Sounds good – I’ll use those as a starting point. Maybe we should add Optional Header as well, since it contains information about linker version and OS version, etc.?
Regards,
Ivan
From: Jerome Athias <athiasjerome@gmail.com>
Date: Friday, July 8, 2016 at 3:55 AM
To: Ivan Kirillov <ikirillov@mitre.org>
Cc: "cti-cybox@lists.oasis-open.org" <cti-cybox@lists.oasis-open.org>
Subject: Re: [cti-cybox] Minimum set of PE Header Fields?
Well
File Header, Hashes, Type and Checksum maybe for minimum
On Thursday, 7 July 2016, Kirillov, Ivan A. <ikirillov@mitre.org> wrote:
Does anyone have any thoughts on the minimum set of PE Header fields (and other fields) we should include for the PE Binary File Extension? This is one of the last outstanding File Extensions that we need to define, and I’d rather avoid having to include all of the fields from the old Windows Executable File Object [1] if possible. The old Object tried to model an entire PE Binary (similar to how the old PDF File Object modeled an entire PDF File), and based on our new thinking there’s likely to be a subset of useful fields that can be exchanged; for additional data, it’s more useful to exchange the entire binary (i.e., using the Artifact Object). For reference, here’s the overall structure of the old Object:
· Build Information
· Exports
· Headers
  o DOS_Header
  o Signature
  o File Header
  o Optional Header
  o Hashes
· Imports
· PE_Checksum
· Resources
· Sections
· Type

[1] http://cybox.mitre.org/language/version2.1/xsddocs/objects/Win_Executable_File_Object.html
Regards,
Ivan
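The fields proposed in this thread (File Header, Hashes, Type, Checksum, plus the linker and OS version fields from the Optional Header) are easy to pull straight off the bytes, which is one argument for keeping the extension small and shipping the whole binary as an Artifact when more is needed. The following Python is an added example written for this page; it is not code from the thread, from CybOX, or from any project, and the PE image it parses is constructed inline rather than read from disk. It extracts exactly that minimum set, derives a type string (PE32/PE32+, EXE/DLL), and recomputes the PE checksum so a stored value can be checked against the file contents. Field offsets follow the PE/COFF specification; the CheckSum (0x40) and Subsystem (0x44) offsets within the Optional Header are the same for PE32 and PE32+.

```python
"""Extract the "minimum set" of PE header fields discussed in the thread.

Added example (not from the e-mail thread, the CybOX schema or any
project code): it walks the DOS header and PE signature, reads the COFF
File Header plus the linker-version, OS-version, CheckSum and Subsystem
fields of the Optional Header, hashes the file, derives a type string
(PE32/PE32+, EXE/DLL) and recomputes the PE checksum to compare with the
stored one.  The PE image it parses is constructed inline.
"""
import hashlib
import struct

IMAGE_FILE_DLL = 0x2000
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
FILE_HEADER_FMT = "<HHIIIHH"  # Machine, NumberOfSections, TimeDateStamp,
                              # PointerToSymbolTable, NumberOfSymbols,
                              # SizeOfOptionalHeader, Characteristics


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """Recompute the Optional Header CheckSum the way ImageHlp does:
    add every 32-bit word with end-around carry, treating the CheckSum
    field itself as zero, fold to 16 bits and add the file length."""
    buf = bytearray(data)
    buf[checksum_offset:checksum_offset + 4] = b"\0\0\0\0"
    buf += b"\0" * (-len(buf) % 4)          # pad to a whole dword
    total = 0
    for off in range(0, len(buf), 4):
        total += struct.unpack_from("<I", buf, off)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def parse_pe_minimum(data: bytes) -> dict:
    """Return the proposed minimum field set for a PE file as a dict."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4
    (machine, nsections, timestamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from(FILE_HEADER_FMT, data, fh)
    oh = fh + 20
    if opt_size < 0x48:
        raise ValueError("Optional Header too short for the fields we need")
    magic, major_linker, minor_linker = struct.unpack_from("<HBB", data, oh)
    major_os, minor_os = struct.unpack_from("<HH", data, oh + 0x28)
    stored_checksum, subsystem = struct.unpack_from("<IH", data, oh + 0x40)
    fmt = {PE32_MAGIC: "PE32", PE32PLUS_MAGIC: "PE32+"}.get(magic, "unknown")
    kind = "DLL" if characteristics & IMAGE_FILE_DLL else "executable"
    computed = pe_checksum(data, oh + 0x40)
    return {
        "type": f"{fmt} {kind}",
        "machine": machine,
        "number_of_sections": nsections,
        "timestamp": timestamp,
        "characteristics": characteristics,
        "linker_version": f"{major_linker}.{minor_linker}",
        "os_version": f"{major_os}.{minor_os}",
        "subsystem": subsystem,
        "stored_checksum": stored_checksum,
        "computed_checksum": computed,
        "checksum_valid": stored_checksum == computed,
        "hashes": {name: hashlib.new(name, data).hexdigest()
                   for name in ("md5", "sha1", "sha256")},
    }


def build_sample_pe() -> bytes:
    """Constructed, not a real binary: a PE32+ console EXE with one
    section and a correct CheckSum, just large enough to parse."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)             # e_lfanew
    file_header = struct.pack(FILE_HEADER_FMT, 0x8664, 1, 0x57800000,
                              0, 0, 240, 0x0022)      # AMD64, EXE image
    opt = bytearray(240)                              # PE32+ optional header
    struct.pack_into("<HBB", opt, 0, PE32PLUS_MAGIC, 14, 0)   # linker 14.0
    struct.pack_into("<HH", opt, 0x28, 6, 0)          # OS version 6.0
    struct.pack_into("<HH", opt, 0x30, 6, 0)          # subsystem version 6.0
    struct.pack_into("<H", opt, 0x44, 3)              # IMAGE_SUBSYSTEM_WINDOWS_CUI
    section = bytearray(40)
    section[:5] = b".text"
    image = bytearray(dos + b"PE\0\0" + file_header + opt + section + b"\xC3" * 16)
    checksum_offset = 64 + 4 + 20 + 0x40
    struct.pack_into("<I", image, checksum_offset,
                     pe_checksum(bytes(image), checksum_offset))
    return bytes(image)


if __name__ == "__main__":
    sample = build_sample_pe()
    for key, value in parse_pe_minimum(sample).items():
        print(f"{key:20} {value}")
    tampered = sample[:-1] + bytes([sample[-1] ^ 0xFF])   # flip a code byte
    print("tampered checksum ok?", parse_pe_minimum(tampered)["checksum_valid"])
```

Two caveats for anyone exchanging the checksum field: a stored CheckSum of zero is normal for user-mode binaries (Windows only enforces it for drivers and boot-time images), so "mismatch" should be distinguished from "absent"; and the checksum is an integrity hint, not a tamper-evidence mechanism, since anyone who modifies the file can recompute it. The cryptographic hashes are what an analyst should key on; the checksum is useful mainly to spot binaries patched in place without being relinked.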