Merge pull request #461 from fireeye/pe-add-os-windows

focus on os windows

load-code/pe/access-pe-header.yml

@@ -9,6 +9,8 @@ rule:
     examples:
       - 563653399B82CD443F120ECEFF836EA3678D4CF11D9B351BB737573C2D856299:0x1400018E0
   features:
-    - or:
-      - api: RtlImageNtHeader
-      - api: RtlImageNtHeaderEx
+    - and:
+      - os: windows
+      - or:
+        - api: RtlImageNtHeader
+        - api: RtlImageNtHeaderEx

load-code/pe/enumerate-pe-sections.yml

@@ -11,6 +11,7 @@ rule:
       - E4C33AC3638EEF68311F8AC0D72483C7:0x401510
   features:
     - and:
+      - os: windows
       - offset: 0x6 = IMAGE_NT_HEADERS.FileHeader.NumberOfSections
       - basic block:
         - or:

load-code/pe/inject-dll-reflectively.yml

@@ -13,6 +13,7 @@ rule:
       - E4C33AC3638EEF68311F8AC0D72483C7:0x401510
   features:
     - and:
+      - os: windows
       - match: enumerate PE sections
       - match: rebuild import table
       - basic block:

load-code/pe/inspect-section-memory-permissions.yml

@@ -9,6 +9,7 @@ rule:
       - E4C33AC3638EEF68311F8AC0D72483C7:0x401480
   features:
     - and:
+      - os: windows
       - 3 or more:
         - and:
           - number: 0x40000000 = IMAGE_SCN_MEM_READ

load-code/pe/parse-pe-exports.yml

@@ -10,6 +10,7 @@ rule:
       - E4C33AC3638EEF68311F8AC0D72483C7:0x401390
   features:
     - and:
+      - os: windows
       - offset: 0x3C = IMAGE_DOS_HEADER.e_lfanew
       - or:
         - offset/x32: 0x78 = IMAGE_NT_HEADERS32.OptionalHeader.DataDirectory.VirtualAddress

load-code/pe/rebuild-import-table.yml

@@ -11,6 +11,7 @@ rule:
       - E4C33AC3638EEF68311F8AC0D72483C7:0x401510
   features:
     - and:
+      - os: windows
       - offset: 0x7C = IMAGE_NT_HEADERS.OptionalHeader.DataDirectory.Size
       - offset: 0x78 = IMAGE_NT_HEADERS.OptionalHeader.DataDirectory.VirtualAddress
       - basic block: