From d19b8b0266d6d8581792189d5ab0161ed15bb11b Mon Sep 17 00:00:00 2001
From: Seth Hall
Date: Wed, 3 Apr 2013 00:51:33 -0400
Subject: [PATCH] Checkpoint for discussion.
---
 src/file_analysis.bif | 3 ++-
 src/file_analysis/analyzers/pe-analyzer.pac | 16 ++++++----------
 src/file_analysis/analyzers/pe-file.pac | 5 +++--
 3 files changed, 11 insertions(+), 13 deletions(-)
diff --git a/src/file_analysis.bif b/src/file_analysis.bif
index 6ded10b251..89845e6f2c 100644
--- a/src/file_analysis.bif
+++ b/src/file_analysis.bif
@@ -128,4 +128,5 @@ function FileAnalysis::eof%(source: string%): any
 # Define file analysis framework events.
-event FileAnalysis::windows_pe_sig%(fi: FileAnalysis::Info, sig: string%);
+#event FileAnalysis::windows_pe_dosstub%(fi: FileAnalysis::Info, sig: string, checksum: count%);
+event FileAnalysis::windows_pe_dosstub%(checksum: count%);
diff --git a/src/file_analysis/analyzers/pe-analyzer.pac b/src/file_analysis/analyzers/pe-analyzer.pac
index 77edfa3434..63f722b18c 100644
--- a/src/file_analysis/analyzers/pe-analyzer.pac
+++ b/src/file_analysis/analyzers/pe-analyzer.pac
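Review bot: The new `windows_pe_dosstub` event's single parameter is named `checksum`, but the value the analyzer hands it in the pe-analyzer.pac hunk is `${stub.HeaderSizeInParagraphs}`, so a script handler reading the declaration will misinterpret what it receives; rename the parameter to match what is actually delivered, e.g. `event FileAnalysis::windows_pe_dosstub%(header_size_in_paragraphs: count%);`, or pass the DOS header's checksum field instead. Dropping `fi: FileAnalysis::Info` also leaves handlers no way to tie the event to the file it was raised for, which the commented-out declaration directly above still shows was the intent. Since this is a checkpoint, a `##` doc comment on the event saying which DOS header field is delivered would keep the next reader from guessing; any script that handled the removed `windows_pe_sig` will presumably need a matching update.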
@@ -6,21 +6,17 @@ refine flow File += {
- function proc_sig(sig: bytestring) : bool
+ function proc_dosstub(stub: DOSStub) : bool
 %{
- //val_list* vl = new val_list;
- //StringVal *sigval = new StringVal(${sig}.length(), (const char*) ${sig}.begin());
- //vl->append(sigval);
- //mgr.QueueEvent(FileAnalysis::windows_pe_sig, vl);
- BifEvent::FileAnalysis::generate_windows_pe_sig((Analyzer *) connection()->bro_analyzer(),
- (Val *) connection()->bro_analyzer()->GetInfo(),
- new StringVal(${sig}.length(), (const char*) ${sig}.begin()));
+ BifEvent::FileAnalysis::generate_windows_pe_dosstub((Analyzer *) connection()->bro_analyzer(),
+ //(Val *) connection()->bro_analyzer()->GetInfo(),
+ //new StringVal(${stub.signature}.length(), (const char*) ${stub.signature}.begin()),
+ ${stub.HeaderSizeInParagraphs});
 return true;
 %}
 };
 refine typeattr DOSStub += &let {
- proc : bool = $context.flow.proc_sig(signature);
+ proc : bool = $context.flow.proc_dosstub(this);
 };
diff --git a/src/file_analysis/analyzers/pe-file.pac b/src/file_analysis/analyzers/pe-file.pac
index 33cd1270f7..50647b7275 100644
--- a/src/file_analysis/analyzers/pe-file.pac
+++ b/src/file_analysis/analyzers/pe-file.pac
@@ -1,7 +1,8 @@
 type TheFile(fsize: uint64) = record {
 dos_stub: DOSStub;
-} &byteorder=bigendian &length=fsize;
+ blah: bytestring &length=1316134912 &transient;
+} &transient &byteorder=littleendian;
 type DOSStub() = record {
 signature : bytestring &length=2;
@@ -23,4 +24,4 @@ type DOSStub() = record {
 OEMinfo : uint16;
 Reserved2 : uint16[10];
 AddressOfNewExeHeader : uint32;
-} &byteorder=bigendian;
\ No newline at end of file
+} &byteorder=littleendian &length=64;
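Review bot: `proc_dosstub` raises the event for every parsed `DOSStub` without checking that `${stub.signature}` holds the `MZ` magic, and because the signature is no longer passed to script-land (the `new StringVal(${stub.signature}...)` argument is commented out) the handler cannot verify it either, so the event fires on any 64 bytes the analyzer is given and will produce noise on non-PE input. Either keep the signature as an event argument or guard the call, e.g. compare the two bytes at `${stub.signature}.begin()` against `"MZ"` with `memcmp` and `return false;` on mismatch before calling `generate_windows_pe_dosstub`. The commented-out lines left inside the argument list make the call hard to read; move them to a `// TODO:` above the call or drop them. The enclosing `refine flow File += {` block begins before this hunk.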
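Review bot: The new `blah` field in `TheFile` is given a hard-coded `&length=1316134912` (roughly 1.3 GB) while the `fsize` parameter that the removed `&length=fsize` used is now unused, so the constant reads as a leftover placeholder and presumably keeps the record from ever completing on inputs smaller than that. If the remainder of the file is meant to be consumed, derive the length from the parameter, e.g. `blah: bytestring &length=fsize - 64 &transient;` (64 being the `&length=64` the second hunk pins on `DOSStub`; if binpac rejects arithmetic in `&length`, compute it in a `&let`), and give the field a name that says what it holds.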