Checkpoint

This commit is contained in:
Seth Hall 2013-04-01 09:00:07 -04:00
parent e0276384e7
commit cb040b6da4
7 changed files with 60 additions and 27 deletions


@ -125,3 +125,7 @@ function FileAnalysis::eof%(source: string%): any
file_mgr->EndOfFile(source->CheckString()); file_mgr->EndOfFile(source->CheckString());
return 0; return 0;
%} %}
# Define file analysis framework events.
event FileAnalysis::windows_pe_sig%(fi: FileAnalysis::Info, sig: string%);
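Review bot: The new `windows_pe_sig` event is declared without a `##` doc comment, so the generated script reference will say nothing about when it fires or what `sig` holds; the rest of this file's conventions aren't visible in the hunk, but the bare `#` line above it is not picked up as documentation. Judging from the pe-analyzer.pac hunk in this commit, the event is raised for every DOS stub the analyzer parses, not only when the bytes are "MZ", so a handler has to make that check itself and the doc should say so: `## Generated by the PE file analyzer with the first two bytes of the DOS stub; fires for every file the analyzer parses, so the "MZ" check belongs in the handler.` followed by `## fi: The file's analysis record.` and `## sig: The two raw signature bytes.`.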


@ -5,6 +5,8 @@
#include "DataEvent.h" #include "DataEvent.h"
#include "Hash.h" #include "Hash.h"
#include "analyzers/PE.h"
using namespace file_analysis; using namespace file_analysis;
// keep in order w/ declared enum values in file_analysis.bif // keep in order w/ declared enum values in file_analysis.bif
@ -14,6 +16,8 @@ static ActionInstantiator action_factory[] = {
SHA1::Instantiate, SHA1::Instantiate,
SHA256::Instantiate, SHA256::Instantiate,
DataEvent::Instantiate, DataEvent::Instantiate,
PE_Analyzer::Instantiate,
}; };
static void action_del_func(void* v) static void action_del_func(void* v)
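Review bot: `PE_Analyzer::Instantiate` is appended to `action_factory`, which the comment above the table requires to stay in lockstep with the enum in file_analysis.bif, but the only file_analysis.bif hunk in this commit adds an event, not an enumerator; if `ACTION_PE_ANALYZER` isn't already the last value there, the enum and the table drift silently and the PE analyzer is instantiated for the wrong action value (or the table is indexed past its end). Since `Instantiate` also changed to take a non-const `RecordVal*` in this commit, the `ActionInstantiator` typedef presumably changed to match, which isn't visible here either. At minimum the new entry should carry a comment tying it to its enumerator, `PE_Analyzer::Instantiate,   // ACTION_PE_ANALYZER, must stay last in the enum`, and if the build allows it a static size check of the table against the enum count would make the drift a compile error.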


@ -6,13 +6,11 @@
using namespace file_analysis; using namespace file_analysis;
PE_Analyzer::PE_Analyzer(Info* arg_info) PE_Analyzer::PE_Analyzer(RecordVal* args, Info* info, uint64 fsize)
: Action(arg_info, BifEnum::FileAnalysis::ACTION_PE_ANALYZER) : Action(args, info)
{ {
interp = new binpac::PE::File(this); conn = new binpac::PE::MockConnection(this);
interp = new binpac::PE::File(conn, fsize);
// Close the reverse flow.
interp->FlowEOF(false);
} }
PE_Analyzer::~PE_Analyzer() PE_Analyzer::~PE_Analyzer()
@ -20,17 +18,32 @@ PE_Analyzer::~PE_Analyzer()
delete interp; delete interp;
} }
Action* PE_Analyzer::Instantiate(const RecordVal* args, Info* info) Action* PE_Analyzer::Instantiate(RecordVal* args, Info* info)
{ {
return new PE_Analyzer(info); using BifType::Record::FileAnalysis::Info;
const char* field = "total_bytes";
Val* filesize = info->GetVal()->Lookup(Info->FieldOffset(field));
if ( ! filesize )
// TODO: this should be a reporter message? or better yet stop relying on the file size.
return 0;
bro_uint_t fsize = filesize->AsCount();
return new PE_Analyzer(args, info, fsize);
} }
bool PE_Analyzer::DeliverStream(const u_char* data, uint64 len) bool PE_Analyzer::DeliverStream(const u_char* data, uint64 len)
{ {
Action::DeliverStream(data, len); Action::DeliverStream(data, len);
// Data is exclusively sent into the "up" flow. try
interp->NewData(true, data, data + len); {
interp->NewData(data, data + len);
}
catch ( const binpac::Exception& e )
{
printf("Binpac exception: %s\n", e.c_msg());
}
return true; return true;
} }
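Review bot: The new catch in `DeliverStream` prints the binpac exception with `printf` and then returns true, so a file whose bytes break the parser is reported on stdout and keeps being fed into an interp whose state is now unknown; parse failures on sender-controlled content should go through the reporter and stop the stream, e.g. `reporter->Error("PE analyzer: binpac exception: %s", e.c_msg()); return false;` in the catch (assuming, since the framework contract isn't visible here, that a false return detaches the action; otherwise a `failed` flag checked at the top of `DeliverStream` gives the same effect). The return value of `Action::DeliverStream(data, len)` on the first line of the body is discarded as well. In `Instantiate`, the silent `return 0` when `total_bytes` is missing deserves the reporter message the TODO already asks for, and `Info->FieldOffset(field)` should be checked for -1 before it is passed to `Lookup`, unless the record type is guaranteed to carry that field.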


@ -14,16 +14,18 @@ namespace file_analysis {
*/ */
class PE_Analyzer : Action { class PE_Analyzer : Action {
public: public:
static Action* Instantiate(const RecordVal* args, Info* info); static Action* Instantiate(RecordVal* args, Info* info);
~PE_Analyzer(); ~PE_Analyzer();
virtual bool DeliverStream(const u_char* data, uint64 len); virtual bool DeliverStream(const u_char* data, uint64 len);
protected: protected:
PE_Analyzer(RecordVal* args, Info* info, uint64 fsize);
PE_Analyzer(Info* arg_info);
binpac::PE::File* interp; binpac::PE::File* interp;
binpac::PE::MockConnection* conn;
uint64 fsize;
}; };
} // namespace file_analysis } // namespace file_analysis
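Review bot: The new `uint64 fsize;` member is never initialized — the matching constructor in PE.cc initializes only `Action(args, info)` and its `fsize` parameter shadows the member — so any later read of it yields an indeterminate value. Either drop the member, since the size is already handed straight to `binpac::PE::File`, or rename the parameter and set it in the initializer list: `PE_Analyzer(RecordVal* args, Info* info, uint64 arg_fsize);` with `: Action(args, info), fsize(arg_fsize)` in PE.cc. If it stays, a one-line comment such as `// advertised total file size, taken from Info::total_bytes at instantiation` would tell the next reader where the number comes from and that it is not something the analyzer measured itself.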


@ -1,16 +1,26 @@
%extern{
#include "Event.h"
#include "file_analysis.bif.func_h"
%}
refine connection File += { refine flow File += {
function proc_sig(sig: bytestring) : bool function proc_sig(sig: bytestring) : bool
%{ %{
if ( strcmp("MZ", (const char *) ${sig}.data()) == 0 ) //val_list* vl = new val_list;
printf("yep: %s\n", ${sig}.data()); //StringVal *sigval = new StringVal(${sig}.length(), (const char*) ${sig}.begin());
//vl->append(sigval);
//mgr.QueueEvent(FileAnalysis::windows_pe_sig, vl);
BifEvent::FileAnalysis::generate_windows_pe_sig((Analyzer *) connection()->bro_analyzer(),
(Val *) connection()->bro_analyzer()->GetInfo(),
new StringVal(${sig}.length(), (const char*) ${sig}.begin()));
return true; return true;
%} %}
}; };
refine typeattr DOSStub += &let { refine typeattr DOSStub += &let {
proc : bool = $context.connection.proc_sig(signature); proc : bool = $context.flow.proc_sig(signature);
}; };
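Review bot: `generate_windows_pe_sig` is handed `connection()->bro_analyzer()` through a C-style cast to `Analyzer *`, but per this commit's `connection MockConnection(bro_analyzer: BroFileAnalyzer)` declaration that pointer is the file-analysis action, not a protocol analyzer, so the cast is a pun between unrelated types that is only safe if the generated event code never dereferences its analyzer argument — and whether it does isn't visible here. I'd pass `0` for that argument (or give bifcl a file-analysis variant of the generated signature) rather than cast; the `(Val *)` cast on `GetInfo()` deserves the same scrutiny. The event is also raised for every `DOSStub`, whatever the two bytes are, so a comment above the call, `// Raised for every file; whether sig is "MZ" is left to the script handler.`, would save the next reader from assuming otherwise, and the four commented-out `val_list` lines above it are dead and should go.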


@ -1,7 +1,7 @@
type TheFile() = record { type TheFile(fsize: uint64) = record {
barf: DOSStub; dos_stub: DOSStub;
} &byteorder=bigendian &length=-1; } &byteorder=bigendian &length=fsize;
type DOSStub() = record { type DOSStub() = record {
signature : bytestring &length=2; signature : bytestring &length=2;
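Review bot: `&length=fsize` ties the top-level flowunit frame to the file's advertised total size, which `PE_Analyzer::Instantiate` reads from the `total_bytes` metadata — ultimately whatever the sender claimed, e.g. a Content-Length — so binpac will buffer up to that many bytes before it parses even the 2-byte `dos_stub`; an oversized or dishonest size costs memory per file and delays the signature event, or suppresses it entirely on a truncated transfer. The DOS stub has a fixed size, so a bounded frame is enough here, e.g. `} &byteorder=bigendian &length=2;` (or a named constant) until later stages need more, and if the full-size frame is kept, `fsize` should be capped in `Instantiate` before it reaches the parser. The `uint64` parameter also presumably narrows to binpac's `int` frame length without any check.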


@ -2,19 +2,19 @@
%include bro.pac %include bro.pac
analyzer PE withcontext { analyzer PE withcontext {
connection: File; connection: MockConnection;
flow: Bytes; flow: File;
}; };
connection File(bro_analyzer: BroFileAnalyzer) { connection MockConnection(bro_analyzer: BroFileAnalyzer) {
upflow = Bytes(true); upflow = File(0);
downflow = Bytes(false); downflow = File(0);
}; };
%include pe-file.pac %include pe-file.pac
flow Bytes(is_orig: bool) { flow File(fsize: uint64) {
flowunit = TheFile() withcontext(connection, this); flowunit = TheFile(fsize) withcontext(connection, this);
} }
%include pe-analyzer.pac %include pe-analyzer.pac