|
1
|
# Executable - Microsoft PE file format.
|
|
2
|
# Pattern attributes: good notsofast notsofast subset
|
|
3
|
# Protocol groups: file
|
|
4
|
|
|
5
|
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
|
|
6
|
# Thanks to Brandon Enright [bmenrighATucsd.edu]
|
|
7
|
|
|
8
|
# This pattern doesn't techincally match the PE file format but rather the
|
|
9
|
# MZ stub program Microsoft uses for backwards compatibility with DOS.
|
|
10
|
# That means this will correctly match DOS executables too.
|
|
11
|
|
|
12
|
exe
|
|
13
|
# There are two different stubs used depending on the compiler/packer.
|
|
14
|
# Numerous NULL bytes have been stripped from this pattern.
|
|
15
|
|
|
16
|
# This pattern may be more efficient:
|
|
17
|
# \x4d\x5a\x90\x03\x04|\x4d\x5a\x50\x02\x04
|
|
18
|
|
|
19
|
# This is easier to understand:
|
|
20
|
\x4d\x5a(\x90\x03|\x50\x02)\x04
|