Image Load Event Properties
The following event properties can be used with image load events in uAQL queries (event type Image.Load and Driver.Load). In addition to the properties listed here, the common properties are applicable, too.
| Property name | uAQL Data Type | Description | Platform |
|---|---|---|---|
Image.Name |
String | The image’s file name (e.g., userenv.dll) |
Win |
Image.Path |
String | The image’s full path including the image file name | Win |
Image.Hash.MD5 |
String | MD5 hash of the image | Win |
Image.Hash.SHA1 |
String | SHA1 hash of the image | Win |
Image.Hash.SHA256 |
String | SHA256 hash of the image | Win |
Image.Hash.IMP |
String | Import-table hash of the image | Win |
Image.Hashes |
String | All enabled hashes for image are output comma-separated, e.g.: MD5=CFCD208495D565EF66E7DFF9F98764DA,SHA1=B6589FC6AB0DC82CF12099D1C2D40AB994E8410C |
Win |
Image.IsSigned |
Boolean | Is the image signed? This evaluates to true even if the certificate was revoked or is expired. |
Win |
Image.IsSignedByOSVendor |
Boolean | Is the image signed by the vendor of the operating system (e.g. Microsoft)? This evaluates to true even if the certificate was revoked or is expired. |
Win |
Image.Signature |
String | The signer name. | Win |
Image.SignatureStatus |
String | Evaluates to Valid for a valid certificate and Invalid for an invalid certificate. It is empty if the image is not signed. |
Win |