From 3a419834f20dd7fdaee958fbc4d18f2d129356c3 Mon Sep 17 00:00:00 2001
From: unknown
Date: Wed, 17 Oct 2018 17:58:10 +0100
Subject: [PATCH] Add 'RegBinary' behavioural signature to allow detection of PE images written to registry (for #164)
---
modules/signatures/CAPE.py | 108 +++++++++++++++++++++++--------------
1 file changed, 68 insertions(+), 40 deletions(-)
diff --git a/modules/signatures/CAPE.py b/modules/signatures/CAPE.py
index bb95d9f0a..4f23d35e9 100644
--- a/modules/signatures/CAPE.py
+++ b/modules/signatures/CAPE.py
@@ -32,6 +32,48 @@ PLUGX_SIGNATURE = 0x5658
+def IsPEImage(buf, size):
+ dos_header = buf[:DOS_HEADER_LIMIT]
+ nt_headers = None
+
+ if size < PE_HEADER_LIMIT:
+ return False
+
+ # Check for sane value in e_lfanew
+ e_lfanew, = struct.unpack(" PE_HEADER_LIMIT:
+ offset = 0
+ while offset < PE_HEADER_LIMIT-86:
+ machine_probe = struct.unpack("FileHeader.Machine == 0) || (pNtHeader->FileHeader.SizeOfOptionalHeader == 0 || pNtHeader->OptionalHeader.SizeOfHeaders == 0))
+ if struct.unpack("FileHeader.Characteristics & IMAGE_FILE_EXECUTABLE_IMAGE))
+ if (struct.unpack("FileHeader.SizeOfOptionalHeader & (sizeof (ULONG_PTR) - 1))
+ if struct.unpack("OptionalHeader.Magic != IMAGE_NT_OPTIONAL_HDR32_MAGIC) && (pNtHeader->OptionalHeader.Magic != IMAGE_NT_OPTIONAL_HDR64_MAGIC))
+ if struct.unpack(" PE_HEADER_LIMIT:
- offset = 0
- while offset < PE_HEADER_LIMIT-86:
- machine_probe = struct.unpack("FileHeader.Machine == 0) || (pNtHeader->FileHeader.SizeOfOptionalHeader == 0 || pNtHeader->OptionalHeader.SizeOfHeaders == 0))
- if struct.unpack("FileHeader.Characteristics & IMAGE_FILE_EXECUTABLE_IMAGE))
- if (struct.unpack("FileHeader.SizeOfOptionalHeader & (sizeof (ULONG_PTR) - 1))
- if struct.unpack("OptionalHeader.Magic != IMAGE_NT_OPTIONAL_HDR32_MAGIC) && (pNtHeader->OptionalHeader.Magic != IMAGE_NT_OPTIONAL_HDR64_MAGIC))
- if struct.unpack("
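Review bot: The header reads in the added IsPEImage are not guarded against running past the end of `buf` — the `if size < PE_HEADER_LIMIT: return False` check bounds the buffer as a whole, but the `struct.unpack` calls that follow index from `e_lfanew` (and from `offset` in the fallback scan loop), so a registry value whose e_lfanew sits just under PE_HEADER_LIMIT pushes a read past the available bytes and `struct.unpack` raises `struct.error` instead of the function returning False. Because this helper is fed value data written by the sample under analysis, the signature should fail closed rather than abort processing: either confirm that `e_lfanew` plus the NT-header span being read is no larger than `len(buf)` before unpacking, or wrap the header parsing in `try: ... except struct.error: return False`. The separate `size` argument also duplicates `len(buf)`, and a caller passing a size larger than the slice it supplies would hit the same error, so deriving it inside the function from `len(buf)` would remove that mismatch. Much of the hunk text is garbled on this page (the struct format strings and the lines between several checks are missing), so a bound check may exist in lines not visible here, and neither the end of IsPEImage nor the RegBinary signature class named in the subject is visible.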