This repository contains a Spicy-based analyzer for the Portable Executable (PE) image file format.

References:

- PE format specification
- Tour of the Win32 Portable Executable File Format
- Wikipedia: Portable Executable
This analyzer replaces the builtin Zeek PE analyzer.
Some fields in the logs are disabled by default, but they can be enabled with the following redefinitions.
- Log the Shannon entropy for every section in the PE log.
- Log whether sections are (r)eadable, (e)xecutable and/or (w)ritable in the PE log.
- Log all the imported function names in the PE, prepended with the source file, to the PE log.
- Log all the exported function names in the PE to the PE log.
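To make the section fields concrete, the following is an added Python example, not the project's Spicy code and not part of this README. It parses the section table of a constructed, minimal PE-like image and computes per-section Shannon entropy plus the r/e/w flags from the section `Characteristics` bits, the same quantities the optional fields above log. The sample image, the `.packed` section and all helper names are constructed for the example.

```python
import math
import struct
from collections import Counter

# Section Characteristics bits from the PE/COFF specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant data, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return sum(-(c / n) * math.log2(c / n) for c in Counter(data).values())


def section_flags(characteristics: int) -> str:
    """Render (r)eadable / (e)xecutable / (w)ritable as a three-character string."""
    return "".join([
        "r" if characteristics & IMAGE_SCN_MEM_READ else "-",
        "e" if characteristics & IMAGE_SCN_MEM_EXECUTE else "-",
        "w" if characteristics & IMAGE_SCN_MEM_WRITE else "-",
    ])


def parse_sections(image: bytes) -> list[dict]:
    """Walk DOS header -> PE signature -> COFF header -> section table.

    Returns one dict per section (name, flags, entropy of the raw data).
    Every offset is bounds-checked so a truncated image raises ValueError
    instead of silently producing misleading values.
    """
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    if coff + 20 > len(image):
        raise ValueError("COFF header truncated")
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    table = coff + 20 + opt_size
    sections = []
    for i in range(nsections):
        off = table + 40 * i
        if off + 40 > len(image):
            raise ValueError("section table truncated")
        # 40-byte IMAGE_SECTION_HEADER
        name, _, _, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", image, off)
        raw = image[raw_ptr:raw_ptr + raw_size]
        if len(raw) != raw_size:
            raise ValueError(f"raw data of section {name!r} truncated")
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "flags": section_flags(chars),
            "entropy": round(shannon_entropy(raw), 3),
        })
    return sections


def build_sample_image() -> bytes:
    """Constructed minimal PE-like image (not a real executable) with two sections."""
    text_data = b"\x90" * 64            # constant bytes: entropy 0.0
    packed_data = bytes(range(256))     # every byte value once: entropy 8.0
    headers_len = 0x40 + 4 + 20 + 40 * 2  # DOS hdr + "PE\0\0" + COFF + 2 section headers
    text_ptr = headers_len
    packed_ptr = text_ptr + len(text_data)

    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 0, 0)     # no optional header

    def hdr(name: bytes, data: bytes, ptr: int, chars: int) -> bytes:
        return struct.pack("<8sIIIIIIHHI", name, len(data), 0x1000, len(data), ptr,
                           0, 0, 0, 0, chars)

    text_hdr = hdr(b".text", text_data, text_ptr, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE)
    packed_hdr = hdr(b".packed", packed_data, packed_ptr,
                     IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE)
    return dos + b"PE\0\0" + coff + text_hdr + packed_hdr + text_data + packed_data


if __name__ == "__main__":
    for s in parse_sections(build_sample_image()):
        print(f"{s['name']:<8} {s['flags']} entropy={s['entropy']}")
```

A section whose entropy approaches 8 bits per byte and that is also writable and executable is the usual sign of packed or encrypted code, which is why the entropy and flag fields are most useful enabled together. The parser refuses truncated input rather than computing entropy over a short buffer, since a partial section would otherwise look deceptively low-entropy.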
Not yet implemented:

- parse the data from the remaining directory sections
- allowing tuning/control of parsing constraints would be nice, but that is something Spicy would have to support; see this discussion