cti-cybox message



Subject: Re: [cti-cybox] Minimum set of PE Header Fields?


I’ve added an initial cut of the PE Binary File Extension: https://docs.google.com/document/d/1DdS-NrVTjGJ3wvCJ7dbSlhYeiaWS6G6dOXu2F3POpUs/edit#heading=h.gg5zibddf9bs

 

Please add any comments/edits as you see fit.

 

Regards,

Ivan

 

From: <cti-cybox@lists.oasis-open.org> on behalf of Ivan Kirillov <ikirillov@mitre.org>
Date: Friday, July 8, 2016 at 7:22 AM
To: Jerome Athias <athiasjerome@gmail.com>
Cc: "cti-cybox@lists.oasis-open.org" <cti-cybox@lists.oasis-open.org>
Subject: Re: [cti-cybox] Minimum set of PE Header Fields?

 

Sounds good – I’ll use those as a starting point. Maybe we should add Optional Header as well, since it contains information about linker version and OS version, etc.?

 

Regards,

Ivan

 

From: Jerome Athias <athiasjerome@gmail.com>
Date: Friday, July 8, 2016 at 3:55 AM
To: Ivan Kirillov <ikirillov@mitre.org>
Cc: "cti-cybox@lists.oasis-open.org" <cti-cybox@lists.oasis-open.org>
Subject: Re: [cti-cybox] Minimum set of PE Header Fields?

 

Well

File Header, Hashes, Type and Checksum maybe for minimum

On Thursday, 7 July 2016, Kirillov, Ivan A. <ikirillov@mitre.org> wrote:

Does anyone have any thoughts on the minimum set of PE Header fields (and other fields) we should include for the PE Binary File Extension? This is one of the last outstanding File Extensions that we need to define, and I’d rather avoid having to include all of the fields from the old Windows Executable File Object [1] if possible. The old Object tried to model an entire PE Binary (similar to how the old PDF File Object modeled an entire PDF File), and based on our new thinking there’s likely to be a subset of useful fields that can be exchanged; for additional data, it’s more useful to exchange the entire binary (i.e., using the Artifact Object). For reference, here’s the overall structure of the old Object:

 

- Build Information
- Exports
- Headers
  - DOS_Header
  - Signature
  - File Header
  - Optional Header
  - Hashes
- Imports
- PE_Checksum
- Resources
- Sections
- Type

 

[1] http://cybox.mitre.org/language/version2.1/xsddocs/objects/Win_Executable_File_Object.html

 

Regards,

Ivan
