main.zeek

Summary

`Log::ID`: `enum`	`PE::LOG`
`fa_file`: `record` `&redef`	New Fields: `fa_file` pe: `PE::Info` `&optional`

Event for accessing logged records.

`PE::log_policy`: `Log::PolicyHook`
`PE::set_file`: `hook`	A hook that gets called when we first see a PE file.

Type:

record

Fields:

machine: string &log &optional: The target machine that the file was compiled for.

compile_ts: time &log &optional: The time that the file was created at.

subsystem: string &log &optional: The subsystem that is required to run this file.

is_exe: bool &log &default = T &optional: Is the file an executable, or just an object file?

is_64bit: bool &log &default = T &optional: Is the file a 64-bit executable?

uses_aslr: bool &log &default = F &optional: Does the file support Address Space Layout Randomization?

uses_dep: bool &log &default = F &optional: Does the file support Data Execution Prevention?

uses_code_integrity: bool &log &default = F &optional: Does the file enforce code integrity checks?

uses_seh: bool &log &default = T &optional: Does the file use structured exception handing?

has_import_table: bool &log &optional: Does the file have an import table?

has_export_table: bool &log &optional: Does the file have an export table?

has_cert_table: bool &log &optional: Does the file have an attribute certificate table?

has_debug_data: bool &log &optional: Does the file have a debug table?

section_names: vector of string &log &optional: The names of the sections, in order.

Event for accessing logged records.

A hook that gets called when we first see a PE file.