fix: [pe-optional-header] Updated object template

- Harmonised object relations to match with the
  `pe` template object relations, especially the
  ones for hex values
- Added object relations for `magic` value and
  `subsystem` hex value
pull/434/head
Christian Studer 2024-07-25 10:34:05 +02:00
parent d062743502
commit ecb061bb1b
No known key found for this signature in database
GPG Key ID: 6BBED1B63A6D639F
1 changed files with 44 additions and 28 deletions


@ -1,18 +1,18 @@
{ {
"attributes": { "attributes": {
"address_of_entrypoint": { "address-of-entrypoint": {
"description": "The address of the entry point relative to the image base when the executable file is loaded into memory", "description": "The address of the entry point relative to the image base when the executable file is loaded into memory",
"disable_correlation": true, "disable_correlation": true,
"misp-attribute": "integer", "misp-attribute": "integer",
"ui-priority": 1 "ui-priority": 1
}, },
"base_of_code": { "base-of-code": {
"description": "Address relative to the imagebase where the binary's code starts", "description": "Address relative to the imagebase where the binary's code starts",
"disable_correlation": true, "disable_correlation": true,
"misp-attribute": "integer", "misp-attribute": "integer",
"ui-priority": 0 "ui-priority": 0
}, },
"base_of_data": { "base-of-data": {
"description": "Address relative to the imagebase where the binary's data starts", "description": "Address relative to the imagebase where the binary's data starts",
"disable_correlation": true, "disable_correlation": true,
"misp-attribute": "integer", "misp-attribute": "integer",
@ -24,7 +24,7 @@
"misp-attribute": "hex", "misp-attribute": "hex",
"ui-priority": 0 "ui-priority": 0
}, },
"dll_characteristics": { "dll-characteristics": {
"description": "Some characteristics of the underlying binary", "description": "Some characteristics of the underlying binary",
"disable_correlation": true, "disable_correlation": true,
"misp-attribute": "text", "misp-attribute": "text",
@ -44,24 +44,24 @@
], ],
"ui-priority": 0 "ui-priority": 0
}, },
"dll_characteristics_hex": { "dll-characteristics-hex": {
"description": "The DLL characteristics in a single hex value", "description": "The DLL characteristics in a single hex value",
"disable_correlation": true, "disable_correlation": true,
"misp-attribute": "hex", "misp-attribute": "hex",
"ui-priority": 0 "ui-priority": 0
}, },
"file_alignment": { "file-alignment": {
"description": "The alignment factor (in bytes) that is used to align the raw data of sections in the image file", "description": "The alignment factor (in bytes) that is used to align the raw data of sections in the image file",
"misp-attribute": "size-in-bytes", "misp-attribute": "size-in-bytes",
"ui-priority": 0 "ui-priority": 0
}, },
"image_base": { "image-base": {
"description": "The preferred base address when mapping the binary in memory", "description": "The preferred base address when mapping the binary in memory",
"disable_correlation": true, "disable_correlation": true,
"misp-attribute": "integer", "misp-attribute": "integer",
"ui-priority": 0 "ui-priority": 0
}, },
"loader_flags": { "loader-flags": {
"description": "According to the PE specifications, this value is reserved and should be 0", "description": "According to the PE specifications, this value is reserved and should be 0",
"disable_correlation": true, "disable_correlation": true,
"misp-attribute": "hex", "misp-attribute": "hex",
@ -70,109 +70,119 @@
"magic": { "magic": {
"description": "Magic value (PE_TYPE) that identifies a PE32 from a PE64", "description": "Magic value (PE_TYPE) that identifies a PE32 from a PE64",
"disable_correlation": true, "disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
"PE32",
"PE32_PLUS"
],
"ui-priority": 0
},
"magic-hex": {
"description": "The magic value in a simple hex value",
"disable_correlation": true,
"misp-attribute": "hex", "misp-attribute": "hex",
"ui-priority": 0 "ui-priority": 0
}, },
"major_image_version": { "major-image-version": {
"description": "The major version number of the image", "description": "The major version number of the image",
"disable_correlation": true, "disable_correlation": true,
"misp-attribute": "integer", "misp-attribute": "integer",
"ui-priority": 0 "ui-priority": 0
}, },
"major_linker_version": { "major-linker-version": {
"description": "The linker major version number", "description": "The linker major version number",
"disable_correlation": true, "disable_correlation": true,
"misp-attribute": "integer", "misp-attribute": "integer",
"ui-priority": 0 "ui-priority": 0
}, },
"major_os_version": { "major-os-version": {
"description": "The major version number of the required operating system", "description": "The major version number of the required operating system",
"disable_correlation": true, "disable_correlation": true,
"misp-attribute": "integer", "misp-attribute": "integer",
"ui-priority": 0 "ui-priority": 0
}, },
"major_subsystem_version": { "major-subsystem-version": {
"description": "The major version number of the subsystem", "description": "The major version number of the subsystem",
"disable_correlation": true, "disable_correlation": true,
"misp-attribute": "integer", "misp-attribute": "integer",
"ui-priority": 0 "ui-priority": 0
}, },
"minor_image_version": { "minor-image-version": {
"description": "The minor version number of the image", "description": "The minor version number of the image",
"disable_correlation": true, "disable_correlation": true,
"misp-attribute": "integer", "misp-attribute": "integer",
"ui-priority": 0 "ui-priority": 0
}, },
"minor_linker_version": { "minor-linker-version": {
