
PE Header Test 32-bit vs 64-bit


PE Header Test 32-bit vs 64-bit

dtanner
All -



While working toward implementing the peheader_test, I noticed that the test assumes a 32-bit executable but does not take into account the possibility of a 64-bit executable.  Is this just a limitation in the documentation or should we only be gathering information for 32-bit files?



For a 64-bit executable, some of the DWORD fields are now QWORD fields: image_base_address, size_of_stack_reserve, size_of_stack_commit, size_of_heap_reserve, size_of_heap_commit.



Thanks,



Doug

To unsubscribe, send an email message to [hidden email] with
SIGNOFF OVAL-DEVELOPER-LIST
in the BODY of the message.  If you have difficulties, write to [hidden email].

Re: PE Header Test 32-bit vs 64-bit

dtanner
I guess I should clarify my verbiage.  When I say 64-bit I mean PE32+ and when I say 32-bit I mean PE32.



Additionally, the data_base element does not exist for 64-bit executables so should it be set to "does not exist" or "not collected"?



Thanks,



Doug

________________________________
From: OVAL_Developer [[hidden email]] on behalf of Tanner, Douglas C CIV SPAWARSYSCEN-ATLANTIC, 58510 [[hidden email]]
Sent: Wednesday, July 29, 2015 9:00 AM
To: [hidden email]
Cc: [hidden email]
Subject: [OVAL DEVELOPER] PE Header Test 32-bit vs 64-bit

All -



While working toward implementing the peheader_test, I noticed that the test assumes a 32-bit executable but does not take into account the possibility of a 64-bit executable.  Is this just a limitation in the documentation or should we only be gathering information for 32-bit files?



For a 64-bit executable, some of the DWORD fields are now QWORD fields: image_base_address, size_of_stack_reserve, size_of_stack_commit, size_of_heap_reserve, size_of_heap_commit.



Thanks,



Doug

...

_______________________________________________
OVAL_Developer mailing list
[hidden email]
http://lists.cisecurity.org/mailman/listinfo/oval_developer_lists.cisecurity.org
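
The PE32 vs PE32+ width difference raised in this thread, shown as an added example (not code from the posts or from any OVAL interpreter): a collector that selects field offsets and widths from the optional header Magic value. The dictionary keys reuse the thread's element names; the function names and sample values are constructed for illustration, and `None` for data_base only marks the field as absent from the format, not which OVAL status to report.

```python
import struct

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
# magic -> (name, bytes needed, ImageBase offset, field width: I=DWORD, Q=QWORD)
LAYOUT = {PE32_MAGIC: ("PE32", 88, 28, "I"), PE32PLUS_MAGIC: ("PE32+", 104, 24, "Q")}

def parse_optional_header(opt: bytes) -> dict:
    """Read the width-dependent fields; `opt` starts at the Magic field."""
    if len(opt) < 2:
        raise ValueError("truncated before Magic")
    (magic,) = struct.unpack_from("<H", opt, 0)
    if magic not in LAYOUT:
        raise ValueError(f"unsupported optional header magic {magic:#x}")
    name, need, base_off, word = LAYOUT[magic]
    if len(opt) < need:
        raise ValueError(f"truncated {name} optional header")
    (image_base,) = struct.unpack_from("<" + word, opt, base_off)
    sizes = struct.unpack_from("<4" + word, opt, 72)  # stack/heap reserve, commit
    # BaseOfData (DWORD at 24) exists only in PE32; PE32+ reuses those bytes
    data_base = struct.unpack_from("<I", opt, 24)[0] if magic == PE32_MAGIC else None
    return {
        "format": name,
        "data_base": data_base,
        "image_base_address": image_base,
        "size_of_stack_reserve": sizes[0],
        "size_of_stack_commit": sizes[1],
        "size_of_heap_reserve": sizes[2],
        "size_of_heap_commit": sizes[3],
    }

def build_sample(magic, image_base, sizes, data_base=0) -> bytes:
    """Constructed header for the demo; every other field is left zero."""
    pe32 = magic == PE32_MAGIC
    buf = bytearray(96 if pe32 else 112)
    struct.pack_into("<H", buf, 0, magic)
    if pe32:
        struct.pack_into("<II", buf, 24, data_base, image_base)
    else:
        struct.pack_into("<Q", buf, 24, image_base)
    struct.pack_into("<4I" if pe32 else "<4Q", buf, 72, *sizes)
    return bytes(buf)

def pe32_only_image_base(opt: bytes) -> int:
    """What a collector that assumes PE32 reads as ImageBase (DWORD at 28)."""
    return struct.unpack_from("<I", opt, 28)[0]

if __name__ == "__main__":
    plus = build_sample(PE32PLUS_MAGIC, 0x140000000, (0x100000, 0x1000, 0x100000, 0x1000))
    print(parse_optional_header(plus))
    print(hex(pe32_only_image_base(plus)))  # upper half of the QWORD, not the base
```

On the constructed PE32+ sample, the PE32-only read returns the upper DWORD of the 64-bit image base, which is the kind of silently wrong value a collector produces when it ignores the Magic field.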
