:tocdepth: 3

base/files/pe/consts.bro
========================
.. bro:namespace:: PE


:Namespace: PE
:Source File: :download:`/scripts/base/files/pe/consts.bro`

Summary
~~~~~~~
Constants
#########
========================================================================================================================== =
:bro:id:`PE::directories`: :bro:type:`table` :bro:attr:`&default` = :bro:type:`function` :bro:attr:`&optional`             
:bro:id:`PE::dll_characteristics`: :bro:type:`table` :bro:attr:`&default` = :bro:type:`function` :bro:attr:`&optional`     
:bro:id:`PE::file_characteristics`: :bro:type:`table` :bro:attr:`&default` = :bro:type:`function` :bro:attr:`&optional`    
:bro:id:`PE::machine_types`: :bro:type:`table` :bro:attr:`&default` = :bro:type:`function` :bro:attr:`&optional`           
:bro:id:`PE::os_versions`: :bro:type:`table` :bro:attr:`&default` = :bro:type:`function` :bro:attr:`&optional`             
:bro:id:`PE::section_characteristics`: :bro:type:`table` :bro:attr:`&default` = :bro:type:`function` :bro:attr:`&optional` 
:bro:id:`PE::section_descs`: :bro:type:`table` :bro:attr:`&default` = :bro:type:`function` :bro:attr:`&optional`           
:bro:id:`PE::windows_subsystems`: :bro:type:`table` :bro:attr:`&default` = :bro:type:`function` :bro:attr:`&optional`      
========================================================================================================================== =


Detailed Interface
~~~~~~~~~~~~~~~~~~
Constants
#########
.. bro:id:: PE::directories

   :Type: :bro:type:`table` [:bro:type:`count`] of :bro:type:`string`
   :Attributes: :bro:attr:`&default` = :bro:type:`function` :bro:attr:`&optional`
   :Default:

   ::

      {
         [0] = "Export Table",
         [1] = "Import Table",
         [14] = "CLR Runtime Header",
         [8] = "Global Ptr",
         [10] = "Load Config Table",
         [6] = "Debug",
         [12] = "IAT",
         [4] = "Certificate Table",
         [11] = "Bound Import",
         [2] = "Resource Table",
         [5] = "Base Relocation Table",
         [13] = "Delay Import Descriptor",
         [9] = "TLS Table",
         [3] = "Exception Table",
         [7] = "Architecture",
         [15] = "Reserved"
      }


.. bro:id:: PE::dll_characteristics

   :Type: :bro:type:`table` [:bro:type:`count`] of :bro:type:`string`
   :Attributes: :bro:attr:`&default` = :bro:type:`function` :bro:attr:`&optional`
   :Default:

   ::

      {
         [32768] = "TERMINAL_SERVER_AWARE",
         [1024] = "NO_SEH",
         [8192] = "WDM_DRIVER",
         [64] = "DYNAMIC_BASE",
         [128] = "FORCE_INTEGRITY",
         [512] = "NO_ISOLATION",
         [256] = "NX_COMPAT",
         [2048] = "NO_BIND"
      }


.. bro:id:: PE::file_characteristics

   :Type: :bro:type:`table` [:bro:type:`count`] of :bro:type:`string`
   :Attributes: :bro:attr:`&default` = :bro:type:`function` :bro:attr:`&optional`
   :Default:

   ::

      {
         [1] = "RELOCS_STRIPPED",
         [32] = "LARGE_ADDRESS_AWARE",
         [32768] = "BYTES_REVERSED_HI",
         [8] = "LOCAL_SYMS_STRIPPED",
         [1024] = "REMOVABLE_RUN_FROM_SWAP",
         [8192] = "DLL",
         [4] = "LINE_NUMS_STRIPPED",
         [128] = "BYTES_REVERSED_LO",
         [4096] = "SYSTEM",
         [2] = "EXECUTABLE_IMAGE",
         [512] = "DEBUG_STRIPPED",
         [16] = "AGGRESSIVE_WS_TRIM",
         [256] = "32BIT_MACHINE",
         [16384] = "UP_SYSTEM_ONLY",
         [2048] = "NET_RUN_FROM_SWAP"
      }


.. bro:id:: PE::machine_types

   :Type: :bro:type:`table` [:bro:type:`count`] of :bro:type:`string`
   :Attributes: :bro:attr:`&default` = :bro:type:`function` :bro:attr:`&optional`
   :Default:

   ::

      {
         [0] = "UNKNOWN",
         [452] = "ARMNT",
         [3772] = "EBC",
         [496] = "POWERPC",
         [614] = "MIPS16",
         [870] = "MIPSFPU",
         [34404] = "AMD64",
         [43620] = "ARM64",
         [419] = "SH3DSP",
         [422] = "SH4",
         [361] = "WCEMIPSV2",
         [467] = "AM33",
         [1126] = "MIPSFPU16",
         [497] = "POWERPCFP",
         [424] = "SH5",
         [450] = "THUMB",
         [418] = "SH3",
         [332] = "I386",
         [512] = "IA64",
         [36929] = "M32R",
         [448] = "ARM",
         [358] = "R4000"
      }


.. bro:id:: PE::os_versions

   :Type: :bro:type:`table` [:bro:type:`count`, :bro:type:`count`] of :bro:type:`string`
   :Attributes: :bro:attr:`&default` = :bro:type:`function` :bro:attr:`&optional`
   :Default:

   ::

