base/files/pe/main.zeek

PE
Namespace

PE

Imports

base/files/pe/consts.zeek

Summary

Types

PE::Info: record

Redefinitions

Log::ID: enum

fa_file: record &redef
New Fields

fa_file

pe: PE::Info &optional

Events

PE::log_pe: event

Event for accessing logged records.

Hooks

PE::log_policy: Log::PolicyHook

PE::set_file: hook

A hook that gets called when we first see a PE file.

Detailed Interface

Types

PE::Info
Type

record

ts: time &log

Current timestamp.

id: string &log

File id of this portable executable file.

machine: string &log &optional

The target machine that the file was compiled for.

compile_ts: time &log &optional

The time that the file was created at.

os: string &log &optional

The required operating system.

subsystem: string &log &optional

The subsystem that is required to run this file.

is_exe: bool &log &default = T &optional

Is the file an executable, or just an object file?

is_64bit: bool &log &default = T &optional

Is the file a 64-bit executable?

uses_aslr: bool &log &default = F &optional

Does the file support Address Space Layout Randomization?

uses_dep: bool &log &default = F &optional

Does the file support Data Execution Prevention?

uses_code_integrity: bool &log &default = F &optional

Does the file enforce code integrity checks?

uses_seh: bool &log &default = T &optional

Does the file use structured exception handing?

has_import_table: bool &log &optional

Does the file have an import table?

has_export_table: bool &log &optional

Does the file have an export table?

has_cert_table: bool &log &optional

Does the file have an attribute certificate table?

has_debug_data: bool &log &optional

Does the file have a debug table?

section_names: vector of string &log &optional

The names of the sections, in order.

Events

PE::log_pe
Type

event (rec: PE::Info)

Event for accessing logged records.

Hooks

PE::log_policy
Type

Log::PolicyHook

PE::set_file
Type

hook (f: fa_file) : bool

A hook that gets called when we first see a PE file.