A bit of final core-level cleanup.

Vlad Grigorescu 2015-04-19 21:59:42 -04:00
parent e3d63bfee8
commit 49d54b6a4e
4 changed files with 12 additions and 10 deletions


@ -27,7 +27,6 @@ bool PE::DeliverStream(const u_char* data, uint64 len)
} }
catch ( const binpac::Exception& e ) catch ( const binpac::Exception& e )
{ {
printf("Binpac exception: %s\n", e.c_msg());
return false; return false;
} }


@ -10,7 +10,7 @@
namespace file_analysis { namespace file_analysis {
/** /**
* An action to simply extract files to disk. * Analyze Portable Executable files
*/ */
class PE : public file_analysis::Analyzer { class PE : public file_analysis::Analyzer {
public: public:


@ -39,9 +39,9 @@ type DOS_Code(len: uint32) = record {
type NT_Headers = record { type NT_Headers = record {
PESignature : uint32; PESignature : uint32;
file_header : File_Header; file_header : File_Header;
have_opt_header : case file_header.SizeOfOptionalHeader of { have_opt_header : case is_exe of {
0 -> none: empty; true -> optional_header : Optional_Header &length=file_header.SizeOfOptionalHeader;
default -> optional_header : Optional_Header &length=file_header.SizeOfOptionalHeader; false -> none: empty;
}; };
} &let { } &let {
length: uint32 = file_header.SizeOfOptionalHeader + offsetof(have_opt_header); length: uint32 = file_header.SizeOfOptionalHeader + offsetof(have_opt_header);
@ -149,8 +149,10 @@ refine connection MockConnection += {
%{ %{
if ( ${magic} == 0x10b ) if ( ${magic} == 0x10b )
pe32_format_ = PE32; pe32_format_ = PE32;
if ( ${magic} == 0x20b ) if ( ${magic} == 0x20b )
pe32_format_ = PE32_PLUS; pe32_format_ = PE32_PLUS;
return pe32_format_; return pe32_format_;
%} %}
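Review bot: In `NT_Headers`, `length` still adds `file_header.SizeOfOptionalHeader` unconditionally, while the new `case is_exe of` consumes the optional header only on the `true` branch. If a file has `is_exe` false and a non-zero `SizeOfOptionalHeader` (both are read from the file being analysed), `length` overstates what this record parsed, and that value feeds `unparsed_hdr_len` in the top-level record. Consider `length: uint32 = (is_exe ? file_header.SizeOfOptionalHeader : 0) + offsetof(have_opt_header);`. The definition of `is_exe` is not visible here and the record's `&let` block continues past the hunk, so confirm against the full file.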


@ -12,8 +12,9 @@ type Portable_Executable = record {
pad : Padding(restofdata); pad : Padding(restofdata);
} &let { } &let {
unparsed_hdr_len: uint32 = headers.pe_header.size_of_headers - headers.length; unparsed_hdr_len: uint32 = headers.pe_header.size_of_headers - headers.length;
restofdata: uint64 = headers.pe_header.is_exe ? $context.connection.get_max_file_location() - headers.pe_header.size_of_headers + unparsed_hdr_len : 0; data_post_hdrs: uint64 = $context.connection.get_max_file_location() - headers.pe_header.size_of_headers + unparsed_hdr_len;
proc: bool = $context.connection.proc_pe(this); restofdata: uint64 = headers.pe_header.is_exe ? data_post_hdrs : 0;
proc: bool = $context.connection.mark_done();
} &byteorder=littleendian; } &byteorder=littleendian;
refine connection MockConnection += { refine connection MockConnection += {
@ -26,7 +27,7 @@ refine connection MockConnection += {
done_ = false; done_ = false;
%} %}
function proc_pe(p: Portable_Executable): bool function mark_done(): bool
%{ %{
done_ = true; done_ = true;
return true; return true;
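Review bot: The new `data_post_hdrs` line adds `unparsed_hdr_len` directly, and that uint32 subtraction wraps when the file declares a `size_of_headers` smaller than `headers.length`. Both operands come from the file under analysis, so a wrapped value of roughly 4 GiB would flow into `restofdata`, and from there into the `Padding(restofdata)` length whenever `is_exe` is true. A guard on the line above would bound it: `unparsed_hdr_len: uint32 = headers.pe_header.size_of_headers > headers.length ? headers.pe_header.size_of_headers - headers.length : 0;`. The return type of `get_max_file_location()` is not visible, so it is worth checking the same way for a file shorter than its declared headers. The `Portable_Executable` record begins outside the hunk.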