mirror of
https://github.com/horsicq/Detect-It-Easy.git
synced 2026-06-24 01:54:08 +00:00
1119 lines
39 KiB
Text
1119 lines
39 KiB
Text
// Check PE Format 0.1
|
|
// Bugreports : horsicq@gmail.com
|
|
|
|
//
|
|
function load()
|
|
{
|
|
// call on script load
|
|
script.addMessage("Loading Check PE Format script");
|
|
script.addMessage("Bugreports: horsicq@gmail.com");
|
|
script.addMessage("______________________________");
|
|
}
|
|
function name()
|
|
{
|
|
// return script's name
|
|
return "Check PE Format 0.1";
|
|
}
|
|
function info()
|
|
{
|
|
// return script's information
|
|
return "Check PE Format 0.1";
|
|
}
|
|
function run()
|
|
{
|
|
// main script's function
|
|
var pefile=PEFile;
|
|
var szCurrentFile=script.getCurrentFileName();
|
|
var value;
|
|
var szString;
|
|
|
|
script.addMessage("Open file: "+szCurrentFile);
|
|
script.addMessage("");
|
|
|
|
if(pefile.setFileName(szCurrentFile))
|
|
{
|
|
if(pefile.isValid())
|
|
{
|
|
value=pefile.getDosHeader_magic();
|
|
szString="IMAGE_DOS_HEADER.e_magic: 0x"+script.wordToHex(value);
|
|
if(value==0x5A4D)
|
|
{
|
|
script.addSuccessMessage(szString);
|
|
}
|
|
else
|
|
{
|
|
script.addErrorMessage(szString+" Invalid value(must be 0x5A4D)");
|
|
}
|
|
value=pefile.getDosHeader_cblp();
|
|
szString="IMAGE_DOS_HEADER.e_cblp: 0x"+script.wordToHex(value);
|
|
if(value)
|
|
{
|
|
script.addSuccessMessage(szString);
|
|
}
|
|
else
|
|
{
|
|
script.addWarningMessage(szString+" Invalid value(must be initialized)");
|
|
}
|
|
value=pefile.getDosHeader_cp();
|
|
szString="IMAGE_DOS_HEADER.e_cp: 0x"+script.wordToHex(value);
|
|
if(value)
|
|
{
|
|
script.addSuccessMessage(szString);
|
|
}
|
|
else
|
|
{
|
|
script.addWarningMessage(szString+" Invalid value(must be initialized)");
|
|
}
|
|
value=pefile.getDosHeader_crlc();
|
|
szString="IMAGE_DOS_HEADER.e_crlc: 0x"+script.wordToHex(value);
|
|
if(value==0)
|
|
{
|
|
script.addSuccessMessage(szString);
|
|
}
|
|
else
|
|
{
|
|
script.addWarningMessage(szString+" Invalid value(must be 0)");
|
|
}
|
|
value=pefile.getDosHeader_cparhdr();
|
|
szString="IMAGE_DOS_HEADER.e_cparhdr: 0x"+script.wordToHex(value);
|
|
if(value)
|
|
{
|
|
script.addSuccessMessage(szString);
|
|
}
|
|
else
|
|
{
|
|
script.addWarningMessage(szString+" Invalid value(must be initialized)");
|
|
}
|
|
|
|
value=pefile.getDosHeader_minalloc();
|
|
szString="IMAGE_DOS_HEADER.e_minalloc: 0x"+script.wordToHex(value);
|
|
if(value==0)
|
|
{
|
|
script.addSuccessMessage(szString);
|
|
}
|
|
else
|
|
{
|
|
script.addWarningMessage(szString+" Invalid value(must be 0)");
|
|
}
|
|
value=pefile.getDosHeader_maxalloc();
|
|
szString="IMAGE_DOS_HEADER.e_maxalloc: 0x"+script.wordToHex(value);
|
|
if(value)
|
|
{
|
|
script.addSuccessMessage(szString);
|
|
}
|
|
else
|
|
{
|
|
script.addWarningMessage(szString+" Invalid value(must be initialized)");
|
|
}
|
|
value=pefile.getDosHeader_ss();
|
|
szString="IMAGE_DOS_HEADER.e_ss: 0x"+script.wordToHex(value);
|
|
if(value==0)
|
|
{
|
|
script.addSuccessMessage(szString);
|
|
}
|
|
else
|
|
{
|
|
script.addWarningMessage(szString+" Invalid value(must be 0)");
|
|
}
|
|
value=pefile.getDosHeader_sp();
|
|
szString="IMAGE_DOS_HEADER.e_sp: 0x"+script.wordToHex(value);
|
|
if(value)
|
|
{
|
|
script.addSuccessMessage(szString);
|
|
}
|
|
else
|
|
{
|
|
script.addWarningMessage(szString+" Invalid value(must be initialized)");
|
|
}
|
|
value=pefile.getDosHeader_csum();
|
|
szString="IMAGE_DOS_HEADER.e_csum: 0x"+script.wordToHex(value);
|
|
if(value==0)
|
|
{
|
|
script.addSuccessMessage(szString);
|
|
}
|
|
else
|
|
{
|
|
script.addWarningMessage(szString+" Invalid value(must be 0)");
|
|
}
|
|
value=pefile.getDosHeader_ip();
|
|
szString="IMAGE_DOS_HEADER.e_ip: 0x"+script.wordToHex(value);
|
|
if(value==0)
|
|
{
|
|
script.addSuccessMessage(szString);
|
|
}
|
|
else
