Checkpoint for discussion.

2025-10-04 23:58:20 +00:00 · 2013-04-03 00:51:33 -04:00 · 2013-04-03 00:51:33 -04:00 · d19b8b0266
commit d19b8b0266
parent cb040b6da4
3 changed files with 11 additions and 13 deletions
--- a/src/file_analysis.bif
+++ b/src/file_analysis.bif
@ -128,4 +128,5 @@ function FileAnalysis::eof%(source: string%): any
 # Define file analysis framework events.
-event FileAnalysis::windows_pe_sig%(fi: FileAnalysis::Info, sig: string%);
+#event FileAnalysis::windows_pe_dosstub%(fi: FileAnalysis::Info, sig: string, checksum: count%);
 event FileAnalysis::windows_pe_dosstub%(checksum: count%);
--- a/src/file_analysis/analyzers/pe-analyzer.pac
+++ b/src/file_analysis/analyzers/pe-analyzer.pac
@ -6,21 +6,17 @@
 refine flow File += {
-	function proc_sig(sig: bytestring) : bool
+	function proc_dosstub(stub: DOSStub) : bool
 		%{
-		//val_list* vl = new val_list;
+		BifEvent::FileAnalysis::generate_windows_pe_dosstub((Analyzer *) connection()->bro_analyzer(), 
-		//StringVal *sigval = new StringVal(${sig}.length(), (const char*) ${sig}.begin());
+		                                                    //(Val *) connection()->bro_analyzer()->GetInfo(),
-		//vl->append(sigval);
+		                                                    //new StringVal(${stub.signature}.length(), (const char*) ${stub.signature}.begin()),
-		//mgr.QueueEvent(FileAnalysis::windows_pe_sig, vl);
+		                                                    ${stub.HeaderSizeInParagraphs});
 		BifEvent::FileAnalysis::generate_windows_pe_sig((Analyzer *) connection()->bro_analyzer(), 
 		                                                (Val *) connection()->bro_analyzer()->GetInfo(),
 		                                                new StringVal(${sig}.length(), (const char*) ${sig}.begin()));
 		return true;
 		%}
 };
 refine typeattr DOSStub += &let {
-	proc : bool = $context.flow.proc_sig(signature);
+	proc : bool = $context.flow.proc_dosstub(this);
 };
--- a/src/file_analysis/analyzers/pe-file.pac
+++ b/src/file_analysis/analyzers/pe-file.pac
@ -1,7 +1,8 @@
 type TheFile(fsize: uint64) = record {
 	dos_stub: DOSStub;
-} &byteorder=bigendian &length=fsize;
+	blah: bytestring &length=1316134912 &transient;
 } &transient &byteorder=littleendian;
 type DOSStub() = record {
 	signature                : bytestring &length=2;
@ -23,4 +24,4 @@ type DOSStub() = record {
 	OEMinfo                  : uint16;
 	Reserved2                : uint16[10];
 	AddressOfNewExeHeader    : uint32;
-} &byteorder=bigendian;
+} &byteorder=littleendian &length=64;