This schema was originally developed by The MITRE Corporation. The CybOX XML Schema implementation is maintained by The MITRE Corporation and developed by the open CybOX Community. For more information, including how to get involved in the effort and how to submit change requests, please visit the CybOX website at http://cybox.mitre.org.

Win_Executable_File_Object 2.0.1, 09/19/2013

The following specifies the fields and types that compose this defined CybOX Object type. Each defined object is an extension of the abstract ObjectPropertiesType, defined in CybOX Common. For more information on this extension mechanism, please see the CybOX Specification. This document is intended for developers and assumes some familiarity with XML.

Copyright (c) 2012-2013, The MITRE Corporation. All rights reserved. The contents of this file are subject to the terms of the CybOX License located at http://cybox.mitre.org/about/termsofuse.html. See the CybOX License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the CybOX Schema, this license header must be included.

The Windows_Executable_File object is intended to characterize Windows PE (Portable Executable) files. Sources of information: Matt Pietrek's articles in MSDN Magazine (http://msdn.microsoft.com/en-us/magazine/cc301805.aspx and http://msdn.microsoft.com/en-us/magazine/cc301808.aspx); Microsoft's specification of PE and COFF (http://msdn.microsoft.com/library/windows/hardware/gg463125); LUEVELSMEYER's description (http://webster.cs.ucr.edu/Page_TechDocs/pe.txt).

The Resource field characterizes an abstract PE file resource. The VersionInfoResource field characterizes a Version resource that uses the VERSIONINFO resource.

WindowsExecutableFileObjectType is intended to characterize Windows PE (Portable Executable) files. The Build_Information field specifies information on the tools used to build the PE binary.
The Digital_Signature field specifies information about the digital signature used to sign the PE binary. The Exports field characterizes the PE export table of the PE binary. The Extraneous_Bytes field specifies the number of extraneous bytes contained in the PE binary. The Headers property contains fields for characterizing aspects of the various types of PE headers. The Imports property characterizes the PE import table of the binary. The PE_Checksum property specifies the checksum of the PE file. The Resources field characterizes the PE resources of the binary. The Sections field characterizes the PE sections of the binary. The Type field specifies the particular type of the PE binary, e.g. Executable.

PECheckSumType records the checksum of the PE file, both as found in the file and as computed. PE_Computed_API specifies a checksum computed by an external algorithm. PE_File_API specifies the checksum computed by IMAGEHLP.DLL. PE_File_Raw specifies the checksum found in the PE file (in the Optional Header).

PEExportsType specifies the PE file's export data section. The export data section contains information about symbols exported by the PE file (a DLL) which can be dynamically loaded by other executables. This type and its components abstract the corresponding Windows structures. Its fields are: a list of the exported functions in this section; the date and time the export data was created; the number of addresses in the export data section's address table; and the number of names in the export data section's name table.

PEExportedFunctionsType specifies a list of PE exported functions; each entry specifies a single function in the list of exported functions.

The section list type specifies a list of the sections that appear in the PE file; each entry specifies a single PE file section.

The entropy type specifies the result of an entropy computation. Its fields specify the computed entropy value and the smallest possible value for the entropy computation.
The remaining field specifies the largest possible value for the entropy computation (e.g., this would be 8 if the entropy computation is based on bits of information).

PEImportType is intended as a container for the properties relevant to PE binary imports. The File_Name field specifies the name of the library (file) that the PE binary imports. The Imported_Functions field is used to enumerate any functions imported from a particular library. The Virtual_Address field specifies the relative virtual address (RVA) of the PE binary library import. The delay_load field is a boolean value that describes whether a PE binary import is delay-load or not. The initially_visible field records whether the import is initially visible or hidden, in relation to PE binary packing. A packed binary will typically have few initially visible imports, so it is necessary to distinguish the imports that are visible initially from those that are visible only after the binary is unpacked.

The import list type specifies a list of PE imported functions; each entry specifies a single function in the list of imported functions.

PEResourceType is intended as a container for the properties relevant to PE binary resources. The Type field refers to the type of data referred to by this resource. The Name field specifies the name of the resource used by the PE binary. The Hashes field is used to include any hash values computed using the specified PE binary resource as input.

PEVersionInfoResourceType characterizes the special VERSIONINFO resource type. For more information please see http://msdn.microsoft.com/en-us/library/windows/desktop/aa381058(v=vs.85).aspx.

The Comments field captures any additional information that should be displayed for diagnostic purposes.

The CompanyName field captures the company that produced the file, for example "Microsoft Corporation" or "Standard Microsystems Corporation, Inc."

The FileDescription field captures the file description to be presented to users.
This string may be displayed in a list box when the user is choosing files to install, for example "Keyboard Driver for AT-Style Keyboards".

The FileVersion field captures the version number of the file, for example "3.10" or "5.00.RC2".

The InternalName field captures the internal name of the file, if one exists, for example a module name if the file is a dynamic-link library. If the file has no internal name, this string should be the original filename, without extension.

The LangID field captures the localization language identifier specified in the version-information resource.

The LegalCopyright field captures the copyright notices that apply to the file. This should include the full text of all notices, legal symbols, copyright dates, and so on.

The LegalTrademarks field captures the trademarks and registered trademarks that apply to the file. This should include the full text of all notices, legal symbols, trademark numbers, and so on.

The OriginalFilename field captures the original name of the file, not including a path. This information enables an application to determine whether a file has been renamed by a user. The format of the name depends on the file system for which the file was created.

The PrivateBuild field captures information about a private version of the file, for example "Built by TESTER1 on \TESTBED". This string should be present only if VS_FF_PRIVATEBUILD is specified in the fileflags parameter of the root block.

The ProductName field captures the name of the product with which the file is distributed. This string is required.

The ProductVersion field captures the version of the product with which the file is distributed, for example "3.10" or "5.00.RC2".

The SpecialBuild field captures the text that indicates how this version of the file differs from the standard version, for example "Private build for TESTER1 solving mouse problems on M250 and M250E computers".
This string should be present only if VS_FF_SPECIALBUILD is specified in the fileflags parameter of the root block.

PEExportType specifies the type describing exported functions. The Function_Name field specifies the name of the function exported by the PE binary. The Entry_Point field specifies the entry point of the function exported by the PE binary. The Ordinal field specifies the ordinal value (index) of the function exported by the PE binary.

PEResourceListType specifies a list of resources found in the PE file; each entry specifies a single resource.

PEImportedFunctionType specifies the type describing imported functions. The Function_Name field specifies the name of the function from the specified library that the PE binary imports. The Hint field specifies the index into the export table of the library in which the function is found. The Ordinal field specifies the ordinal value (index) of the function in the library in which it is found. The Bound field specifies the precomputed address if the imported function is bound. The Virtual_Address field specifies the relative virtual address (RVA) of the PE binary library imported function.

PEImportListType specifies a list of functions in an import data section; each entry specifies a single function in the list of imported functions.

PESectionType is intended as a container for the properties relevant to PE binary sections. A PE section consists of a header and data. PESectionType contains properties that describe the section header and metadata computed about the section (e.g., hashes, entropy). The Section_Header property contains the characteristics of the section's header structure. The Data_Hashes field is used to include any hash values computed using the data contained in the specified PE binary section as input. The Entropy field specifies the calculated entropy of the PE binary section.
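As an added example (not part of the CybOX schema or its documentation), the Python below builds a PESectionType-style record for every entry of a section table: it parses the section header, hashes the header bytes and the raw section data (the Header_Hashes and Data_Hashes fields), and fills the entropy triple from the page (computed value, smallest possible value 0, largest possible value 8 when entropy is measured in bits per byte). The parsed header field names follow the IMAGE_SECTION_HEADER layout from winnt.h, the section table and section data are constructed sample bytes, and the 7.0-bit threshold used to flag a section is a common triage heuristic rather than a schema value.

```python
import hashlib
import math
import struct
from collections import Counter

# IMAGE_SECTION_HEADER (40 bytes): Name[8], VirtualSize, VirtualAddress,
# SizeOfRawData, PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics (winnt.h order).
SECTION_HEADER_FMT = "<8sIIIIIIHHI"
SECTION_HEADER_SIZE = struct.calcsize(SECTION_HEADER_FMT)  # 40

ENTROPY_MIN = 0.0
ENTROPY_MAX = 8.0  # entropy is measured in bits of information per byte


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    if not data:
        return 0.0
    n = len(data)
    # `or 0.0` turns the -0.0 produced for a constant buffer into a plain 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values()) or 0.0


def parse_section_header(raw: bytes) -> dict:
    """Map one 40-byte header onto the schema's Section_Header property names."""
    f = struct.unpack(SECTION_HEADER_FMT, raw)
    return {
        "Name": f[0].rstrip(b"\0").decode("ascii", "replace"),
        "Virtual_Size": f[1], "Virtual_Address": f[2],
        "Size_Of_Raw_Data": f[3], "Pointer_To_Raw_Data": f[4],
        "Pointer_To_Relocations": f[5], "Pointer_To_Linenumbers": f[6],
        "Number_Of_Relocations": f[7], "Number_Of_Linenumbers": f[8],
        "Characteristics": f[9],
    }


def characterize_sections(image: bytes, table_offset: int, count: int) -> list:
    """One PESectionType-like record per section header in the table."""
    records = []
    for i in range(count):
        start = table_offset + i * SECTION_HEADER_SIZE
        raw_header = image[start:start + SECTION_HEADER_SIZE]
        if len(raw_header) != SECTION_HEADER_SIZE:
            raise ValueError("section table runs past the end of the file")
        header = parse_section_header(raw_header)
        begin = header["Pointer_To_Raw_Data"]
        data = image[begin:begin + header["Size_Of_Raw_Data"]]
        if len(data) != header["Size_Of_Raw_Data"]:
            raise ValueError(f"section {header['Name']} points outside the file")
        records.append({
            "Section_Header": header,
            "Data_Hashes": {"SHA256": hashlib.sha256(data).hexdigest()},
            "Entropy": {"Value": shannon_entropy(data),
                        "Min": ENTROPY_MIN, "Max": ENTROPY_MAX},
            "Header_Hashes": {"SHA256": hashlib.sha256(raw_header).hexdigest()},
        })
    return records


def high_entropy_sections(records: list, threshold: float = 7.0) -> list:
    """Names of sections whose data sits near the 8-bit ceiling (packing/encryption hint)."""
    return [r["Section_Header"]["Name"] for r in records
            if r["Entropy"]["Value"] >= threshold]


def build_sample_image() -> bytes:
    """Constructed sample: a three-entry section table at offset 0, then the section data."""
    def header(name, vsize, vaddr, rawsize, rawptr, flags):
        return struct.pack(SECTION_HEADER_FMT, name, vsize, vaddr,
                           rawsize, rawptr, 0, 0, 0, 0, flags)
    text = bytes(range(64))    # 64 distinct values, each once -> 6.0 bits
    data = bytes(64)           # all zero -> 0.0 bits
    rsrc = bytes(range(256))   # every byte value once -> 8.0 bits (the maximum)
    table = (header(b".text", 0x40, 0x1000, len(text), 0x80, 0x60000020)
             + header(b".data", 0x40, 0x2000, len(data), 0xC0, 0xC0000040)
             + header(b".rsrc", 0x100, 0x3000, len(rsrc), 0x100, 0x40000040))
    return table.ljust(0x80, b"\0") + text + data + rsrc


if __name__ == "__main__":
    records = characterize_sections(build_sample_image(), 0, 3)
    for rec in records:
        print(rec["Section_Header"]["Name"], rec["Entropy"])
    print("near the entropy ceiling:", high_entropy_sections(records))
```

The entropy triple is only meaningful with its bounds: a value of 7.9 means something different against a maximum of 8 (bytes) than it would against a maximum of 1 (bits), which is why the schema carries the minimum and maximum alongside the computed value.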
The Header_Hashes field is used to include any hash values computed using the header of the specified PE binary section as input. The Type field specifies the type of the section.

PEDataDirectoryStruct is intended as a container for the properties relevant to a PE binary's data directory structure. The Virtual_Address field specifies the relative virtual address (RVA) of the data structure. The Size field specifies the size of the data structure, in bytes.

PESectionHeaderStruct is intended as a container for the properties relevant to a PE binary's section header structure. The Name field specifies the name of the PE binary section. The Virtual_Size field is the total size of the PE binary section when loaded into memory; it is valid only for executables and should be 0 for object files. The Virtual_Address field specifies the relative virtual address (RVA) of the PE binary section. The Size_Of_Raw_Data field specifies the size of the data contained in the PE binary section. The Pointer_To_Raw_Data field specifies the file offset of the beginning of the PE binary section. The Pointer_To_Relocations field specifies the offset of the PE binary section relocations, if applicable. The Pointer_To_Linenumbers field specifies the beginning of the line-number entries for the section; it should be 0. The Number_Of_Relocations field specifies the number of relocations defined for the specified PE binary section. The Number_Of_Linenumbers field specifies the number of line-number entries for the section; it should be 0. The Characteristics field specifies any flags defined for the specified PE binary section.

DOSHeaderType is a container for the characteristics of the _IMAGE_DOS_HEADER structure, which can be found in Winnt.h and pe.h. See http://www.csn.ul.ie/~caolan/pub/winresdump/winresdump/doc/pefile.html for more information about the winnt.h file, and http://www.tavi.co.uk/phobos/exeformat.html for even more clarification.
Specifies the magic number, specifically the Windows OS signature value, which can be MZ for DOS (which is, for all intents and purposes, most Windows executables), NE for OS/2, LE for OS/2 LE, or PE00 for NT.

Specifies the number of bytes actually used in the last page, with the special case of a full page being represented by a value of zero (since the last page is never empty). For example, assuming a page size of 512 bytes, this value would be 0x0000 for a 1024-byte file, and 0x0001 for a 1025-byte file (since the last page then contains only one valid byte).

Specifies the number of pages required to hold the file. For example, if the file contains 1024 bytes, and we assume the file has pages of 512 bytes, this word would contain 0x0002; if the file contains 1025 bytes, this word would contain 0x0003.

Specifies the number of relocation items, i.e. the number of entries that exist in the relocation pointer table. If there are no relocation entries, this value is zero.

Specifies the size of the executable header in terms of paragraphs (16-byte chunks). It indicates the offset of the program's compiled/assembled and linked image (the load module) within the executable file. The size of the load module can be deduced by subtracting this value (converted to bytes) from the overall file size derived from combining the e_cp (number of file pages) and e_cblp (number of bytes in last page) values. The header always spans an even number of paragraphs.

Specifies the minimum number of extra paragraphs that must be allocated before execution can begin. This is IN ADDITION to the memory required to hold the load module. This value normally represents the total size of any uninitialised data and/or stack segments that are linked at the end of a program. This space is not directly included in the load module, since there are no particular initializing values and it would simply waste disk space.
Specifies the maximum number of extra paragraphs that must be allocated by the program before it begins execution. This indicates ADDITIONAL memory over and above that required by the load module and the value specified by MINALLOC. If the request cannot be satisfied, the program is allocated as much memory as is available.

Specifies the initial SS value, which is the paragraph address of the stack segment relative to the start of the load module. At load time, this value is relocated by adding the address of the start segment of the program to it, and the resulting value is placed in the SS register before the program is started. In DOS, the start segment of the program is the first segment boundary in memory after the PSP.

Specifies the initial SP value, which is the absolute value that must be loaded into the SP register before the program is given control. Since the actual stack segment is determined by the loader, and this is merely a value within that segment, it does not need to be relocated.

Specifies the checksum of the contents of the executable file. It is used to ensure the integrity of the data within the file. For full details on how this checksum is calculated, see http://www.tavi.co.uk/phobos/exeformat.html#checksum.

Specifies the initial IP value, which is the absolute value that should be loaded into the IP register in order to transfer control to the program. Since the actual code segment is determined by the loader, and this is merely a value within that segment, it does not need to be relocated.

Specifies the pre-relocated initial CS value, relative to the start of the load module, that should be placed in the CS register in order to transfer control to the program. At load time, this value is relocated by adding the address of the start segment of the program to it, and the resulting value is placed in the CS register when control is transferred.
Specifies the file address of the relocation table, or more specifically, the offset from the start of the file to the relocation pointer table. This value must be used to locate the relocation pointer table (rather than assuming a fixed location) because variable-length information pertaining to program overlays can occur before this table, causing its position to vary. A value of 0x40 in this field generally indicates a different kind of executable file, not a DOS 'MZ' type.

Specifies the overlay number, which is normally set to 0x0000, because few programs actually have overlays. It changes only in files containing programs that use overlays. See http://www.tavi.co.uk/phobos/exeformat.html#overlaynote for more information about overlays.

Specifies reserved words for the program (known in winnt.h as e_res[4]), usually set to zero by the linker. In this case, just use a single reserved1 set to zero; if not zero, create four reserved1 entries with the correct values.

Specifies the OEM identifier for e_oeminfo.

Specifies the OEM information for a specific value of e_oeminfo.

Specifies reserved words for the program (known in winnt.h as e_res[10]), usually set to zero by the linker. In this case, just use a single reserved1 set to zero; if not zero, create ten reserved1 entries with the correct values.

Specifies the file address of the new exe header. In particular, it is a 4-byte offset into the file where the PE file header is located. It is necessary to use this offset to locate the PE header in the file.

The Hashes field is used to include any hash values computed using the specified PE binary MS-DOS header as input.

PEHeaderType specifies the headers found in PE and COFF files. The DOS_Header property refers to the MS-DOS PE header and its associated characteristics. The Signature property specifies the 4-byte signature that identifies the file as a PE file.
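The following Python is an added example, not schema code or a CybOX tool. It reads the _IMAGE_DOS_HEADER fields described above using the winnt.h field names (e_magic through e_lfanew), derives the file size from e_cp and e_cblp and the load-module offset from e_cparhdr exactly as the text explains, follows e_lfanew to the PE signature, and hashes the 64-byte header for the Hashes field. It also reads the 20-byte COFF file header that follows the signature so that a few consistency checks can be made before any of the headers are trusted. The MZ file it parses is constructed inline; the warning texts are this example's own.

```python
import hashlib
import struct

# _IMAGE_DOS_HEADER, 64 bytes, fields in the order winnt.h stores them.
DOS_HEADER_FMT = "<2s13H8sHH20sI"
DOS_HEADER_SIZE = struct.calcsize(DOS_HEADER_FMT)  # 64
DOS_FIELDS = (
    "e_magic", "e_cblp", "e_cp", "e_crlc", "e_cparhdr", "e_minalloc", "e_maxalloc",
    "e_ss", "e_sp", "e_csum", "e_ip", "e_cs", "e_lfarlc", "e_ovno",
    "e_res", "e_oemid", "e_oeminfo", "e_res2", "e_lfanew",
)
PAGE_SIZE = 512          # DOS page, as used by e_cp / e_cblp
PARAGRAPH_SIZE = 16      # DOS paragraph, as used by e_cparhdr
PE_SIGNATURE = b"PE\0\0"
# IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
# PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
COFF_HEADER_FMT = "<HHIIIHH"
COFF_FIELDS = ("Machine", "NumberOfSections", "TimeDateStamp", "PointerToSymbolTable",
               "NumberOfSymbols", "SizeOfOptionalHeader", "Characteristics")


def parse_dos_header(data: bytes) -> dict:
    if len(data) < DOS_HEADER_SIZE:
        raise ValueError("file too short for an MS-DOS header")
    hdr = dict(zip(DOS_FIELDS, struct.unpack(DOS_HEADER_FMT, data[:DOS_HEADER_SIZE])))
    if hdr["e_magic"] != b"MZ":
        raise ValueError("missing MZ signature")
    return hdr


def dos_file_size(hdr: dict) -> int:
    """Size implied by e_cp and e_cblp; a last-page count of 0 means a full page."""
    last_page = hdr["e_cblp"] or PAGE_SIZE
    return (hdr["e_cp"] - 1) * PAGE_SIZE + last_page


def load_module_span(hdr: dict) -> tuple:
    """(offset, size) of the DOS load module: it starts after e_cparhdr paragraphs."""
    offset = hdr["e_cparhdr"] * PARAGRAPH_SIZE
    return offset, dos_file_size(hdr) - offset


def locate_pe_header(data: bytes, hdr: dict) -> int:
    """Follow e_lfanew and confirm the 4-byte PE signature is there."""
    off = hdr["e_lfanew"]
    if off < DOS_HEADER_SIZE or off + 4 > len(data):
        raise ValueError(f"e_lfanew 0x{off:x} points outside the file")
    if data[off:off + 4] != PE_SIGNATURE:
        raise ValueError("no PE signature at e_lfanew")
    return off


def parse_coff_header(data: bytes, pe_offset: int) -> dict:
    start = pe_offset + len(PE_SIGNATURE)
    return dict(zip(COFF_FIELDS, struct.unpack(COFF_HEADER_FMT, data[start:start + 20])))


def dos_header_hash(data: bytes) -> str:
    """The Hashes field of DOSHeaderType: a digest over the 64-byte header itself."""
    return hashlib.sha256(data[:DOS_HEADER_SIZE]).hexdigest()


def header_warnings(data: bytes) -> list:
    """Consistency checks worth reporting before the headers are believed."""
    hdr = parse_dos_header(data)
    warnings = []
    if hdr["e_lfarlc"] != 0x40:
        warnings.append("e_lfarlc != 0x40: stub does not look like a new-format (PE) stub")
    if dos_file_size(hdr) > len(data):
        warnings.append("e_cp/e_cblp claim more bytes than the file holds")
    try:
        coff = parse_coff_header(data, locate_pe_header(data, hdr))
    except ValueError as exc:
        return warnings + [str(exc)]
    if coff["PointerToSymbolTable"] or coff["NumberOfSymbols"]:
        warnings.append("COFF symbol table present; expected 0 in an executable image")
    if coff["SizeOfOptionalHeader"] == 0:
        warnings.append("SizeOfOptionalHeader is 0: object file, not an executable")
    return warnings


def build_sample_file() -> bytes:
    """Constructed sample: MZ header, empty stub, PE signature, COFF header, zero padding."""
    dos = struct.pack(DOS_HEADER_FMT, b"MZ", 0x90, 3, 0, 4, 0, 0xFFFF, 0, 0xB8,
                      0, 0, 0, 0x40, 0, bytes(8), 0, 0, bytes(20), 0x80)
    coff = struct.pack(COFF_HEADER_FMT, 0x8664, 2, 0x5241F000, 0, 0, 240, 0x22)
    body = dos.ljust(0x80, b"\0") + PE_SIGNATURE + coff
    return body.ljust(1168, b"\0")   # 1168 = (3 - 1) * 512 + 0x90, consistent with e_cp/e_cblp


if __name__ == "__main__":
    sample = build_sample_file()
    hdr = parse_dos_header(sample)
    print("DOS view of file size:", dos_file_size(hdr), "load module:", load_module_span(hdr))
    print("PE header at 0x%x" % locate_pe_header(sample, hdr), parse_coff_header(sample, 0x80))
    print("warnings:", header_warnings(sample), "dos header sha256:", dos_header_hash(sample))
```

The page's own worked numbers (a 1024-byte file gives e_cp = 2 with e_cblp = 0; 1025 bytes gives e_cp = 3 with e_cblp = 1) fall straight out of dos_file_size, and the e_lfarlc check encodes the remark above that a value of 0x40 marks a non-DOS executable.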
The File_Header property refers to the PE file header (sometimes referred to as the COFF header) and its associated characteristics. The Optional_Header field refers to the PE optional header and its associated characteristics. The Optional Header is required for executable (PE) files, but optional for object (COFF) files. The Entropy field specifies the calculated entropy of the PE file header. The Hashes field is used to include any hash values computed using the specified PE binary file header as input.

PEFileHeaderType refers to the PE file header (sometimes referred to as the COFF header) and its associated characteristics. Its fields, in order:
Specifies the type of target machine.
Specifies the number of sections in the file.
Specifies the time when the file was created (the low 32 bits of the number of seconds since the epoch).
Specifies the file offset of the COFF symbol table (should be 0).
Specifies the number of entries in the symbol table (should be 0).
Specifies the size of the optional header; should be 0 for object files and non-zero for executables.
Specifies the flags that indicate the file's characteristics.
Any hashes computed for the file header.

SubsystemTypes specifies subsystem types via a union of the SubsystemTypeEnum type and the atomic xs:string type. Its base type is the CybOX Core BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications. Its datatype attribute is optional and specifies the expected type for the value of the specified property.

PEType specifies PE file types via a union of the PETypeEnum type and the atomic xs:string type. Its base type is the CybOX Core BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications. Its datatype attribute is optional and specifies the expected type for the value of the specified property.

SectionTypes specifies PE section types via a union of the SectionTypeEnum type and the atomic xs:string type.
Its base type is the CybOX Core BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications. Its datatype attribute is optional and specifies the expected type for the value of the specified property.

PEOptionalHeaderType describes the PE Optional Header structure. Additional computed metadata, e.g. hashes of the header, are also included. Its fields, in order:
Specifies the unsigned integer that indicates the type of executable file.
Specifies the linker major version number.
Specifies the linker minor version number.
Specifies the size of the code (text) section. If there are multiple sections, the size is the sum of the sizes of each.
Specifies the size of the initialized data section. If there are multiple sections, the size is the sum of the sizes of each.
Specifies the size of the uninitialized (bss) data section. If there are multiple sections, the size is the sum of the sizes of each.
Specifies the address of the entry point relative to the image base when the executable is loaded into memory. When there is no entry point (e.g., it is optional for DLLs), the value should be 0.
Specifies the address, relative to the image base, of the beginning-of-code section when it is loaded into memory.
Specifies the address, relative to the image base, of the beginning-of-data section when it is loaded into memory.
Specifies the preferred address of the first byte of the image when loaded into memory; must be a multiple of 64 K.
Specifies the alignment (in bytes) of sections when they are loaded into memory.
Specifies the factor (in bytes) that is used to align the raw data of sections in the image file.
Specifies the major version number of the required operating system.
Specifies the minor version number of the required operating system.
Specifies the major version number of the image.
Specifies the minor version number of the image.
Specifies the major version number of the subsystem.
Specifies the minor version number of the subsystem.
Reserved; must be 0.
Specifies the size (in bytes) of the image, including all headers, as the image is loaded in memory.
Specifies the combined size of the MS-DOS header, PE header, and section headers, rounded up to a multiple of FileAlignment.
Specifies the checksum of the PE file.
Specifies the subsystem (e.g., GUI, device driver) that is required to run this image.
Specifies flags that characterize the PE file.
Specifies the size of the stack to reserve.
Specifies the size of the stack to commit.
Specifies the size of the local heap space to reserve.
Specifies the size of the local heap space to commit.
Reserved; must be 0.
Specifies the number of data-directory entries in the remainder of the optional header.
Specifies the data directories in the remainder of the optional header. This field is repeated for each data directory.
The Hashes field is used to include any hash values computed using the specified PE binary optional header as input.

DataDirectoryType specifies the data directories that can appear in the PE file's optional header. The data directories, except the Certificate Table, are loaded into memory so they can be used at runtime. Its entries, in order:
Specifies the export table data directory.
Specifies the import table data directory.
Specifies the resource table data directory.
Specifies the exception table data directory.
Specifies the certificate table data directory. The table of certificates is in a file which the data directory points to.
Specifies the base relocation table data directory.
Specifies the debug data directory.
Reserved; must be 0.
Specifies the RVA of the value to be stored in the global pointer register.
Specifies the thread local storage (TLS) table data directory.
Specifies the load configuration table data directory.
Specifies the bound import table data directory.
Specifies the import address table (IAT) data directory.
Specifies the delay import descriptor data directory.
Specifies the Common Language Runtime (CLR) header data directory.
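As an added example (not part of the schema or any CybOX tool), the Python below fills a PECheckSumType-style record from the optional header Checksum field listed above: PE_File_Raw is read out of the optional header, where the CheckSum field sits at offset 64 in both PE32 and PE32+ images, and PE_Computed_API is recomputed with the widely published reconstruction of the IMAGEHLP CheckSumMappedFile algorithm (32-bit words folded into a 16-bit sum that skips the CheckSum field itself, plus the file length). That algorithm is assumed from public descriptions, not taken from the schema or from the DLL; the PE image it checks is constructed inline.

```python
import struct

E_LFANEW_OFFSET = 0x3C                    # position of e_lfanew in the MZ header
CHECKSUM_OFFSET_IN_OPTIONAL_HEADER = 64   # identical for PE32 and PE32+
COFF_HEADER_SIZE = 20
PE_SIGNATURE = b"PE\0\0"


def checksum_field_offset(data: bytes) -> int:
    """File offset of OptionalHeader.CheckSum: e_lfanew + signature + COFF header + 64."""
    (e_lfanew,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("no PE signature at e_lfanew")
    return e_lfanew + len(PE_SIGNATURE) + COFF_HEADER_SIZE + CHECKSUM_OFFSET_IN_OPTIONAL_HEADER


def pe_checksum(data: bytes, skip_offset: int) -> int:
    """Assumed reconstruction of the IMAGEHLP algorithm (end-around-carry sum of
    32-bit words, folded to 16 bits, with the CheckSum dword left out, plus the
    file length). The file is zero-padded to a whole number of dwords first."""
    skip = skip_offset & ~3
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == skip:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)   # fold the carry back in
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    total &= 0xFFFF
    return total + len(data)


def checksum_report(data: bytes) -> dict:
    """PECheckSumType-style record: the value found in the file versus the recomputed one."""
    off = checksum_field_offset(data)
    raw = struct.unpack_from("<I", data, off)[0]
    computed = pe_checksum(data, off)
    return {"PE_File_Raw": raw, "PE_Computed_API": computed, "matches": raw == computed}


def build_sample_file() -> bytes:
    """Constructed sample: MZ header (e_lfanew = 0x40), PE signature, 20-byte COFF header,
    a 224-byte PE32 optional header, 256 bytes of 'section' data, CheckSum filled in."""
    mz = b"MZ".ljust(E_LFANEW_OFFSET, b"\0") + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    optional = bytearray(224)
    struct.pack_into("<H", optional, 0, 0x10B)          # PE32 magic
    body = bytearray(mz + PE_SIGNATURE + coff + bytes(optional))
    body += bytes(range(256))                           # makes the word sum non-trivial
    off = checksum_field_offset(bytes(body))
    struct.pack_into("<I", body, off, pe_checksum(bytes(body), off))
    return bytes(body)


if __name__ == "__main__":
    good = build_sample_file()
    print("untouched:", checksum_report(good))
    tampered = bytearray(good)
    tampered[-1] ^= 0x01                                # flip one bit in the section data
    print("one bit changed:", checksum_report(bytes(tampered)))
```

A raw value of 0 only means the linker never filled the field in, which is common for user-mode binaries. The case worth acting on is a non-zero PE_File_Raw that disagrees with PE_Computed_API: the bytes changed after the checksum was written, whether by patching, infection or a damaged copy, which is exactly the comparison the two fields of PECheckSumType let an analyst record.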
The last data directory entry is reserved; it must be 0.

PEBuildInformationType captures information about the tools used to build the PE binary, including the compiler and linker. The Linker_Name field specifies the name of the linker used to link the PE binary. The Linker_Version field specifies the version of the linker used to link the PE binary. The Compiler_Name field specifies the name of the compiler used to compile the binary. The Compiler_Version field specifies the version of the compiler used to compile the binary.

SectionTypeEnum enumerates the types of PE sections in an executable. See http://www.silurian.com/inspect/peformat.htm for more information. These sections can be viewed in a disassembler such as IDA, and more specifically in the freeware CFF Explorer. Its values:
Denoted by .text, this specifies the main program code, usually with execute and read access only.
Denoted by .data, this specifies the main initialized data used by the program.
Denoted by .rsrc, this specifies Windows resource data.
Denoted by .rdata, this specifies read-only data.
Denoted by .reloc, this specifies base relocations.
Denoted by .debug, this specifies debug information.
Denoted by .idata, this specifies imported function data.
Denoted by .tls, this specifies Thread Local Storage; the data is private to each thread.
Denoted by .CRT, this specifies data reserved for the C Run-Time library.

SubsystemTypeEnum enumerates the types of Windows subsystems an executable can be compatible with, according to winnt.h and more specifically the Subsystem value of the IMAGE_OPTIONAL_HEADER structure. See http://source.winehq.org/source/include/winnt.h and http://msdn.microsoft.com/en-us/library/windows/desktop/ms680339(v=vs.85).aspx for more information. Its values:
Specifies an unknown subsystem.
Specifies that no subsystem is required to run the image (i.e. only device drivers and native system processes are needed).
Specifies the Windows graphical user interface (GUI) subsystem.
Specifies the Windows character-mode user interface (CUI) subsystem.
Specifies the OS/2 CUI subsystem.
Specifies the POSIX CUI subsystem.
Specifies native Windows 9x drivers. This is denoted by the value IMAGE_SUBSYSTEM_NATIVE_WINDOWS, or 0x8.
Specifies the Windows CE system with a GUI.
Specifies an Extensible Firmware Interface (EFI) application.
Specifies an Extensible Firmware Interface (EFI) driver with boot services.
Specifies an Extensible Firmware Interface (EFI) driver with run-time services.
Specifies an Extensible Firmware Interface (EFI) image.
Specifies the XBOX system.
Specifies a Windows boot application.

PETypeEnum enumerates the characteristics flags for the executable file in question. These are detailed in winnt.h. Its values:
Specifies an executable image (not an OBJ or LIB).
Specifies a dynamic link library, not a program.
Specifies an invalid executable file (i.e. not one of the listed types).

PEResourceTypeEnum is a non-exhaustive enumeration of PE resource types. Its values:
The resource specified is a cursor or animated cursor, defined by naming it and specifying the name of the file that contains it. (To use a particular cursor, the application requests it by name.)
The resource specified is a bitmap, defined by naming it and specifying the name of the file that contains it. (To use a particular bitmap, the application requests it by name.)
The resource specified is an icon or animated icon, defined by naming it and specifying the name of the file that contains it. (To use a particular icon, the application requests it by name.)
The resource specified defines the appearance and function of a menu. It does not define help or regular identifiers, nor does it use the MFT_* type and MFS_* state flags.
The resource specified defines the appearance and function of a menu which can also use help or regular identifiers, as well as the MFT_* type and MFS_* state flags.
The resource specified defines a menu item that can contain menu items and submenus.
The resource specified defines a template that an application can use to create dialog boxes. This type is considered obsolete in Windows, and newer applications use the DIALOGEX resource.
The resource specified defines a template that newer applications can use to create dialog boxes.
The resource specified defines string resources. String resources are Unicode or ASCII strings that can be loaded from the executable file.
The resource specified defines the name of a file that contains a font.
The resource specified defines menu accelerator keys.
The resource specified defines data resources. Data resources let you include binary data in the executable file.
The resource specified defines a message table, by naming it and specifying the name of the file that contains it. The file is a binary resource file generated by the message compiler.
The resource specified defines version information, containing information such as the version number, intended operating system, and so on.
This resource is obsolete and included for completeness.
This is a special resource that is interpreted by Visual C++. For more information see http://go.microsoft.com/FWLink/?LinkId=83951.
This is a special resource that is used with the /TLBID and /TLBOUT linker options. For more information see http://go.microsoft.com/FWLink/?LinkId=83960 (for /TLBID) and http://go.microsoft.com/FWLink/?LinkId=83947 (for /TLBOUT).
This resource is obsolete and included for completeness.
The resource specified defines an HTML file.
The resource specified defines a different object than those listed. This resource type can also be considered user-defined, i.e. it defines a resource that contains application-specific data, as noted in MSDN.