Another checkpoint

This commit is contained in:
Seth Hall 2013-04-25 13:44:12 -04:00
parent d72980828f
commit 317252b5ae
8 changed files with 62 additions and 33 deletions


@ -2489,6 +2489,41 @@ type irc_join_info: record {
## .. bro:see:: irc_join_message ## .. bro:see:: irc_join_message
type irc_join_list: set[irc_join_info]; type irc_join_list: set[irc_join_info];
type PEHeader: record {
# Machine : count;
# TimeDateStamp : time;
# magic : uint16;
# major_linker_version : uint8;
# minor_linker_version : uint8;
# size_of_code : uint32;
# size_of_init_data : uint32;
# size_of_uninit_data : uint32;
# addr_of_entry_point : uint32;
# base_of_code : uint32;
# base_of_data : uint32;
# image_base : uint32;
# section_alignment : uint32;
# file_alignment : uint32;
# os_version_major : uint16;
# os_version_minor : uint16;
# major_image_version : uint16;
# minor_image_version : uint16;
# major_subsys_version : uint16;
# minor_subsys_version : uint16;
# win32_version : uint32;
# size_of_image : uint32;
# checksum : uint32;
# subsystem : uint16;
# mem: case magic of {
# 0x0b01 -> i32 : MEM_INFO32;
# 0x0b02 -> i64 : MEM_INFO64;
# default -> InvalidPEFile : empty;
# };
# loader_flags : uint32;
# number_of_rva_and_sizes : uint32;
#
};
## Record for Portable Executable (PE) section headers. ## Record for Portable Executable (PE) section headers.
type PESectionHeader: record { type PESectionHeader: record {
name : string; name : string;
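Review bot: `type PEHeader: record { … };` is added with every field commented out, so the script-layer type that file_analysis.bif also forward-declares in this commit currently has no fields, and unlike the `PESectionHeader` record below it carries no `##` documentation. The commented field list is binpac syntax (`case magic of {`, `-> InvalidPEFile : empty;`) pasted from the grammar rather than Bro record syntax, so it cannot simply be uncommented later. Suggest a `## Record for Portable Executable (PE) file headers.` line above the type, plus a `## TODO: fields not yet filled in; see the binpac PE grammar.` marker while this remains a checkpoint.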


@ -7,7 +7,7 @@ class PortVal;
#include "util.h" #include "util.h"
#include "Analyzer.h" #include "Analyzer.h"
#include "file_analysis/Action.h" #include "file_analysis/Analyzer.h"
#include "Val.h" #include "Val.h"
#include "event.bif.func_h" #include "event.bif.func_h"
@ -16,7 +16,7 @@ class PortVal;
namespace binpac { namespace binpac {
typedef Analyzer* BroAnalyzer; typedef Analyzer* BroAnalyzer;
typedef file_analysis::Action BroFileAnalyzer; typedef file_analysis::Analyzer BroFileAnalyzer;
typedef Val* BroVal; typedef Val* BroVal;
typedef PortVal* BroPortVal; typedef PortVal* BroPortVal;
typedef StringVal* BroStringVal; typedef StringVal* BroStringVal;


@ -4,6 +4,7 @@
#include "Extract.h" #include "Extract.h"
#include "DataEvent.h" #include "DataEvent.h"
#include "Hash.h" #include "Hash.h"
#include "analyzers/PE.h"
using namespace file_analysis; using namespace file_analysis;
@ -14,6 +15,7 @@ static AnalyzerInstantiator analyzer_factory[] = {
file_analysis::SHA1::Instantiate, file_analysis::SHA1::Instantiate,
file_analysis::SHA256::Instantiate, file_analysis::SHA256::Instantiate,
file_analysis::DataEvent::Instantiate, file_analysis::DataEvent::Instantiate,
file_analysis::PE::Instantiate,
}; };
static void analyzer_del_func(void* v) static void analyzer_del_func(void* v)
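Review bot: The new `file_analysis::PE::Instantiate,` entry is appended to `analyzer_factory[]` with nothing tying its position to the `ANALYZER_PE` value that this same commit appends to the `Analyzer` enum in file_analysis.bif; if the array is indexed by that enum (the lookup is outside this hunk) the two must stay in the same order. A one-line comment above the array, `// Order must match the Analyzer enum in file_analysis.bif.`, would make that invariant visible to the next person adding an analyzer. The array definition starts before this hunk.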


@ -7,38 +7,29 @@
using namespace file_analysis; using namespace file_analysis;
PE_Analyzer::PE_Analyzer(RecordVal* args, File* file) PE::PE(RecordVal* args, File* file)
: Action(args, file) : file_analysis::Analyzer(args, file)
{ {
conn = new binpac::PE::MockConnection(this); conn = new binpac::PE::MockConnection(this);
interp = new binpac::PE::File(conn); interp = new binpac::PE::File(conn);
done=false; done=false;
} }
PE_Analyzer::~PE_Analyzer() PE::~PE()
{ {
delete interp; delete interp;
} }
Action* PE_Analyzer::Instantiate(RecordVal* args, File* file) bool PE::DeliverStream(const u_char* data, uint64 len)
{ {
return new PE_Analyzer(args, file);
}
bool PE_Analyzer::DeliverStream(const u_char* data, uint64 len)
{
printf("deliver stream\n");
if (done)
{
printf("analyzer done\n");
return false;
}
Action::DeliverStream(data, len);
try try
{ {
interp->NewData(data, data + len); interp->NewData(data, data + len);
} }
catch ( const binpac::HaltParser &e )
{
return false;
}
catch ( const binpac::Exception& e ) catch ( const binpac::Exception& e )
{ {
printf("Binpac exception: %s\n", e.c_msg()); printf("Binpac exception: %s\n", e.c_msg());
@ -48,9 +39,9 @@ bool PE_Analyzer::DeliverStream(const u_char* data, uint64 len)
return true; return true;
} }
bool PE_Analyzer::EndOfFile() bool PE::EndOfFile()
{ {
printf("end of file!\n"); printf("end of file!\n");
done=true; //throw binpac::HaltParser();
return false; return false;
} }
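Review bot: `done` is now a write-only member: the `if (done)` guard in `DeliverStream` and the `done=true;` in `EndOfFile` are both dropped, so the flag initialised in the constructor is never read again while PE.h still declares it. Either remove the member (and the `done=false;` line) or restore `if (done) return false;` at the top of `DeliverStream`, since data delivered after `EndOfFile` would otherwise be fed to `interp->NewData` again. The destructor also deletes `interp` but not `conn`, which the constructor allocates with `new`; unless `binpac::PE::File` takes ownership of the connection (not visible here) that is one leaked `MockConnection` per file, fixed by adding `delete conn;` next to `delete interp;`. The remaining `printf` diagnostics, including the binpac exception message derived from untrusted file content, belong in the reporter (e.g. as a weird) rather than on stdout before this leaves checkpoint state. `DeliverStream`'s body continues past the first hunk.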


@ -12,18 +12,19 @@ namespace file_analysis {
/** /**
* An action to simply extract files to disk. * An action to simply extract files to disk.
*/ */
class PE_Analyzer : Action { class PE : public file_analysis::Analyzer {
public: public:
static Action* Instantiate(RecordVal* args, File* file); ~PE();
~PE_Analyzer(); static file_analysis::Analyzer* Instantiate(RecordVal* args, File* file)
{ return new PE(args, file); }
virtual bool DeliverStream(const u_char* data, uint64 len); virtual bool DeliverStream(const u_char* data, uint64 len);
virtual bool EndOfFile(); virtual bool EndOfFile();
protected: protected:
PE_Analyzer(RecordVal* args, File* file); PE(RecordVal* args, File* file);
binpac::PE::File* interp; binpac::PE::File* interp;
binpac::PE::MockConnection* conn; binpac::PE::MockConnection* conn;
bool done; bool done;
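Review bot: The class comment `An action to simply extract files to disk.` is left over from the Extract analyzer and now describes the wrong class; suggest `/** A file analyzer that runs the binpac PE grammar over the file's bytes. */`, and a short comment on `done`, which after this commit is set in the constructor but never read. `~PE();` is not declared `virtual`, which is only safe if `file_analysis::Analyzer` declares a virtual destructor — that base class is outside this hunk, so worth confirming. The class body continues past the hunk.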


@ -9,10 +9,7 @@ refine flow File += {
function proc_the_file(): bool function proc_the_file(): bool
%{ %{
printf("ending the flow!\n"); throw binpac::HaltParser();
connection()->bro_analyzer()->EndOfFile();
connection()->FlowEOF(true);
connection()->FlowEOF(false);
return true; return true;
%} %}
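Review bot: The `return true;` after the unconditional `throw binpac::HaltParser();` in `proc_the_file` is now unreachable, and nothing records why a throw replaced the `EndOfFile()`/`FlowEOF()` calls. A comment such as `# Headers consumed: halt the parser; PE::DeliverStream catches HaltParser and returns false.` would document the contract this relies on, since as far as PE.cc shows, that catch is the only thing turning the exception into a clean stop rather than a parse error.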


@ -6,7 +6,6 @@ type TheFile = record {
sections_table : IMAGE_SECTION_HEADER[] &length=pe_header.file_header.NumberOfSections*40 &transient; sections_table : IMAGE_SECTION_HEADER[] &length=pe_header.file_header.NumberOfSections*40 &transient;
#pad : bytestring &length=offsetof(pe_header.data_directories + pe_header.data_directories[1].virtual_address); #pad : bytestring &length=offsetof(pe_header.data_directories + pe_header.data_directories[1].virtual_address);
#data_sections : DATA_SECTIONS[pe_header.file_header.NumberOfSections]; #data_sections : DATA_SECTIONS[pe_header.file_header.NumberOfSections];
#pad : bytestring &restofdata;
} &let { } &let {
dos_code_len: uint32 = dos_header.AddressOfNewExeHeader - 64; dos_code_len: uint32 = dos_header.AddressOfNewExeHeader - 64;
} &byteorder=littleendian; } &byteorder=littleendian;
@ -75,9 +74,9 @@ type IMAGE_OPTIONAL_HEADER(len: uint16) = record {
subsystem : uint16; subsystem : uint16;
dll_characteristics : uint16; dll_characteristics : uint16;
mem: case magic of { mem: case magic of {
0x0b01 -> i32 : MEM_INFO32; 0x0b01 -> i32 : MEM_INFO32;
0x0b02 -> i64 : MEM_INFO64; 0x0b02 -> i64 : MEM_INFO64;
default -> InvalidPEFile : bytestring &length=0; default -> InvalidPEFile : empty;
}; };
loader_flags : uint32; loader_flags : uint32;
number_of_rva_and_sizes : uint32; number_of_rva_and_sizes : uint32;
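Review bot: The case labels `0x0b01` and `0x0b02` on `magic` are the byte-swapped forms of the PE32/PE32+ optional-header magic values 0x10b and 0x20b; `TheFile` is `&byteorder=littleendian`, so if `IMAGE_OPTIONAL_HEADER` inherits or declares the same byte order (its attributes are above this hunk) neither case ever matches and every input takes the default branch. That default, now `InvalidPEFile : empty`, does not stop parsing: `loader_flags` and the fields after it are then read from whatever follows `dll_characteristics`, which is exactly the path a malformed file exercises. If the name reflects the intent, throwing a `binpac::Exception` for the unknown-magic case would fail fast instead of continuing on mis-aligned fields. The `magic` field itself is declared above this hunk.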


@ -163,6 +163,7 @@ type ModbusHeaders: record;
type ModbusCoils: vector; type ModbusCoils: vector;
type ModbusRegisters: vector; type ModbusRegisters: vector;
type PEHeader: record;
type PESectionHeader: record; type PESectionHeader: record;
module Log; module Log;
@ -250,6 +251,9 @@ enum Analyzer %{
## Deliver the file contents to the script-layer in an event. ## Deliver the file contents to the script-layer in an event.
ANALYZER_DATA_EVENT, ANALYZER_DATA_EVENT,
## Pass the file to the PE analyzer.
ANALYZER_PE,
%} %}
module GLOBAL; module GLOBAL;