Checkpoint for discussion.

src/file_analysis/analyzers/pe-analyzer.pac

@@ -6,21 +6,17 @@
 
 refine flow File += {
 
-	function proc_sig(sig: bytestring) : bool
+	function proc_dosstub(stub: DOSStub) : bool
 		%{
-		//val_list* vl = new val_list;
-		//StringVal *sigval = new StringVal(${sig}.length(), (const char*) ${sig}.begin());
-		//vl->append(sigval);
-		//mgr.QueueEvent(FileAnalysis::windows_pe_sig, vl);
-
-		BifEvent::FileAnalysis::generate_windows_pe_sig((Analyzer *) connection()->bro_analyzer(), 
-		                                                (Val *) connection()->bro_analyzer()->GetInfo(),
-		                                                new StringVal(${sig}.length(), (const char*) ${sig}.begin()));
+		BifEvent::FileAnalysis::generate_windows_pe_dosstub((Analyzer *) connection()->bro_analyzer(), 
+		                                                    //(Val *) connection()->bro_analyzer()->GetInfo(),
+		                                                    //new StringVal(${stub.signature}.length(), (const char*) ${stub.signature}.begin()),
+		                                                    ${stub.HeaderSizeInParagraphs});
 		return true;
 		%}
 
 };
 
 refine typeattr DOSStub += &let {
-	proc : bool = $context.flow.proc_sig(signature);
+	proc : bool = $context.flow.proc_dosstub(this);
 };

src/file_analysis/analyzers/pe-file.pac

@@ -1,7 +1,8 @@
 
 type TheFile(fsize: uint64) = record {
 	dos_stub: DOSStub;
-} &byteorder=bigendian &length=fsize;
+	blah: bytestring &length=1316134912 &transient;
+} &transient &byteorder=littleendian;
 
 type DOSStub() = record {
 	signature                : bytestring &length=2;
@@ -23,4 +24,4 @@ type DOSStub() = record {
 	OEMinfo                  : uint16;
 	Reserved2                : uint16[10];
 	AddressOfNewExeHeader    : uint32;
-} &byteorder=bigendian;
+} &byteorder=littleendian &length=64;