PE analyzer

This repository contains a Spicy-based analyzer for the Portable Executable (PE) image file format,

PE format specification
Tour of the Win32 Portable Executable File Format
Wikipedia: Portable Executable

This analyzer replaces the builtin Zeek PE analyzer.

Options

Some fields in the logs are disabled by default, but they can be enabled with the following redefinitions.

Option	Description
`PE::pe_log_section_entropy=T`	Log the Shannon entropy for every section in the `section_info` field.
`PE::pe_log_section_flags=T`	Log whether sections are (r)eadable, (e)xecutable and/or (w)ritable in the `section_info` field.
`PE::pe_log_import_table=T`	Log all the imported function names in the PE, prepended with the source file, to the `import_table` field.
`PE::pe_log_export_table=T`	Log all the exported function names in the PE to the `export_table` field.

TODOs

parse the data from remaining directory sections
allowing tuning/control of parsing contraints would be nice, but something that Spicy would have to support, see this discussion

spicy-pe

PE analyzer

Options

TODOs

Package Version :

Description :

Script Dir :

Plugin Dir :

Build Command :

Test Command :

Description :

Script Dir :

Plugin Dir :

Build Command :

Test Command :

Description :

Script Dir :

Plugin Dir :

Build Command :

Test Command :

Description :

Script Dir :

Plugin Dir :

Build Command :

Test Command :

Description :

Script Dir :

Plugin Dir :

Build Command :

Test Command :

Description :

Script Dir :

Plugin Dir :

Build Command :

Test Command :

Description :

Script Dir :

Plugin Dir :

Build Command :

Test Command :

Description :

Script Dir :

Plugin Dir :

Build Command :

Test Command :

Description :

Script Dir :

Plugin Dir :

Build Command :

Test Command :

Description :

Script Dir :

Plugin Dir :

Build Command :

Test Command :

Description :

Script Dir :

Plugin Dir :

Build Command :

Test Command :

Description :

Script Dir :

Plugin Dir :

Build Command :

Test Command :