Make the dos code available in script land.
This commit is contained in:
parent
7ff8c1ebdd
commit
a65966c2d1
3 changed files with 21 additions and 1 deletions
|
@ -7060,6 +7060,7 @@ event file_hash%(f: fa_file, kind: string, hash: string%);
|
||||||
|
|
||||||
|
|
||||||
event pe_dos_header%(f: fa_file, h: PE::DOSHeader%);
|
event pe_dos_header%(f: fa_file, h: PE::DOSHeader%);
|
||||||
|
event pe_dos_code%(f: fa_file, code: string%);
|
||||||
event pe_file_header%(f: fa_file, h: PE::FileHeader%);
|
event pe_file_header%(f: fa_file, h: PE::FileHeader%);
|
||||||
event pe_optional_header%(f: fa_file, h: PE::OptionalHeader%);
|
event pe_optional_header%(f: fa_file, h: PE::OptionalHeader%);
|
||||||
event pe_section_header%(f: fa_file, h: PE::SectionHeader%);
|
event pe_section_header%(f: fa_file, h: PE::SectionHeader%);
|
||||||
|
|
|
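Review bot: The new `event pe_dos_code%(f: fa_file, code: string%);` declaration carries no `##` documentation, so script authors get no description of what `code` holds or when the event fires; the neighbouring PE events in this hunk are likewise undocumented, so this is a pre-existing pattern, but a new event is the place to start fixing it. I would add a Zeekygen comment above the declaration along the lines of `## Generated for the DOS code region of a PE file, the bytes that sit between the DOS header and the NT headers.`, followed by `## f: The file.` and `## code: The raw bytes of the DOS code region.`. Worth stating in that comment that `code` is binary data that should not be treated as printable text.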
@ -59,6 +59,17 @@ refine flow File += {
|
||||||
return true;
|
return true;
|
||||||
%}
|
%}
|
||||||
|
|
||||||
|
function proc_dos_code(code: bytestring): bool
|
||||||
|
%{
|
||||||
|
if ( pe_dos_code )
|
||||||
|
{
|
||||||
|
BifEvent::generate_pe_dos_code((Analyzer *) connection()->bro_analyzer(),
|
||||||
|
connection()->bro_analyzer()->GetFile()->GetVal()->Ref(),
|
||||||
|
new StringVal(code.length(), (const char*) code.data()));
|
||||||
|
}
|
||||||
|
return true;
|
||||||
|
%}
|
||||||
|
|
||||||
function proc_nt_headers(h: IMAGE_NT_HEADERS): bool
|
function proc_nt_headers(h: IMAGE_NT_HEADERS): bool
|
||||||
%{
|
%{
|
||||||
if ( ${h.PESignature} != 17744 ) // Number is uint32 version of "PE\0\0"
|
if ( ${h.PESignature} != 17744 ) // Number is uint32 version of "PE\0\0"
|
||||||
|
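Review bot: `proc_dos_code` copies the whole `code` bytestring into a fresh `StringVal` and raises the event for every PE file whenever any handler exists, and nothing in the hunk bounds that length: `DOS_Code(dos_code_len)` takes a `uint32` and `dos_code_len` is derived outside this diff, so if it comes straight from a header field the copy size is file-controlled. The buffering itself predates this commit (the field was already `bytestring &length=dos_code_len`), but handing it to script land adds a second allocation per file, so a short comment documenting the expected bound on `dos_code_len`, or an explicit check, belongs here. A minor style point: `connection()->bro_analyzer()` is evaluated twice in the call; hoisting it into a local, e.g. `auto a = connection()->bro_analyzer();` before the `if`, reads better and matches the one-call style of the surrounding code. The enclosing `refine flow File += {` block starts and ends outside the hunk.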
@ -171,6 +182,10 @@ refine typeattr DOS_Header += &let {
|
||||||
proc : bool = $context.flow.proc_dos_header(this);
|
proc : bool = $context.flow.proc_dos_header(this);
|
||||||
};
|
};
|
||||||
|
|
||||||
|
refine typeattr DOS_Code += &let {
|
||||||
|
proc : bool = $context.flow.proc_dos_code(code);
|
||||||
|
};
|
||||||
|
|
||||||
refine typeattr IMAGE_NT_HEADERS += &let {
|
refine typeattr IMAGE_NT_HEADERS += &let {
|
||||||
proc : bool = $context.flow.proc_nt_headers(this);
|
proc : bool = $context.flow.proc_nt_headers(this);
|
||||||
};
|
};
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
|
|
||||||
type TheFile = record {
|
type TheFile = record {
|
||||||
dos_header : DOS_Header;
|
dos_header : DOS_Header;
|
||||||
dos_code : bytestring &length=dos_code_len;
|
dos_code : DOS_Code(dos_code_len);
|
||||||
pe_header : IMAGE_NT_HEADERS;
|
pe_header : IMAGE_NT_HEADERS;
|
||||||
sections_table : IMAGE_SECTION_HEADER[] &length=pe_header.file_header.NumberOfSections*40 &transient;
|
sections_table : IMAGE_SECTION_HEADER[] &length=pe_header.file_header.NumberOfSections*40 &transient;
|
||||||
#pad : bytestring &length=offsetof(pe_header.data_directories + pe_header.data_directories[1].virtual_address);
|
#pad : bytestring &length=offsetof(pe_header.data_directories + pe_header.data_directories[1].virtual_address);
|
||||||
|
@ -34,6 +34,10 @@ type DOS_Header = record {
|
||||||
AddressOfNewExeHeader : uint32;
|
AddressOfNewExeHeader : uint32;
|
||||||
} &byteorder=littleendian &length=64;
|
} &byteorder=littleendian &length=64;
|
||||||
|
|
||||||
|
type DOS_Code(len: uint32) = record {
|
||||||
|
code : bytestring &length=len;
|
||||||
|
};
|
||||||
|
|
||||||
type IMAGE_NT_HEADERS = record {
|
type IMAGE_NT_HEADERS = record {
|
||||||
PESignature : uint32;
|
PESignature : uint32;
|
||||||
file_header : IMAGE_FILE_HEADER;
|
file_header : IMAGE_FILE_HEADER;
|
||||||
|
|
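Review bot: The new `type DOS_Code(len: uint32) = record { code : bytestring &length=len; };` has no comment explaining what `len` is and why it is a parameter rather than a computed field, whereas the neighbouring `DOS_Header` fixes its size with `&length=64`. A one-line comment such as `# Raw bytes between the DOS header and the NT headers; len is dos_code_len computed by the caller.` would make the contract visible at the definition. Since `len` is the only thing bounding the buffered region and its derivation is not in this diff, the comment should also say where the bound comes from.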