Katja Hahn edited this page Aug 2, 2014 · 6 revisions

Note: Anomaly Scanning is still in heavy development!

Printing a Report

Scan for file anomalies by using the PEAnomalyScanner in the tools package. A simple report can be printed as follows:

import java.io.File;
import com.github.katjahahn.tools.anomalies.PEAnomalyScanner;

File file = new File("filepath");
PEAnomalyScanner scanner = PEAnomalyScanner.newInstance(file);
System.out.println(scanner.scanReport());

Anomaly Types and Subtypes

Anomalies have five different types:

  • structural anomaly: unusual location, order, number or size of PE structures, e.g. collapsed, overlapping, moved to overlay
  • wrong values: values that violate the PE specification
  • deprecated values: values or characteristics that have been set, but are deprecated
  • reserved values: values or characteristics that are reserved and should be zero, but were set nevertheless
  • non-default values: values that differ from the standard value. That doesn't mean they are wrong, they just might be unusual.

These types are reflected in the AnomalyType enum.

Furthermore, anomalies have subtypes, to differentiate them from each other. You find the list of the currently detected anomalies here: /~https://github.com/katjahahn/PortEx/blob/master/src/main/java/com/github/katjahahn/tools/anomalies/AnomalySubType.java

You can get a description, anomaly type, subtype, and the standard entry the anomaly belongs to as follows:

import java.io.File;
import java.util.List;
import com.github.katjahahn.tools.anomalies.Anomaly;
import com.github.katjahahn.tools.anomalies.PEAnomalyScanner;

File file = new File("filepath");
PEAnomalyScanner scanner = PEAnomalyScanner.newInstance(file);
List<Anomaly> anomalies = scanner.getAnomalies();
for (Anomaly anomaly : anomalies) {
    System.out.println("Type: " + anomaly.getType());
    System.out.println("Subtype: " + anomaly.subtype());
    System.out.println("Field or structure with anomaly: " + anomaly.key());
    System.out.println(anomaly.description());
    System.out.println();
}
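The loop above prints every anomaly of one file. For triaging a batch of samples it is more useful to summarise how many anomalies of each AnomalyType a file has, since a cluster of structural anomalies points at a deliberately crafted header rather than a sloppy linker. The following is an added example, not code from the PortEx wiki or project; it assumes that AnomalyType lives in the same package as the AnomalySubType linked above, that getType() returns an AnomalyType, and that the directory passed on the command line (default "samples") holds PE files.

```java
import java.io.File;
import java.util.EnumMap;
import java.util.Map;
import com.github.katjahahn.tools.anomalies.Anomaly;
import com.github.katjahahn.tools.anomalies.AnomalyType;      // assumed: same package as AnomalySubType
import com.github.katjahahn.tools.anomalies.PEAnomalyScanner;

public class AnomalyTriage {

    // Count the anomalies of one file per AnomalyType, using only the accessors shown on this page.
    static Map<AnomalyType, Integer> countByType(File file) {
        Map<AnomalyType, Integer> counts = new EnumMap<>(AnomalyType.class);
        PEAnomalyScanner scanner = PEAnomalyScanner.newInstance(file);
        for (Anomaly anomaly : scanner.getAnomalies()) {
            counts.merge(anomaly.getType(), 1, Integer::sum); // assumed: getType() yields an AnomalyType
        }
        return counts;
    }

    public static void main(String[] args) {
        // Hypothetical sample directory; every regular file in it is treated as a PE file.
        File dir = new File(args.length > 0 ? args[0] : "samples");
        File[] files = dir.listFiles(File::isFile);
        if (files == null) {
            System.err.println("not a directory: " + dir);
            return;
        }
        for (File f : files) {
            Map<AnomalyType, Integer> counts;
            try {
                counts = countByType(f);
            } catch (Exception e) {
                // A malformed or non-PE input must not abort the rest of the batch.
                System.out.println(f.getName() + "\tERROR " + e.getMessage());
                continue;
            }
            // One tab-separated line per file: name, then TYPE=count for each type that occurred.
            StringBuilder line = new StringBuilder(f.getName());
            for (Map.Entry<AnomalyType, Integer> e : counts.entrySet()) {
                line.append('\t').append(e.getKey()).append('=').append(e.getValue());
            }
            System.out.println(line);
        }
    }
}
```

Files with no anomalies print just their name, so sorting the output by line length gives a quick ranking of the most suspicious samples.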