|
|
{
|
|
script.addWarningMessage(szString+" Invalid value(must be 0)");
|
|
}
|
|
value=pefile.getDosHeader_cs();
|
|
szString="IMAGE_DOS_HEADER.e_cs: 0x"+script.wordToHex(value);
|
|
if(value==0)
|
|
{
|
|
script.addSuccessMessage(szString);
|
|
}
|
|
else
|
|
{
|
|
script.addWarningMessage(szString+" Invalid value(must be 0)");
|
|
}
|
|
value=pefile.getDosHeader_lfarlc();
|
|
szString="IMAGE_DOS_HEADER.e_lfarlc: 0x"+script.wordToHex(value);
|
|
if(value)
|
|
{
|
|
script.addSuccessMessage(szString);
|
|
}
|
|
else
|
|
{
|
|
script.addWarningMessage(szString+" Invalid value(must be initialized)");
|
|
}
|
|
value=pefile.getDosHeader_ovno();
|
|
szString="IMAGE_DOS_HEADER.e_ovno: 0x"+script.wordToHex(value);
|
|
if(value==0)
|
|
{
|
|
script.addSuccessMessage(szString);
|
|
}
|
|
else
|
|
{
|
|
script.addWarningMessage(szString+" Invalid value(must be 0)");
|
|
}
|
|
|
|
value=pefile.getDosHeader_res(0);
|
|
szString="IMAGE_DOS_HEADER.e_res[0]: 0x"+script.wordToHex(value);
|
|
if(value==0)
|
|
{
|
|
script.addSuccessMessage(szString);
|
|
}
|
|
else
|
|
{
|
|
script.addWarningMessage(szString+" Invalid value(must be 0)");
|
|
}
|
|
value=pefile.getDosHeader_res(1);
|
|
szString="IMAGE_DOS_HEADER.e_res[1]: 0x"+script.wordToHex(value);
|
|
if(value==0)
|
|
{
|
|
script.addSuccessMessage(szString);
|
|
}
|
|
else
|
|
{
|
|
script.addWarningMessage(szString+" Invalid value(must be 0)");
|
|
}
|
|
value=pefile.getDosHeader_res(2);
|
|
szString="IMAGE_DOS_HEADER.e_res[2]: 0x"+script.wordToHex(value);
|
|
if(value==0)
|
|
{
|
|
script.addSuccessMessage(szString);
|
|
}
|
|
else
|
|
{
|
|
script.addWarningMessage(szString+" Invalid value(must be 0)");
|
|
}
|
|
value=pefile.getDosHeader_res(3);
|
|
szString="IMAGE_DOS_HEADER.e_res[3]: 0x"+script.wordToHex(value);
|
|
if(value==0)
|
|
{
|
|
script.addSuccessMessage(szString);
|
|
}
|
|
else
|
|
{
|
|
script.addWarningMessage(szString+" Invalid value(must be 0)");
|
|
}
|
|
value=pefile.getDosHeader_oemid();
|
|
szString="IMAGE_DOS_HEADER.e_oemid: 0x"+script.wordToHex(value);
|
|
if(value==0)
|
|
{
|
|
script.addSuccessMessage(szString);
|
|
}
|
|
else
|
|
{
|
|
script.addWarningMessage(szString+" Invalid value(must be 0)");
|
|
}
|
|
value=pefile.getDosHeader_oeminfo();
|
|
szString="IMAGE_DOS_HEADER.e_oeminfo: 0x"+script.wordToHex(value);
|
|
if(value==0)
|
|
{
|
|
script.addSuccessMessage(szString);
|
|
}
|
|
else
|
|
{
|
|
script.addWarningMessage(szString+" Invalid value(must be 0)");
|
|
}
|
|
|
|
value=pefile.getDosHeader_res2(0);
|
|
szString="IMAGE_DOS_HEADER.e_res2[0]: 0x"+script.wordToHex(value);
|
|
if(value==0)
|
|
{
|
|
script.addSuccessMessage(szString);
|
|
}
|
|
else
|
|
{
|
|
script.addWarningMessage(szString+" Invalid value(must be 0)");
|
|
}
|
|
value=pefile.getDosHeader_res2(1);
|
|
szString="IMAGE_DOS_HEADER.e_res2[1]: 0x"+script.wordToHex(value);
|
|
if(value==0)
|
|
{
|
|
script.addSuccessMessage(szString);
|
|
}
|
|
else
|
|
{
|
|
script.addWarningMessage(szString+" Invalid value(must be 0)");
|
|
}
|
|
value=pefile.getDosHeader_res2(2);
|
|
szString="IMAGE_DOS_HEADER.e_res2[2]: 0x"+script.wordToHex(value);
|
|
if(value==0)
|
|
{
|
|
script.addSuccessMessage(szString);
|
|
}
|
|
else
|
|
{
|
|
script.addWarningMessage(szString+" Invalid value(must be 0)");
|
|
}
|
|
value=pefile.getDosHeader_res2(3);
|
|
szString="IMAGE_DOS_HEADER.e_res2[3]: 0x"+script.wordToHex(value);
|
|
if(value==0)
|
|
{
|
|
script.addSuccessMessage(szString);
|
|
}
|
|
else
|
|
{
|
|
script.addWarningMessage(szString+" Invalid value(must be 0)");
|
|
}
|
|
value=pefile.getDosHeader_res2(4);
|
|
szString="IMAGE_DOS_HEADER.e_res2[4]: 0x"+script.wordToHex(value);
|
|
if(value==0)
|
|
{
|
|
script.addSuccessMessage(szString);
|
|
}
|
|
else
|
|
{
|
|
script.addWarningMessage(szString+" Invalid value(must be 0)");
|
|
}
|
|
