Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-14 04:28:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Change doc/ subdir into a git submodule

Browse source 
The docs now live at https://github.com/zeek/zeek-docs
This commit is contained in:
Jon Siwek 2019-01-17 14:09:29 -06:00
parent 0d685efbf5
commit 2ff746fea7
693 changed files with 26 additions and 105609 deletions
Download patch file Download diff file Expand all files Collapse all files

14
doc/scripts/base/files/pe/__load__.bro.rst
View file

@ -1,14 +0,0 @@
:tocdepth: 3
base/files/pe/__load__.bro
==========================
:Imports: :doc:`base/files/pe/consts.bro </scripts/base/files/pe/consts.bro>`, :doc:`base/files/pe/main.bro </scripts/base/files/pe/main.bro>`
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

281
doc/scripts/base/files/pe/consts.bro.rst
View file

@ -1,281 +0,0 @@
:tocdepth: 3
base/files/pe/consts.bro
========================
.. bro:namespace:: PE
:Namespace: PE
Summary
~~~~~~~
Constants
#########
========================================================================================================================== =
:bro:id:`PE::directories`: :bro:type:`table` :bro:attr:`&default` = :bro:type:`function` :bro:attr:`&optional`
:bro:id:`PE::dll_characteristics`: :bro:type:`table` :bro:attr:`&default` = :bro:type:`function` :bro:attr:`&optional`
:bro:id:`PE::file_characteristics`: :bro:type:`table` :bro:attr:`&default` = :bro:type:`function` :bro:attr:`&optional`
:bro:id:`PE::machine_types`: :bro:type:`table` :bro:attr:`&default` = :bro:type:`function` :bro:attr:`&optional`
:bro:id:`PE::os_versions`: :bro:type:`table` :bro:attr:`&default` = :bro:type:`function` :bro:attr:`&optional`
:bro:id:`PE::section_characteristics`: :bro:type:`table` :bro:attr:`&default` = :bro:type:`function` :bro:attr:`&optional`
:bro:id:`PE::section_descs`: :bro:type:`table` :bro:attr:`&default` = :bro:type:`function` :bro:attr:`&optional`
:bro:id:`PE::windows_subsystems`: :bro:type:`table` :bro:attr:`&default` = :bro:type:`function` :bro:attr:`&optional`
========================================================================================================================== =
Detailed Interface
~~~~~~~~~~~~~~~~~~
Constants
#########
.. bro:id:: PE::directories
:Type: :bro:type:`table` [:bro:type:`count`] of :bro:type:`string`
:Attributes: :bro:attr:`&default` = :bro:type:`function` :bro:attr:`&optional`
:Default:
::
{
[2] = "Resource Table",
[9] = "TLS Table",
[6] = "Debug",
[11] = "Bound Import",
[14] = "CLR Runtime Header",
[4] = "Certificate Table",
[1] = "Import Table",
[8] = "Global Ptr",
[7] = "Architecture",
[15] = "Reserved",
[5] = "Base Relocation Table",
[10] = "Load Config Table",
[0] = "Export Table",
[3] = "Exception Table",
[12] = "IAT",
[13] = "Delay Import Descriptor"
}
.. bro:id:: PE::dll_characteristics
:Type: :bro:type:`table` [:bro:type:`count`] of :bro:type:`string`
:Attributes: :bro:attr:`&default` = :bro:type:`function` :bro:attr:`&optional`
:Default:
::
{
[256] = "NX_COMPAT",
[512] = "NO_ISOLATION",
[128] = "FORCE_INTEGRITY",
[2048] = "NO_BIND",
[32768] = "TERMINAL_SERVER_AWARE",
[8192] = "WDM_DRIVER",
[1024] = "NO_SEH",
[64] = "DYNAMIC_BASE"
}
.. bro:id:: PE::file_characteristics
:Type: :bro:type:`table` [:bro:type:`count`] of :bro:type:`string`
:Attributes: :bro:attr:`&default` = :bro:type:`function` :bro:attr:`&optional`
:Default:
::
{
[2] = "EXECUTABLE_IMAGE",
[4] = "LINE_NUMS_STRIPPED",
[256] = "32BIT_MACHINE",
[512] = "DEBUG_STRIPPED",
[1] = "RELOCS_STRIPPED",
[8] = "LOCAL_SYMS_STRIPPED",
[16384] = "UP_SYSTEM_ONLY",
[32] = "LARGE_ADDRESS_AWARE",
[128] = "BYTES_REVERSED_LO",
[2048] = "NET_RUN_FROM_SWAP",
[32768] = "BYTES_REVERSED_HI",
[8192] = "DLL",
[1024] = "REMOVABLE_RUN_FROM_SWAP",
[4096] = "SYSTEM",
[16] = "AGGRESSIVE_WS_TRIM"
}
.. bro:id:: PE::machine_types
:Type: :bro:type:`table` [:bro:type:`count`] of :bro:type:`string`
:Attributes: :bro:attr:`&default` = :bro:type:`function` :bro:attr:`&optional`
:Default:
::
{
[496] = "POWERPC",
[870] = "MIPSFPU",
[497] = "POWERPCFP",
