These commits improve the whitelisting of PE headers:
pe_tools are moved to a shared utility subpackage, which is now also used in the PeHeaderWhitelister. This removes code duplicates between PeHeaderWhitelister and WhitelistFilter, simplifying the development.
The function responsible for the normalization of PE headers was fully rewritten. It now supports normalizing .NET PEs. Furthermore it correctly handles non-zero offsets before the MZ header.
Duplicate code within pe_tools was removed.
A separate PeHeaderHasher.py provides the hashing of nomalized PE headers as a command line tool. This can be useful for sorting and (re)identification of dumped PE files.
The additional_pe_whitelist in the config is extended by the hashes of the provided hooks EP_EM0_sleep.dll, both_EM0_sleep.dll, and TP_EM0_sleep.dll.
These commits improve the whitelisting of PE headers:
pe_toolsare moved to a shared utility subpackage, which is now also used in thePeHeaderWhitelister. This removes code duplicates betweenPeHeaderWhitelisterandWhitelistFilter, simplifying the development.The function responsible for the normalization of PE headers was fully rewritten. It now supports normalizing .NET PEs. Furthermore it correctly handles non-zero offsets before the MZ header.
Duplicate code within
pe_toolswas removed.A separate
PeHeaderHasher.pyprovides the hashing of nomalized PE headers as a command line tool. This can be useful for sorting and (re)identification of dumped PE files.The
additional_pe_whitelistin the config is extended by the hashes of the provided hooksEP_EM0_sleep.dll,both_EM0_sleep.dll, andTP_EM0_sleep.dll.