value=pefile.getDosHeader_res2(5);
|
|
szString="IMAGE_DOS_HEADER.e_res2[5]: 0x"+script.wordToHex(value);
|
|
if(value==0)
|
|
{
|
|
script.addSuccessMessage(szString);
|
|
}
|
|
else
|
|
{
|
|
script.addWarningMessage(szString+" Invalid value(must be 0)");
|
|
}
|
|
value=pefile.getDosHeader_res2(6);
|
|
szString="IMAGE_DOS_HEADER.e_res2[6]: 0x"+script.wordToHex(value);
|
|
if(value==0)
|
|
{
|
|
script.addSuccessMessage(szString);
|
|
}
|
|
else
|
|
{
|
|
script.addWarningMessage(szString+" Invalid value(must be 0)");
|
|
}
|
|
value=pefile.getDosHeader_res2(7);
|
|
szString="IMAGE_DOS_HEADER.e_res2[7]: 0x"+script.wordToHex(value);
|
|
if(value==0)
|
|
{
|
|
script.addSuccessMessage(szString);
|
|
}
|
|
else
|
|
{
|
|
script.addWarningMessage(szString+" Invalid value(must be 0)");
|
|
}
|
|
value=pefile.getDosHeader_res2(8);
|
|
szString="IMAGE_DOS_HEADER.e_res2[8]: 0x"+script.wordToHex(value);
|
|
if(value==0)
|
|
{
|
|
script.addSuccessMessage(szString);
|
|
}
|
|
else
|
|
{
|
|
script.addWarningMessage(szString+" Invalid value(must be 0)");
|
|
}
|
|
value=pefile.getDosHeader_res2(9);
|
|
szString="IMAGE_DOS_HEADER.e_res2[9]: 0x"+script.wordToHex(value);
|
|
if(value==0)
|
|
{
|
|
script.addSuccessMessage(szString);
|
|
}
|
|
else
|
|
{
|
|
script.addWarningMessage(szString+" Invalid value(must be 0)");
|
|
}
|
|
value=pefile.getDosHeader_lfanew();
|
|
szString="IMAGE_DOS_HEADER.e_lfanew: 0x"+script.dwordToHex(value);
|
|
if(value%4)
|
|
{
|
|
script.addWarningMessage(szString+" Invalid value(must be multiplicity 4)");
|
|
}
|
|
else if(value==0)
|
|
{
|
|
script.addWarningMessage(szString+" Invalid value(must be initialized)");
|
|
}
|
|
else if(value<=64)
|
|
{
|
|
script.addWarningMessage(szString+" PE signature in MSDOS header");
|
|
}
|
|
else if(value>0x200)
|
|
{
|
|
script.addWarningMessage(szString+" Invalid value(too large)");
|
|
}
|
|
else
|
|
{
|
|
script.addSuccessMessage(szString);
|
|
}
|
|
|
|
if(pefile.isDosStubPresent())
|
|
{
|
|
script.addSuccessMessage("MS DOS present");
|
|
}
|
|
else
|
|
{
|
|
script.addWarningMessage("MS DOS is not present");
|
|
}
|
|
if(pefile.isRichSignaturePresent())
|
|
{
|
|
script.addSuccessMessage("Rich signature present");
|
|
}
|
|
else
|
|
{
|
|
script.addWarningMessage("Rich signature is not present");
|
|
}
|
|
|
|
value=pefile.getNTHeaders_Signature();
|
|
szString="IMAGE_NT_HEADERS.Signature: 0x"+script.dwordToHex(value);
|
|
if(value==0x00004550)
|
|
{
|
|
script.addSuccessMessage(szString);
|
|
}
|
|
else
|
|
{
|
|
script.addWarningMessage(szString+" Invalid value(must be 0x00004550)");
|
|
}
|
|
value=pefile.getFileHeader_Machine();
|
|
szString="IMAGE_NT_HEADERS.IMAGE_FILE_HEADER.Machine: 0x"+script.wordToHex(value);
|
|
if(value==0x014C)
|
|
{
|
|
script.addSuccessMessage(szString);
|
|
}
|
|
else if(value==0x8664)
|
|
{
|
|
script.addSuccessMessage(szString);
|
|
}
|
|
else
|
|
{
|
|
script.addErrorMessage(szString+" Invalid value(must be 0x014C or 0x8664)");
|
|
}
|
|
value=pefile.getFileHeader_NumberOfSections();
|
|
szString="IMAGE_NT_HEADERS.IMAGE_FILE_HEADER.NumberOfSections: 0x"+script.wordToHex(value);
|
|
if(value==0)
|
|
{
|
|
script.addErrorMessage(szString+" Invalid value(must be initialized)");
|
|
}
|
|
else if(value>0x60)
|
|
{
|
|
script.addErrorMessage(szString+" Invalid value(too large)");
|
|
}
|
|
else
|
|
{
|
|
script.addSuccessMessage(szString);
|
|
}
|
|
value=pefile.getFileHeader_TimeDateStamp();
|
|
szString="IMAGE_NT_HEADERS.IMAGE_FILE_HEADER.TimeDateStamp: 0x"+script.dwordToHex(value);
|
|
if(value==0)
|
|
{
|
|
script.addWarningMessage(szString+" Invalid value(must be initialized)");
|
|
}
|
|
else
|
|
{
|
|
script.addSuccessMessage(szString);
|
|
}
|
|
value=pefile.getFileHeader_PointerToSymbolTable();
|
|
szString="IMAGE_NT_HEADERS.IMAGE_FILE_HEADER.PointerToSymbolTable: 0x"+script.dwordToHex(value);
