Expand description
Structural PE anomaly detection — pure computation over a parsed PeFile.
These heuristics fire on PE header fields that are valid by the spec but statistically associated with malware: writable+executable sections, entry points outside all sections, large virtual/raw size ratios, TLS callbacks, and appended overlay data.
All functions are pure (no I/O). The caller provides a fully-parsed
PeFile from crate::parser::parse_pe.
Enums§
- PeAnomaly
- A structural anomaly found in a PE binary.
Functions§
- detect_
structural_ anomalies - Compute structural anomalies from a fully-parsed
PeFile. - entry_
point_ in_ section - Return
truewhenentry_rvafalls within the virtual address range of at least one section ([va, va + virtual_size)).