the function to get PE position about secml_malware HOT 6 CLOSED

if this is an issue, then the shift attack and extension attack may be impacted

from secml_malware.

Is that before or after the extension of the header?
Because it must be that, since the PE is shifted for the case 2.

from secml_malware.

its before header extension. I just want to simply compare the three functions based on one input sample, to see if there are performing the same function.

By the way, your work truly inspired me about what I am working on. However, I am pretty new on this topic, probably a lots of questions, hope you don't mind. About the bool parameter "shift_values", it's always minus 1 when shift_values=True, what's the reason behind this?

Thank you so much!

from secml_malware.

Mmmh, strange.
Can you please tell me when this happens?
Because I can't find this in my tests.

The parameter shift_values express is used for networks that adds one to the bytes (so, the embedding value is 0 instead of 256). In this way, when reading the byte of a program, it correctly maps it inside the correct space.

Happy that my work has inspired you 👍

from secml_malware.

I noticed that, if the second method, which in your program, is fed with integer (not the path), then the results of above three methods are consistent. While if feed a str (path) to second method, then the result is different with other two.

So I just keep the input consistent, should solve the issue.

And thanks for you explanation about the shift_values. that's smart!

from secml_malware.

Mmmmmh.
So, inside the library, everything works with integer lists.
Closing the issue now, but I'll have a look to LIEF (with your suggestion).

Btw, thank you for appreciating this work! :)

from secml_malware.