observable:WindowsPEOptionalHeader leaf node


URI

https://unifiedcyberontology.org/ontology/uco/observable#WindowsPEOptionalHeader

Label

WindowsPEOptionalHeader

Description

A Windows PE optional header is a grouping of characteristics unique to the 'optional header' of a Windows PE (Portable Executable) file, consisting of a collection of metadata about the executable code structure of the file.

Usage

Instances of observable:WindowsPEOptionalHeader can have the following properties:

From class owl:Thing

| PROPERTY | TYPE | DESCRIPTION | RANGE |
|---|---|---|---|
| investigation:authorizationIdentifier | owl:DatatypeProperty | The identifier for a particular authorization (e.g. warrant number) | xsd:string |
| investigation:authorizationType | owl:DatatypeProperty | A label categorizing a type of authorization (e.g. warrant) | xsd:string |
| investigation:exhibitNumber | owl:DatatypeProperty | Specifies a unique identifier assigned to a given object at any stage of an investigation to differentiate it from all other objects. | xsd:string |
| investigation:focus | owl:DatatypeProperty | Specifies the topical focus of an investigation. | xsd:string |
| investigation:investigationForm | owl:DatatypeProperty | A label categorizing a type of investigation (case, incident, suspicious-activity, etc.) | vocab:InvestigationFormVocab |
| investigation:investigationStatus | owl:DatatypeProperty | A label characterizing the status of an investigation (open, closed, etc.). | xsd:string |
| investigation:relevantAuthorization | owl:ObjectProperty | Specifies an authorization relevant to a particular investigation. | investigation:Authorization |
| investigation:rootExhibitNumber | owl:DatatypeProperty | Specifies a unique identifier assigned to a given object at the start of its treatment as part of an investigation. The first node in a provenance chain, which can be viewed as a hierarchical tree originating from a single root. | xsd:string |

Property Shapes

By the associated SHACL property shapes, instances of observable:WindowsPEOptionalHeader can have the following properties:

observable:WindowsPEOptionalHeader

| PROPERTY | PROPERTY TYPE | DESCRIPTION | MIN COUNT | MAX COUNT | LOCAL RANGE (type range for property on this class) | GLOBAL RANGE (type range for property globally) |
|---|---|---|---|---|---|---|
| observable:addressOfEntryPoint | owl:DatatypeProperty | Specifies the address of the entry point relative to the image base when the executable is loaded into memory. | 0 | * | xsd:unsignedInt | xsd:unsignedInt |
| observable:baseOfCode | owl:DatatypeProperty | Specifies the address that is relative to the image base of the beginning-of-code section when it is loaded into memory. | 0 | * | xsd:unsignedInt | xsd:unsignedInt |
| observable:checksum | owl:DatatypeProperty | Specifies the checksum of the PE binary. | 0 | * | xsd:unsignedInt | xsd:unsignedInt |
| observable:dllCharacteristics | owl:DatatypeProperty | Specifies the flags that characterize the PE binary. | 0 | * | xsd:unsignedShort | xsd:unsignedShort |
| observable:fileAlignment | owl:DatatypeProperty | Specifies the factor (in bytes) that is used to align the raw data of sections in the image file. | 0 | * | xsd:unsignedInt | xsd:unsignedInt |
| observable:imageBase | owl:DatatypeProperty | Specifies the address that is relative to the image base of the beginning-of-data section when it is loaded into memory. | 0 | * | xsd:unsignedInt | xsd:unsignedInt |
| observable:loaderFlags | owl:DatatypeProperty | Specifies the reserved loader flags. | 0 | * | xsd:unsignedInt | xsd:unsignedInt |
| observable:magic | owl:DatatypeProperty | Specifies the value that indicates the type of the PE binary. | 0 | * | xsd:unsignedShort | xsd:unsignedShort |
| observable:majorImageVersion | owl:DatatypeProperty | Specifies the major version number of the image. | 0 | * | xsd:unsignedShort | xsd:unsignedShort |
| observable:majorLinkerVersion | owl:DatatypeProperty | Specifies the linker major version number. | 0 | * | xsd:byte | xsd:byte |
| observable:majorOSVersion | owl:DatatypeProperty | Specifies the major version number of the required operating system. | 0 | * | xsd:unsignedShort | xsd:unsignedShort |
| observable:majorSubsystemVersion | owl:DatatypeProperty | Specifies the major version number of the subsystem. | 0 | * | xsd:unsignedShort | xsd:unsignedShort |
| observable:minorImageVersion | owl:DatatypeProperty | Specifies the minor version number of the image. | 0 | * | xsd:unsignedShort | xsd:unsignedShort |
| observable:minorLinkerVersion | owl:DatatypeProperty | Specifies the linker minor version number. | 0 | * | xsd:byte | xsd:byte |
| observable:minorOSVersion | owl:DatatypeProperty | Specifies the minor version number of the required operating system. | 0 | * | xsd:unsignedShort | xsd:unsignedShort |
| observable:minorSubsystemVersion | owl:DatatypeProperty | Specifies the minor version number of the subsystem. | 0 | * | xsd:unsignedShort | xsd:unsignedShort |
| observable:numberOfRVAAndSizes | owl:DatatypeProperty | Specifies the number of data-directory entries in the remainder of the optional header. | 0 | * | xsd:unsignedInt | xsd:unsignedInt |
| observable:sectionAlignment | owl:DatatypeProperty | Specifies the alignment (in bytes) of PE sections when they are loaded into memory. | 0 | * | xsd:unsignedInt | xsd:unsignedInt |
| observable:sizeOfCode | owl:DatatypeProperty | Specifies the size of the code (text) section. If there are multiple such sections, this refers to the sum of the sizes of each section. | 0 | * | xsd:unsignedInt | xsd:unsignedInt |
| observable:sizeOfHeaders | owl:DatatypeProperty | Specifies the combined size of the MS-DOS, PE header, and section headers, rounded up to a multiple of the value specified in the file_alignment header. | 0 | * | xsd:unsignedInt | xsd:unsignedInt |
| observable:sizeOfHeapCommit | owl:DatatypeProperty | Specifies the size of the local heap space to commit. | 0 | * | xsd:unsignedInt | xsd:unsignedInt |
| observable:sizeOfHeapReserve | owl:DatatypeProperty | Specifies the size of the local heap space to reserve. | 0 | * | xsd:unsignedInt | xsd:unsignedInt |
| observable:sizeOfImage | owl:DatatypeProperty | Specifies the size, in bytes, of the image, including all headers, as the image is loaded in memory. | 0 | * | xsd:unsignedInt | xsd:unsignedInt |
| observable:sizeOfInitializedData | owl:DatatypeProperty | Specifies the size of the initialized data section. If there are multiple such sections, this refers to the sum of the sizes of each section. | 0 | * | xsd:unsignedInt | xsd:unsignedInt |
| observable:sizeOfStackCommit | owl:DatatypeProperty | Specifies the size of the stack to commit. | 0 | * | xsd:unsignedInt | xsd:unsignedInt |
| observable:sizeOfStackReserve | owl:DatatypeProperty | Specifies the size of the stack to reserve. | 0 | * | xsd:unsignedInt | xsd:unsignedInt |
| observable:sizeOfUninitializedData | owl:DatatypeProperty | Specifies the size of the uninitialized data section. If there are multiple such sections, this refers to the sum of the sizes of each section. | 0 | * | xsd:unsignedInt | xsd:unsignedInt |
| observable:subsystem | owl:DatatypeProperty | Specifies the subsystem (e.g., GUI, device driver, etc.) that is required to run this image. | 0 | * | xsd:unsignedShort | xsd:unsignedShort |
| observable:win32VersionValue | owl:DatatypeProperty | Specifies the reserved win32 version value. | 0 | * | xsd:unsignedInt | xsd:unsignedInt |

Implementation

@prefix observable: <https://unifiedcyberontology.org/ontology/uco/observable#> .
@prefix owl: <http://www.w3.org/2002/07/owl#> .
@prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> .
@prefix sh: <http://www.w3.org/ns/shacl#> .
@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .

observable:WindowsPEOptionalHeader a owl:Class,
        sh:NodeShape ;
    rdfs:label "WindowsPEOptionalHeader"@en ;
    rdfs:comment "A Windows PE optional header is a grouping of characteristics unique to the 'optional header' of a Windows PE (Portable Executable) file, consisting of a collection of metadata about the executable code structure of the file."@en ;
    sh:property [ sh:datatype xsd:byte ;
            sh:nodeKind sh:Literal ;
            sh:path observable:majorLinkerVersion ],
        [ sh:datatype xsd:byte ;
            sh:nodeKind sh:Literal ;
            sh:path observable:minorLinkerVersion ],
        [ sh:datatype xsd:unsignedInt ;
            sh:nodeKind sh:Literal ;
            sh:path observable:addressOfEntryPoint ],
        [ sh:datatype xsd:unsignedInt ;
            sh:nodeKind sh:Literal ;
            sh:path observable:baseOfCode ],
        [ sh:datatype xsd:unsignedInt ;
            sh:nodeKind sh:Literal ;
            sh:path observable:checksum ],
        [ sh:datatype xsd:unsignedInt ;
            sh:nodeKind sh:Literal ;
            sh:path observable:fileAlignment ],
        [ sh:datatype xsd:unsignedInt ;
            sh:nodeKind sh:Literal ;
            sh:path observable:imageBase ],
        [ sh:datatype xsd:unsignedInt ;
            sh:nodeKind sh:Literal ;
            sh:path observable:loaderFlags ],
        [ sh:datatype xsd:unsignedInt ;
            sh:nodeKind sh:Literal ;
            sh:path observable:numberOfRVAAndSizes ],
        [ sh:datatype xsd:unsignedInt ;
            sh:nodeKind sh:Literal ;
            sh:path observable:sectionAlignment ],
        [ sh:datatype xsd:unsignedInt ;
            sh:nodeKind sh:Literal ;
            sh:path observable:sizeOfCode ],
        [ sh:datatype xsd:unsignedInt ;
            sh:nodeKind sh:Literal ;
            sh:path observable:sizeOfHeaders ],
        [ sh:datatype xsd:unsignedInt ;
            sh:nodeKind sh:Literal ;
            sh:path observable:sizeOfHeapCommit ],
        [ sh:datatype xsd:unsignedInt ;
            sh:nodeKind sh:Literal ;
            sh:path observable:sizeOfHeapReserve ],
        [ sh:datatype xsd:unsignedInt ;
            sh:nodeKind sh:Literal ;
            sh:path observable:sizeOfImage ],
        [ sh:datatype xsd:unsignedInt ;
            sh:nodeKind sh:Literal ;
            sh:path observable:sizeOfInitializedData ],
        [ sh:datatype xsd:unsignedInt ;
            sh:nodeKind sh:Literal ;
            sh:path observable:sizeOfStackCommit ],
        [ sh:datatype xsd:unsignedInt ;
            sh:nodeKind sh:Literal ;
            sh:path observable:sizeOfStackReserve ],
        [ sh:datatype xsd:unsignedInt ;
            sh:nodeKind sh:Literal ;
            sh:path observable:sizeOfUninitializedData ],
        [ sh:datatype xsd:unsignedInt ;
            sh:nodeKind sh:Literal ;
            sh:path observable:win32VersionValue ],
        [ sh:datatype xsd:unsignedShort ;
            sh:nodeKind sh:Literal ;
            sh:path observable:dllCharacteristics ],
        [ sh:datatype xsd:unsignedShort ;
            sh:nodeKind sh:Literal ;
            sh:path observable:magic ],
        [ sh:datatype xsd:unsignedShort ;
            sh:nodeKind sh:Literal ;
            sh:path observable:majorImageVersion ],
        [ sh:datatype xsd:unsignedShort ;
            sh:nodeKind sh:Literal ;
            sh:path observable:majorOSVersion ],
        [ sh:datatype xsd:unsignedShort ;
            sh:nodeKind sh:Literal ;
            sh:path observable:majorSubsystemVersion ],
        [ sh:datatype xsd:unsignedShort ;
            sh:nodeKind sh:Literal ;
            sh:path observable:minorImageVersion ],
        [ sh:datatype xsd:unsignedShort ;
            sh:nodeKind sh:Literal ;
            sh:path observable:minorOSVersion ],
        [ sh:datatype xsd:unsignedShort ;
            sh:nodeKind sh:Literal ;
            sh:path observable:minorSubsystemVersion ],
        [ sh:datatype xsd:unsignedShort ;
            sh:nodeKind sh:Literal ;
            sh:path observable:subsystem ] ;
    sh:targetClass observable:WindowsPEOptionalHeader .
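
Added example (not part of the UCO documentation or code base): mapping the 96-byte PE32 optional header onto the properties of this shape and checking each value against the XSD range the shape declares. The function name `to_uco`, the JSON-LD-style output and the sample bytes are assumptions constructed here; xsd:byte is a signed type, and PE32+ headers are rejected because their ImageBase field is 64 bits wide.

```python
import struct

# XSD datatype and value range that the shape assigns to each field width.
XSD = {"B": ("xsd:byte", -128, 127),          # xsd:byte is SIGNED 8-bit
       "H": ("xsd:unsignedShort", 0, 0xFFFF),
       "I": ("xsd:unsignedInt", 0, 0xFFFFFFFF)}

# PE32 (magic 0x10B) optional header in file order: struct code + UCO property.
# "-" marks BaseOfData, which is in the file but has no property on this shape.
LAYOUT = """H:magic B:majorLinkerVersion B:minorLinkerVersion I:sizeOfCode
I:sizeOfInitializedData I:sizeOfUninitializedData I:addressOfEntryPoint
I:baseOfCode I:- I:imageBase I:sectionAlignment I:fileAlignment
H:majorOSVersion H:minorOSVersion H:majorImageVersion H:minorImageVersion
H:majorSubsystemVersion H:minorSubsystemVersion I:win32VersionValue
I:sizeOfImage I:sizeOfHeaders I:checksum H:subsystem H:dllCharacteristics
I:sizeOfStackReserve I:sizeOfStackCommit I:sizeOfHeapReserve
I:sizeOfHeapCommit I:loaderFlags I:numberOfRVAAndSizes""".split()
FIELDS = [tuple(item.split(":")) for item in LAYOUT]
FMT = "<" + "".join(code for code, _ in FIELDS)   # 96 bytes, little-endian

def to_uco(header: bytes):
    """Return (JSON-LD-style node, list of shape violations) for a PE32 header."""
    if len(header) < struct.calcsize(FMT):
        raise ValueError("truncated optional header")
    values = struct.unpack_from(FMT, header)
    if values[0] != 0x10B:
        raise ValueError("not PE32: PE32+ ImageBase is 64-bit, exceeds xsd:unsignedInt")
    node, violations = {"@type": "observable:WindowsPEOptionalHeader"}, []
    for (code, name), value in zip(FIELDS, values):
        if name == "-":
            continue
        datatype, low, high = XSD[code]
        if not low <= value <= high:
            violations.append(f"observable:{name}={value} outside {datatype}")
        node[f"observable:{name}"] = {"@type": datatype, "@value": value}
    return node, violations

# Constructed sample: a PE32 GUI header whose linker major version is 200.
SAMPLE = struct.pack(FMT, 0x10B, 200, 0, 0x1000, 0x800, 0, 0x1234, 0x1000, 0x2000,
                     0x400000, 0x1000, 0x200, 6, 0, 0, 0, 6, 0, 0, 0x5000, 0x400,
                     0, 2, 0x8140, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)

if __name__ == "__main__":
    node, problems = to_uco(SAMPLE)
    print(node["observable:addressOfEntryPoint"], problems)
```

A linker version byte of 128 or more is valid in the file format but falls outside xsd:byte, so a SHACL validator would flag the resulting node unless the producer handles that case.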