|
|
if(value)
|
|
{
|
|
script.addWarningMessage(szString+" Invalid value(must be 0)");
|
|
}
|
|
else
|
|
{
|
|
script.addSuccessMessage(szString);
|
|
}
|
|
value=pefile.getFileHeader_NumberOfSymbols();
|
|
szString="IMAGE_NT_HEADERS.IMAGE_FILE_HEADER.NumberOfSymbols: 0x"+script.dwordToHex(value);
|
|
if(value)
|
|
{
|
|
script.addWarningMessage(szString+" Invalid value(must be 0)");
|
|
}
|
|
else
|
|
{
|
|
script.addSuccessMessage(szString);
|
|
}
|
|
|
|
value=pefile.getFileHeader_SizeOfOptionalHeader();
|
|
szString="IMAGE_NT_HEADERS.IMAGE_FILE_HEADER.SizeOfOptionalHeader: 0x"+script.wordToHex(value);
|
|
if(value==0)
|
|
{
|
|
script.addErrorMessage(szString+" Invalid value(must be initialized)");
|
|
}
|
|
else
|
|
{
|
|
if(pefile.isPEPlus())
|
|
{
|
|
if(value==0xF0)
|
|
{
|
|
script.addSuccessMessage(szString);
|
|
}
|
|
else
|
|
{
|
|
script.addWarningMessage(szString+" Invalid value(must be 0x00F0)");
|
|
}
|
|
}
|
|
else
|
|
{
|
|
if(value==0xE0)
|
|
{
|
|
script.addSuccessMessage(szString);
|
|
}
|
|
else
|
|
{
|
|
script.addWarningMessage(szString+" Invalid value(must be 0x00E0)");
|
|
}
|
|
}
|
|
}
|
|
value=pefile.getFileHeader_Characteristics();
|
|
szString="IMAGE_NT_HEADERS.IMAGE_FILE_HEADER.Characteristics: 0x"+script.wordToHex(value);
|
|
|
|
if(value==0)
|
|
{
|
|
script.addErrorMessage(szString+" Invalid value(must be initialized)");
|
|
}
|
|
else if(value&0x0002)
|
|
{
|
|
script.addSuccessMessage(szString);
|
|
}
|
|
else
|
|
{
|
|
script.addErrorMessage(szString+" Invalid value(IMAGE_FILE_EXECUTABLE_IMAGE must be set)");
|
|
}
|
|
|
|
value=pefile.getOptionalHeader_Magic();
|
|
szString="IMAGE_NT_HEADERS.IMAGE_OPTIONAL_HEADER.Magic: 0x"+script.wordToHex(value);
|
|
if(value==0)
|
|
{
|
|
script.addErrorMessage(szString+" Invalid value(must be initialized)");
|
|
}
|
|
else if(value==0x10B)
|
|
{
|
|
script.addSuccessMessage(szString);
|
|
}
|
|
else if(value==0x20B)
|
|
{
|
|
script.addSuccessMessage(szString);
|
|
}
|
|
else
|
|
{
|
|
script.addErrorMessage(szString+"Invalid value(must be 0x10B or 0x20B)");
|
|
}
|
|
|
|
value=pefile.getOptionalHeader_MajorLinkerVersion();
|
|
szString="IMAGE_NT_HEADERS.IMAGE_OPTIONAL_HEADER.MajorLinkerVersion: 0x"+script.byteToHex(value);
|
|
if(value==0)
|
|
{
|
|
script.addWarningMessage(szString+" Invalid value(must be initialized)");
|
|
}
|
|
else
|
|
{
|
|
script.addSuccessMessage(szString);
|
|
}
|
|
value=pefile.getOptionalHeader_MinorLinkerVersion();
|
|
szString="IMAGE_NT_HEADERS.IMAGE_OPTIONAL_HEADER.MinorLinkerVersion: 0x"+script.byteToHex(value);
|
|
|
|
script.addSuccessMessage(szString);
|
|
|
|
value=pefile.getOptionalHeader_SizeOfCode();
|
|
szString="IMAGE_NT_HEADERS.IMAGE_OPTIONAL_HEADER.SizeOfCode: 0x"+script.dwordToHex(value);
|
|
|
|
if(value==pefile.calculateSizeOfCode())
|
|
{
|
|
script.addSuccessMessage(szString);
|
|
}
|
|
else
|
|
{
|
|
script.addWarningMessage(szString+" Invalid value(must be "+script.dwordToHex(pefile.calculateSizeOfCode())+")");
|
|
}
|
|
|
|
value=pefile.getOptionalHeader_SizeOfInitializedData();
|
|
szString="IMAGE_NT_HEADERS.IMAGE_OPTIONAL_HEADER.SizeOfInitializedData: 0x"+script.dwordToHex(value);
|
|
|
|
if(value==pefile.calculateSizeOfInitializedData())
|
|
{
|
|
script.addSuccessMessage(szString);
|
|
}
|
|
else if(value==pefile.calculateSizeOfInitializedData2())
|
|
{
|
|
script.addSuccessMessage(szString);
|
|
}
|
|
else
|
|
{
|
|
script.addWarningMessage(szString+" Invalid value(must be "+script.dwordToHex(pefile.calculateSizeOfInitializedData())+" or "+script.dwordToHex(pefile.calculateSizeOfInitializedData2())+")");
|
|
}
|
|
|
|
value=pefile.getOptionalHeader_SizeOfUninitializedData();
|
|
szString="IMAGE_NT_HEADERS.IMAGE_OPTIONAL_HEADER.SizeOfUninitializedData: 0x"+script.dwordToHex(value);
|
|
|
|
