hasherezade / pe-sieve

Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches).
https://hshrzd.wordpress.com/pe-sieve/
BSD 2-Clause "Simplified" License

some question about source code #117

Closed helloobaby closed 11 months ago

helloobaby commented 11 months ago

I feel that your project is very useful, and I am also puzzled by some of your algorithms. https://github.com/hasherezade/pe-sieve/blob/be19198456e562143e44ecc34e7d034184f4d42f/stats/stats_analyzer.cpp#L179

Do you have more detailed information?

hasherezade commented 11 months ago

Hi @helloobaby, I can understand that this part can be confusing. Those are just some magic numbers that I approximated based on my tests; it's not something precise. Just ratios of characters that are common for a particular type of content. Now it is hardcoded, but it may be replaced with some machine learning in the future.
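The kind of heuristic described in that answer, as an added illustration that is not pe-sieve's own code: per-region byte statistics (printable ratio, null ratio, Shannon entropy) compared against hand-picked cut-offs to label a memory area as text, native code, or packed/encrypted data. The struct, function names, thresholds and sample buffers below are this example's assumptions, not values taken from stats_analyzer.cpp.

```cpp
#include <cmath>
#include <cstddef>
#include <cstdint>
#include <vector>
// Per-region statistics; field names and cut-offs are this example's own, not pe-sieve's.
struct AreaStats {
    double printableRatio; // share of bytes in 0x20..0x7e
    double nullRatio;      // share of 0x00 bytes
    double entropy;        // Shannon entropy, bits per byte (0..8)
};
enum class ContentKind { Text, Code, HighEntropy, Unknown };
AreaStats computeStats(const std::vector<uint8_t>& buf) {
    AreaStats s{0.0, 0.0, 0.0};
    if (buf.empty()) return s;
    size_t counts[256] = {0}, printable = 0;
    for (uint8_t b : buf) {
        ++counts[b];
        if (b >= 0x20 && b <= 0x7e) ++printable;
    }
    const double n = static_cast<double>(buf.size());
    s.printableRatio = printable / n;
    s.nullRatio = counts[0] / n;
    for (size_t c : counts) {                // H = -sum p(b) * log2 p(b)
        if (c == 0) continue;
        const double p = c / n;
        s.entropy -= p * std::log2(p);
    }
    return s;
}
// Illustrative thresholds: mostly printable -> text; near-maximal entropy ->
// packed/encrypted; nulls mixed with spread-out values -> native code.
ContentKind classify(const AreaStats& s) {
    if (s.printableRatio > 0.9) return ContentKind::Text;
    if (s.entropy > 7.0) return ContentKind::HighEntropy;
    if (s.nullRatio > 0.1 && s.entropy > 4.0) return ContentKind::Code;
    return ContentKind::Unknown;
}

// Constructed samples: a short x86 prologue-style byte run (32-bit immediates
// supply the nulls) and a buffer holding one copy of every byte value.
std::vector<uint8_t> sampleCode() {
    return {0x55,0x8b,0xec,0x83,0xec,0x10,0x53,0x56,0x57,0x8b,0x7d,0x08,0x33,0xc0,0x89,0x45,
            0xfc,0xe8,0x00,0x00,0x00,0x00,0x8b,0x4d,0x0c,0x51,0xff,0x15,0x00,0x00,0x40,0x00};
}
std::vector<uint8_t> sampleHighEntropy() {
    std::vector<uint8_t> v;
    for (int i = 0; i < 256; ++i) v.push_back(static_cast<uint8_t>(i));
    return v;
}
```

Real regions blur these boundaries (a .rdata page mixes strings, pointers and padding), which is why such cut-offs are tuned empirically rather than derived, as the answer above says.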

helloobaby commented 11 months ago

Thank you for the explanation