From a2eff14e0598fd8c7ea88f3d94fbde5b75834a18 Mon Sep 17 00:00:00 2001
From: Vlad Grigorescu
Date: Sun, 19 Apr 2015 18:41:32 -0400
Subject: [PATCH] Add data about which tables are present.

---
 scripts/base/files/pe/main.bro | 5 +++++
 scripts/base/init-bare.bro | 3 ++-
 src/file_analysis/analyzer/pe/pe-analyzer.pac | 21 +++++++++++++++++--
 3 files changed, 26 insertions(+), 3 deletions(-)

diff --git a/scripts/base/files/pe/main.bro b/scripts/base/files/pe/main.bro
index bbe0846f04..db4d9e41d4 100644
--- a/scripts/base/files/pe/main.bro
+++ b/scripts/base/files/pe/main.bro
@@ -97,6 +97,11 @@ event pe_optional_header(f: fa_file, h: PE::OptionalHeader) &priority=5
 if ( c == 0x400 )
 f$pe$uses_seh = F;
 }
+
+ f$pe$has_export_table = (|h$rvas| > 0 && h$rvas[0] > 0);
+ f$pe$has_import_table = (|h$rvas| > 1 && h$rvas[1] > 0);
+ f$pe$has_cert_table = (|h$rvas| > 4 && h$rvas[4] > 0);
+ f$pe$has_debug_data = (|h$rvas| > 6 && h$rvas[6] > 0);
 }

 event pe_section_header(f: fa_file, h: PE::SectionHeader) &priority=5
diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro
index 2b8ed021b4..3babb1ded5 100644
--- a/scripts/base/init-bare.bro
+++ b/scripts/base/init-bare.bro
@@ -2603,7 +2603,8 @@ type PE::OptionalHeader: record {
 subsystem : count;
 dll_characteristics : set[count];
 loader_flags : count;
- number_of_rva_and_sizes : count;
+ rvas : vector of count;
+
 };

 ## Record for Portable Executable (PE) section headers.
diff --git a/src/file_analysis/analyzer/pe/pe-analyzer.pac b/src/file_analysis/analyzer/pe/pe-analyzer.pac
index 1c61241684..fd3ee5b0e2 100644
--- a/src/file_analysis/analyzer/pe/pe-analyzer.pac
+++ b/src/file_analysis/analyzer/pe/pe-analyzer.pac
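Review bot: The indices 0, 1, 4 and 6 on the four new `f$pe$has_*` assignments are bare magic numbers; a comment above them mapping each to its PE data-directory slot, e.g. `# Data-directory slots: 0 = export, 1 = import, 4 = certificate (security), 6 = debug`, would spare the next reader a trip to the spec. Because the analyzer fills `h$rvas` with each directory's declared size (the `->size()` in process_rvas), a value above zero only records that the header claims the table, not that the bytes are actually present or parse; the `has_*` field docs should say "declared in the header" so downstream logic does not treat them as verified. The enclosing pe_optional_header handler starts before this hunk.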
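Review bot: The new `rvas` field on PE::OptionalHeader has no `##` doc comment and its name suggests RVAs, while the analyzer stores each data directory's size in it (process_rvas assigns `->size()`); a line such as `## Declared sizes of the data-directory entries, indexed by directory number (0 = absent).` above it would fix both. Dropping `number_of_rva_and_sizes` from the record is a script-visible API change; the doc comment could point out that `|h$rvas|` now carries that count. The added blank line before `};` looks unintentional.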
@@ -1,10 +1,25 @@
-
 %extern{
 #include "Event.h"
 #include "file_analysis/File.h"
 #include "events.bif.h"
 %}
+%header{
+VectorVal* process_rvas(const RVAS* rvas, const uint16 size);
+%}
+
+%code{
+VectorVal* process_rvas(const RVAS* rva_table, const uint16 size)
+ {
+ VectorVal* rvas = new VectorVal(internal_type("index_vec")->AsVectorType());
+ for ( uint16 i=0; i < size; ++i )
+ rvas->Assign(i, new Val((*rva_table->rvas())[i]->size(), TYPE_COUNT));
+
+ return rvas;
+ }
+%}
+
+
 refine flow File += {
 function characteristics_to_bro(c: uint32, len: uint8): TableVal
@@ -134,7 +149,9 @@ refine flow File += {
 oh->Assign(22, new Val(${h.subsystem}, TYPE_COUNT));
 oh->Assign(23, characteristics_to_bro(${h.dll_characteristics}, 16));
 oh->Assign(24, new Val(${h.loader_flags}, TYPE_COUNT));
- oh->Assign(25, new Val(${h.number_of_rva_and_sizes}, TYPE_COUNT));
+
+ oh->Assign(25, process_rvas(${h.rvas}, ${h.number_of_rva_and_sizes}));
+
 BifEvent::generate_pe_optional_header((analyzer::Analyzer *) connection()->bro_analyzer(),
 connection()->bro_analyzer()->GetFile()->GetVal()->Ref(), oh);
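Review bot: process_rvas walks `(*rva_table->rvas())[i]` for every i below the separately passed `size`, and nothing in the function ties that count to how many entries the table actually holds; its only caller, the `oh->Assign(25, ...)` hunk further down, passes `${h.number_of_rva_and_sizes}`, a count read straight from the untrusted PE header. If the parser yields fewer entries than the header claims (a truncated or crafted file, or a parser-side cap on the data-directory array), the loop indexes past the end of the vector. Bounding the loop by the table itself is the safer shape, e.g. `const size_t n = rva_table->rvas()->size();` and `for ( size_t i = 0; i < n; ++i )`, assuming `rvas()` returns the usual binpac vector (confirm against the generated type). The vector is also filled with each entry's `size()` rather than its RVA, so a comment like `// Each element is the data-directory entry's Size field (0 = directory absent), not its RVA` would keep the script side, which tests `h$rvas[i] > 0`, honest about what it reads.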