PE analyzer checkpoint

scripts/base/init-bare.bro

@@ -2489,43 +2489,67 @@ type irc_join_info: record {
 ## .. bro:see:: irc_join_message
 type irc_join_list: set[irc_join_info];
 
-type PEHeader: record {
-#	Machine               : count;
-#	TimeDateStamp         : time;
-#	magic                   : uint16;
-#	major_linker_version    : uint8;
-#	minor_linker_version    : uint8;
-#	size_of_code            : uint32;
-#	size_of_init_data       : uint32;
-#	size_of_uninit_data     : uint32;
-#	addr_of_entry_point     : uint32;
-#	base_of_code            : uint32;
-#	base_of_data            : uint32;
-#	image_base              : uint32;
-#	section_alignment       : uint32;
-#	file_alignment          : uint32;
-#	os_version_major        : uint16;
-#	os_version_minor        : uint16;
-#	major_image_version     : uint16;
-#	minor_image_version     : uint16;
-#	major_subsys_version    : uint16;
-#	minor_subsys_version    : uint16;
-#	win32_version           : uint32;
-#	size_of_image           : uint32;
-#	checksum                : uint32;
-#	subsystem               : uint16;
-#	mem: case magic of {
-#		0x0b01  -> i32           : MEM_INFO32;
-#		0x0b02  -> i64           : MEM_INFO64;
-#		default -> InvalidPEFile : empty;
-#	};
-#	loader_flags            : uint32;
-#	number_of_rva_and_sizes : uint32;
-#
+module PE;
+export {
+type PE::DOSHeader: record {
+	signature                : string;
+	used_bytes_in_last_page  : count;
+	file_in_pages            : count;
+	num_reloc_items          : count;
+	header_in_paragraphs     : count;
+	min_extra_paragraphs     : count;
+	max_extra_paragraphs     : count;
+	init_relative_ss         : count;
+	init_sp                  : count;
+	checksum                 : count;
+	init_ip                  : count;
+	init_relative_cs         : count;
+	addr_of_reloc_table      : count;
+	overlay_num              : count;
+	oem_id                   : count;
+	oem_info                 : count;
+	addr_of_new_exe_header   : count;
+};
+
+type PE::FileHeader: record {
+	machine         : count;
+	ts              : time;
+	sym_table_ptr   : count;
+	num_syms        : count;
+	characteristics : set[count];
+};
+
+type PE::OptionalHeader: record {
+	magic                   : count;
+	major_linker_version    : count;
+	minor_linker_version    : count;
+	size_of_code            : count;
+	size_of_init_data       : count;
+	size_of_uninit_data     : count;
+	addr_of_entry_point     : count;
+	base_of_code            : count;
+	base_of_data            : count;
+	image_base              : count;
+	section_alignment       : count;
+	file_alignment          : count;
+	os_version_major        : count;
+	os_version_minor        : count;
+	major_image_version     : count;
+	minor_image_version     : count;
+	major_subsys_version    : count;
+	minor_subsys_version    : count;
+	win32_version           : count;
+	size_of_image           : count;
+	size_of_headers         : count;
+	checksum                : count;
+	subsystem               : count;
+	dll_characteristics     : set[count];
+	loader_flags            : count;
+	number_of_rva_and_sizes : count;
 };
 
 ## Record for Portable Executable (PE) section headers.
-type PESectionHeader: record {
+type PE::SectionHeader: record {
 	name                      : string;
 	virtual_size              : count;
 	virtual_addr              : count;
@@ -2535,8 +2559,10 @@ type PESectionHeader: record {
 	non_used_ptr_to_line_nums : count;
 	non_used_num_of_relocs    : count;
 	non_used_num_of_line_nums : count;
-	characteristics           : count;
+	characteristics           : set[count];
 };
+}
+module GLOBAL;
 
 ## Deprecated.
 ##

scripts/base/init-default.bro

@@ -44,4 +44,6 @@
 @load base/protocols/ssl
 @load base/protocols/syslog
 
+@load base/files/pe
+
 @load base/misc/find-checksum-offloading