Image Load Event Properties

The following event properties can be used with image load events in uAQL queries (event types Image.Load and Driver.Load). The common properties also apply to these events.

| Property name | uAQL Data Type | Description | Platform |
|---|---|---|---|
| Image.Name | String | The image’s file name (e.g., userenv.dll) | Win |
| Image.Path | String | The image’s full path including the image file name | Win |
| Image.Hash.MD5 | String | MD5 hash of the image | Win |
| Image.Hash.SHA1 | String | SHA1 hash of the image | Win |
| Image.Hash.SHA256 | String | SHA256 hash of the image | Win |
| Image.Hash.IMP | String | Import-table hash of the image | Win |
| Image.Hashes | String | All enabled hashes for the image, output comma-separated, e.g.: MD5=CFCD208495D565EF66E7DFF9F98764DA,SHA1=B6589FC6AB0DC82CF12099D1C2D40AB994E8410C | Win |
| Image.IsSigned | Boolean | Is the image signed? This evaluates to true even if the certificate was revoked or is expired. | Win |
| Image.IsSignedByOSVendor | Boolean | Is the image signed by the vendor of the operating system (e.g. Microsoft)? This evaluates to true even if the certificate was revoked or is expired. | Win |
| Image.Signature | String | The signer name. | Win |
| Image.SignatureStatus | String | Evaluates to Valid for a valid certificate and Invalid for an invalid certificate. It is empty if the image is not signed. | Win |
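
Because Image.IsSigned and Image.IsSignedByOSVendor stay true for revoked or expired certificates, triage of image load events should key on Image.SignatureStatus. The following Python sketch is an added example, not part of the product documentation: it assumes events are available as dictionaries keyed by the property names above, and the sample events, the signer-free layout and the function names are constructed for illustration.

```python
def parse_hashes(value):
    """Split an Image.Hashes string ("MD5=...,SHA1=...") into {algorithm: digest}."""
    hashes = {}
    for part in filter(None, (p.strip() for p in value.split(","))):
        algo, sep, digest = part.partition("=")
        if not sep or not algo or not digest:
            raise ValueError(f"malformed Image.Hashes entry: {part!r}")
        hashes[algo.strip().upper()] = digest.strip().upper()
    return hashes


def signature_verdict(event):
    """Classify one image load event by how far its signature can be trusted."""
    status = event.get("Image.SignatureStatus", "")
    if not event.get("Image.IsSigned") or status == "":
        return "unsigned"
    # Image.IsSigned and Image.IsSignedByOSVendor stay true for revoked or
    # expired certificates, so the status is checked before either is trusted.
    if status != "Valid":
        return "signed-invalid"
    return "os-vendor" if event.get("Image.IsSignedByOSVendor") else "third-party"


def review_queue(events):
    """Return (name, verdict, hashes) for loads that lack a valid signature."""
    queue = []
    for event in events:
        verdict = signature_verdict(event)
        if verdict in ("unsigned", "signed-invalid"):
            queue.append((event["Image.Name"], verdict,
                          parse_hashes(event.get("Image.Hashes", ""))))
    return queue


# Constructed sample events; file names other than userenv.dll are made up.
SAMPLE_HASHES = "MD5=CFCD208495D565EF66E7DFF9F98764DA,SHA1=B6589FC6AB0DC82CF12099D1C2D40AB994E8410C"
EVENTS = [
    {"Image.Name": "userenv.dll", "Image.IsSigned": True, "Image.IsSignedByOSVendor": True,
     "Image.SignatureStatus": "Valid", "Image.Hashes": SAMPLE_HASHES},
    {"Image.Name": "example_driver.sys", "Image.IsSigned": True, "Image.IsSignedByOSVendor": True,
     "Image.SignatureStatus": "Invalid", "Image.Hashes": SAMPLE_HASHES},
    {"Image.Name": "example_plugin.dll", "Image.IsSigned": False, "Image.IsSignedByOSVendor": False,
     "Image.SignatureStatus": "", "Image.Hashes": ""},
    {"Image.Name": "example_tool.dll", "Image.IsSigned": True, "Image.IsSignedByOSVendor": False,
     "Image.SignatureStatus": "Valid", "Image.Hashes": SAMPLE_HASHES},
]

if __name__ == "__main__":
    for name, verdict, hashes in review_queue(EVENTS):
        print(name, verdict, hashes)
```

The second sample event shows the case the table warns about: both signed flags are true, yet the status is Invalid, so the load is queued for review.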
