VersionInfo and utf-16le vs utf-16be #131

Open
arty-hlr opened this issue Aug 10, 2023 · 1 comment
@arty-hlr

Hello,

While working on those LOL drivers, I noticed a few things:

  • several documentation files state that the VersionInfo strings come from the PE header; that is incorrect, as they come from a string table in the resources section
  • the yara-generator.py uses utf-16be instead of utf-16le to generate the hex encoded strings. This works because there usually is a zero byte before the string from the previous one, but should be fixed
  • a few rules only contain a FileVersion or ProductVersion from that string table. These might be too broad and could result in FPs

I can submit a PR for the first two points if desired, for the third point I guess it's up to you, but at least a sentence about it would be helpful.
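To make the second point concrete, here is an added illustration (not code from this issue or from the project's yara-generator.py) of why a UTF-16BE hex pattern still matches UTF-16LE VersionInfo strings in practice. For characters below U+0100 the UTF-16BE byte sequence is just the UTF-16LE sequence shifted one byte to the right, so a BE-generated pattern only matches when the byte in front of the real string happens to be 00. The `build_string_table` helper is a constructed, simplified stand-in for the StringTable layout of a VS_VERSIONINFO resource (NUL-terminated UTF-16LE key/value strings, DWORD-aligned; the per-String length/type headers are omitted because only the string bytes matter here).

```python
"""Added example: UTF-16LE vs UTF-16BE hex patterns against a VersionInfo-style string table."""


def yara_hex_string(text: str, encoding: str = "utf-16le") -> str:
    """Render `text` as a YARA hex string in the given UTF-16 byte order.

    yara_hex_string("Foo")            -> "{ 46 00 6F 00 6F 00 }"
    yara_hex_string("Foo", "utf-16be") -> "{ 00 46 00 6F 00 6F }"
    """
    return "{ " + " ".join(f"{b:02X}" for b in text.encode(encoding)) + " }"


def be_is_le_shifted_by_one(text: str) -> bool:
    """True when the UTF-16BE bytes equal a leading 00 plus the UTF-16LE bytes minus their final 00.

    This holds for every character below U+0100 (the high byte of each code unit is 0),
    which covers the ASCII keys and values found in typical VersionInfo string tables.
    """
    le = text.encode("utf-16le")
    be = text.encode("utf-16be")
    return be == b"\x00" + le[:-1]


def build_string_table(entries: dict[str, str]) -> bytes:
    """Constructed stand-in for a VS_VERSIONINFO StringTable (simplified, see lead-in).

    Each key and value is stored as a NUL-terminated UTF-16LE string and padded to a
    4-byte boundary, which is what leaves 00 bytes in front of every string but the first.
    """
    out = bytearray()
    for key, value in entries.items():
        for s in (key, value):
            out += s.encode("utf-16le") + b"\x00\x00"  # NUL terminator (one UTF-16 code unit)
            while len(out) % 4:                        # DWORD alignment padding
                out += b"\x00"
    return bytes(out)


def find_all(blob: bytes, needle: bytes) -> list[int]:
    """Return every offset at which `needle` occurs in `blob` (overlapping hits included)."""
    hits, start = [], 0
    while (pos := blob.find(needle, start)) != -1:
        hits.append(pos)
        start = pos + 1
    return hits


def match_offsets(blob: bytes, text: str) -> dict[str, list[int]]:
    """Offsets at which the LE-generated and the BE-generated pattern for `text` match in `blob`."""
    return {
        enc: find_all(blob, text.encode(enc))
        for enc in ("utf-16le", "utf-16be")
    }


if __name__ == "__main__":
    # Constructed sample table; the values are made up for the demonstration.
    table = build_string_table({"CompanyName": "Example Corp", "ProductVersion": "1.2.3"})
    for name in ("CompanyName", "Example Corp", "ProductVersion", "1.2.3"):
        print(f"{name!r:18} LE pattern {yara_hex_string(name)}")
        print(f"{'':18} BE pattern {yara_hex_string(name, 'utf-16be')}")
        print(f"{'':18} matches: {match_offsets(table, name)}")
```

Running the block shows the effect the issue describes: the BE pattern for "Example Corp", "ProductVersion" and "1.2.3" matches one byte before the real string (on the terminator or padding of the previous entry), while the BE pattern for "CompanyName", the first string in the table, matches nowhere because no 00 precedes it. The LE pattern matches exactly at each string's true offset, which is the behaviour a generator should produce.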

@josehelps
Collaborator

Hey @arty-hlr, a PR for the first two would be awesome, thank you! As for the FileVersion or ProductVersion, are you referring to yara rules? Mind pointing me to them? Likely I can adjust the generation script to make it more specific.

@josehelps josehelps self-assigned this Aug 19, 2023