Add data about which tables are present.

2025-10-07 00:58:19 +00:00 · 2015-04-19 18:41:32 -04:00 · 2015-04-19 18:41:32 -04:00 · a2eff14e05
commit a2eff14e05
parent ea36686524
3 changed files with 26 additions and 3 deletions
--- a/scripts/base/files/pe/main.bro
+++ b/scripts/base/files/pe/main.bro
@ -97,6 +97,11 @@ event pe_optional_header(f: fa_file, h: PE::OptionalHeader) &priority=5
 		if ( c == 0x400 )
 			f$pe$uses_seh = F;
 		}
+
+	f$pe$has_export_table = (|h$rvas| > 0 && h$rvas[0] > 0);
+	f$pe$has_import_table = (|h$rvas| > 1 && h$rvas[1] > 0);
+	f$pe$has_cert_table = (|h$rvas| > 4 && h$rvas[4] > 0);
+	f$pe$has_debug_data = (|h$rvas| > 6 && h$rvas[6] > 0);
 	}

 event pe_section_header(f: fa_file, h: PE::SectionHeader) &priority=5
--- a/scripts/base/init-bare.bro
+++ b/scripts/base/init-bare.bro
@ -2603,7 +2603,8 @@ type PE::OptionalHeader: record {
 	subsystem               : count;
 	dll_characteristics     : set[count];
 	loader_flags            : count;
-	number_of_rva_and_sizes : count;
+	rvas                    : vector of count;
+	
 };

 ## Record for Portable Executable (PE) section headers.