[450] = "THUMB",
[512] = "IA64",
[422] = "SH4",
[361] = "WCEMIPSV2",
[3772] = "EBC",
[34404] = "AMD64",
[452] = "ARMNT",
[358] = "R4000",
[448] = "ARM",
[467] = "AM33",
[43620] = "ARM64",
[36929] = "M32R",
[332] = "I386",
[418] = "SH3",
[0] = "UNKNOWN",
[1126] = "MIPSFPU16",
[424] = "SH5",
[419] = "SH3DSP",
[614] = "MIPS16"
}
.. bro:id:: PE::os_versions
:Type: :bro:type:`table` [:bro:type:`count`, :bro:type:`count`] of :bro:type:`string`
:Attributes: :bro:attr:`&default` = :bro:type:`function` :bro:attr:`&optional`
:Default:
::
{
[6, 0] = "Windows Vista or Server 2008",
[5, 0] = "Windows 2000",
[6, 1] = "Windows 7 or Server 2008 R2",
[6, 3] = "Windows 8.1 or Server 2012 R2",
[3, 50] = "Windows NT 3.5",
[2, 11] = "Windows 2.11",
[1, 4] = "Windows 1.04",
[1, 0] = "Windows 1.0",
[3, 10] = "Windows 3.1 or NT 3.1",
[2, 10] = "Windows 2.10",
[4, 90] = "Windows Me",
[3, 2] = "Windows 3.2",
[2, 0] = "Windows 2.0",
[4, 10] = "Windows 98",
[3, 51] = "Windows NT 3.51",
[1, 1] = "Windows 1.01",
[5, 1] = "Windows XP",
[10, 0] = "Windows 10",
[3, 0] = "Windows 3.0",
[6, 4] = "Windows 10 Technical Preview",
[6, 2] = "Windows 8 or Server 2012",
[3, 11] = "Windows for Workgroups 3.11",
[4, 0] = "Windows 95 or NT 4.0",
[1, 3] = "Windows 1.03",
[5, 2] = "Windows XP x64 or Server 2003"
}
.. bro:id:: PE::section_characteristics
:Type: :bro:type:`table` [:bro:type:`count`] of :bro:type:`string`
:Attributes: :bro:attr:`&default` = :bro:type:`function` :bro:attr:`&optional`
:Default:
::
{
[10485760] = "ALIGN_512BYTES",
[14680064] = "ALIGN_8192BYTES",
[16777216] = "LNK_NRELOC_OVFL",
[7340032] = "ALIGN_64BYTES",
[256] = "LNK_OTHER",
[512] = "LNK_INFO",
[131072] = "MEM_16BIT",
[8388608] = "ALIGN_128BYTES",
[33554432] = "MEM_DISCARDABLE",
[8] = "TYPE_NO_PAD",
[12582912] = "ALIGN_2048BYTES",
[536870912] = "MEM_EXECUTE",
[67108864] = "MEM_NOT_CACHED",
[524288] = "MEM_PRELOAD",
[262144] = "MEM_LOCKED",
[32] = "CNT_CODE",
[128] = "CNT_UNINITIALIZED_DATA",
[1048576] = "ALIGN_1BYTES",
[4194304] = "ALIGN_8BYTES",
[2048] = "LNK_REMOVE",
[32768] = "GPREL",
[1073741824] = "MEM_READ",
[2097152] = "ALIGN_2BYTES",
[9437184] = "ALIGN_256BYTES",
[13631488] = "ALIGN_4096BYTES",
[134217728] = "MEM_NOT_PAGED",
[11534336] = "ALIGN_1024BYTES",
[2147483648] = "MEM_WRITE",
[64] = "CNT_INITIALIZED_DATA",
[5242880] = "ALIGN_16BYTES",
[4096] = "LNK_COMDAT",
[268435456] = "MEM_SHARED",
[3145728] = "ALIGN_4BYTES",
[6291456] = "ALIGN_32BYTES"
}
.. bro:id:: PE::section_descs
:Type: :bro:type:`table` [:bro:type:`string`] of :bro:type:`string`
:Attributes: :bro:attr:`&default` = :bro:type:`function` :bro:attr:`&optional`
:Default:
::
{
[".debug$T"] = "Debug types",
[".bss"] = "Uninitialized data",
[".rdata"] = "Read-only initialized data",
[".debug$S"] = "Debug symbols",
[".idlsym"] = "Includes registered SEH to support IDL attributes",
[".tls$"] = "Thread-local storage",
[".sdata"] = "GP-relative initialized data",
[".xdata"] = "Exception information",
[".reloc"] = "Image relocations",
[".srdata"] = "GP-relative read-only data",
[".edata"] = "Export tables",
[".tls"] = "Thread-local storage",
[".pdata"] = "Exception information",
[".debug$F"] = "Generated FPO debug information",
[".drective"] = "Linker options",
[".sbss"] = "GP-relative uninitialized data",
[".idata"] = "Import tables",
[".sxdata"] = "Registered exception handler data",
[".text"] = "Executable code",
[".vsdata"] = "GP-relative initialized data",
[".debug$P"] = "Precompiled debug types",
[".rsrc"] = "Resource directory",
[".cormeta"] = "CLR metadata that indicates that the object file contains managed code",
[".data"] = "Initialized data"
}
.. bro:id:: PE::windows_subsystems
:Type: :bro:type:`table` [:bro:type:`count`] of :bro:type:`string`
:Attributes: :bro:attr:`&default` = :bro:type:`function` :bro:attr:`&optional`
:Default:
::
{
[2] = "WINDOWS_GUI",
[9] = "WINDOWS_CE_GUI",
[11] = "EFI_BOOT_SERVICE_DRIVER",
[14] = "XBOX",
[1] = "NATIVE",
[7] = "POSIX_CUI",
[10] = "EFI_APPLICATION",
[0] = "UNKNOWN",
[3] = "WINDOWS_CUI",
[12] = "EFI_RUNTIME_DRIVER",
[13] = "EFI_ROM"
}

