PE analyzer

This repository contains a Spicy-based analyzer for the Portable Executable (PE) image file format,

This analyzer replaces the builtin Zeek PE analyzer.


Some fields in the logs are disabled by default, but they can be enabled with the following redefinitions.

PE::pe_log_section_entropy=TLog the Shannon entropy for every section in the section_info field.
PE::pe_log_section_flags=TLog whether sections are (r)eadable, (e)xecutable and/or (w)ritable in the section_info field.
PE::pe_log_import_table=TLog all the imported function names in the PE, prepended with the source file, to the import_table field.
PE::pe_log_export_table=TLog all the exported function names in the PE to the export_table field.


  • parse the data from remaining directory sections
  • allowing tuning/control of parsing contraints would be nice, but something that Spicy would have to support, see this discussion

Package Version :