These fields contain Windows Portable Executable (PE) metadata.
Constants
- PE_ARCHITECTURE - CPU architecture target for the file.
- PE_COMPANY - Internal company name of the file, provided at compile-time.
- PE_DESCRIPTION - Internal description of the file, provided at compile-time.
- PE_FILE_VERSION - Internal version of the file, provided at compile-time.
- PE_GO_IMPORTS - List of imported Go language element names and types.
- PE_GO_IMPORTS_NAMES_ENTROPY - Shannon entropy calculation from the list of Go imports.
- PE_GO_IMPORTS_NAMES_VAR_ENTROPY - Variance for Shannon entropy calculation from the list of Go imports.
- PE_GO_IMPORT_HASH - A hash of the Go language imports in a PE file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. The algorithm used to calculate the Go symbol hash and a reference implementation are available here.
- PE_GO_STRIPPED - Set to true if the file is a Go executable that has had its symbols stripped or obfuscated, and false if it is an unobfuscated Go executable.
- PE_IMPHASH - A hash of the imports in a PE file. An imphash – or import hash – can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.
- PE_IMPORTS - List of imported element names and types.
- PE_IMPORTS_NAMES_ENTROPY - Shannon entropy calculation from the list of imported element names and types.
- PE_IMPORTS_NAMES_VAR_ENTROPY - Variance for Shannon entropy calculation from the list of imported element names and types.
- PE_IMPORT_HASH - A hash of the imports in a PE file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is a synonym for imphash.
- PE_ORIGINAL_FILE_NAME - Internal name of the file, provided at compile-time.
- PE_PEHASH - A hash of the PE header and data from one or more PE sections. A pehash can be used to cluster files by transforming structural information about a file into a hash value. Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.
- PE_PRODUCT - Internal product name of the file, provided at compile-time.
- PE_SECTIONS - An array containing an object for each section of the PE file. The keys that should be present in these objects are defined by sub-fields underneath pe.sections.*.
- PE_SECTIONS_ENTROPY - Shannon entropy calculation from the section.
- PE_SECTIONS_NAME - Name of the PE section.
- PE_SECTIONS_PHYSICAL_SIZE - Physical size of the PE section.
- PE_SECTIONS_VAR_ENTROPY - Variance for Shannon entropy calculation from the section.
- PE_SECTIONS_VIRTUAL_SIZE - Virtual size of the PE section. This is always the same as physical_size.