"description": "The linker minor version number", "description": "The linker minor version number",
"disable_correlation": true, "disable_correlation": true,
"misp-attribute": "integer", "misp-attribute": "integer",
"ui-priority": 0 "ui-priority": 0
}, },
"minor_os_version": { "minor-os-version": {
"description": "The minor version number of the required operating system", "description": "The minor version number of the required operating system",
"disable_correlation": true, "disable_correlation": true,
"misp-attribute": "integer", "misp-attribute": "integer",
"ui-priority": 0 "ui-priority": 0
}, },
"minor_subsystem_version": { "minor-subsystem-version": {
"description": "The minor version number of the subsystem", "description": "The minor version number of the subsystem",
"disable_correlation": true, "disable_correlation": true,
"misp-attribute": "integer", "misp-attribute": "integer",
"ui-priority": 0 "ui-priority": 0
}, },
"number_of_rva_and_size": { "number-of-rva-and-size": {
"description": "The number of DataDirectory that follow this header", "description": "The number of DataDirectory that follow this header",
"disable_correlation": true, "disable_correlation": true,
"misp-attribute": "integer", "misp-attribute": "integer",
"ui-priority": 0 "ui-priority": 0
}, },
"section_alignment": { "section-alignment": {
"description": "The alignment (in bytes) of sections when they are loaded into memory. It must be greater than or equal to file_alignment and the default is the page size for the architecture", "description": "The alignment (in bytes) of sections when they are loaded into memory. It must be greater than or equal to file_alignment and the default is the page size for the architecture",
"misp-attribute": "size-in-bytes", "misp-attribute": "size-in-bytes",
"ui-priority": 0 "ui-priority": 0
}, },
"size_of_code": { "size-of-code": {
"description": "The size of the code .text section or the sum of all the sections that contain code", "description": "The size of the code .text section or the sum of all the sections that contain code",
"misp-attribute": "size-in-bytes", "misp-attribute": "size-in-bytes",
"ui-priority": 0 "ui-priority": 0
}, },
"size_of_headers": { "size-of-headers": {
"description": "The combined size of an MS-DOS stub, PE header, and section headers rounded up to a multiple of file_alignment", "description": "The combined size of an MS-DOS stub, PE header, and section headers rounded up to a multiple of file_alignment",
"misp-attribute": "size-in-bytes", "misp-attribute": "size-in-bytes",
"ui-priority": 0 "ui-priority": 0
}, },
"size_of_heap_commit": { "size-of-heap-commit": {
"description": "The size of the local heap space to commit", "description": "The size of the local heap space to commit",
"misp-attribute": "size-in-bytes", "misp-attribute": "size-in-bytes",
"ui-priority": 0 "ui-priority": 0
}, },
"size_of_heap_reserve": { "size-of-heap-reserve": {
"description": "The size of the local heap space to reserve", "description": "The size of the local heap space to reserve",
"misp-attribute": "size-in-bytes", "misp-attribute": "size-in-bytes",
"ui-priority": 0 "ui-priority": 0
}, },
"size_of_image": { "size-of-image": {
"description": "The size (in bytes) of the image, including all headers, as the image is loaded in memory", "description": "The size (in bytes) of the image, including all headers, as the image is loaded in memory",
"misp-attribute": "size-in-bytes", "misp-attribute": "size-in-bytes",
"ui-priority": 0 "ui-priority": 0
}, },
"size_of_initialised_data": { "size-of-initialised-data": {
"description": "The size of the initialized data which are usually located in the .data section. If the initialized data are split across multiple sections, it is the sum of the sections", "description": "The size of the initialized data which are usually located in the .data section. If the initialized data are split across multiple sections, it is the sum of the sections",
"misp-attribute": "size-in-bytes", "misp-attribute": "size-in-bytes",
"ui-priority": 0 "ui-priority": 0
}, },
"size_of_stack_commit": { "size-of-stack-commit": {
"description": "The size of the stack to commit", "description": "The size of the stack to commit",
"misp-attribute": "size-in-bytes", "misp-attribute": "size-in-bytes",
"ui-priority": 0 "ui-priority": 0
}, },
"size_of_stack_reserve": { "size-of-stack-reserve": {
"description": "The size of the stack to reserve", "description": "The size of the stack to reserve",
"misp-attribute": "size-in-bytes", "misp-attribute": "size-in-bytes",
"ui-priority": 0 "ui-priority": 0
}, },
"size_of_uninitialised_data": { "size-of-uninitialised-data": {
"description": "The size of the uninitialized data which are usually located in the .bss section. If the uninitialized data are split across multiple sections, it is the sum of the sections", "description": "The size of the uninitialized data which are usually located in the .bss section. If the uninitialized data are split across multiple sections, it is the sum of the sections",
"misp-attribute": "size-in-bytes", "misp-attribute": "size-in-bytes",
"ui-priority": 0 "ui-priority": 0
@ -199,7 +209,13 @@
], ],
"ui-priority": 0 "ui-priority": 0
}, },
"win32_version_value": { "subsystem-hex": {
"description": "The subsystem in a simple hex value",
"disable_correlation": true,
"misp-attribute": "hex",
"ui-priority": 0
},
"win32-version-value": {
"description": "Specifies the reserved win32 version value (must be zero)", "description": "Specifies the reserved win32 version value (must be zero)",
"disable_correlation": true, "disable_correlation": true,
"misp-attribute": "hex", "misp-attribute": "hex",