      {
         [6, 4] = "Windows 10 Technical Preview",
         [3, 11] = "Windows for Workgroups 3.11",
         [2, 10] = "Windows 2.10",
         [1, 0] = "Windows 1.0",
         [10, 0] = "Windows 10",
         [6, 1] = "Windows 7 or Server 2008 R2",
         [6, 0] = "Windows Vista or Server 2008",
         [3, 2] = "Windows 3.2",
         [5, 2] = "Windows XP x64 or Server 2003",
         [4, 0] = "Windows 95 or NT 4.0",
         [3, 51] = "Windows NT 3.51",
         [1, 4] = "Windows 1.04",
         [1, 1] = "Windows 1.01",
         [3, 50] = "Windows NT 3.5",
         [2, 11] = "Windows 2.11",
         [2, 0] = "Windows 2.0",
         [6, 2] = "Windows 8 or Server 2012",
         [5, 0] = "Windows 2000",
         [6, 3] = "Windows 8.1 or Server 2012 R2",
         [4, 90] = "Windows Me",
         [4, 10] = "Windows 98",
         [1, 3] = "Windows 1.03",
         [5, 1] = "Windows XP",
         [3, 0] = "Windows 3.0",
         [3, 10] = "Windows 3.1 or NT 3.1"
      }


.. bro:id:: PE::section_characteristics

   :Type: :bro:type:`table` [:bro:type:`count`] of :bro:type:`string`
   :Attributes: :bro:attr:`&default` = :bro:type:`function` :bro:attr:`&optional`
   :Default:

   ::

      {
         [32] = "CNT_CODE",
         [32768] = "GPREL",
         [8] = "TYPE_NO_PAD",
         [12582912] = "ALIGN_2048BYTES",
         [1073741824] = "MEM_READ",
         [131072] = "MEM_16BIT",
         [5242880] = "ALIGN_16BYTES",
         [7340032] = "ALIGN_64BYTES",
         [1048576] = "ALIGN_1BYTES",
         [2097152] = "ALIGN_2BYTES",
         [6291456] = "ALIGN_32BYTES",
         [33554432] = "MEM_DISCARDABLE",
         [268435456] = "MEM_SHARED",
         [64] = "CNT_INITIALIZED_DATA",
         [11534336] = "ALIGN_1024BYTES",
         [536870912] = "MEM_EXECUTE",
         [128] = "CNT_UNINITIALIZED_DATA",
         [4096] = "LNK_COMDAT",
         [16777216] = "LNK_NRELOC_OVFL",
         [2147483648] = "MEM_WRITE",
         [262144] = "MEM_LOCKED",
         [524288] = "MEM_PRELOAD",
         [512] = "LNK_INFO",
         [3145728] = "ALIGN_4BYTES",
         [9437184] = "ALIGN_256BYTES",
         [134217728] = "MEM_NOT_PAGED",
         [4194304] = "ALIGN_8BYTES",
         [10485760] = "ALIGN_512BYTES",
         [13631488] = "ALIGN_4096BYTES",
         [14680064] = "ALIGN_8192BYTES",
         [67108864] = "MEM_NOT_CACHED",
         [256] = "LNK_OTHER",
         [2048] = "LNK_REMOVE",
         [8388608] = "ALIGN_128BYTES"
      }


.. bro:id:: PE::section_descs

   :Type: :bro:type:`table` [:bro:type:`string`] of :bro:type:`string`
   :Attributes: :bro:attr:`&default` = :bro:type:`function` :bro:attr:`&optional`
   :Default:

   ::

      {
         [".tls$"] = "Thread-local storage",
         [".debug$T"] = "Debug types",
         [".sbss"] = "GP-relative uninitialized data",
         [".text"] = "Executable code",
         [".debug$P"] = "Precompiled debug types",
         [".bss"] = "Uninitialized data",
         [".idlsym"] = "Includes registered SEH to support IDL attributes",
         [".xdata"] = "Exception information",
         [".rdata"] = "Read-only initialized data",
         [".idata"] = "Import tables",
         [".sdata"] = "GP-relative initialized data",
         [".sxdata"] = "Registered exception handler data",
         [".tls"] = "Thread-local storage",
         [".drective"] = "Linker options",
         [".debug$F"] = "Generated FPO debug information",
         [".debug$S"] = "Debug symbols",
         [".edata"] = "Export tables",
         [".cormeta"] = "CLR metadata that indicates that the object file contains managed code",
         [".data"] = "Initialized data",
         [".rsrc"] = "Resource directory",
         [".pdata"] = "Exception information",
         [".reloc"] = "Image relocations",
         [".srdata"] = "GP-relative read-only data",
         [".vsdata"] = "GP-relative initialized data"
      }


.. bro:id:: PE::windows_subsystems

   :Type: :bro:type:`table` [:bro:type:`count`] of :bro:type:`string`
   :Attributes: :bro:attr:`&default` = :bro:type:`function` :bro:attr:`&optional`
   :Default:

   ::

      {
         [0] = "UNKNOWN",
         [1] = "NATIVE",
         [14] = "XBOX",
         [10] = "EFI_APPLICATION",
         [12] = "EFI_RUNTIME_DRIVER",
         [11] = "EFI_BOOT_SERVICE_DRIVER",
         [2] = "WINDOWS_GUI",
         [13] = "EFI_ROM",
         [9] = "WINDOWS_CE_GUI",
         [3] = "WINDOWS_CUI",
         [7] = "POSIX_CUI"
      }



