avast / retdec

RetDec is a retargetable machine-code decompiler based on LLVM.
https://retdec.com/
MIT License

fileinfo: Anomalies in PE files #415

Open metthal opened 5 years ago

metthal commented 5 years ago

PE files (or generally other executable files, but let's stick to PE files in this ticket) do not necessarily need to conform to the PE specification in order to be loadable by Windows. There are often many discrepancies and violations of the specification, and the file still remains valid. This is often abused by malware authors in order to make analysis of the file more complicated. These so-called anomalies can be used as initial indicators that something fishy is going on. They can also be used by other tools which use fileinfo as their source of data, in order to focus on the things pointed out by these indicators.

The indicators would be presented by fileinfo in the form of a list. Indicators would also possibly be parameterized if necessary. Indicators could also possibly be split into categories by their severity.

I am not going to list here all the possible anomalies that are going to be implemented, because I don't even know them all myself and the list would be infinite. We can start with the detection of unusual values in the PE header and work our way from that. This is more of a research task than a definite one.
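To make the "unusual values in the PE header" starting point concrete, here is an added example of the kind of check list the ticket describes. It is illustrative code written for this page, not RetDec's fileinfo implementation, and the severity labels, finding codes and thresholds other than the documented 96-section loader limit are this example's own assumptions. The sample PE is constructed in memory with deliberate anomalies (zero TimeDateStamp, a section with virtual size but no raw data, a non-printable section name, an entry point that lies in no section).

```python
"""Toy PE header anomaly scanner (added example, not RetDec fileinfo code)."""
import string
import struct

MAX_SECTIONS = 96  # documented Windows loader limit on NumberOfSections
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")


def scan_pe(data: bytes):
    """Return a list of (severity, code, detail) tuples for header anomalies."""
    findings = []

    def add(sev, code, detail):
        findings.append((sev, code, detail))

    if data[:2] != b"MZ":
        add("high", "NO_MZ", "missing DOS signature")
        return findings
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data):  # 4-byte PE signature + 20-byte COFF header
        add("high", "BAD_E_LFANEW", f"e_lfanew 0x{e_lfanew:x} points past end of file")
        return findings
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        add("high", "NO_PE_SIG", "missing PE signature at e_lfanew")
        return findings

    coff = e_lfanew + 4
    (_machine, nsections, timestamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, coff)
    if nsections == 0 or nsections > MAX_SECTIONS:
        add("high", "SECTION_COUNT", f"NumberOfSections = {nsections}")
    if timestamp == 0:
        add("low", "ZERO_TIMESTAMP", "TimeDateStamp is 0")

    # Optional header: field offsets are identical for PE32 and PE32+ up to CheckSum
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):
        add("high", "BAD_OPT_MAGIC", f"optional header magic 0x{magic:x}")
        return findings
    (entry,) = struct.unpack_from("<I", data, opt + 16)
    sect_align, file_align = struct.unpack_from("<II", data, opt + 32)
    size_of_image, _hdr_size, checksum = struct.unpack_from("<III", data, opt + 56)
    is_dll = bool(characteristics & 0x2000)
    if entry == 0 and not is_dll:
        add("medium", "ZERO_ENTRY", "AddressOfEntryPoint is 0 in a non-DLL image")
    if checksum == 0:
        add("low", "ZERO_CHECKSUM", "CheckSum is 0")
    for name, val in (("SectionAlignment", sect_align), ("FileAlignment", file_align)):
        if val == 0 or val & (val - 1):
            add("high", "BAD_ALIGNMENT", f"{name} = 0x{val:x} is not a power of two")

    # Section table follows the optional header; each entry is 40 bytes
    sect_table = opt + opt_size
    last_end, entry_in_section = 0, False
    for i in range(min(nsections, MAX_SECTIONS)):
        off = sect_table + i * 40
        if off + 40 > len(data):
            add("high", "TRUNCATED_SECTION_TABLE", f"section {i} header past end of file")
            break
        raw_name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        name = raw_name.rstrip(b"\0").decode("latin-1")
        if not name or any(c not in PRINTABLE for c in name):
            add("medium", "ODD_SECTION_NAME", f"section {i} name {raw_name!r}")
        if rawsize == 0 and vsize != 0:
            add("medium", "NO_RAW_DATA", f"section {name!r} has VirtualSize 0x{vsize:x} but no raw data")
        if rawptr + rawsize > len(data):
            add("high", "RAW_PAST_EOF", f"section {name!r} raw data ends past end of file")
        if file_align and rawptr % file_align:
            add("medium", "UNALIGNED_RAW", f"section {name!r} PointerToRawData 0x{rawptr:x} not aligned")
        span = max(vsize, rawsize)
        if vaddr <= entry < vaddr + span:
            entry_in_section = True
        last_end = max(last_end, vaddr + span)
    if not entry_in_section:
        add("high", "ENTRY_OUTSIDE_SECTIONS", f"AddressOfEntryPoint 0x{entry:x} is in no section")
    if size_of_image < last_end:
        add("medium", "SIZE_OF_IMAGE_SMALL", f"SizeOfImage 0x{size_of_image:x} < 0x{last_end:x}")
    return findings


def build_sample_pe() -> bytes:
    """Construct (not a real file) a minimal PE32 image with deliberate anomalies."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)      # TimeDateStamp = 0
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                                # PE32 magic
    struct.pack_into("<I", opt, 16, 0x3000)                              # entry point in no section
    struct.pack_into("<I", opt, 28, 0x400000)                            # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)                      # Section/FileAlignment
    struct.pack_into("<III", opt, 56, 0x3000, 0x200, 0)                  # SizeOfImage, SizeOfHeaders, CheckSum
    struct.pack_into("<H", opt, 68, 2)                                   # Subsystem: GUI
    struct.pack_into("<I", opt, 92, 16)                                  # NumberOfRvaAndSizes
    text = struct.pack("<8sIIIIIIHHI", b".text\0\0\0", 0x1000, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    odd = struct.pack("<8sIIIIIIHHI", b"\x00\xff\x01abc\0\0", 0x1000, 0x2000, 0, 0, 0, 0, 0, 0, 0xE0000080)
    headers = dos + b"PE\0\0" + coff + bytes(opt) + text + odd
    headers += b"\0" * (0x200 - len(headers))
    return headers + b"\xC3" * 0x200  # one file-aligned chunk of "code"


if __name__ == "__main__":
    for sev, code, detail in scan_pe(build_sample_pe()):
        print(f"[{sev}] {code}: {detail}")
```

Each finding carries a severity so a consumer can decide which indicators merit attention on their own and which (such as a zero CheckSum, common in unsigned builds) only matter in combination. The checks stop early on a malformed e_lfanew or missing PE signature, since the offsets that follow would be meaningless.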

PeterMatula commented 5 years ago

Internal note: possible inspiration in Avast cuckoo module static_pe_anomaly.py.

metthal commented 5 years ago

Additional anomalies proposed: