main.zeek¶

ts: time &log: Current timestamp.
id: string &log: File id of this portable executable file.
machine: string &log &optional: The target machine that the file was compiled for.
compile_ts: time &log &optional: The time that the file was created at.
os: string &log &optional: The required operating system.
subsystem: string &log &optional: The subsystem that is required to run this file.
is_exe: bool &log &default = T &optional: Is the file an executable, or just an object file?
is_64bit: bool &log &default = T &optional: Is the file a 64-bit executable?
uses_aslr: bool &log &default = F &optional: Does the file support Address Space Layout Randomization?
uses_dep: bool &log &default = F &optional: Does the file support Data Execution Prevention?
uses_code_integrity: bool &log &default = F &optional: Does the file enforce code integrity checks?
uses_seh: bool &log &default = T &optional: Does the file use structured exception handing?
has_import_table: bool &log &optional: Does the file have an import table?
has_export_table: bool &log &optional: Does the file have an export table?
has_cert_table: bool &log &optional: Does the file have an attribute certificate table?
has_debug_data: bool &log &optional: Does the file have a debug table?
section_names: vector of string &log &optional: The names of the sections, in order.

Events¶

PE::log_pe¶

Type:	`event` (rec: `PE::Info`)

Event for accessing logged records.

Hooks¶

PE::log_policy¶

Type:	`Log::PolicyHook`

PE::set_file¶

Type:	`hook` (f: `fa_file`) : `bool`

A hook that gets called when we first see a PE file.