Commit Graph

7 Commits

Author SHA1 Message Date
Nik
dba93afe06 patterns: Fixed duplicate variable names 2022-09-21 16:34:23 +02:00
Nik
2cfd3c43a7 patterns: Added x-dosexec MIME type to PE pattern 2022-09-13 15:57:34 +02:00
gmestanley
ece86f1124 patterns: Added enhancements for PE pattern (#41)
The current pattern file for the PE format doesn't have a lot of the format's quirks, so I decided to code them in after I noticed that it doesn't cover the structure known as Rich Header. (Forgive the garbage code for its ProductType enum, it was the only way I found to make the values appear.)
Here are my sources for the improvements included here:

How the MZ header works and some of its variables' names: [How to determine the size of an PE executable file from headers and or footers](https://stackoverflow.com/questions/34684660/how-to-determine-the-size-of-an-pe-executable-file-from-headers-and-or-footers)
The function of some of the MZ header variables: [PE102 by Corkami](https://github.com/corkami/pics/blob/master/binary/pe102.png)
The existence of sections: [PE101 by Corkami](https://github.com/corkami/pics/blob/master/binary/pe101/pe101.png)
The Machine values for LoongArch processors, the architecture enum and how it's used in the Optional Header, Subsystem types, DLL & Section characteristics, how sections, their line numbers and relocations work: [PE Format](https://docs.microsoft.com/en-us/windows/win32/debug/pe-format#the-rsrc-section)
The Machine values for DECAlphaAXP and i860: [Peering Inside the PE: A Tour of the Win32 Portable Executable File Format](https://docs.microsoft.com/en-us/previous-versions/ms809762(v=msdn.10)#the-pe-header)
How the Rich Header works: [VB2019 paper: Rich Headers: leveraging this mysterious artifact of the PE format](https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format/)
Values of products in the Rich Header: [The devil's in the Rich header](https://securelist.com/the-devils-in-the-rich-header/84348/)
Every other value not found in the above source: Ghidra
2022-08-10 15:06:10 +02:00
Oded Shapira
65f2b7821b patterns: Fix typo in pe.hexpat (#39)
Fixed a typo where it said numberOfRelactions instead of numberOfRelocations.
2022-08-04 23:49:26 +02:00
WerWolv
7c3db44abc patterns: Fix removal of nextAfter builtin function 2021-05-22 00:03:05 +02:00
ThisALV
2f41f6e233 Improved PE patterns for both x86 and x64 files. (#9)
* Improved PE patterns for both x86 and x64 files.

Added sections table and data directories.
Support for 64bits binaries.
Separated files for 32bits and 64bits binaries.

* Deleted old PE pattern.

* Single file used for both PE32 and PE32+.

Change FORMAT preprocessor constant to switch mode.

* Improved sections table localization.

Using recently added nextAfter() builtin-function to locate sections
table.

* Automatic detection for 64bits executables.

Automatically detect if PE32+ format is enabled by checking machine
value.

* Updated README.md for single PE hexpat file.

* Use String for sections name.

* Remove silly usage of define preprocessor.
2021-01-24 14:31:51 +01:00
WerWolv
f2d85fd506 Uploaded currently available files 2020-12-03 21:49:54 +01:00