16
doc/scripts/base/files/pe/index.rst
View file

@ -1,16 +0,0 @@
:orphan:
Package: base/files/pe
======================
Support for Portable Executable (PE) file analysis.
:doc:`/scripts/base/files/pe/__load__.bro`
:doc:`/scripts/base/files/pe/consts.bro`
:doc:`/scripts/base/files/pe/main.bro`

115
doc/scripts/base/files/pe/main.bro.rst
View file

@ -1,115 +0,0 @@
:tocdepth: 3
base/files/pe/main.bro
======================
.. bro:namespace:: PE
:Namespace: PE
:Imports: :doc:`base/files/pe/consts.bro </scripts/base/files/pe/consts.bro>`
Summary
~~~~~~~
Types
#####
======================================== =
:bro:type:`PE::Info`: :bro:type:`record`
======================================== =
Redefinitions
#############
========================================================== =
:bro:type:`Log::ID`: :bro:type:`enum`
:bro:type:`fa_file`: :bro:type:`record` :bro:attr:`&redef`
========================================================== =
Events
######
======================================= ===================================
:bro:id:`PE::log_pe`: :bro:type:`event` Event for accessing logged records.
======================================= ===================================
Hooks
#####
======================================== ====================================================
:bro:id:`PE::set_file`: :bro:type:`hook` A hook that gets called when we first see a PE file.
======================================== ====================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Types
#####
.. bro:type:: PE::Info
:Type: :bro:type:`record`
ts: :bro:type:`time` :bro:attr:`&log`
Current timestamp.
id: :bro:type:`string` :bro:attr:`&log`
File id of this portable executable file.
machine: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
The target machine that the file was compiled for.
compile_ts: :bro:type:`time` :bro:attr:`&log` :bro:attr:`&optional`
The time that the file was created at.
os: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
The required operating system.
subsystem: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
The subsystem that is required to run this file.
is_exe: :bro:type:`bool` :bro:attr:`&log` :bro:attr:`&default` = ``T`` :bro:attr:`&optional`
Is the file an executable, or just an object file?
is_64bit: :bro:type:`bool` :bro:attr:`&log` :bro:attr:`&default` = ``T`` :bro:attr:`&optional`
Is the file a 64-bit executable?
uses_aslr: :bro:type:`bool` :bro:attr:`&log` :bro:attr:`&default` = ``F`` :bro:attr:`&optional`
Does the file support Address Space Layout Randomization?
uses_dep: :bro:type:`bool` :bro:attr:`&log` :bro:attr:`&default` = ``F`` :bro:attr:`&optional`
Does the file support Data Execution Prevention?
uses_code_integrity: :bro:type:`bool` :bro:attr:`&log` :bro:attr:`&default` = ``F`` :bro:attr:`&optional`
Does the file enforce code integrity checks?
uses_seh: :bro:type:`bool` :bro:attr:`&log` :bro:attr:`&default` = ``T`` :bro:attr:`&optional`
Does the file use structured exception handing?
has_import_table: :bro:type:`bool` :bro:attr:`&log` :bro:attr:`&optional`
Does the file have an import table?
has_export_table: :bro:type:`bool` :bro:attr:`&log` :bro:attr:`&optional`
Does the file have an export table?
has_cert_table: :bro:type:`bool` :bro:attr:`&log` :bro:attr:`&optional`
Does the file have an attribute certificate table?
has_debug_data: :bro:type:`bool` :bro:attr:`&log` :bro:attr:`&optional`
Does the file have a debug table?
section_names: :bro:type:`vector` of :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
The names of the sections, in order.
Events
######
.. bro:id:: PE::log_pe
:Type: :bro:type:`event` (rec: :bro:type:`PE::Info`)
Event for accessing logged records.
Hooks
#####
.. bro:id:: PE::set_file
:Type: :bro:type:`hook` (f: :bro:type:`fa_file`) : :bro:type:`bool`
A hook that gets called when we first see a PE file.