Skip to main content

Module anomalies

Module anomalies 

Source
Expand description

Structural PE anomaly detection — pure computation over a parsed PeFile.

These heuristics fire on PE header fields that are valid by the spec but statistically associated with malware: writable+executable sections, entry points outside all sections, large virtual/raw size ratios, TLS callbacks, and appended overlay data.

All functions are pure (no I/O). The caller provides a fully-parsed PeFile from crate::parser::parse_pe.

Enums§

PeAnomaly
A structural anomaly found in a PE binary.

Functions§

detect_structural_anomalies
Compute structural anomalies from a fully-parsed PeFile.
entry_point_in_section
Return true when entry_rva falls within the virtual address range of at least one section ([va, va + virtual_size)).