if(value==pefile.calculateSizeOfUninitializedData())
|
|
{
|
|
script.addSuccessMessage(szString);
|
|
}
|
|
else
|
|
{
|
|
script.addWarningMessage(szString+" Invalid value(must be "+script.dwordToHex(pefile.calculateSizeOfUninitializedData())+")");
|
|
}
|
|
|
|
value=pefile.getOptionalHeader_AddressOfEntryPoint();
|
|
szString="IMAGE_NT_HEADERS.IMAGE_OPTIONAL_HEADER.AddressOfEntryPoint: 0x"+script.dwordToHex(value);
|
|
|
|
if(pefile.RVAToSection(value)==0)
|
|
{
|
|
script.addSuccessMessage(szString);
|
|
}
|
|
else if(value<pefile.getOptionalHeader_SizeOfHeaders())
|
|
{
|
|
script.addWarningMessage(szString+" AddressOfEntryPoint in header");
|
|
}
|
|
else
|
|
{
|
|
script.addErrorMessage(szString+" Invalid value");
|
|
}
|
|
|
|
value=pefile.getOptionalHeader_BaseOfCode();
|
|
szString="IMAGE_NT_HEADERS.IMAGE_OPTIONAL_HEADER.BaseOfCode: 0x"+script.dwordToHex(value);
|
|
|
|
if(value==pefile.calculateBaseOfCode())
|
|
{
|
|
script.addSuccessMessage(szString);
|
|
}
|
|
else
|
|
{
|
|
script.addWarningMessage(szString+" Invalid value(must be "+script.dwordToHex(pefile.calculateBaseOfCode())+")");
|
|
}
|
|
|
|
if(!pefile.isPEPlus())
|
|
{
|
|
value=pefile.getOptionalHeader_BaseOfData();
|
|
szString="IMAGE_NT_HEADERS.IMAGE_OPTIONAL_HEADER.BaseOfData: 0x"+script.dwordToHex(value);
|
|
|
|
if(value==pefile.calculateBaseOfData())
|
|
{
|
|
script.addSuccessMessage(szString);
|
|
}
|
|
else
|
|
{
|
|
script.addWarningMessage(szString+" Invalid value(must be "+script.dwordToHex(pefile.calculateBaseOfData())+")");
|
|
}
|
|
}
|
|
|
|
if(pefile.isPEPlus())
|
|
{
|
|
value=pefile.getOptionalHeader_ImageBase64();
|
|
szString="IMAGE_NT_HEADERS.IMAGE_OPTIONAL_HEADER.ImageBase: 0x"+script.qwordToHex(value);
|
|
}
|
|
else
|
|
{
|
|
value=pefile.getOptionalHeader_ImageBase();
|
|
szString="IMAGE_NT_HEADERS.IMAGE_OPTIONAL_HEADER.ImageBase: 0x"+script.dwordToHex(value);
|
|
}
|
|
if(value==0)
|
|
{
|
|
script.addErrorMessage(szString+" Invalid value(must be initialized)");
|
|
}
|
|
else if(value%0x10000==0)
|
|
{
|
|
script.addSuccessMessage(szString);
|
|
}
|
|
else
|
|
{
|
|
script.addErrorMessage(szString+" Invalid value(must be multiplicity 0x10000)");
|
|
}
|
|
|
|
value=pefile.getOptionalHeader_SectionAlignment();
|
|
szString="IMAGE_NT_HEADERS.IMAGE_OPTIONAL_HEADER.SectionAlignment: 0x"+script.dwordToHex(value);
|
|
|
|
if(value==0)
|
|
{
|
|
script.addErrorMessage(szString+" Invalid value(must be initialized)");
|
|
}
|
|
else if(value==0x1000)
|
|
{
|
|
script.addSuccessMessage(szString);
|
|
}
|
|
else
|
|
{
|
|
script.addWarningMessage(szString+" Invalid value(must be 0x1000)");
|
|
}
|
|
|
|
value=pefile.getOptionalHeader_FileAlignment();
|
|
szString="IMAGE_NT_HEADERS.IMAGE_OPTIONAL_HEADER.FileAlignment: 0x"+script.dwordToHex(value);
|
|
|
|
if(value==0)
|
|
{
|
|
script.addErrorMessage(szString+" Invalid value(must be initialized)");
|
|
}
|
|
else if(value==0x200)
|
|
{
|
|
script.addSuccessMessage(szString);
|
|
}
|
|
else
|
|
{
|
|
script.addWarningMessage(szString+" Invalid value(must be 0x200)");
|
|
}
|
|
|
|
value=pefile.getOptionalHeader_MajorOperatingSystemVersion();
|
|
szString="IMAGE_NT_HEADERS.IMAGE_OPTIONAL_HEADER.MajorOperatingSystemVersion: 0x"+script.wordToHex(value);
|
|
|
|
if(value)
|
|
{
|
|
script.addSuccessMessage(szString);
|
|
}
|
|
else
|
|
{
|
|
script.addWarningMessage(szString+" Invalid value(must be initialized)");
|
|
}
|
|
|
|
value=pefile.getOptionalHeader_MinorOperatingSystemVersion();
|
|
szString="IMAGE_NT_HEADERS.IMAGE_OPTIONAL_HEADER.MinorOperatingSystemVersion: 0x"+script.wordToHex(value);
|
|
|
|
script.addSuccessMessage(szString);
|
|
|
|
value=pefile.getOptionalHeader_MajorImageVersion();
|
|
szString="IMAGE_NT_HEADERS.IMAGE_OPTIONAL_HEADER.MajorImageVersion: 0x"+script.wordToHex(value);
|
|
|
|
script.addSuccessMessage(szString);
|
|
|
|
