Question

I'm looking for suggestions of how I can detect the start of a Windows PE (portable execution) by inspecting a stream of bytes.

I know there are certain headers that I can look for, what combination of these would identify a PE? Or is there another technique that could do it better?

I need it as lightweight as possible but with as few false positives as possible.

Just really looking for some direction, not a coded example, but if people have any code to do it, all the better :)

(Just looking at feasibility, so I can do it in any language, but C or MATLAB or something like that is probably the direction I'm going.)


Solution

Your first step would be to look for the 4-byte sequence

PE\0\0

which is the signature of a PE header.

Following that, look for any valid architecture code (or, if you expect, say, just the Intel architecture, look for that specific architecture code):

0x14d Intel i860

0x14c Intel I386 (same ID used for 486 and 586)

0x162 MIPS R3000

0x166 MIPS R4000

0x183 DEC Alpha AXP

Depending on other data on the wire, and on your needs, that may be enough to reasonably assume the data represents a PE binary, and you may wish to attempt to load the data as an executable at that point. If you must have absolute confidence, you will need to parse the header just like the loader would. Complete information on the PE structure can be found at

http://msdn.microsoft.com/en-us/library/ms809762.aspx
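An added example in Python (not code from the question or the answer) that implements the two checks described above and then goes one step further, as the answer suggests when it says to parse the header as the loader would: it looks back for an "MZ" DOS header whose e_lfanew field (32-bit little-endian at offset 0x3C) points exactly at the "PE\0\0" signature, which lets a bare signature in random data be ranked as a low-confidence hit. The machine-code table is the one quoted above (the full PE/COFF list is longer); the 4096-byte look-back window and the sample stream are assumptions constructed for the example.

```python
import struct

# Machine codes quoted in the answer above (COFF "Machine" field); extend as needed.
KNOWN_MACHINES = {0x14D: "Intel i860", 0x14C: "Intel i386", 0x162: "MIPS R3000",
                  0x166: "MIPS R4000", 0x183: "DEC Alpha AXP"}
PE_SIG = b"PE\0\0"
MZ_SIG = b"MZ"


def find_pe_headers(data: bytes, mz_window: int = 4096) -> list:
    """Return candidate PE headers found in a raw byte stream.

    1. Locate every "PE\\0\\0" (the answer's first check).
    2. Require the 2-byte Machine field that follows to be a known code.
    3. Look back up to mz_window bytes (assumed limit) for an "MZ" header whose
       e_lfanew points at this signature, as the loader would require; a match
       raises the hit to high confidence.
    """
    hits = []
    pos = data.find(PE_SIG)
    while pos != -1:
        machine = struct.unpack_from("<H", data, pos + 4)[0] if pos + 6 <= len(data) else None
        if machine in KNOWN_MACHINES:
            mz_off, start = None, max(0, pos - mz_window)
            m = data.rfind(MZ_SIG, start, pos)
            while m != -1:
                # e_lfanew is relative to the start of the DOS header
                if m + 0x40 <= len(data) and struct.unpack_from("<I", data, m + 0x3C)[0] == pos - m:
                    mz_off = m
                    break
                m = data.rfind(MZ_SIG, start, m)
            hits.append({"pe_offset": pos, "machine": KNOWN_MACHINES[machine], "mz_offset": mz_off,
                         "confidence": "high" if mz_off is not None else "low"})
        pos = data.find(PE_SIG, pos + 1)
    return hits


def build_sample() -> bytes:
    """Constructed stream: a decoy 'PE\\0\\0' with a plausible Machine but no DOS
    header, then a minimal MZ header (e_lfanew = 0x40) followed by a real PE signature."""
    decoy = b"\x00" * 16 + PE_SIG + struct.pack("<H", 0x14C) + b"\x00" * 16
    dos = bytearray(MZ_SIG + b"\x00" * 62)          # 64-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> byte 0x40
    coff = PE_SIG + struct.pack("<H", 0x14C) + b"\x00" * 18
    return decoy + bytes(dos) + coff


if __name__ == "__main__":
    for hit in find_pe_headers(build_sample()):
        print(hit)
```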

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow