| 1 |
c97ab82a
|
Ermal Lu?i
|
# Executable - Microsoft PE file format.
|
| 2 |
|
|
# Pattern attributes: good notsofast notsofast subset
|
| 3 |
|
|
# Protocol groups: file
|
| 4 |
|
|
|
| 5 |
|
|
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
|
| 6 |
|
|
# Thanks to Brandon Enright [bmenrighATucsd.edu]
|
| 7 |
|
|
|
| 8 |
|
|
# This pattern doesn't techincally match the PE file format but rather the
|
| 9 |
|
|
# MZ stub program Microsoft uses for backwards compatibility with DOS.
|
| 10 |
|
|
# That means this will correctly match DOS executables too.
|
| 11 |
|
|
|
| 12 |
|
|
exe
|
| 13 |
|
|
# There are two different stubs used depending on the compiler/packer.
|
| 14 |
|
|
# Numerous NULL bytes have been stripped from this pattern.
|
| 15 |
|
|
|
| 16 |
|
|
# This pattern may be more efficient:
|
| 17 |
|
|
# \x4d\x5a\x90\x03\x04|\x4d\x5a\x50\x02\x04
|
| 18 |
|
|
|
| 19 |
|
|
# This is easier to understand:
|
| 20 |
|
|
\x4d\x5a(\x90\x03|\x50\x02)\x04
|