base/bif/plugins/Zeek_PE.events.bif.zeek

Namespace: GLOBAL

Summary

Events

pe_dos_code: event

A PE file DOS stub was parsed.

pe_dos_header: event

A PE file DOS header was parsed.

pe_file_header: event

A PE file file header was parsed.

pe_optional_header: event

A PE file optional header was parsed.

pe_section_header: event

A PE file section header was parsed.

Detailed Interface

Events

pe_dos_code
Type

event (f: fa_file, code: string)

A PE file DOS stub was parsed. The stub is a valid application that runs under MS-DOS, by default to inform the user that the program can’t be run in DOS mode.

Parameters
  • f – The file.

  • code – The DOS stub

See also: pe_dos_header, pe_file_header, pe_optional_header, pe_section_header

pe_dos_header
Type

event (f: fa_file, h: PE::DOSHeader)

A PE file DOS header was parsed. This is the top-level header and contains information like the size of the file, initial value of registers, etc.

Parameters
  • f – The file.

  • h – The parsed DOS header information.

See also: pe_dos_code, pe_file_header, pe_optional_header, pe_section_header

pe_file_header
Type

event (f: fa_file, h: PE::FileHeader)

A PE file file header was parsed. This header contains information like the target machine, the timestamp when the file was created, the number of sections, and pointers to other parts of the file.

Parameters
  • f – The file.

  • h – The parsed file header information.

See also: pe_dos_header, pe_dos_code, pe_optional_header, pe_section_header

pe_optional_header
Type

event (f: fa_file, h: PE::OptionalHeader)

A PE file optional header was parsed. This header is required for executable files, but not for object files. It contains information like OS requirements to execute the file, the original entry point address, and information needed to load the file into memory.

Parameters
  • f – The file.

  • h – The parsed optional header information.

See also: pe_dos_header, pe_dos_code, pe_file_header, pe_section_header

pe_section_header
Type

event (f: fa_file, h: PE::SectionHeader)

A PE file section header was parsed. This header contains information like the section name, size, address, and characteristics.

Parameters
  • f – The file.

  • h – The parsed section header information.

See also: pe_dos_header, pe_dos_code, pe_file_header, pe_optional_header
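The five events above arrive in file order (DOS header, DOS code, file header, optional header, then one `pe_section_header` per section), so a script that wants to cross-check the optional header against the sections has to carry state between events keyed on the file ID. The following script is an added example for this page, not code shipped with Zeek: it raises a notice for a section that is mapped both writable and executable, and for an entry point that does not fall inside an executable section. It assumes the record fields `h$addr_of_entry_point` (PE::OptionalHeader), `h$name`, `h$virtual_addr`, `h$virtual_size`, `h$size_of_raw_data` and `h$characteristics` (PE::SectionHeader), and that `characteristics` is a `set[count]` holding the bit value of each flag set in the header; the constants are the section flag values from the PE/COFF specification. Run it against a capture that carries a PE transfer, e.g. `zeek -r capture.pcap pe-checks.zeek`.

```zeek
##! Added example for the PE events (not part of the Zeek distribution).
##! Flags writable+executable sections and an entry point outside any
##! executable section of the same file.

@load base/frameworks/notice
@load base/files/pe

module PEChecks;

export {
	redef enum Notice::Type += {
		## A section is mapped writable and executable at the same time.
		WX_Section,
		## The optional header's entry point lies in a non-executable section.
		Entry_Point_Not_Executable,
	};
}

# Section characteristic bits from the PE/COFF specification.
# Assumption: the analyzer stores each set flag's bit value as a count
# in h$characteristics (set[count]).
const IMAGE_SCN_MEM_EXECUTE: count = 0x20000000;
const IMAGE_SCN_MEM_WRITE: count = 0x80000000;

# Entry point RVA per file ID, recorded when the optional header is seen
# and consulted for every section header that follows. Expired in case
# file_state_remove never fires for a file.
global entry_points: table[string] of count &create_expire=5mins;

event pe_optional_header(f: fa_file, h: PE::OptionalHeader)
	{
	# Assumed field name: addr_of_entry_point (RVA of the entry point).
	entry_points[f$id] = h$addr_of_entry_point;
	}

event pe_section_header(f: fa_file, h: PE::SectionHeader)
	{
	local executable = IMAGE_SCN_MEM_EXECUTE in h$characteristics;
	local writable = IMAGE_SCN_MEM_WRITE in h$characteristics;

	if ( executable && writable )
		{
		NOTICE([$note=WX_Section,
		        $f=f,
		        $msg=fmt("PE section %s is writable and executable", h$name),
		        $sub=fmt("vaddr=0x%x vsize=%d raw=%d",
		                 h$virtual_addr, h$virtual_size, h$size_of_raw_data)]);
		}

	# Check whether the recorded entry point falls in this section's
	# virtual address range; if so, the section should be executable.
	if ( f$id in entry_points )
		{
		local ep = entry_points[f$id];
		if ( ep >= h$virtual_addr && ep < h$virtual_addr + h$virtual_size && ! executable )
			{
			NOTICE([$note=Entry_Point_Not_Executable,
			        $f=f,
			        $msg=fmt("PE entry point 0x%x is inside non-executable section %s",
			                 ep, h$name),
			        $sub=fmt("vaddr=0x%x vsize=%d", h$virtual_addr, h$virtual_size)]);
			}
		}
	}

event file_state_remove(f: fa_file)
	{
	# Drop the per-file state once Zeek is done with the file.
	delete entry_points[f$id];
	}
```

Both notices carry the `fa_file` record, so the Notice framework fills in the file ID and the connections that transported the file; the section-level detail goes in `$sub` so notice.log stays one line per finding. Because section headers are only matched against the entry point when the optional header has already been seen for that file ID, a PE whose optional header was never parsed (a truncated transfer, for instance) produces no entry-point notice rather than a spurious one.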