These commits improve the whitelisting of PE headers:
pe_tools are moved to a shared utility subpackage, which is now also used in the PeHeaderWhitelister. This removes code duplicates between PeHeaderWhitelister and WhitelistFilter, simplifying the development.
The function responsible for the normalization of PE headers was fully rewritten. It now supports normalizing .NET PEs. Furthermore it correctly handles non-zero offsets before the MZ header.
Duplicate code within pe_tools was removed.
A separate PeHeaderHasher.py provides the hashing of normalized PE headers as a command line tool. This can be useful for sorting and (re)identification of dumped PE files.
The additional_pe_whitelist in the config is extended by the hashes of the provided hooks EP_EM0_sleep.dll, both_EM0_sleep.dll, and TP_EM0_sleep.dll.
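To illustrate the kind of normalization-then-hash step this PR describes, here is an added stand-alone example that is not the project's pe_tools or PeHeaderHasher.py code. It locates the MZ header even when it is preceded by a non-zero offset, zeroes two fields assumed here to vary between dumps of the same image (the COFF TimeDateStamp and the optional header CheckSum; the project's own field list is not given on this page), and hashes the headers; build_sample_pe is a constructed minimal PE32, not a real file.

```python
import hashlib
import struct


def find_mz_offset(data: bytes) -> int:
    """Offset of the first 'MZ' whose e_lfanew points at a 'PE\\0\\0' signature."""
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            if data[pos + e_lfanew:pos + e_lfanew + 4] == b"PE\0\0":
                return pos
        pos = data.find(b"MZ", pos + 1)
    raise ValueError("no PE header found")


def normalized_header(data: bytes) -> bytes:
    """DOS header through section table, with volatile fields zeroed (assumed field list)."""
    base = find_mz_offset(data)
    e_lfanew = struct.unpack_from("<I", data, base + 0x3C)[0]
    pe = base + e_lfanew
    num_sections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    end = pe + 24 + opt_size + 40 * num_sections  # signature + COFF + optional + sections
    if end > len(data):
        raise ValueError("truncated PE header")
    hdr = bytearray(data[base:end])
    struct.pack_into("<I", hdr, e_lfanew + 8, 0)        # COFF TimeDateStamp
    struct.pack_into("<I", hdr, e_lfanew + 24 + 64, 0)  # CheckSum (same offset in PE32 and PE32+)
    return bytes(hdr)


def header_hash(data: bytes) -> str:
    return hashlib.sha256(normalized_header(data)).hexdigest()


def build_sample_pe(timestamp: int, prefix: bytes = b"") -> bytes:
    """Constructed minimal PE32 image: DOS header, COFF header, optional header, one section."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 64, 0xDEADBEEF)                 # arbitrary CheckSum
    section = b".text".ljust(8, b"\0") + bytes(32)
    return prefix + bytes(dos) + coff + bytes(opt) + section
```

Two dumps of the same image that differ only in link timestamp and in the number of leading bytes before MZ yield the same hash.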