VersionInfo and utf-16le vs utf-16be

[arty-hlr]

Hello,

While working on those LOL drivers, I noticed a few things:

• several documentation files state that the VersionInfo strings come from the PE header, that is incorrect, as they come from a string table in the resources section
• the yara-generator.py uses utf-16be instead of utf-16le to generate the hex encoded strings. This works because there usually is a zero byte before the string from the previous one, but should be fixed
• a few rules only contain a FileVersion or ProductVersion from that string table. These might be too broad and could result in FPs

I can submit a PR for the first two points if desired, for the third point I guess it's up to you, but at least a sentence about it would be helpful.

[josehelps]

Hey @arty-hlr a PR for the firs two would be awesome thank you! As per the FileVersion or ProductVersion, are you referring to yara rules mind pointing me to it. Likely I can adjust the generation script to make it more specific.

[MHaggis]

Hey @arty-hlr, just circling back on this!

We’d still love to see a PR for the first two points if you’re still interested in contributing. As for the third point regarding FileVersion/ProductVersion in the YARA rules, were you able to pinpoint any specific cases where they might be too broad? If so, feel free to share your thoughts, and we can look into refining them.

Appreciate your input, and thanks again for your contributions!

[arty-hlr]

Hi @MHaggis thanks for the reminder, sorry this completely slipped my mind. I'll get on this in the next few days!