[Esa-l] Recognizing Microsoft executable attachments

Karl.Dunn at vmic.com Karl.Dunn at vmic.com
Thu Aug 16 08:23:01 PDT 2001


I think we might be able to stop a lot of problems by recognizing the
signature of a Win32 PE file.  I think they all have to have an MS-DOS
stub, which means we should be able to recognize a simple signature near
the beginning.  They start with the hex word 0x5A4D, I think.  Examples
are EXE, DLL, and SCR files.

This trick, if it will work, might help with some Windows apps' tendency
to handle files by their content rather than what their extension is.

As a counterexample: CHM is not a PE file, but they all seem to start out
with 0x5449 0x4653.  This shows that it might not be a good idea to look
for signatures (magic) in general, because we could have a long list.

Linux's file command recognizes quite a few MS file magics, regardless of
the name or extension.  So does FreeBSD's file command, but SPARC and i386
Solaris' file command does not.  We could use FreeBSD/Linux file command,
or peruse its source for magic numbers for which to look.

Is this idea way off target (surely it's not new)?  Opinions?

I much better like John's idea of moving to rejecting all but what we deem
safe, instead of accepting everything except what we deem dangerous.  He
mentioned that some time ago I think.

Karl Dunn     (KLD13)
VMIC
12090 South Memorial Parkway
Huntsville AL USA 35803
VOICE: (256) 382-8211 or (800) 322-3616
FAX:   (256) 650-5472 or (256) 882-0859
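As an added illustration (not part of the original post), the content-based check described above in Python: a Win32 PE file starts with the MS-DOS stub magic "MZ" (0x5A4D as a little-endian word) and the 32-bit offset at 0x3C points to the "PE\0\0" signature, while a CHM file starts with "ITSF" (0x5449 0x4653). The sample blobs are constructed inline; the function and result labels are assumptions for this example.

```python
import struct

# Magic values named in the post: MZ stub for PE/DOS executables, ITSF for CHM.
MZ_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"
CHM_MAGIC = b"ITSF"
E_LFANEW_OFFSET = 0x3C  # offset of the 32-bit pointer to the PE header


def classify_attachment(data: bytes) -> str:
    """Classify a blob by its leading bytes rather than its file extension.

    Returns one of: "pe", "dos-mz", "chm", "other".  A bare MZ stub without a
    valid PE signature is still reported as executable ("dos-mz") so that a
    truncated or plain DOS executable is not waved through.
    """
    if data.startswith(CHM_MAGIC):
        return "chm"
    if not data.startswith(MZ_MAGIC):
        return "other"
    if len(data) < E_LFANEW_OFFSET + 4:
        return "dos-mz"  # too short to even hold e_lfanew
    (e_lfanew,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    # Bounds check before slicing: a hostile e_lfanew must not be trusted.
    if e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE:
        return "pe"
    return "dos-mz"


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the content is executable but the name does not say so."""
    executable_exts = (".exe", ".dll", ".scr", ".chm")
    kind = classify_attachment(data)
    return kind != "other" and not filename.lower().endswith(executable_exts)


def make_pe_sample() -> bytes:
    """Constructed minimal PE-like blob: 0x40-byte MZ stub, e_lfanew -> 0x40."""
    stub = bytearray(MZ_MAGIC + b"\0" * (0x40 - len(MZ_MAGIC)))
    struct.pack_into("<I", stub, E_LFANEW_OFFSET, 0x40)
    return bytes(stub) + PE_SIGNATURE + b"\x4c\x01"  # IMAGE_FILE_MACHINE_I386


if __name__ == "__main__":
    for name, blob in [("update.txt", make_pe_sample()),
                       ("help.chm", CHM_MAGIC + b"\x03\0\0\0"),
                       ("notes.txt", b"Hello, world")]:
        print(name, classify_attachment(blob), extension_mismatch(name, blob))
```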


