Proposal: Expand Coverage of Resources in Windows Executable File Object
Ivan Kirillov edited this page Dec 18, 2013 · 5 revisions
Status: Closed
Comment Period Closes: 12/17/2013
Affects Backwards Compatibility: No
Relevant Issues: https://github.com/CybOXProject/schemas/issues/62
This proposal concerns the Windows Executable File Object and its ability to accurately characterize PE File Resources. Specifically, we felt that the `PEResourceType` was incomplete and missing a few key fields useful for ensuring complete capture of PE Resource details.
In version 2.0.1 of the Windows Executable File Object, the `PEResourceType` only had the following fields:
Field | Description |
---|---|
Type | The Type field refers to the type of data referred to by this resource. |
Name | The Name field specifies the name of the resource used by the PE binary. |
Hashes | The Hashes field is used to include any hash values computed using the specified PE binary resource as input. |
The `PEResourceType` in the Windows Executable File Object will be expanded with the following fields:
Field | Description |
---|---|
Size | The Size field specifies the size of the resource, in bytes. |
Virtual_Address | The Virtual_Address field specifies the relative virtual address (RVA) of the resource data. |
Language | The Language field specifies the name of the language (LANG) defined for the resource, if applicable. |
Sub_Language | The Sub_Language field specifies the name of the sub language (SUBLANG) defined for the resource, if applicable. |
Data | The Data field captures the actual data contained in the resource, most commonly as a base64-encoded string encapsulated in a CDATA (`<![CDATA[ ]]>`) section. |
No other datatypes are affected by this change, and there are no foreseen backwards compatibility issues.
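To show where each existing and proposed field comes from in a binary, the following added example (not part of the proposal or the CybOX code base) walks the three-level PE resource directory (type, name, language) and emits one record per resource keyed by the `PEResourceType` field names. The helper names `walk` and `build_sample`, the abbreviated `RT_NAMES` table, and the constructed `.rsrc` bytes are assumptions for illustration; Language and Sub_Language are emitted as numeric LANG/SUBLANG ids rather than names.

```python
import base64, hashlib, struct

RT_NAMES = {3: "Icon", 10: "RCData", 16: "VersionInfo", 24: "Manifest"}  # subset of RT_* ids

def walk(rsrc, rsrc_rva, off=0, path=()):
    """Yield one PEResourceType-style dict per leaf of the resource directory tree."""
    named, ids = struct.unpack_from("<HH", rsrc, off + 12)  # entry counts in directory header
    for i in range(named + ids):
        ident, target = struct.unpack_from("<II", rsrc, off + 16 + 8 * i)
        if ident & 0x80000000:  # named entry: offset to a length-prefixed UTF-16 string
            soff = ident & 0x7FFFFFFF
            (n,) = struct.unpack_from("<H", rsrc, soff)
            ident = rsrc[soff + 2:soff + 2 + 2 * n].decode("utf-16-le")
        if target & 0x80000000:  # high bit set: entry points at a subdirectory
            if len(path) < 2:    # refuse to descend past type/name/language (loop guard)
                yield from walk(rsrc, rsrc_rva, target & 0x7FFFFFFF, path + (ident,))
            continue
        data_rva, size = struct.unpack_from("<II", rsrc, target)  # IMAGE_RESOURCE_DATA_ENTRY
        start = data_rva - rsrc_rva
        if len(path) != 2 or not isinstance(ident, int) or start < 0 or start + size > len(rsrc):
            continue  # skip malformed trees and data lying outside the section
        data = rsrc[start:start + size]
        yield {
            "Type": RT_NAMES.get(path[0], str(path[0])),
            "Name": str(path[1]),
            "Size": size,
            "Virtual_Address": hex(data_rva),
            "Language": hex(ident & 0x3FF),    # primary language id (LANG)
            "Sub_Language": hex(ident >> 10),  # sub-language id (SUBLANG)
            "Data": base64.b64encode(data).decode(),
            "Hashes": {"SHA256": hashlib.sha256(data).hexdigest()},
        }

def build_sample(rva=0x4000, payload=b"constructed resource bytes"):
    """Constructed .rsrc section: one RT_RCDATA resource, id 101, LANGID 0x0409."""
    directory = struct.pack("<IIHHHH", 0, 0, 0, 0, 0, 1)  # header with one id entry
    blob = directory + struct.pack("<II", 10, 0x80000000 | 24)    # type level -> dir at 24
    blob += directory + struct.pack("<II", 101, 0x80000000 | 48)  # name level -> dir at 48
    blob += directory + struct.pack("<II", 0x0409, 72)            # language level -> leaf at 72
    blob += struct.pack("<IIII", rva + 88, len(payload), 0, 0) + payload
    return blob, rva

if __name__ == "__main__":
    for record in walk(*build_sample()):
        print(record)
```

On a real file, `rsrc` and `rsrc_rva` are the raw bytes and virtual address of the section that the optional header's resource data directory points to.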
- Do these additional fields and their annotations make sense?
- Are there any other fields that should be added for complete characterization of PE Resources?