base/files/pe/main.zeek¶
-
PE¶
| Namespace: | PE |
|---|---|
| Imports: | base/files/pe/consts.zeek |
Summary¶
Events¶
PE::log_pe: event |
Event for accessing logged records. |
Hooks¶
PE::set_file: hook |
A hook that gets called when we first see a PE file. |
Detailed Interface¶
Types¶
-
PE::Info¶ Type: - ts:
time&log Current timestamp.
- id:
string&log File id of this portable executable file.
- machine:
string&log&optional The target machine that the file was compiled for.
- compile_ts:
time&log&optional The time that the file was created at.
- os:
string&log&optional The required operating system.
- subsystem:
string&log&optional The subsystem that is required to run this file.
- is_exe:
bool&log&default=T&optional Is the file an executable, or just an object file?
- is_64bit:
bool&log&default=T&optional Is the file a 64-bit executable?
- uses_aslr:
bool&log&default=F&optional Does the file support Address Space Layout Randomization?
- uses_dep:
bool&log&default=F&optional Does the file support Data Execution Prevention?
- uses_code_integrity:
bool&log&default=F&optional Does the file enforce code integrity checks?
- uses_seh:
bool&log&default=T&optional Does the file use structured exception handing?
- has_import_table:
bool&log&optional Does the file have an import table?
- has_export_table:
bool&log&optional Does the file have an export table?
- has_cert_table:
bool&log&optional Does the file have an attribute certificate table?
- has_debug_data:
bool&log&optional Does the file have a debug table?
- section_names:
vectorofstring&log&optional The names of the sections, in order.
- ts: