PE
Supported formats
PE32, PE32+
Description
The PE (Portable Executable) file format is the file format for executables, object code, and DLLs (Dynamic-Link Libraries) on Windows operating systems. It is a binary format that defines the structure and layout of the executable code, the data it needs, and the metadata the Windows loader uses to load and execute a program. This backend parses the PE headers and section table and exposes the extracted values as object metadata for further inspection.
info
Available in Contextal Platform 1.0 and later.
Symbols
Object
ISSUES
→ issues were encountered while processing the executable. The detected issues are stored in the object's metadata entry `$issues` and may include the following entries:
`PH_AGGRESSIVE_WS_TRIM_SET`,
`PH_RESERVED_SET`,
`PH_TOO_MANY_SECTIONS`,
`PH_FUTURE_TIMESTAMP`,
`OH_WIN32VERSIONVALUE_SET`,
`OH_IMAGEBASE_BADVAL`,
`OH_SECTIONALIGNMENT_BADVAL`,
`OH_FILEALIGNMENT_BADVAL`,
`OH_SIZEOFIMAGE_BADVAL`,
`OH_SIZEOFHEADERS_BADVAL`,
`OH_LOADERFLAGS_SET`,
`OH_TOO_MANY_DATADIRS`,
`SH*_RES_1_SET`,
`SH*_RES_2_SET`,
`SH*_RES_3_SET`,
`SH*_TYPE_NO_PAD_SET`,
`SH*_RES_5_SET`,
`SH*_LNK_OTHER_SET`,
`SH*_LNK_INFO_SET`,
`SH*_RES_6_SET`,
`SH*_LNK_REMOVE_SET`,
`SH*_LNK_COMDAT_SET`,
`SH*_MEM_PURGEABLE_SET`,
`SH*_MEM_LOCKED_SET`,
`SH*_MEM_PRELOAD_SET`.
Example Metadata
{
"org": "ctx",
"object_id": "547a1a1d08381d2103c9ef6bd7f1bb68783a8d788dd7b336ddca3fbad3684f53",
"object_type": "PE",
"object_subtype": null,
"recursion_level": 1,
"size": 395776,
"hashes": {
"sha512": "a5ce5f334220d3752ad12ae83dbada665c9fdcc020f207ab80280b23e95a99b55605e0fd7426881b45a27fdf4f0e5d0b9e0acd1db283b5474fe99f989ed6a7a5",
"md5": "111ec3b664493425244001508fe4da9f",
"sha1": "50ed10f291611c37cf1cf8fab9d1acd3ebc676a7",
"sha256": "547a1a1d08381d2103c9ef6bd7f1bb68783a8d788dd7b336ddca3fbad3684f53"
},
"ctime": 1726592494.251118,
"ok": {
"symbols": [
"INFECTED",
"INFECTED-CLAM-Win.Packer.pkr_ce1a-9980177-0"
],
"object_metadata": {
"_backend_version": "1.0.0",
"optional_header": {
"AddressOfEntryPoint": 8034,
"BaseOfCode": 4096,
"BaseOfData": 335872,
"CheckSum": 455881,
"DataDirectories": [
{
"Size": 0,
"VirtualAddress": 0
},
{
"Size": 80,
"VirtualAddress": 343140
},
{
"Size": 52168,
"VirtualAddress": 4673536
},
{
"Size": 0,
"VirtualAddress": 0
},
{
"Size": 0,
"VirtualAddress": 0
},
{
"Size": 0,
"VirtualAddress": 0
},
{
"Size": 28,
"VirtualAddress": 336320
},
{
"Size": 0,
"VirtualAddress": 0
},
{
"Size": 0,
"VirtualAddress": 0
},
{
"Size": 24,
"VirtualAddress": 342320
},
{
"Size": 64,
"VirtualAddress": 342248
},
{
"Size": 0,
"VirtualAddress": 0
},
{
"Size": 392,
"VirtualAddress": 335872
},
{
"Size": 0,
"VirtualAddress": 0
},
{
"Size": 0,
"VirtualAddress": 0
},
{
"Size": 0,
"VirtualAddress": 0
}
],
"DllCharacteristics": 33024,
"FileAlignment": 512,
"ImageBase": 4194304,
"LoaderFlags": 0,
"Magic": 267,
"MagicStr": "PE32",
"MajorImageVersion": 0,
"MajorLinkerVersion": 9,
"MajorOperatingSystemVersion": 5,
"MajorSubsystemVersion": 5,
"MinorImageVersion": 0,
"MinorLinkerVersion": 0,
"MinorOperatingSystemVersion": 0,
"MinorSubsystemVersion": 0,
"NumberOfRvaAndSizes": 16,
"SectionAlignment": 4096,
"SizeOfCode": 328192,
"SizeOfHeaders": 1024,
"SizeOfHeapCommit": 4096,
"SizeOfHeapReserve": 1048576,
"SizeOfImage": 4726784,
"SizeOfInitializedData": 4402176,
"SizeOfStackCommit": 4096,
"SizeOfStackReserve": 1048576,
"SizeOfUninitializedData": 0,
"Subsystem": 2,
"SubsystemStr": "Windows GUI subsystem",
"Win32VersionValue": 0
},
"pe_header": {
"Characteristics": 259,
"CharacteristicsSymbols": [
"RELOCS_STRIPPED",
"EXECUTABLE_IMAGE",
"32BIT_MACHINE"
],
"Machine": 332,
"MachineStr": "x86",
"NumberOfSections": 4,
"NumberOfSymbols": 0,
"PointerToSymbolTable": 0,
"SizeOfOptionalHeader": 224,
"TimeDateStamp": 1665993348,
"TimeDateStampString": "2022-10-17 07:55:48 UTC"
},
"section_headers": [
{
"Characteristics": 1610612768,
"CharacteristicsSymbols": [
"CNT_CODE",
"MEM_EXECUTE",
"MEM_READ"
],
"Name": ".text",
"NumberOfLinenumbers": 0,
"NumberOfRelocations": 0,
"PointerToLinenumbers": 0,
"PointerToRawData": 1024,
"PointerToRelocations": 0,
"SizeOfRawData": 328192,
"VirtualAddress": 4096,
"VirtualSize": 328176
},
{
"Characteristics": 1073741888,
"CharacteristicsSymbols": [
"CNT_INITIALIZED_DATA",
"MEM_READ"
],
"Name": ".rdata",
"NumberOfLinenumbers": 0,
"NumberOfRelocations": 0,
"PointerToLinenumbers": 0,
"PointerToRawData": 329216,
"PointerToRelocations": 0,
"SizeOfRawData": 9728,
"VirtualAddress": 335872,
"VirtualSize": 9624
},
{
"Characteristics": 3221225536,
"CharacteristicsSymbols": [
"CNT_INITIALIZED_DATA",
"MEM_READ",
"MEM_WRITE"
],
"Name": ".data",
"NumberOfLinenumbers": 0,
"NumberOfRelocations": 0,
"PointerToLinenumbers": 0,
"PointerToRawData": 338944,
"PointerToRelocations": 0,
"SizeOfRawData": 4608,
"VirtualAddress": 348160,
"VirtualSize": 4325344
},
{
"Characteristics": 1073741888,
"CharacteristicsSymbols": [
"CNT_INITIALIZED_DATA",
"MEM_READ"
],
"Name": ".rsrc",
"NumberOfLinenumbers": 0,
"NumberOfRelocations": 0,
"PointerToLinenumbers": 0,
"PointerToRawData": 343552,
"PointerToRelocations": 0,
"SizeOfRawData": 52224,
"VirtualAddress": 4673536,
"VirtualSize": 52168
}
]
},
"children": []
}
}
Example Queries
object_type == "PE"
&& @match_object_meta($section_headers[0].Name == "UPX0")
- This query matches a PE object whose first section header is named `UPX0`.
object_type == "PE" &&
@match_object_meta($issues == "PH_FUTURE_TIMESTAMP")
- This query matches a PE object for which the `PH_FUTURE_TIMESTAMP` issue was recorded, i.e. its PE header `TimeDateStamp` lies in the future.
Configuration Options
This backend does not use any dedicated configuration options.