#pragma once
#include <windows.h>
#include <vector>
#include <string>
#include <cstdint>
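/// Per-section facts collected by PEAnalyzer::analyze(), plus the flags it
/// derives from them for scoring.
///
/// Plain aggregate. Every member now carries a default initializer so a
/// default-constructed SectionInfo never feeds indeterminate bools/doubles
/// into the verdict (the original left all members uninitialised; a garbage
/// `isRWX` or `highEntropy` would silently inflate or deflate the score).
/// Aggregate initialisation still works (C++14 and later).
struct SectionInfo {
    std::string name;            ///< Section name as produced by PEAnalyzer::GetSectionName().
    DWORD rva{0};                ///< Section RVA — presumably IMAGE_SECTION_HEADER::VirtualAddress; confirm in pe_analyzer.cpp.
    DWORD rawSize{0};            ///< Bytes on disk — presumably SizeOfRawData; confirm.
    DWORD virtualSize{0};        ///< Bytes when mapped — presumably Misc.VirtualSize; confirm.
    DWORD characteristics{0};    ///< Raw Characteristics bit field copied from the section header.
    bool canRead{false};         ///< Permission flags; presumably decoded from IMAGE_SCN_MEM_* bits — confirm.
    bool canWrite{false};
    bool canExecute{false};
    bool containsCode{false};    ///< NOTE(review): likely IMAGE_SCN_CNT_CODE — verify in the analyzer.
    bool entryPointHere{false};  ///< Presumably set when the entry-point RVA lies inside this section — confirm.
    double entropy{0.0};         ///< Value returned by PEAnalyzer::CalculateEntropy() for the raw section bytes.
    double threshold{0.0};       ///< Cut-off returned by PEAnalyzer::GetEntropyThreshold() for this section's name.
    bool highEntropy{false};     ///< Packing/encryption indicator; presumably entropy > threshold — confirm.
    bool isRWX{false};           ///< Read+write+execute at once — a classic self-modifying/unpacker red flag.
};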
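/// Whole-file result of PEAnalyzer::analyze().
///
/// Plain aggregate. All scalar members are zero-initialised: the original
/// initialised only the two ints, so imageBase/epRVA/epVA were indeterminate
/// whenever analyze() bailed out before reaching the optional header — and a
/// caller that ignored analyze()'s return value would then print garbage
/// addresses as if they were real.
struct PEAnalysisResult {
    std::string filePath;                 ///< Path that was handed to analyze().
    std::string arch;                     ///< Human-readable machine/architecture label; wording is set by the analyzer.
    std::string subsystem;                ///< Human-readable subsystem label; wording is set by the analyzer.
    std::uint64_t imageBase{0};           ///< Preferred load address — presumably from the optional header; confirm.
    std::uint64_t epRVA{0};               ///< Entry-point RVA.
    std::uint64_t epVA{0};                ///< Entry-point VA — presumably imageBase + epRVA; confirm.
    int sectionCount = 0;                 ///< Number of section headers parsed.
    int suspicionScore = 0;               ///< Accumulated heuristic score; its scale is defined by the analyzer, not here.
    std::string verdict;                  ///< Textual verdict derived from suspicionScore.
    std::vector<SectionInfo> sections;    ///< One SectionInfo per parsed section (order: presumably header order).
};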
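/// Parses a PE file from disk and scores it with static heuristics (section
/// permissions, entropy, entry-point placement). Declarations only; bodies
/// live in pe_analyzer.cpp.
///
/// Security contract — the input file is untrusted:
///  - Every header field must be treated as hostile: section counts, RVAs and
///    sizes may point outside the bytes actually read. RvaToRaw() is the
///    choke point; it should fail closed on an RVA that no section covers
///    rather than hand back an offset that walks off the buffer — verify in
///    pe_analyzer.cpp.
///  - NOTE(review): IMAGE_SECTION_HEADER::Name is an 8-byte array that the PE
///    format does not require to be NUL-terminated; GetSectionName() must
///    bound its copy to 8 bytes instead of treating it as a C string.
///  - CalculateEntropy() receives attacker-controlled sizes; size == 0 must
///    not divide by zero or index an empty buffer.
/// No internal synchronisation: one instance, one result, one thread.
class PEAnalyzer {
public:
    /// Analyse the file at `path`.
    /// @return false if the file could not be read or is not a PE the
    ///   analyzer accepts. Marked [[nodiscard]] because result() after a
    ///   failed analyze() exposes whatever partial state the parser left —
    ///   TODO confirm whether the implementation resets m_result first.
    [[nodiscard]] bool analyze(const std::string& path);

    /// Result of the most recent analyze() call. The reference aliases a
    /// member, so it is valid only while this analyzer lives and until the
    /// next analyze() call overwrites it.
    const PEAnalysisResult& result() const;

private:
    PEAnalysisResult m_result;   ///< Populated by analyze(); see PEAnalysisResult.

    /// Entropy of `data[0, size)`; drives SectionInfo::highEntropy.
    double CalculateEntropy(const unsigned char* data, size_t size);
    /// Section name of `s` as a std::string (see the 8-byte caveat above).
    std::string GetSectionName(const IMAGE_SECTION_HEADER& s);
    /// Map `rva` to a raw file offset by searching `sections`. The value
    /// returned when no section matches is defined by the implementation,
    /// not by this header — callers must check it before indexing.
    DWORD RvaToRaw(DWORD rva, const std::vector<IMAGE_SECTION_HEADER>& sections);
    /// Entropy cut-off to apply to a section with the given name.
    double GetEntropyThreshold(const std::string& name);
};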