Checkpoint
parent
e0276384e7
commit
cb040b6da4
7 changed files with 60 additions and 27 deletions
|
@ -5,6 +5,8 @@
|
|||
#include "DataEvent.h"
|
||||
#include "Hash.h"
|
||||
|
||||
#include "analyzers/PE.h"
|
||||
|
||||
using namespace file_analysis;
|
||||
|
||||
// keep in order w/ declared enum values in file_analysis.bif
|
||||
|
@ -14,6 +16,8 @@ static ActionInstantiator action_factory[] = {
|
|||
SHA1::Instantiate,
|
||||
SHA256::Instantiate,
|
||||
DataEvent::Instantiate,
|
||||
|
||||
PE_Analyzer::Instantiate,
|
||||
};
|
||||
|
||||
static void action_del_func(void* v)
|
||||
|
|
|
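Review bot: `action_factory[]` is indexed by the `ACTION_*` enum value (the comment above it says it must stay in the order declared in file_analysis.bif), so appending `PE_Analyzer::Instantiate` after `DataEvent::Instantiate` is only correct if `ACTION_PE_ANALYZER` is declared directly after the DataEvent value in the bif, and that file is not among the hunks shown, so please confirm. A trailing comment on the new entry, `PE_Analyzer::Instantiate, // must match ACTION_PE_ANALYZER in file_analysis.bif`, makes the coupling visible at the point where it is easiest to break. The array's opening line is outside the second hunk.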
@ -6,13 +6,11 @@
|
|||
|
||||
using namespace file_analysis;
|
||||
|
||||
PE_Analyzer::PE_Analyzer(Info* arg_info)
|
||||
: Action(arg_info, BifEnum::FileAnalysis::ACTION_PE_ANALYZER)
|
||||
PE_Analyzer::PE_Analyzer(RecordVal* args, Info* info, uint64 fsize)
|
||||
: Action(args, info)
|
||||
{
|
||||
interp = new binpac::PE::File(this);
|
||||
|
||||
// Close the reverse flow.
|
||||
interp->FlowEOF(false);
|
||||
conn = new binpac::PE::MockConnection(this);
|
||||
interp = new binpac::PE::File(conn, fsize);
|
||||
}
|
||||
|
||||
PE_Analyzer::~PE_Analyzer()
|
||||
|
@ -20,17 +18,32 @@ PE_Analyzer::~PE_Analyzer()
|
|||
delete interp;
|
||||
}
|
||||
|
||||
Action* PE_Analyzer::Instantiate(const RecordVal* args, Info* info)
|
||||
Action* PE_Analyzer::Instantiate(RecordVal* args, Info* info)
|
||||
{
|
||||
return new PE_Analyzer(info);
|
||||
using BifType::Record::FileAnalysis::Info;
|
||||
const char* field = "total_bytes";
|
||||
Val* filesize = info->GetVal()->Lookup(Info->FieldOffset(field));
|
||||
if ( ! filesize )
|
||||
// TODO: this should be a reporter message? or better yet stop relying on the file size.
|
||||
return 0;
|
||||
|
||||
bro_uint_t fsize = filesize->AsCount();
|
||||
return new PE_Analyzer(args, info, fsize);
|
||||
}
|
||||
|
||||
bool PE_Analyzer::DeliverStream(const u_char* data, uint64 len)
|
||||
{
|
||||
Action::DeliverStream(data, len);
|
||||
|
||||
// Data is exclusively sent into the "up" flow.
|
||||
interp->NewData(true, data, data + len);
|
||||
try
|
||||
{
|
||||
interp->NewData(data, data + len);
|
||||
}
|
||||
catch ( const binpac::Exception& e )
|
||||
{
|
||||
printf("Binpac exception: %s\n", e.c_msg());
|
||||
}
|
||||
|
||||
|
||||
return true;
|
||||
}
|
||||
|
|
|
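Review bot: The destructor still frees only `interp`, but the new constructor in the first hunk also allocates `conn = new binpac::PE::MockConnection(this)`, so every PE_Analyzer leaks its MockConnection; add `delete conn;` next to `delete interp;` (the destructor's opening line is outside the second hunk). In `DeliverStream`, the new `catch ( const binpac::Exception& e )` prints the message with `printf` and still returns true, so a malformed or truncated input leaves the analyzer attached and the next chunk is fed to a parser that has already thrown; route the message through the analyzer's normal error reporting and, if a false return detaches the action as the return type suggests, return false there with a short `// parser state is unusable after a binpac exception` comment. `fsize` is read from the file record's `total_bytes` field and later becomes the `&length` of the flowunit in pe-file.pac; I cannot tell from this diff where `total_bytes` originates, but if it comes from metadata rather than the bytes seen so far, a sanity bound before `return new PE_Analyzer(args, info, fsize);` is worth adding. The `return 0;` under `if ( ! filesize )` keeps the TODO in place; a reporter message there is cheap and would make the silent non-instantiation visible.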
@ -14,16 +14,18 @@ namespace file_analysis {
|
|||
*/
|
||||
class PE_Analyzer : Action {
|
||||
public:
|
||||
static Action* Instantiate(const RecordVal* args, Info* info);
|
||||
static Action* Instantiate(RecordVal* args, Info* info);
|
||||
|
||||
~PE_Analyzer();
|
||||
|
||||
virtual bool DeliverStream(const u_char* data, uint64 len);
|
||||
|
||||
protected:
|
||||
|
||||
PE_Analyzer(Info* arg_info);
|
||||
PE_Analyzer(RecordVal* args, Info* info, uint64 fsize);
|
||||
binpac::PE::File* interp;
|
||||
binpac::PE::MockConnection* conn;
|
||||
|
||||
uint64 fsize;
|
||||
};
|
||||
|
||||
} // namespace file_analysis
|
||||
|
|
|
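Review bot: The new member `uint64 fsize;` is never assigned: the constructor parameter of the same name shadows it and is passed straight to `binpac::PE::File(conn, fsize)` in PE.cc, so the member stays uninitialized and any later reader of it sees garbage; either drop the member or set it in the constructor's initializer list. `conn` and `interp` are both owning raw pointers and the class declares no copy constructor or copy assignment, so unless `Action` already disables copying (not visible here), copying a PE_Analyzer would double-free. Ownership is worth stating on the declarations, e.g. `binpac::PE::MockConnection* conn; // owned by this analyzer`. The class body begins outside the hunk.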
@ -1,16 +1,26 @@
|
|||
|
||||
%extern{
|
||||
#include "Event.h"
|
||||
#include "file_analysis.bif.func_h"
|
||||
%}
|
||||
|
||||
refine connection File += {
|
||||
refine flow File += {
|
||||
|
||||
function proc_sig(sig: bytestring) : bool
|
||||
%{
|
||||
if ( strcmp("MZ", (const char *) ${sig}.data()) == 0 )
|
||||
printf("yep: %s\n", ${sig}.data());
|
||||
//val_list* vl = new val_list;
|
||||
//StringVal *sigval = new StringVal(${sig}.length(), (const char*) ${sig}.begin());
|
||||
//vl->append(sigval);
|
||||
//mgr.QueueEvent(FileAnalysis::windows_pe_sig, vl);
|
||||
|
||||
BifEvent::FileAnalysis::generate_windows_pe_sig((Analyzer *) connection()->bro_analyzer(),
|
||||
(Val *) connection()->bro_analyzer()->GetInfo(),
|
||||
new StringVal(${sig}.length(), (const char*) ${sig}.begin()));
|
||||
return true;
|
||||
%}
|
||||
|
||||
};
|
||||
|
||||
refine typeattr DOSStub += &let {
|
||||
proc : bool = $context.connection.proc_sig(signature);
|
||||
proc : bool = $context.flow.proc_sig(signature);
|
||||
};
|
||||
|
|
|
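Review bot: The new `generate_windows_pe_sig(...)` call casts `connection()->bro_analyzer()->GetInfo()` to `Val *` with a C-style cast, whereas PE.cc reaches the record through `info->GetVal()`; if `GetInfo()` returns that same `Info*` type, the cast reinterprets an Info object as a Val and the event receives a bogus pointer, so pass `connection()->bro_analyzer()->GetInfo()->GetVal()` instead, and give the `(Analyzer *)` cast of a `BroFileAnalyzer` the same scrutiny. The unchanged `strcmp("MZ", (const char *) ${sig}.data())` and the `%s` printf beside it treat a `bytestring &length=2` as NUL-terminated, which reads past the two signature bytes into whatever follows in the flow buffer; `${sig}.length() == 2 && memcmp(${sig}.begin(), "MZ", 2) == 0` is the bounded form. Note also that the event is generated whether or not the signature matched, since the `if` guards only the printf; if the intent is to report only real PE files, move the generate call under the check.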
@ -1,7 +1,7 @@
|
|||
|
||||
type TheFile() = record {
|
||||
barf: DOSStub;
|
||||
} &byteorder=bigendian &length=-1;
|
||||
type TheFile(fsize: uint64) = record {
|
||||
dos_stub: DOSStub;
|
||||
} &byteorder=bigendian &length=fsize;
|
||||
|
||||
type DOSStub() = record {
|
||||
signature : bytestring &length=2;
|
||||
|
|
|
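Review bot: `&length=fsize` makes TheFile's extent equal to the size handed in from `total_bytes`, and with a flowunit parse binpac, as far as I understand its frame buffering, collects that many bytes before DOSStub is examined; a zero size (which is what pe.pac's `File(0)` flows get) means the record can never complete, while a very large value commits the buffer to that size. A comment on the type stating the contract, `# fsize must be the exact file length; the record is parsed only once fsize bytes have arrived`, plus a bound check in the C++ caller that computes it, would document this. The `barf` to `dos_stub` rename is fine.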
@ -2,19 +2,19 @@
|
|||
%include bro.pac
|
||||
|
||||
analyzer PE withcontext {
|
||||
connection: File;
|
||||
flow: Bytes;
|
||||
connection: MockConnection;
|
||||
flow: File;
|
||||
};
|
||||
|
||||
connection File(bro_analyzer: BroFileAnalyzer) {
|
||||
upflow = Bytes(true);
|
||||
downflow = Bytes(false);
|
||||
connection MockConnection(bro_analyzer: BroFileAnalyzer) {
|
||||
upflow = File(0);
|
||||
downflow = File(0);
|
||||
};
|
||||
|
||||
%include pe-file.pac
|
||||
|
||||
flow Bytes(is_orig: bool) {
|
||||
flowunit = TheFile() withcontext(connection, this);
|
||||
flow File(fsize: uint64) {
|
||||
flowunit = TheFile(fsize) withcontext(connection, this);
|
||||
}
|
||||
|
||||
%include pe-analyzer.pac
|
||||
|
|
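Review bot: `MockConnection` creates `upflow = File(0)` and `downflow = File(0)`, but PE.cc constructs a separate `binpac::PE::File(conn, fsize)` and delivers data only to that one, so as far as this diff shows the two connection-owned flows are built with a zero file size and never receive bytes. If they exist only so the `connection` grammar compiles, say so next to them, `# upflow/downflow are unused; PE.cc drives a File(fsize) flow directly`, so the next reader does not route data through them. If they are meant to be used, the zero size conflicts with the `&length=fsize` contract in pe-file.pac.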