value=pefile.getOptionalHeader_MinorImageVersion();
|
|
szString="IMAGE_NT_HEADERS.IMAGE_OPTIONAL_HEADER.MinorImageVersion: 0x"+script.wordToHex(value);
|
|
|
|
script.addSuccessMessage(szString);
|
|
|
|
value=pefile.getOptionalHeader_MajorSubsystemVersion();
|
|
szString="IMAGE_NT_HEADERS.IMAGE_OPTIONAL_HEADER.MajorSubsystemVersion: 0x"+script.wordToHex(value);
|
|
|
|
if(value)
|
|
{
|
|
script.addSuccessMessage(szString);
|
|
}
|
|
else
|
|
{
|
|
script.addWarningMessage(szString+" Invalid value(must be initialized)");
|
|
}
|
|
|
|
value=pefile.getOptionalHeader_MinorSubsystemVersion();
|
|
szString="IMAGE_NT_HEADERS.IMAGE_OPTIONAL_HEADER.MinorSubsystemVersion: 0x"+script.wordToHex(value);
|
|
|
|
script.addSuccessMessage(szString);
|
|
|
|
|
|
value=pefile.getOptionalHeader_Win32VersionValue();
|
|
szString="IMAGE_NT_HEADERS.IMAGE_OPTIONAL_HEADER.Win32VersionValue: 0x"+script.dwordToHex(value);
|
|
|
|
if(value==0)
|
|
{
|
|
script.addSuccessMessage(szString);
|
|
}
|
|
else
|
|
{
|
|
script.addWarningMessage(szString+" Invalid value(must be 0)");
|
|
}
|
|
|
|
|
|
value=pefile.getOptionalHeader_SizeOfImage();
|
|
szString="IMAGE_NT_HEADERS.IMAGE_OPTIONAL_HEADER.SizeOfImage: 0x"+script.dwordToHex(value);
|
|
|
|
if(value==0)
|
|
{
|
|
script.addErrorMessage(szString+" Invalid value(must be initialized)");
|
|
}
|
|
else if(value==pefile.calculateSizeOfImage())
|
|
{
|
|
script.addSuccessMessage(szString);
|
|
}
|
|
else if(value==pefile.calculateSizeOfImage2())
|
|
{
|
|
script.addSuccessMessage(szString);
|
|
}
|
|
else
|
|
{
|
|
script.addErrorMessage(szString+" Invalid value(must be "+script.dwordToHex(pefile.calculateSizeOfImage())+" or "+script.dwordToHex(pefile.calculateSizeOfImage2())+")" );
|
|
}
|
|
|
|
|
|
value=pefile.getOptionalHeader_SizeOfHeaders();
|
|
szString="IMAGE_NT_HEADERS.IMAGE_OPTIONAL_HEADER.SizeOfHeaders: 0x"+script.dwordToHex(value);
|
|
|
|
if(value==0)
|
|
{
|
|
script.addErrorMessage(szString+" Invalid value(must be initialized)");
|
|
}
|
|
else if(value==pefile.calculateSizeOfHeaders())
|
|
{
|
|
script.addSuccessMessage(szString);
|
|
}
|
|
else
|
|
{
|
|
script.addErrorMessage(szString+" Invalid value(must be "+script.dwordToHex(pefile.calculateSizeOfHeaders())+")" );
|
|
}
|
|
|
|
value=pefile.getOptionalHeader_CheckSum();
|
|
szString="IMAGE_NT_HEADERS.IMAGE_OPTIONAL_HEADER.CheckSum: 0x"+script.dwordToHex(value);
|
|
|
|
var nCheckSum=pefile.CalculateCheckSum();
|
|
if(value==nCheckSum)
|
|
{
|
|
script.addSuccessMessage(szString);
|
|
}
|
|
else
|
|
{
|
|
script.addWarningMessage(szString+" Invalid value(must be "+script.dwordToHex(nCheckSum)+")");
|
|
}
|
|
|
|
|
|
value=pefile.getOptionalHeader_Subsystem();
|
|
szString="IMAGE_NT_HEADERS.IMAGE_OPTIONAL_HEADER.Subsystem: 0x"+script.wordToHex(value);
|
|
|
|
if(value)
|
|
{
|
|
script.addSuccessMessage(szString);
|
|
}
|
|
else
|
|
{
|
|
script.addErrorMessage(szString+" Invalid value(must be initialized)");
|
|
}
|
|
|
|
|
|
value=pefile.getOptionalHeader_DllCharacteristics();
|
|
szString="IMAGE_NT_HEADERS.IMAGE_OPTIONAL_HEADER.DllCharacteristics: 0x"+script.wordToHex(value);
|
|
|
|
script.addSuccessMessage(szString);
|
|
|
|
if(pefile.isPEPlus())
|
|
{
|
|
value=pefile.getOptionalHeader_SizeOfStackReserve64();
|
|
szString="IMAGE_NT_HEADERS.IMAGE_OPTIONAL_HEADER.SizeOfStackReserve: 0x"+script.qwordToHex(value);
|
|
|
|
if(value)
|
|
{
|
|
script.addSuccessMessage(szString);
|
|
}
|
|
else
|
|
{
|
|
script.addWarningMessage(szString+" Invalid value(must be initialized)");
|
|
}
|
|
}
|
|
else
|
|
{
|
|
value=pefile.getOptionalHeader_SizeOfStackReserve();
|
|
szString="IMAGE_NT_HEADERS.IMAGE_OPTIONAL_HEADER.SizeOfStackReserve: 0x"+script.dwordToHex(value);
|
|
|
|
if(value)
|
|
{
|
|
script.addSuccessMessage(szString);
|
|
}
|
|
else
|
|
{
|
|
