https://ontology.unifiedcyberontology.org/uco/observable/WindowsPEBinaryFileFacet
A Windows PE binary file facet is a grouping of characteristics unique to a Windows portable executable (PE) file.
Instances of observable:WindowsPEBinaryFileFacet can have the following properties:
| PROPERTY | TYPE | DESCRIPTION | RANGE |
|---|---|---|---|
| From class owl:Thing | |||
| core:informalType | owl:DatatypeProperty | Informal Type serves as a parent property for string-valued properties meant to describe a type without implementing a class design. This property hierarchy supports a balancing point between semantic specificity and operational agility. The known benefits of describing types rather than implementing them include swift extensibility of some existing, or possibly non-existing, subclass hierarchy in UCO without requiring training in ontological development, taxonomic specification, or OWL, SHACL, or RDF maintenance logistics. The known detractions of using string-literals for type descriptions include that used vocabularies may require careful maintenance among data-sharing parties; that vocabularies require independent logistics (external to UCO) for providing definitions (i.e., dictionary-style semantics) to string-literals chosen; and that string-literals cannot by themselves encode hierarchical structure or entailments, such as the informal device type string 'ExamplePhone 8 P4321' entailing 'ExamplePhone 8', 'ExamplePhone', or 'ExamplePhone models discontinued in 2020'. Usage of Informal Type to house strings should be weighed against usage of classes when classes are available, and should periodically be reviewed for potential additions to UCO's class hierarchy or downstream extensions thereof. | owl:Thing |
| types:threadNextItem | owl:ObjectProperty | The link to a next item in a thread. | owl:Thing |
| types:threadPreviousItem | owl:ObjectProperty | A direct link to a previous item in a thread. | owl:Thing |
By the associated SHACL property shapes, instances of observable:WindowsPEBinaryFileFacet can have the following properties:
PROPERTY |
PROPERTY TYPE |
DESCRIPTION |
MIN COUNT |
MAX COUNT |
LOCAL RANGE |
GLOBAL RANGE |
|
|---|---|---|---|---|---|---|---|
| observable:WindowsPEBinaryFileFacet | |||||||
| observable:characteristics | owl:DatatypeProperty |
Specifies the flags that indicate the file’s characteristics.
|
xsd:unsignedShort
|
xsd:unsignedShort
|
|||
| observable:fileHeaderHashes | owl:ObjectProperty |
Specifies any hashes that were computed for the file header.
|
types:Hash
|
types:Hash
|
|||
| observable:impHash | owl:DatatypeProperty |
Specifies the special import hash, or ‘imphash’, calculated for the PE Binary based on its imported libraries and functions.
|
1 |
xsd:string
|
xsd:string
|
||
| observable:machine | owl:DatatypeProperty |
Specifies the type of target machine.
|
xsd:string
|
xsd:string
|
|||
| observable:numberOfSections | owl:DatatypeProperty |
Specifies the number of sections in the PE binary, as a non-negative integer.
|
1 |
xsd:integer
|
xsd:integer
|
||
| observable:numberOfSymbols | owl:DatatypeProperty |
Specifies the number of entries in the symbol table of the PE binary, as a non-negative integer.
|
1 |
xsd:integer
|
xsd:integer
|
||
| observable:optionalHeader | owl:ObjectProperty |
Specifies the PE optional header of the PE binary.
|
1 |
observable:WindowsPEOptionalHeader
|
observable:WindowsPEOptionalHeader
|
||
| observable:peType | owl:DatatypeProperty |
Specifies the type of the PE binary.
|
1 |
xsd:string
|
xsd:string
|
||
| observable:pointerToSymbolTable | owl:DatatypeProperty |
Specifies the file offset of the COFF symbol table.
|
xsd:hexBinary
|
xsd:hexBinary
|
|||
| observable:sections | owl:ObjectProperty |
Specifies metadata about the sections in the PE file.
|
observable:WindowsPESection
|
observable:WindowsPESection
|
|||
| observable:sizeOfOptionalHeader | owl:DatatypeProperty |
Specifies the size of the optional header of the PE binary.
|
1 |
xsd:integer
|
xsd:integer
|
||
| observable:timeDateStamp | owl:DatatypeProperty |
Specifies the time when the PE binary was created.
|
1 |
xsd:dateTime
|
xsd:dateTime
|
||
@prefix core: <https://ontology.unifiedcyberontology.org/uco/core/> .
@prefix observable: <https://ontology.unifiedcyberontology.org/uco/observable/> .
@prefix owl: <http://www.w3.org/2002/07/owl#> .
@prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> .
@prefix sh: <http://www.w3.org/ns/shacl#> .
@prefix types: <https://ontology.unifiedcyberontology.org/uco/types/> .
@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .
observable:WindowsPEBinaryFileFacet a owl:Class,
sh:NodeShape ;
rdfs:label "WindowsPEBinaryFileFacet"@en ;
rdfs:comment "A Windows PE binary file facet is a grouping of characteristics unique to a Windows portable executable (PE) file."@en ;
rdfs:subClassOf core:Facet ;
sh:property [ sh:class observable:WindowsPEOptionalHeader ;
sh:maxCount 1 ;
sh:nodeKind sh:IRI ;
sh:path observable:optionalHeader ],
[ sh:class observable:WindowsPESection ;
sh:nodeKind sh:IRI ;
sh:path observable:sections ],
[ sh:class types:Hash ;
sh:nodeKind sh:IRI ;
sh:path observable:fileHeaderHashes ],
[ sh:datatype xsd:dateTime ;
sh:maxCount 1 ;
sh:nodeKind sh:Literal ;
sh:path observable:timeDateStamp ],
[ sh:datatype xsd:hexBinary ;
sh:nodeKind sh:Literal ;
sh:path observable:pointerToSymbolTable ],
[ sh:datatype xsd:integer ;
sh:maxCount 1 ;
sh:nodeKind sh:Literal ;
sh:path observable:numberOfSections ],
[ sh:datatype xsd:integer ;
sh:maxCount 1 ;
sh:nodeKind sh:Literal ;
sh:path observable:numberOfSymbols ],
[ sh:datatype xsd:integer ;
sh:maxCount 1 ;
sh:nodeKind sh:Literal ;
sh:path observable:sizeOfOptionalHeader ],
[ sh:datatype xsd:string ;
sh:maxCount 1 ;
sh:nodeKind sh:Literal ;
sh:path observable:impHash ],
[ sh:datatype xsd:string ;
sh:maxCount 1 ;
sh:nodeKind sh:Literal ;
sh:path observable:peType ],
[ sh:datatype xsd:string ;
sh:nodeKind sh:Literal ;
sh:path observable:machine ],
[ sh:datatype xsd:unsignedShort ;
sh:nodeKind sh:Literal ;
sh:path observable:characteristics ] ;
sh:targetClass observable:WindowsPEBinaryFileFacet .