Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-05 16:18:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

PE: Rehash the log a bit.

Browse source
This commit is contained in:
Vlad Grigorescu 2015-04-16 22:56:47 -04:00
parent 4753e4a3c2
commit 81bafb6c36
1 changed files with 42 additions and 18 deletions
Download patch file Download diff file Expand all files Collapse all files

60
scripts/base/files/pe/main.bro
View file

@ -5,14 +5,28 @@ export {
redef enum Log::ID += { LOG }; redef enum Log::ID += { LOG };
type Info: record { type Info: record {
ts: time &log; ts: time &log;
fuid: string &log; fuid: string &log;
machine: string &log &optional; machine: string &log &optional;
compile_ts: time &log &optional; compile_ts: time &log &optional;
os: string &log &optional; os: string &log &optional;
subsystem: string &log &optional; subsystem: string &log &optional;
characteristics: set[string] &log &optional;
section_names: vector of string &log &optional; is_exe: bool &log &default=F;
is_dll: bool &log &default=F;
is_64bit: bool &log &default=T;
uses_aslr: bool &log &default=F;
uses_dep: bool &log &default=F;
uses_code_integrity: bool &log &default=F;
uses_seh: bool &log &default=T;
has_import_table: bool &log &optional;
has_export_table: bool &log &optional;
has_cert_table: bool &log &optional;
has_debug_data: bool &log &optional;
section_names: vector of string &log &optional;
}; };
@ -33,41 +47,51 @@ hook set_file(f: fa_file) &priority=5
if ( ! f?$pe ) if ( ! f?$pe )
{ {
local c: set[string] = set(); local c: set[string] = set();
f$pe = [$ts=network_time(), $fuid=f$id, $characteristics=c]; f$pe = [$ts=network_time(), $fuid=f$id];
} }
} }
event pe_dos_header(f: fa_file, h: PE::DOSHeader) &priority=5 event pe_dos_header(f: fa_file, h: PE::DOSHeader) &priority=5
{ {
# print "DOS header";
# print h;
hook set_file(f); hook set_file(f);
} }
event pe_file_header(f: fa_file, h: PE::FileHeader) &priority=5 event pe_file_header(f: fa_file, h: PE::FileHeader) &priority=5
{ {
# print "File header";
# print h;
hook set_file(f); hook set_file(f);
f$pe$compile_ts = h$ts; f$pe$compile_ts = h$ts;
f$pe$machine = machine_types[h$machine]; f$pe$machine = machine_types[h$machine];
for ( c in h$characteristics ) for ( c in h$characteristics )
add f$pe$characteristics[PE::file_characteristics[c]]; {
if ( c == 0x2 )
f$pe$is_exe = T;
if ( c == 0x100 )
f$pe$is_64bit = F;
if ( c == 0x2000 )
f$pe$is_dll = T;
}
} }
event pe_optional_header(f: fa_file, h: PE::OptionalHeader) &priority=5 event pe_optional_header(f: fa_file, h: PE::OptionalHeader) &priority=5
{ {
# print "Optional header";
# print h;
hook set_file(f); hook set_file(f);
f$pe$os = os_versions[h$os_version_major, h$os_version_minor]; f$pe$os = os_versions[h$os_version_major, h$os_version_minor];
f$pe$subsystem = windows_subsystems[h$subsystem]; f$pe$subsystem = windows_subsystems[h$subsystem];
for ( c in h$dll_characteristics )
{
if ( c == 0x40 )
f$pe$uses_aslr = T;
if ( c == 0x80 )
f$pe$uses_code_integrity = T;
if ( c == 0x100 )
f$pe$uses_dep = T;
if ( c == 0x400 )
f$pe$uses_seh = F;
}
} }
event pe_section_header(f: fa_file, h: PE::SectionHeader) &priority=5 event pe_section_header(f: fa_file, h: PE::SectionHeader) &priority=5
{ {
# print "Section header";
# print h;
hook set_file(f); hook set_file(f);
if ( ! f$pe?$section_names ) if ( ! f$pe?$section_names )