script.addWarningMessage(szString+" Invalid value(must be initialized)");
|
|
}
|
|
}
|
|
|
|
if(pefile.isPEPlus())
|
|
{
|
|
value=pefile.getOptionalHeader_SizeOfStackCommit64();
|
|
szString="IMAGE_NT_HEADERS.IMAGE_OPTIONAL_HEADER.SizeOfStackCommit: 0x"+script.qwordToHex(value);
|
|
|
|
if(value)
|
|
{
|
|
script.addSuccessMessage(szString);
|
|
}
|
|
else if(value>pefile.getOptionalHeader_SizeOfStackReserve64())
|
|
{
|
|
script.addErrorMessage(szString+" Invalid value(must be below than IMAGE_NT_HEADERS.IMAGE_OPTIONAL_HEADER.SizeOfStackReserve)");
|
|
}
|
|
else
|
|
{
|
|
script.addWarningMessage(szString+" Invalid value(must be initialized)");
|
|
}
|
|
}
|
|
else
|
|
{
|
|
value=pefile.getOptionalHeader_SizeOfStackCommit();
|
|
szString="IMAGE_NT_HEADERS.IMAGE_OPTIONAL_HEADER.SizeOfStackCommit: 0x"+script.dwordToHex(value);
|
|
|
|
if(value)
|
|
{
|
|
script.addSuccessMessage(szString);
|
|
}
|
|
else if(value>pefile.getOptionalHeader_SizeOfStackReserve())
|
|
{
|
|
script.addErrorMessage(szString+" Invalid value(must be below than IMAGE_NT_HEADERS.IMAGE_OPTIONAL_HEADER.SizeOfStackReserve)");
|
|
}
|
|
else
|
|
{
|
|
script.addWarningMessage(szString+" Invalid value(must be initialized)");
|
|
}
|
|
}
|
|
|
|
if(pefile.isPEPlus())
|
|
{
|
|
value=pefile.getOptionalHeader_SizeOfHeapReserve64();
|
|
szString="IMAGE_NT_HEADERS.IMAGE_OPTIONAL_HEADER.SizeOfHeapReserve: 0x"+script.qwordToHex(value);
|
|
|
|
script.addSuccessMessage(szString);
|
|
|
|
}
|
|
else
|
|
{
|
|
value=pefile.getOptionalHeader_SizeOfHeapReserve();
|
|
szString="IMAGE_NT_HEADERS.IMAGE_OPTIONAL_HEADER.SizeOfHeapReserve: 0x"+script.dwordToHex(value);
|
|
|
|
script.addSuccessMessage(szString);
|
|
}
|
|
|
|
if(pefile.isPEPlus())
|
|
{
|
|
value=pefile.getOptionalHeader_SizeOfHeapCommit64();
|
|
szString="IMAGE_NT_HEADERS.IMAGE_OPTIONAL_HEADER.SizeOfHeapCommit: 0x"+script.qwordToHex(value);
|
|
|
|
script.addSuccessMessage(szString);
|
|
}
|
|
else
|
|
{
|
|
value=pefile.getOptionalHeader_SizeOfHeapCommit();
|
|
szString="IMAGE_NT_HEADERS.IMAGE_OPTIONAL_HEADER.SizeOfHeapCommit: 0x"+script.dwordToHex(value);
|
|
|
|
script.addSuccessMessage(szString);
|
|
}
|
|
|
|
value=pefile.getOptionalHeader_LoaderFlags();
|
|
szString="IMAGE_NT_HEADERS.IMAGE_OPTIONAL_HEADER.LoaderFlags: 0x"+script.dwordToHex(value);
|
|
|
|
script.addSuccessMessage(szString);
|
|
|
|
value=pefile.getOptionalHeader_NumberOfRvaAndSizes();
|
|
szString="IMAGE_NT_HEADERS.IMAGE_OPTIONAL_HEADER.NumberOfRvaAndSizes: 0x"+script.dwordToHex(value);
|
|
|
|
if(value==16)
|
|
{
|
|
script.addSuccessMessage(szString);
|
|
}
|
|
else
|
|
{
|
|
script.addWarningMessage(szString+" Invalid value(must be 0x00000010)");
|
|
}
|
|
|
|
// Export
|
|
if(pefile.isDll())
|
|
{
|
|
if(pefile.isExportPresent())
|
|
{
|
|
script.addSuccessMessage("Export is present");
|
|
}
|
|
else
|
|
{
|
|
script.addWarningMessage("Export is not present");
|
|
}
|
|
}
|
|
else
|
|
{
|
|
if(pefile.isExportPresent())
|
|
{
|
|
script.addWarningMessage("Export is present");
|
|
}
|
|
else
|
|
{
|
|
script.addSuccessMessage("Export is present");
|
|
}
|
|
}
|
|
|
|
// Import
|
|
if(pefile.isImportPresent())
|
|
{
|
|
script.addSuccessMessage("Import is present");
|
|
}
|
|
else
|
|
{
|
|
script.addErrorMessage("Import is not present(module will not work in Windows 2000 and Vista)");
|
|
}
|
|
|
|
// Resource
|
|
if(pefile.isResourcePresent())
|
|
{
|
|
script.addSuccessMessage("Resource is present");
|
|
}
|
|
else
|
|
{
|
|
script.addWarningMessage("Resource is not present");
|
|
}
|
|
|
|
// Version info
|
|
if(pefile.isVersionInfoPresent())
|
|
{
|
|
script.addSuccessMessage("Version info is present");
|
|
}
|
|
else
|
|
{
|
|
script.addWarningMessage("Version info is not present");
|
|
}
|
|
|
|
|
|
var nNumberOfSections=pefile.getFileHeader_NumberOfSections();
|
|
|
|
// Check sections
|
|
