base/bif/plugins/Zeek_PE.events.bif.zeek
Namespace: GLOBAL
Summary
Events
pe_dos_code | A PE file DOS stub was parsed.
pe_dos_header | A PE file DOS header was parsed.
pe_file_header | A PE file file header was parsed.
pe_optional_header | A PE file optional header was parsed.
pe_section_header | A PE file section header was parsed.
Detailed Interface
Events
- pe_dos_code
- Type: event (f: fa_file, code: string)
A PE file DOS stub was parsed. The stub is a valid application that runs under MS-DOS; by default it only informs the user that the program can’t be run in DOS mode.
- Parameters
f – The file.
code – The DOS stub.
See also: pe_dos_header, pe_file_header, pe_optional_header, pe_section_header
- pe_dos_header
- Type: event (f: fa_file, h: PE::DOSHeader)
A PE file DOS header was parsed. This is the top-level header and contains information like the size of the file, initial value of registers, etc.
- Parameters
f – The file.
h – The parsed DOS header information.
See also: pe_dos_code, pe_file_header, pe_optional_header, pe_section_header
- pe_file_header
- Type: event (f: fa_file, h: PE::FileHeader)
A PE file file header was parsed. This header contains information like the target machine, the timestamp when the file was created, the number of sections, and pointers to other parts of the file.
- Parameters
f – The file.
h – The parsed file header information.
See also: pe_dos_header, pe_dos_code, pe_optional_header, pe_section_header
- pe_optional_header
- Type: event (f: fa_file, h: PE::OptionalHeader)
A PE file optional header was parsed. This header is required for executable files, but not for object files. It contains information like OS requirements to execute the file, the original entry point address, and information needed to load the file into memory.
- Parameters
f – The file.
h – The parsed optional header information.
See also: pe_dos_header, pe_dos_code, pe_file_header, pe_section_header
- pe_section_header
- Type: event (f: fa_file, h: PE::SectionHeader)
A PE file section header was parsed. This header contains information like the section name, size, address, and characteristics.
- Parameters
f – The file.
h – The parsed section header information.
See also: pe_dos_header, pe_dos_code, pe_file_header, pe_optional_header
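The following script is an added example of handling pe_optional_header and pe_section_header together; it is not part of Zeek's distribution or of the page above. It correlates the entry point reported by the optional header with the section headers that follow it, and raises a notice when a section is mapped both writable and executable or when the entry point lies in a section that is not marked executable, two layouts that normal linkers do not produce and that a defender may want to review. Assumptions: the record field names (addr_of_entry_point, name, virtual_addr, virtual_size, characteristics) are taken from Zeek's PE record types as defined in base/init-bare.zeek; characteristics is assumed to be a set holding each set flag as its own bit value (the same representation the stock policy/files/pe script relies on); the flag constants come from the PE/COFF specification; the module name PEChecks and the notice types are this example's own.

```zeek
@load base/frameworks/notice
@load base/files/pe

module PEChecks;

export {
	redef enum Notice::Type += {
		## A PE section is mapped both writable and executable.
		Writable_Executable_Section,
		## The optional header's entry point falls inside a section
		## that is not marked executable.
		Entry_Point_In_Non_Exec_Section,
	};

	## Section characteristic bits, as given in the PE/COFF specification.
	const IMAGE_SCN_MEM_EXECUTE: count = 0x20000000;
	const IMAGE_SCN_MEM_WRITE: count = 0x80000000;
}

# Entry point RVA seen in the optional header, keyed by file id, so that
# later section headers of the same file can be checked against it.
# Assumed field name: PE::OptionalHeader$addr_of_entry_point.
global entry_points: table[string] of count &create_expire=5min;

event pe_optional_header(f: fa_file, h: PE::OptionalHeader)
	{
	entry_points[f$id] = h$addr_of_entry_point;
	}

event pe_section_header(f: fa_file, h: PE::SectionHeader)
	{
	# Assumption: Zeek stores each set characteristic flag as its bit value.
	local is_exec = IMAGE_SCN_MEM_EXECUTE in h$characteristics;
	local is_write = IMAGE_SCN_MEM_WRITE in h$characteristics;

	if ( is_exec && is_write )
		NOTICE([$note=Writable_Executable_Section,
		        $f=f,
		        $msg=fmt("section %s is mapped writable and executable", h$name),
		        $identifier=cat(f$id, h$name)]);

	# The optional header precedes the section table, so the entry point
	# is normally known by now; skip the check if it is not.
	if ( f$id !in entry_points )
		return;

	local ep = entry_points[f$id];
	local in_section = ep >= h$virtual_addr && ep < h$virtual_addr + h$virtual_size;

	if ( in_section && ! is_exec )
		NOTICE([$note=Entry_Point_In_Non_Exec_Section,
		        $f=f,
		        $msg=fmt("entry point RVA %d lies in non-executable section %s", ep, h$name),
		        $identifier=cat(f$id, "entry-point")]);
	}

event file_state_remove(f: fa_file)
	{
	delete entry_points[f$id];
	}
```

Load it alongside the base PE analysis (for example with `zeek -r sample.pcap pe-checks.zeek` on a capture containing PE downloads); matching files appear in notice.log with the file id filled in from the `$f` field, and the `$identifier` keeps repeated sections of the same file from generating duplicate notices.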