From: Adam Levin (alevin audible.com)
Date: Wed Apr 24 2002 - 11:34:10 CDT
On Wed, 24 Apr 2002, *Hobbit* wrote:
> We *do* have a way to recognize executables, one of which has been
> described already. Provided they arrive as base64 blobs, I run them
> through
> ## exe "MZ" header, which varies a bit. base64 and uuencode versions
> /^TV[nopqr]....[AB]..A.A....*AAAA...*AAAA/i REJECT
> /^M35[GHIJK].`..`..*````/i REJECT
> ## .rdata
> /LnJkY#XRhAA/i REJECT
> /cmRhd#GEAA/i REJECT
> /5yZGF#0YQAA/i REJECT
> ## .reloc
> /LnJlb#G9JAA/i REJECT
> /cmVsb#2MAA/i REJECT
> /5yZWx#vYwAA/i REJECT
That's really helpful, thanks. One quick question: just to confirm, those
are supposed to be case *sensitive*, not case *in*sensitive, right? This
recently got me (that's what I get for not *thoroughly* reading the docs
:) ).
-Adam
Adam Levin, Senior Unix Systems Administrator | http://www.audible.com/
Audible, Inc.
Wayne, NJ, 07470 I'm wet! I'm hysterical, and I'm wet!
973-837-2797 I'm in pain, and I'm wet, and I'm still hysterical!
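The case-sensitivity point raised in this message, as an added example that is not part of the original post or of Postfix: base64 is a case-sensitive alphabet, so the quoted MZ pattern only identifies an executable header when it is matched case-sensitively. Python's `re` stands in for the Postfix matcher, and the 64-byte header is constructed sample data; Postfix's regexp_table(5) documents the trailing `i` as toggling case sensitivity, with case-insensitive matching as the default.

```python
import base64
import re

# First body_checks pattern quoted above, without the trailing Postfix flag.
MZ_B64 = r"^TV[nopqr]....[AB]..A.A....*AAAA...*AAAA"

SENSITIVE = re.compile(MZ_B64)                    # case-sensitive matching
INSENSITIVE = re.compile(MZ_B64, re.IGNORECASE)   # case-folded matching


def constructed_mz_line() -> str:
    """First 76-character base64 line of a constructed DOS/PE header."""
    header = bytearray(64)
    header[0:2] = b"MZ"                            # e_magic
    header[2:4] = (0x90).to_bytes(2, "little")     # e_cblp
    header[4:6] = (3).to_bytes(2, "little")        # e_cp
    header[8:10] = (4).to_bytes(2, "little")       # e_cparhdr
    header[12:14] = b"\xff\xff"                    # e_maxalloc
    header[16:18] = (0xB8).to_bytes(2, "little")   # e_sp
    header[24:26] = (0x40).to_bytes(2, "little")   # e_lfarlc
    header[60:64] = (0x80).to_bytes(4, "little")   # e_lfanew
    return base64.b64encode(bytes(header)).decode("ascii")[:76]


def case_variant(line: str) -> str:
    """Same line with the 'TV' prefix lowercased: valid base64, other bytes."""
    return line[:2].lower() + line[2:]


def verdicts(line: str) -> dict:
    """Decoded first two bytes plus the result of each matching mode."""
    return {
        "decoded_prefix": base64.b64decode(line)[:2],
        "sensitive": bool(SENSITIVE.search(line)),
        "insensitive": bool(INSENSITIVE.search(line)),
    }


if __name__ == "__main__":
    real = constructed_mz_line()
    for label, line in (("MZ header", real), ("case variant", case_variant(real))):
        print(label, line[:16], verdicts(line))
```

The case variant decodes to bytes that are not an MZ header, yet the case-folded match still rejects it, which is the false-positive risk of running these patterns case-insensitively.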