spicy-pe

PE analyzer

This repository contains a Spicy-based analyzer for the Portable Executable (PE) image file format,

This analyzer replaces the builtin Zeek PE analyzer.

Options

Some fields in the logs are disabled by default, but they can be enabled with the following redefinitions.

OptionDescription
PE::pe_log_section_entropy=TLog the Shannon entropy for every section in the section_names field.
PE::pe_log_section_flags=TLog whether sections are (r)eadable, (e)xecutable and/or (w)ritable in the section_names field.
PE::pe_log_import_table=TLog all the imported function names in the PE, prepended with the source file, to the import_table field.
PE::pe_log_export_table=TLog all the exported function names in the PE to the export_table field.

TODOs

  • parse the data from remaining directory sections
  • allowing tuning/control of parsing contraints would be nice, but something that Spicy would have to support, see this discussion

Package Version :