add: [pe-optional-header] New object template for PE optional headers

2024-04-03 17:32:47 +02:00 · 2024-04-03 17:32:47 +02:00 · 980ab615ec
parent f247f04548
commit 980ab615ec
1 changed files with 217 additions and 0 deletions
--- a/objects/pe-optional-header/definition.json
+++ b/objects/pe-optional-header/definition.json
@ -0,0 +1,217 @@
+{
+  "attributes": {
+    "address_of_entrypoint": {
+      "description": "The address of the entry point relative to the image base when the executable file is loaded into memory",
+      "disable_correlation": true,
+      "misp-attribute": "integer",
+      "ui-priority": 1
+    },
+    "base_of_code": {
+      "description": "Address relative to the imagebase where the binary's code starts",
+      "disable_correlation": true,
+      "misp-attribute": "integer",
+      "ui-priority": 0
+    },
+    "base_of_data": {
+      "description": "Address relative to the imagebase where the binary's data starts",
+      "disable_correlation": true,
+      "misp-attribute": "integer",
+      "ui-priority": 0
+    },
+    "checksum": {
+      "description": "The image file checksum",
+      "disable_correlation": true,
+      "misp-attribute": "hex",
+      "ui-priority": 0
+    },
+    "dll_characteristics": {
+      "description": "Some characteristics of the underlying binary",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "multiple": true,
+      "sane_default": [
+        "APPCONTAINER",
+        "DYNAMIC_BASE",
+        "FORCE_INTEGRITY",
+        "GUARD_CF",
+        "HIGH_ENTROPY_VA",
+        "NO_BIND",
+        "NO_ISOLATION",
+        "NO_SEH",
+        "NX_COMPAT",
+        "TERMINAL_SERVER_AWARE",
+        "WDM_DRIVER"
+      ],
+      "ui-priority": 0
+    },
+    "dll_characteristics_hex": {
+      "description": "The DLL characteristics in a single hex value",
+      "disable_correlation": true,
+      "misp-attribute": "hex",
+      "ui-priority": 0
+    },
+    "file_alignment": {
+      "description": "The alignment factor (in bytes) that is used to align the raw data of sections in the image file",
+      "misp-attribute": "size-in-bytes",
+      "ui-priority": 0
+    },
+    "image_base": {
+      "description": "The preferred base address when mapping the binary in memory",
+      "disable_correlation": true,
+      "misp-attribute": "integer",
+      "ui-priority": 0
+    },
+    "loader_flags": {
+      "description": "According to the PE specifications, this value is reserved and should be 0",
+      "disable_correlation": true,
+      "misp-attribute": "hex",
+      "ui-priority": 0
+    },
+    "magic": {
+      "description": "Magic value (PE_TYPE) that identifies a PE32 from a PE64",
+      "disable_correlation": true,
+      "misp-attribute": "hex",
+      "ui-priority": 0
+    },
+    "major_image_version": {
+      "description": "The major version number of the image",
+      "disable_correlation": true,
+      "misp-attribute": "integer",
+      "ui-priority": 0
+    },
+    "major_linker_version": {
+      "description": "The linker major version number",
+      "disable_correlation": true,
+      "misp-attribute": "integer",
+      "ui-priority": 0
+    },
+    "major_os_version": {
+      "description": "The major version number of the required operating system",
+      "disable_correlation": true,
+      "misp-attribute": "integer",
+      "ui-priority": 0
+    },
+    "major_subsystem_version": {
+      "description": "The major version number of the subsystem",
+      "disable_correlation": true,
+      "misp-attribute": "integer",
+      "ui-priority": 0
+    },
+    "minor_image_version": {
+      "description": "The minor version number of the image",
+      "disable_correlation": true,
+      "misp-attribute": "integer",
+      "ui-priority": 0
+    },
+    "minor_linker_version": {
+      "description": "The linker minor version number",
+      "disable_correlation": true,