for(var i=0;(i<nNumberOfSections)&&(i<20);i++)
|
|
{
|
|
value=pefile.getSectionNameAsString(i);
|
|
szString="IMAGE_SECTION_HEADER["+i+"].Name: "+value;
|
|
|
|
if(value!="")
|
|
{
|
|
script.addSuccessMessage(szString);
|
|
}
|
|
else
|
|
{
|
|
script.addWarningMessage(szString+" Invalid value(must be initialized)");
|
|
}
|
|
|
|
value=pefile.getSection_VirtualAddress(i);
|
|
szString="IMAGE_SECTION_HEADER["+i+"].VirtualAddress: 0x"+script.dwordToHex(value);
|
|
|
|
if(value==0)
|
|
{
|
|
script.addErrorMessage(szString+" Invalid value(must be initialized)");
|
|
}
|
|
else if(pefile.isRVAValid(value))
|
|
{
|
|
script.addSuccessMessage(szString);
|
|
}
|
|
else
|
|
{
|
|
script.addErrorMessage(szString+" Invalid value");
|
|
}
|
|
|
|
value=pefile.getSection_VirtualSize(i);
|
|
szString="IMAGE_SECTION_HEADER["+i+"].VirtualSize: 0x"+script.dwordToHex(value);
|
|
|
|
if(value==0)
|
|
{
|
|
script.addErrorMessage(szString+" Invalid value(must be initialized)");
|
|
}
|
|
else if(pefile.isRVAValid(pefile.getSection_VirtualAddress(i)))
|
|
{
|
|
script.addSuccessMessage(szString);
|
|
}
|
|
else
|
|
{
|
|
script.addErrorMessage(szString+" Invalid value");
|
|
}
|
|
|
|
value=pefile.getSection_SizeOfRawData(i);
|
|
szString="IMAGE_SECTION_HEADER["+i+"].SizeOfRawData: 0x"+script.dwordToHex(value);
|
|
|
|
if(value==0)
|
|
{
|
|
script.addErrorMessage(szString+" Invalid value(must be initialized)");
|
|
}
|
|
else if(pefile.isOffsetValid(value+pefile.getSection_PointerToRawData(i)))
|
|
{
|
|
script.addSuccessMessage(szString);
|
|
}
|
|
else
|
|
{
|
|
script.addErrorMessage(szString+" Invalid value");
|
|
}
|
|
|
|
|
|
value=pefile.getSection_PointerToRawData(i);
|
|
szString="IMAGE_SECTION_HEADER["+i+"].PointerToRawData: 0x"+script.dwordToHex(value);
|
|
|
|
if(value==0)
|
|
{
|
|
script.addErrorMessage(szString+" Invalid value(must be initialized)");
|
|
}
|
|
else if(pefile.isOffsetValid(value))
|
|
{
|
|
script.addSuccessMessage(szString);
|
|
}
|
|
else
|
|
{
|
|
script.addErrorMessage(szString+" Invalid value");
|
|
}
|
|
|
|
value=pefile.getSection_PointerToRelocations(i);
|
|
szString="IMAGE_SECTION_HEADER["+i+"].PointerToRelocations: 0x"+script.dwordToHex(value);
|
|
|
|
if(value==0)
|
|
{
|
|
script.addSuccessMessage(szString);
|
|
}
|
|
else
|
|
{
|
|
script.addWarningMessage(szString+" Invalid value(must be 0)");
|
|
};
|
|
|
|
value=pefile.getSection_PointerToLinenumbers(i);
|
|
szString="IMAGE_SECTION_HEADER["+i+"].PointerToLinenumbers: 0x"+script.dwordToHex(value);
|
|
|
|
if(value==0)
|
|
{
|
|
script.addSuccessMessage(szString);
|
|
}
|
|
else
|
|
{
|
|
script.addWarningMessage(szString+" Invalid value(must be 0)");
|
|
};
|
|
|
|
value=pefile.getSection_NumberOfRelocations(i);
|
|
szString="IMAGE_SECTION_HEADER["+i+"].NumberOfRelocations: 0x"+script.wordToHex(value);
|
|
|
|
if(value==0)
|
|
{
|
|
script.addSuccessMessage(szString);
|
|
}
|
|
else
|
|
{
|
|
script.addWarningMessage(szString+" Invalid value(must be 0)");
|
|
};
|
|
|
|
value=pefile.getSection_NumberOfLinenumbers(i);
|
|
szString="IMAGE_SECTION_HEADER["+i+"].NumberOfLinenumbers: 0x"+script.wordToHex(value);
|
|
|
|
if(value==0)
|
|
{
|
|
script.addSuccessMessage(szString);
|
|
}
|
|
else
|
|
{
|
|
script.addWarningMessage(szString+" Invalid value(must be 0)");
|
|
};
|
|
|
|
value=pefile.getSection_Characteristics(i);
|
|
szString="IMAGE_SECTION_HEADER["+i+"].Characteristics: 0x"+script.wordToHex(value);
|
|
|
|
if(value==0)
|
|
{
|
|
script.addErrorMessage(szString+" Invalid value(must be initialized)");
|
|
}
|
|
else
|
|
{
|
|
script.addSuccessMessage(szString);
|
|
}
|
|
|
|
}
|
|
|
|
// Check overlay
|
|
if(pefile.isOverlayPresent())
|
|
{
|
|
script.addWarningMessage("Overlay is present");
|
|
}
|
|
else
|
|
{
|
|
script.addSuccessMessage("Overlay is not present");
|
|
}
|
|
}
|
|
}
|
|
}
|