These fields contain information about code libraries dynamically loaded into processes.
Many operating systems refer to "shared code libraries" by different names, but this field set covers all of the following:
- Dynamic-link library (.dll), commonly used on Windows
- Shared Object (.so), commonly used on Unix-like operating systems
- Dynamic library (.dylib), commonly used on macOS
Constants
- DLL_CODE_SIGNATURE_DIGEST_ALGORITHM - The hashing algorithm used to sign the library. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.
- DLL_CODE_SIGNATURE_EXISTS - Boolean to capture whether a signature is present.
- DLL_CODE_SIGNATURE_SIGNING_ID - The identifier used to sign the library. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.
- DLL_CODE_SIGNATURE_STATUS - Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.
- DLL_CODE_SIGNATURE_SUBJECT_NAME - Subject name of the code signer.
- DLL_CODE_SIGNATURE_TEAM_ID - The team identifier used to sign the library. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.
- DLL_CODE_SIGNATURE_TIMESTAMP - Date and time when the code signature was generated and signed.
- DLL_CODE_SIGNATURE_TRUSTED - Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.
- DLL_CODE_SIGNATURE_VALID - Boolean to capture whether the digital signature is verified against the binary content. Leave unpopulated if the certificate was unchecked. Note that valid and trusted are independent: a signature can verify correctly against the file contents while its certificate chain is untrusted, so detection logic should check both.
- DLL_HASH_MD5 - MD5 hash.
- DLL_HASH_SHA1 - SHA1 hash.
- DLL_HASH_SHA256 - SHA256 hash.
- DLL_HASH_SHA384 - SHA384 hash.
- DLL_HASH_SHA512 - SHA512 hash.
- DLL_HASH_SSDEEP - SSDEEP hash.
- DLL_HASH_TLSH - TLSH hash.
- DLL_NAME - Name of the library. This generally maps to the name of the file on disk.
- DLL_PATH - Full file path of the library.
- DLL_PE_ARCHITECTURE - CPU architecture target for the file.
- DLL_PE_COMPANY - Internal company name of the file, provided at compile-time.
- DLL_PE_DESCRIPTION - Internal description of the file, provided at compile-time.
- DLL_PE_FILE_VERSION - Internal version of the file, provided at compile-time.
- DLL_PE_GO_IMPORTS - List of imported Go language element names and types.
- DLL_PE_GO_IMPORTS_NAMES_ENTROPY - Shannon entropy calculation from the list of Go imports.
- DLL_PE_GO_IMPORTS_NAMES_VAR_ENTROPY - Variance for Shannon entropy calculation from the list of Go imports.
- DLL_PE_GO_IMPORT_HASH - A hash of the Go language imports in a PE file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. The algorithm used to calculate the Go symbol hash and a reference implementation are available here.
- DLL_PE_GO_STRIPPED - Set to true if the file is a Go executable that has had its symbols stripped or obfuscated, and false if it is an unobfuscated Go executable.
- DLL_PE_IMPHASH - A hash of the imports in a PE file. An imphash, or import hash, can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.
- DLL_PE_IMPORTS - List of imported element names and types.
- DLL_PE_IMPORTS_NAMES_ENTROPY - Shannon entropy calculation from the list of imported element names and types.
- DLL_PE_IMPORTS_NAMES_VAR_ENTROPY - Variance for Shannon entropy calculation from the list of imported element names and types.
- DLL_PE_IMPORT_HASH - A hash of the imports in a PE file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is a synonym for imphash.
- DLL_PE_ORIGINAL_FILE_NAME - Internal name of the file, provided at compile-time.
- DLL_PE_PEHASH - A hash of the PE header and data from one or more PE sections. A pehash can be used to cluster files by transforming structural information about a file into a hash value. Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.
- DLL_PE_PRODUCT - Internal product name of the file, provided at compile-time.
- DLL_PE_SECTIONS - An array containing an object for each section of the PE file. The keys that should be present in these objects are defined by the sub-fields underneath pe.sections.*.
- DLL_PE_SECTIONS_ENTROPY - Shannon entropy calculation from the section.
- DLL_PE_SECTIONS_NAME - PE Section List name.
- DLL_PE_SECTIONS_PHYSICAL_SIZE - PE Section List physical size (the size of the section's raw data on disk).
- DLL_PE_SECTIONS_VAR_ENTROPY - Variance for Shannon entropy calculation from the section.
- DLL_PE_SECTIONS_VIRTUAL_SIZE - PE Section List virtual size (the size of the section once mapped into memory). This is not always the same as physical_size: uninitialized data and alignment padding routinely make the two differ, and a section whose virtual size greatly exceeds its physical size is a common packer indicator worth alerting on.
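The imphash (DLL_PE_IMPHASH / DLL_PE_IMPORT_HASH) and section entropy (DLL_PE_SECTIONS_ENTROPY) values above are computed rather than read from the file, so it helps to see the computation. The script below is an added example and is not code from this crate or from the schema it mirrors. It follows the normalisation rules of the widely used pefile imphash implementation as the editor understands them (library name lower-cased with .dll/.ocx/.sys dropped, function names lower-cased, ordinal imports resolved by table, "lib.func" strings joined with commas and MD5-hashed in import-table order). The import table, the section bytes and the partial ordinal table are all constructed for the example; a real tool would obtain them from a PE parser.

```python
"""Compute the fingerprint values behind the dll.pe.* fields from constructed
input: imphash / import_hash and per-section Shannon entropy.

Added example, not code from the crate or the schema. Everything marked
'constructed' or 'assumption' below is made up for the demonstration.
"""
import hashlib
import math
from collections import Counter

# Partial ordinal-to-name table for the two libraries whose exports are
# commonly imported by ordinal. Resolving ordinals makes an ordinal import
# and a by-name import of the same function hash identically. Only a few
# entries are reproduced here (assumption: enough for the sample below).
ORDINAL_NAMES = {
    "ws2_32.dll": {1: "accept", 2: "bind", 3: "closesocket", 4: "connect",
                   16: "recv", 19: "send", 23: "socket",
                   115: "WSAStartup", 116: "WSACleanup"},
    "oleaut32.dll": {2: "SysAllocString", 6: "SysFreeString"},
}

STRIPPED_EXTENSIONS = ("ocx", "sys", "dll")


def _lib_key(dll_name):
    """Lower-case the library name and drop a .dll/.ocx/.sys extension."""
    name = dll_name.lower()
    base, dot, ext = name.rpartition(".")
    if dot and ext in STRIPPED_EXTENSIONS:
        return base
    return name


def import_strings(imports):
    """Normalise an import table into the 'lib.func' strings that get hashed.

    imports: list of (dll_name, [entry, ...]) where each entry is either a
    function name (str) or an ordinal (int), mirroring a PE import directory.
    Unknown ordinals become 'ordN'.
    """
    out = []
    for dll_name, entries in imports:
        lib = _lib_key(dll_name)
        table = ORDINAL_NAMES.get(dll_name.lower(), {})
        for entry in entries:
            func = table.get(entry, "ord%d" % entry) if isinstance(entry, int) else entry
            out.append("%s.%s" % (lib, func.lower()))
    return out


def imphash(imports):
    """MD5 of the comma-joined import strings, in import-table order.

    Order matters: the same imports in a different order hash differently.
    The value survives recompilation of unchanged source because the linker
    keeps the import order stable, but not a reordered or rebuilt import table.
    """
    data = ",".join(import_strings(imports)).encode("ascii", "replace")
    return hashlib.md5(data).hexdigest()


def shannon_entropy(data):
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def section_entropies(sections):
    """Map section name -> entropy, the value stored in pe.sections.entropy."""
    return {name: shannon_entropy(body) for name, body in sections.items()}


def _lcg_bytes(n, seed=0x1234):
    """Deterministic pseudo-random bytes standing in for packed section data."""
    x, out = seed, bytearray()
    for _ in range(n):
        x = (1103515245 * x + 12345) & 0xFFFFFFFF
        out.append((x >> 16) & 0xFF)
    return bytes(out)


# Constructed sample: a loader importing by name from kernel32 and by
# ordinal from ws2_32 (assumption: illustrative, not a real binary).
SAMPLE_IMPORTS = [
    ("KERNEL32.DLL", ["LoadLibraryA", "GetProcAddress", "VirtualAlloc"]),
    ("WS2_32.dll", [115, 23, 4, 19, 16, 116]),
]

# The same imports with different casing, no extension, and the ws2_32
# entries by name instead of ordinal: the imphash must come out identical.
SAMPLE_IMPORTS_EQUIV = [
    ("kernel32.dll", ["loadlibrarya", "getprocaddress", "virtualalloc"]),
    ("ws2_32", ["WSAStartup", "socket", "connect", "send", "recv", "WSACleanup"]),
]

# Constructed section contents: a low-entropy code-like section and a
# high-entropy "packed" section.
SAMPLE_SECTIONS = {
    ".text": b"\x55\x8b\xec" * 400 + b"\x90" * 200 + b"\xc3" * 100,
    ".packed": _lcg_bytes(4096),
}


if __name__ == "__main__":
    print("pe.imphash:", imphash(SAMPLE_IMPORTS))
    for name, h in section_entropies(SAMPLE_SECTIONS).items():
        print("%-8s pe.sections.entropy=%.3f" % (name, h))
```

The two equivalence checks built into the sample data are the ones that matter when you use these fields for hunting: casing and extension differences in the import directory do not change the imphash, whereas reordering the imports does, so an imphash match is strong evidence of shared build lineage while a mismatch proves little. For section entropy, values near 8.0 in a section that should contain code are the signal to pivot on.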