+      "misp-attribute": "integer",
+      "ui-priority": 0
+    },
+    "minor_os_version": {
+      "description": "The minor version number of the required operating system",
+      "disable_correlation": true,
+      "misp-attribute": "integer",
+      "ui-priority": 0
+    },
+    "minor_subsystem_version": {
+      "description": "The minor version number of the subsystem",
+      "disable_correlation": true,
+      "misp-attribute": "integer",
+      "ui-priority": 0
+    },
+    "number_of_rva_and_size": {
+      "description": "The number of DataDirectory that follow this header",
+      "disable_correlation": true,
+      "misp-attribute": "integer",
+      "ui-priority": 0
+    },
+    "section_alignment": {
+      "description": "The alignment (in bytes) of sections when they are loaded into memory. It must be greater than or equal to file_alignment and the default is the page size for the architecture",
+      "misp-attribute": "size-in-bytes",
+      "ui-priority": 0
+    },
+    "size_of_code": {
+      "description": "The size of the code .text section or the sum of all the sections that contain code",
+      "misp-attribute": "size-in-bytes",
+      "ui-priority": 0
+    },
+    "size_of_headers": {
+      "description": "The combined size of an MS-DOS stub, PE header, and section headers rounded up to a multiple of file_alignment",
+      "misp-attribute": "size-in-bytes",
+      "ui-priority": 0
+    },
+    "size_of_heap_commit": {
+      "description": "The size of the local heap space to commit",
+      "misp-attribute": "size-in-bytes",
+      "ui-priority": 0
+    },
+    "size_of_heap_reserve": {
+      "description": "The size of the local heap space to reserve",
+      "misp-attribute": "size-in-bytes",
+      "ui-priority": 0
+    },
+    "size_of_image": {
+      "description": "The size (in bytes) of the image, including all headers, as the image is loaded in memory",
+      "misp-attribute": "size-in-bytes",
+      "ui-priority": 0
+    },
+    "size_of_initialised_data": {
+      "description": "The size of the initialized data which are usually located in the .data section. If the initialized data are split across multiple sections, it is the sum of the sections",
+      "misp-attribute": "size-in-bytes",
+      "ui-priority": 0
+    },
+    "size_of_stack_commit": {
+      "description": "The size of the stack to commit",
+      "misp-attribute": "size-in-bytes",
+      "ui-priority": 0
+    },
+    "size_of_stack_reserve": {
+      "description": "The size of the stack to reserve",
+      "misp-attribute": "size-in-bytes",
+      "ui-priority": 0
+    },
+    "size_of_uninitialised_data": {
+      "description": "The size of the uninitialized data which are usually located in the .bss section. If the uninitialized data are split across multiple sections, it is the sum of the sections",
+      "misp-attribute": "size-in-bytes",
+      "ui-priority": 0
+    },
+    "subsystem": {
+      "description": "Target subsystem",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "sane_default": [
+        "EFI_APPLICATION",
+        "EFI_BOOT_SERVICE_DRIVER",
+        "EFI_ROM",
+        "EFI_RUNTIME_DRIVER",
+        "NATIVE",
+        "NATIVE_WINDOWS",
+        "OS2_CUI",
+        "POSIX_CUI",
+        "UNKNOWN",
+        "WINDOWS_BOOT_APPLICATION",
+        "WINDOWS_CE_GUI",
+        "WINDOWS_CUI",
+        "WINDOWS_GUI",
+        "XBOX"
+      ],
+      "ui-priority": 0
+    },
+    "win32_version_value": {
+      "description": "Specifies the reserved win32 version value (must be zero)",
+      "disable_correlation": true,
+      "misp-attribute": "hex",
+      "ui-priority": 0
+    }
+  },
+  "description": "Object describing a Portable Executable Optional Header",
+  "meta-category": "file",
+  "name": "pe-optional-header",
+  "requiredOneOf": [
+    "address_of_entrypoint"
+  ],
+  "uuid": "ebde65ab-ce98-413d-a518-8f37bc79bcb9",
+  "version": 1
+}