Add data about which tables are present.

2025-10-02 14:48:21 +00:00 · 2015-04-19 18:41:32 -04:00 · 2015-04-19 18:41:32 -04:00 · a2eff14e05
commit a2eff14e05
parent ea36686524
3 changed files with 26 additions and 3 deletions
--- a/scripts/base/files/pe/main.bro
+++ b/scripts/base/files/pe/main.bro
@ -97,6 +97,11 @@ event pe_optional_header(f: fa_file, h: PE::OptionalHeader) &priority=5
 		if ( c == 0x400 )
 			f$pe$uses_seh = F;
 		}
+
+	f$pe$has_export_table = (|h$rvas| > 0 && h$rvas[0] > 0);
+	f$pe$has_import_table = (|h$rvas| > 1 && h$rvas[1] > 0);
+	f$pe$has_cert_table = (|h$rvas| > 4 && h$rvas[4] > 0);
+	f$pe$has_debug_data = (|h$rvas| > 6 && h$rvas[6] > 0);
 	}

 event pe_section_header(f: fa_file, h: PE::SectionHeader) &priority=5
--- a/scripts/base/init-bare.bro
+++ b/scripts/base/init-bare.bro
@ -2603,7 +2603,8 @@ type PE::OptionalHeader: record {
 	subsystem               : count;
 	dll_characteristics     : set[count];
 	loader_flags            : count;
-	number_of_rva_and_sizes : count;
+	rvas                    : vector of count;
+	
 };

 ## Record for Portable Executable (PE) section headers.
--- a/src/file_analysis/analyzer/pe/pe-analyzer.pac
+++ b/src/file_analysis/analyzer/pe/pe-analyzer.pac
@ -1,10 +1,25 @@
-
 %extern{
 #include "Event.h"
 #include "file_analysis/File.h"
 #include "events.bif.h"
 %}

+%header{
+VectorVal* process_rvas(const RVAS* rvas, const uint16 size);
+%}
+
+%code{
+VectorVal* process_rvas(const RVAS* rva_table, const uint16 size)
+	{
+	VectorVal* rvas = new VectorVal(internal_type("index_vec")->AsVectorType());
+	for ( uint16 i=0; i < size; ++i )
+		rvas->Assign(i, new Val((*rva_table->rvas())[i]->size(), TYPE_COUNT));
+
+	return rvas;
+	}
+%}
+
+
 refine flow File += {

 	function characteristics_to_bro(c: uint32, len: uint8): TableVal
@ -134,7 +149,9 @@ refine flow File += {
 			oh->Assign(22, new Val(${h.subsystem}, TYPE_COUNT));
 			oh->Assign(23, characteristics_to_bro(${h.dll_characteristics}, 16));
 			oh->Assign(24, new Val(${h.loader_flags}, TYPE_COUNT));
-			oh->Assign(25, new Val(${h.number_of_rva_and_sizes}, TYPE_COUNT));
+
+			oh->Assign(25, process_rvas(${h.rvas}, ${h.number_of_rva_and_sizes}));
+			
 			BifEvent::generate_pe_optional_header((analyzer::Analyzer *) connection()->bro_analyzer(), 
 			                                      connection()->bro_analyzer()->GetFile()->GetVal()->Ref(),
 			                                      oh);