in an HTTP stream).
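As an added example (not code from this page or from the Emerging Threats ruleset), the following Python check illustrates the last case: an HTTP body that begins with an MZ header and carries a valid PE\0\0 signature at e_lfanew, but is delivered under a Content-Type that claims an image. The HTTP response and the PE bytes are constructed inline; the list of "executable" content types is an assumption, not a ruleset value.

```python
import struct

# Constructed sample: a minimal DOS header whose e_lfanew points at a
# PE\0\0 signature. Not a real binary, just the shape the MZ signatures match.
def build_sample_pe() -> bytes:
    dos = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", dos, 0x3C, 0x80)          # e_lfanew -> 0x80
    padded = bytes(dos) + b"\x00" * (0x80 - len(dos))
    return padded + b"PE\x00\x00" + b"\x4c\x01"        # PE\0\0, Machine=i386

def looks_like_pe(data: bytes) -> bool:
    """True if data starts with MZ and e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # Bound the offset so a bogus e_lfanew cannot read past the buffer.
    if e_lfanew > 0x1000 or e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def split_http_response(raw: bytes):
    """Return (content_type, body) from a raw HTTP response (assumed CRLF framing)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    content_type = ""
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-type":
            content_type = value.strip().decode("latin-1")
    return content_type, body

# Assumed set of types under which a PE body is unsurprising.
EXECUTABLE_TYPES = {"application/octet-stream", "application/x-msdownload",
                    "application/x-dosexec"}

def pe_under_false_content_type(raw: bytes) -> bool:
    """Flag a response whose body is a PE image but whose declared type is not."""
    content_type, body = split_http_response(raw)
    declared = content_type.split(";")[0].strip().lower()
    return looks_like_pe(body) and declared not in EXECUTABLE_TYPES
```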

Attached are some reference materials on PE structure and format.

PE Header Related:

2010282 TWikiGuest 12 Oct 2011 - 23:29
2003615 TWikiGuest 12 Oct 2011 - 23:13
2003614 TWikiGuest 12 Oct 2011 - 23:13
WinPEHeaders MattJonkman 11 Jul 2008 - 15:05

Signatures looking for MZ:

2013962 TWikiGuest 24 Jan 2012 - 01:19
2012684 TWikiGuest 17 Jan 2012 - 00:46
2014019 TWikiGuest 16 Dec 2011 - 23:54
2013442 TWikiGuest 07 Dec 2011 - 02:59
2013441 TWikiGuest 07 Dec 2011 - 02:59
2013036 TWikiGuest 07 Dec 2011 - 02:59
2009897 TWikiGuest 07 Dec 2011 - 02:59
2013037 TWikiGuest 07 Dec 2011 - 02:59
2010869 TWikiGuest 07 Dec 2011 - 02:59
2000427 TWikiGuest 07 Dec 2011 - 02:59
2007671 TWikiGuest 07 Dec 2011 - 02:59
2000419 TWikiGuest 07 Dec 2011 - 02:59
2013437 TWikiGuest 12 Oct 2011 - 23:36
2013414 TWikiGuest 12 Oct 2011 - 23:36
2012634 TWikiGuest 12 Oct 2011 - 23:34
2012633 TWikiGuest 12 Oct 2011 - 23:34
2012591 TWikiGuest 12 Oct 2011 - 23:34
2012523 TWikiGuest 12 Oct 2011 - 23:34
2012524 TWikiGuest 12 Oct 2011 - 23:34
2012292 TWikiGuest 12 Oct 2011 - 23:33
2012291 TWikiGuest 12 Oct 2011 - 23:33
2012195 TWikiGuest 12 Oct 2011 - 23:33
2011803 TWikiGuest 12 Oct 2011 - 23:32
2011457 TWikiGuest 12 Oct 2011 - 23:32
2010463 TWikiGuest 12 Oct 2011 - 23:29
2009988 TWikiGuest 12 Oct 2011 - 23:28
2009909 TWikiGuest 12 Oct 2011 - 23:28
2009581 TWikiGuest 12 Oct 2011 - 23:27
2009035 TWikiGuest 12 Oct 2011 - 23:26
2009034 TWikiGuest 12 Oct 2011 - 23:26
2009033 TWikiGuest 12 Oct 2011 - 23:26
2009028 TWikiGuest 12 Oct 2011 - 23:26
2008367 TWikiGuest 12 Oct 2011 - 23:24
2003185 TWikiGuest 12 Oct 2011 - 23:13
2003186 TWikiGuest 12 Oct 2011 - 23:13
2003184 TWikiGuest 12 Oct 2011 - 23:12
2001685 TWikiGuest 12 Oct 2011 - 23:10
2001684 TWikiGuest 12 Oct 2011 - 23:10
2001683 TWikiGuest 12 Oct 2011 - 23:10
2001047 TWikiGuest 12 Oct 2011 - 23:10
2000426 TWikiGuest 12 Oct 2011 - 23:09
2000424 TWikiGuest 12 Oct 2011 - 23:09
2000425 TWikiGuest 12 Oct 2011 - 23:09
2000423 TWikiGuest 12 Oct 2011 - 23:09
2013224 JohnSnider 22 Sep 2011 - 13:58
2001046 NlKiw 10 Jan 2011 - 01:08
2008438 IanR 12 Oct 2010 - 15:02
2011459 TWikiGuest 11 Sep 2010 - 03:36
2010504 FrankEargle 04 Jan 2010 - 12:52
2009523 DarrenSpruell 30 Oct 2009 - 22:05
2007594 MattJonkman 31 Mar 2009 - 04:17
2009006 TWikiGuest 07 Feb 2009 - 02:39
Scalability VictorJulien 09 Dec 2008 - 08:19
2008576 MikeWazowski 21 Sep 2008 - 11:36
WinPEHeaders MattJonkman 11 Jul 2008 - 15:05
DropperWin32VBcn MattJonkman 11 Jul 2008 - 15:03
2001693 TWikiGuest 08 Jan 2008 - 22:35
2001694 TWikiGuest 08 Jan 2008 - 22:35
2006385 MattJonkman 09 Jul 2007 - 04:14
SnortSamREADMEnetscreen MattJonkman 09 Mar 2007 - 14:32
SnortSamFAQ MattJonkman 09 Mar 2007 - 14:12

-- MattJonkman - 25 Apr 2007

Topic attachments
Portable_Executable_Format.txt (37.6 K, 25 Apr 2007 - 23:59, MattJonkman)