This repository contains a Spicy-based analyzer for the Portable Executable (PE) image file format,
- PE format specification
- Tour of the Win32 Portable Executable File Format
- Wikipedia: Portable Executable
This analyzer replaces the builtin Zeek PE analyzer.
Some fields in the logs are disabled by default, but they can be enabled with the following redefinitions.
| Option | Description |
|---|---|
PE::pe_log_section_entropy=T |
Log the Shannon entropy for every section in the section_info field. |
PE::pe_log_section_flags=T |
Log whether sections are (r)eadable, (e)xecutable and/or (w)ritable in the section_info field. |
PE::pe_log_import_table=T |
Log all the imported function names in the PE, prepended with the source file, to the import_table field. |
PE::pe_log_export_table=T |
Log all the exported function names in the PE to the export_table field. |
- parse the data from remaining directory sections
- allowing tuning/control of parsing contraints would be nice, but something that Spicy would have to support, see this discussion