A bit of final core-level cleanup.

Vlad Grigorescu 2015-04-19 21:59:42 -04:00
parent e3d63bfee8
commit 49d54b6a4e
4 changed files with 12 additions and 10 deletions


@ -8,7 +8,7 @@ PE::PE(RecordVal* args, File* file)
{
conn = new binpac::PE::MockConnection(this);
interp = new binpac::PE::File(conn);
done=false;
done = false;
}
PE::~PE()
@ -27,7 +27,6 @@ bool PE::DeliverStream(const u_char* data, uint64 len)
}
catch ( const binpac::Exception& e )
{
printf("Binpac exception: %s\n", e.c_msg());
return false;
}
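Review bot: With the printf gone, the catch block in PE::DeliverStream drops every binpac::Exception without a trace and only returns false. Taking stdout output out of core code is right, but a PE that fails to parse is worth surfacing to an analyst, since malformed headers are a common trait of packed or deliberately broken samples. Consider passing `e.c_msg()` to the project's own reporting facility instead of discarding it, or at least state the intent with a comment such as `// Parse errors are deliberately not reported; the analyzer just stops.` DeliverStream begins outside this hunk, so the try block itself is not visible here.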


@ -10,7 +10,7 @@
namespace file_analysis {
/**
* An action to simply extract files to disk.
* Analyze Portable Executable files
*/
class PE : public file_analysis::Analyzer {
public:


@ -39,9 +39,9 @@ type DOS_Code(len: uint32) = record {
type NT_Headers = record {
PESignature : uint32;
file_header : File_Header;
have_opt_header : case file_header.SizeOfOptionalHeader of {
0 -> none: empty;
default -> optional_header : Optional_Header &length=file_header.SizeOfOptionalHeader;
have_opt_header : case is_exe of {
true -> optional_header : Optional_Header &length=file_header.SizeOfOptionalHeader;
false -> none: empty;
};
} &let {
length: uint32 = file_header.SizeOfOptionalHeader + offsetof(have_opt_header);
@ -101,7 +101,7 @@ type Optional_Header = record {
number_of_rva_and_sizes : uint32;
rvas : RVAS(number_of_rva_and_sizes);
} &let {
pe_format: uint8 = $context.connection.set_pe32_format(magic);
pe_format : uint8 = $context.connection.set_pe32_format(magic);
image_base: uint64 = pe_format == PE32_PLUS ? image_base_64 : image_base_32;
};
@ -149,8 +149,10 @@ refine connection MockConnection += {
%{
if ( ${magic} == 0x10b )
pe32_format_ = PE32;
if ( ${magic} == 0x20b )
pe32_format_ = PE32_PLUS;
return pe32_format_;
%}
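Review bot: In NT_Headers the optional header is now gated on `is_exe`, but the `length` field still adds `file_header.SizeOfOptionalHeader` unconditionally, so a non-executable image with a non-zero SizeOfOptionalHeader reports bytes that the `false -> none: empty` arm never consumed. The opposite case changed too: an input with `is_exe` true and SizeOfOptionalHeader 0 used to take the empty arm and now parses Optional_Header inside a zero-byte `&length` window, which presumably ends in a binpac exception. Both values come straight from the file, so consider `length: uint32 = (is_exe ? file_header.SizeOfOptionalHeader : 0) + offsetof(have_opt_header);` and keeping a zero-size guard in the case condition. Separately, set_pe32_format in the last hunk leaves `pe32_format_` at its earlier value when magic is neither 0x10b nor 0x20b, and `image_base` is chosen from it. Where `is_exe` is defined is not visible in this section.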


@ -12,8 +12,9 @@ type Portable_Executable = record {
pad : Padding(restofdata);
} &let {
unparsed_hdr_len: uint32 = headers.pe_header.size_of_headers - headers.length;
restofdata: uint64 = headers.pe_header.is_exe ? $context.connection.get_max_file_location() - headers.pe_header.size_of_headers + unparsed_hdr_len : 0;
proc: bool = $context.connection.proc_pe(this);
data_post_hdrs: uint64 = $context.connection.get_max_file_location() - headers.pe_header.size_of_headers + unparsed_hdr_len;
restofdata: uint64 = headers.pe_header.is_exe ? data_post_hdrs : 0;
proc: bool = $context.connection.mark_done();
} &byteorder=littleendian;
refine connection MockConnection += {
@ -26,7 +27,7 @@ refine connection MockConnection += {
done_ = false;
%}
function proc_pe(p: Portable_Executable): bool
function mark_done(): bool
%{
done_ = true;
return true;
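Review bot: `unparsed_hdr_len` and the new `data_post_hdrs` are unsigned subtractions over `size_of_headers`, a value read from the file, and nothing in this hunk checks that it is at least `headers.length` or at most `get_max_file_location()`. If either bound is violated the result wraps to a very large number, and for an executable that number becomes the length given to `Padding(restofdata)`. Splitting the expression out is a good moment to add the bound, for example `restofdata: uint64 = (headers.pe_header.is_exe && headers.pe_header.size_of_headers >= headers.length) ? data_post_hdrs : 0;`, with a matching check against the file size. How Padding reacts to an oversized length is not visible here. A one-line comment on `mark_done()` saying that it only sets `done_` once the record has parsed would also help, since the old `proc_pe(this)` name suggested more.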