[go: up one dir, main page]

Skip to content

Metadata hash incorporating the Rich Header for robustness against packing and other malware tricks

License

Notifications You must be signed in to change notification settings

RichHeaderResearch/RichPE

Repository files navigation

Rich Header Research

The Rich header is an undocumented header contained within PE files compiled and linked using the Microsoft toolchain. It contains information about the build environment that the PE file was created in. If you want to learn more about the Rich header, check out these excellent articles:

Prior research on the Rich header has shown that it is very useful for malware analysis:

This repository contains our own research on the Rich header, which includes the RichPE metadata hash and a tool that checks whether the metadata within the Rich header is corroborated by other PE file metadata.

RichPE:

Implementation of the RichPE metadata hash.

usage: python3 richpe.py [any # of file paths]

example: python3 richpe.py /path/to/file

example: python3 richpe.py /path/to/directory/*

Spoof Check:

Checks that the metadata within a file's Rich header does not contradict the other metadata contained within it.

usage: python3 spoof_check.py [any # of file paths]

example: python3 spoof_check.py /path/to/file

example: python3 spoof_check.py /path/to/directory/*

Rich header hash:

Implementation of the Rich header hash to be used within yara rules (hash.md5(pe.rich_signature.clear_data)).

usage: python3 rich.py [any # of file paths]

example: python3 rich.py /path/to/file

example: python3 rich.py /path/to/directory/*

Dependencies:

All scripts (richpe.py, rich.py and spoof_check.py) depend upon the pefile library.

pip3 install pefile

About

Metadata hash incorporating the Rich Header for robustness against packing and other malware tricks

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Contributors 4

  •  
  •  
  •  
  •  

Languages