patterns: Adding IPS pattern and fixed PE magic file (#153)

* Update pe.hexpat New improvement * Add ips.hexpat via upload * Add ips.hexpat.ips via upload * Added IPS to README * Mentioned Windows in portable_executable_magic
2026-03-27 23:37:04 -05:00 · 2023-08-26 19:38:30 -03:00
parent 86f93dfdaf
commit ba14dd0cb2
4 changed files with 32 additions and 1 deletions
--- a/patterns/ips.hexpat
+++ b/patterns/ips.hexpat
@@ -0,0 +1,30 @@
+#include <std/mem.pat>
+#include <std/string.pat>
+
+#pragma endian big
+
+u8 eofOffset = 3;
+
+struct Hunk {
+	u24 offset;
+	u16 length;
+	if (length == 0) {
+		u16 runCount;
+		u8 payload;
+	}
+	else {
+		u8 payload[length];
+	}
+};
+
+struct IPS {
+	char signature[5];
+	if (std::mem::read_string(std::mem::size()-3, 3) != "EOF") {
+		eofOffset += 3;
+	}
+	Hunk hunks[while($ < std::mem::size()-eofOffset)];
+	char eof[3];
+	u24 truncatedSize[eofOffset>3];
+};
+
+IPS ips @ 0x00;