Parse PE section headers.
This commit is contained in:
parent
8ffa81f390
commit
d98b5b88b5
3 changed files with 30 additions and 9 deletions
|
@ -39,11 +39,15 @@ hook set_file(f: fa_file) &priority=5
|
||||||
|
|
||||||
event pe_dos_header(f: fa_file, h: PE::DOSHeader) &priority=5
|
event pe_dos_header(f: fa_file, h: PE::DOSHeader) &priority=5
|
||||||
{
|
{
|
||||||
|
print "DOS header";
|
||||||
|
print h;
|
||||||
hook set_file(f);
|
hook set_file(f);
|
||||||
}
|
}
|
||||||
|
|
||||||
event pe_file_header(f: fa_file, h: PE::FileHeader) &priority=5
|
event pe_file_header(f: fa_file, h: PE::FileHeader) &priority=5
|
||||||
{
|
{
|
||||||
|
print "File header";
|
||||||
|
print h;
|
||||||
hook set_file(f);
|
hook set_file(f);
|
||||||
f$pe$compile_ts = h$ts;
|
f$pe$compile_ts = h$ts;
|
||||||
f$pe$machine = machine_types[h$machine];
|
f$pe$machine = machine_types[h$machine];
|
||||||
|
@ -53,6 +57,8 @@ event pe_file_header(f: fa_file, h: PE::FileHeader) &priority=5
|
||||||
|
|
||||||
event pe_optional_header(f: fa_file, h: PE::OptionalHeader) &priority=5
|
event pe_optional_header(f: fa_file, h: PE::OptionalHeader) &priority=5
|
||||||
{
|
{
|
||||||
|
print "Optional header";
|
||||||
|
print h;
|
||||||
hook set_file(f);
|
hook set_file(f);
|
||||||
f$pe$os = os_versions[h$os_version_major, h$os_version_minor];
|
f$pe$os = os_versions[h$os_version_major, h$os_version_minor];
|
||||||
f$pe$subsystem = windows_subsystems[h$subsystem];
|
f$pe$subsystem = windows_subsystems[h$subsystem];
|
||||||
|
@ -60,6 +66,8 @@ event pe_optional_header(f: fa_file, h: PE::OptionalHeader) &priority=5
|
||||||
|
|
||||||
event pe_section_header(f: fa_file, h: PE::SectionHeader) &priority=5
|
event pe_section_header(f: fa_file, h: PE::SectionHeader) &priority=5
|
||||||
{
|
{
|
||||||
|
print "Section header";
|
||||||
|
print h;
|
||||||
hook set_file(f);
|
hook set_file(f);
|
||||||
|
|
||||||
print h;
|
print h;
|
||||||
|
@ -78,9 +86,6 @@ event file_new(f: fa_file)
|
||||||
{
|
{
|
||||||
if ( f?$mime_type && f$mime_type == /application\/x-dosexec.*/ )
|
if ( f?$mime_type && f$mime_type == /application\/x-dosexec.*/ )
|
||||||
{
|
{
|
||||||
#print "found a windows executable";
|
|
||||||
Files::add_analyzer(f, Files::ANALYZER_PE);
|
Files::add_analyzer(f, Files::ANALYZER_PE);
|
||||||
#FileAnalysis::add_analyzer(f, [$tag=FileAnalysis::ANALYZER_EXTRACT,
|
|
||||||
# $extract_filename=fmt("exe-%d", ++blah_counter)]);
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
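Review bot: The `print "DOS header"; print h;` (and the File/Optional/Section header equivalents) added to every pe_* event handler write to stdout for each PE file the analyzer sees, and in pe_section_header the new `print h;` sits next to the pre-existing `print h;`, so each section header is now dumped twice. These look like debugging leftovers; either drop them before merging or make them opt-in, e.g. `const debug = F &redef;` at module scope and `if ( debug ) print h;` in the handlers. The assignments to `f$pe$compile_ts`, `f$pe$os` and `f$pe$subsystem` rely on `hook set_file(f)` having initialised `f$pe`, but the body of that hook starts outside the hunk, so that cannot be confirmed here.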
|
@ -9,6 +9,7 @@ refine flow File += {
|
||||||
|
|
||||||
function proc_the_file(): bool
|
function proc_the_file(): bool
|
||||||
%{
|
%{
|
||||||
|
printf("Processed\n");
|
||||||
return true;
|
return true;
|
||||||
%}
|
%}
|
||||||
|
|
||||||
|
@ -203,4 +204,5 @@ refine typeattr IMAGE_SECTION_HEADER += &let {
|
||||||
|
|
||||||
refine typeattr TheFile += &let {
|
refine typeattr TheFile += &let {
|
||||||
proc: bool = $context.flow.proc_the_file();
|
proc: bool = $context.flow.proc_the_file();
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
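Review bot: The `printf("Processed\n");` added to proc_the_file prints unconditionally from the binpac flow, i.e. to the Zeek process's stdout once per parsed PE file, which is noisy in production and not something a script can switch off. It should be removed, or at least compiled out of non-debug builds behind the usual debug macro. Since proc_the_file always returns true, the `proc` &let attribute on TheFile (context lines below) never rejects a file; if the intent is to validate what was parsed, that check is still missing.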
|
@ -3,7 +3,7 @@ type TheFile = record {
|
||||||
dos_header : DOS_Header;
|
dos_header : DOS_Header;
|
||||||
dos_code : DOS_Code(dos_code_len);
|
dos_code : DOS_Code(dos_code_len);
|
||||||
pe_header : IMAGE_NT_HEADERS;
|
pe_header : IMAGE_NT_HEADERS;
|
||||||
section_headers : IMAGE_SECTION_HEADER[] &length=pe_header.optional_header.size_of_headers;
|
section_headers : IMAGE_SECTIONS(pe_header.file_header.NumberOfSections);
|
||||||
#pad : bytestring &length=offsetof(pe_header.data_directories + pe_header.data_directories[1].virtual_address);
|
#pad : bytestring &length=offsetof(pe_header.data_directories + pe_header.data_directories[1].virtual_address);
|
||||||
#data_sections : DATA_SECTIONS[pe_header.file_header.NumberOfSections];
|
#data_sections : DATA_SECTIONS[pe_header.file_header.NumberOfSections];
|
||||||
#data_sections : DATA_SECTIONS[] &length=data_len;
|
#data_sections : DATA_SECTIONS[] &length=data_len;
|
||||||
|
@ -41,7 +41,7 @@ type DOS_Code(len: uint32) = record {
|
||||||
type IMAGE_NT_HEADERS = record {
|
type IMAGE_NT_HEADERS = record {
|
||||||
PESignature : uint32;
|
PESignature : uint32;
|
||||||
file_header : IMAGE_FILE_HEADER;
|
file_header : IMAGE_FILE_HEADER;
|
||||||
optional_header : IMAGE_OPTIONAL_HEADER(file_header.SizeOfOptionalHeader) &length=file_header.SizeOfOptionalHeader;
|
optional_header : IMAGE_OPTIONAL_HEADER(file_header.SizeOfOptionalHeader, file_header.NumberOfSections) &length=file_header.SizeOfOptionalHeader;
|
||||||
} &byteorder=littleendian &length=file_header.SizeOfOptionalHeader+offsetof(optional_header);
|
} &byteorder=littleendian &length=file_header.SizeOfOptionalHeader+offsetof(optional_header);
|
||||||
|
|
||||||
type IMAGE_FILE_HEADER = record {
|
type IMAGE_FILE_HEADER = record {
|
||||||
|
@ -54,7 +54,7 @@ type IMAGE_FILE_HEADER = record {
|
||||||
Characteristics : uint16;
|
Characteristics : uint16;
|
||||||
};
|
};
|
||||||
|
|
||||||
type IMAGE_OPTIONAL_HEADER(len: uint16) = record {
|
type IMAGE_OPTIONAL_HEADER(len: uint16, number_of_sections: uint16) = record {
|
||||||
magic : uint16;
|
magic : uint16;
|
||||||
major_linker_version : uint8;
|
major_linker_version : uint8;
|
||||||
minor_linker_version : uint8;
|
minor_linker_version : uint8;
|
||||||
|
@ -80,12 +80,13 @@ type IMAGE_OPTIONAL_HEADER(len: uint16) = record {
|
||||||
subsystem : uint16;
|
subsystem : uint16;
|
||||||
dll_characteristics : uint16;
|
dll_characteristics : uint16;
|
||||||
mem: case magic of {
|
mem: case magic of {
|
||||||
0x0b01 -> i32 : MEM_INFO32;
|
267 -> i32 : MEM_INFO32;
|
||||||
0x0b02 -> i64 : MEM_INFO64;
|
268 -> i64 : MEM_INFO64;
|
||||||
default -> InvalidPEFile : empty;
|
default -> InvalidPEFile : empty;
|
||||||
};
|
};
|
||||||
loader_flags : uint32;
|
loader_flags : uint32;
|
||||||
number_of_rva_and_sizes : uint32;
|
number_of_rva_and_sizes : uint32;
|
||||||
|
rvas : IMAGE_RVAS(number_of_rva_and_sizes);
|
||||||
} &byteorder=littleendian &length=len;
|
} &byteorder=littleendian &length=len;
|
||||||
|
|
||||||
type MEM_INFO32 = record {
|
type MEM_INFO32 = record {
|
||||||
|
@ -102,6 +103,10 @@ type MEM_INFO64 = record {
|
||||||
size_of_heap_commit : uint64;
|
size_of_heap_commit : uint64;
|
||||||
} &byteorder=littleendian &length=32;
|
} &byteorder=littleendian &length=32;
|
||||||
|
|
||||||
|
type IMAGE_SECTIONS(num: uint16) = record {
|
||||||
|
sections : IMAGE_SECTION_HEADER[num];
|
||||||
|
} &length=num*40;
|
||||||
|
|
||||||
type IMAGE_SECTION_HEADER = record {
|
type IMAGE_SECTION_HEADER = record {
|
||||||
name : bytestring &length=8;
|
name : bytestring &length=8;
|
||||||
virtual_size : uint32;
|
virtual_size : uint32;
|
||||||
|
@ -129,6 +134,15 @@ type IMAGE_IMPORT_DIRECTORY = record {
|
||||||
rva_import_addr_table : uint32;
|
rva_import_addr_table : uint32;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
type IMAGE_RVAS(num: uint32) = record {
|
||||||
|
rvas : IMAGE_RVA[num];
|
||||||
|
} &length=num*8;
|
||||||
|
|
||||||
|
type IMAGE_RVA = record {
|
||||||
|
virtual_address : uint32;
|
||||||
|
size : uint32;
|
||||||
|
} &length=8;
|
||||||
|
|
||||||
type DATA_SECTIONS = record {
|
type DATA_SECTIONS = record {
|
||||||
blah: uint8;
|
blah: uint8;
|
||||||
};
|
};
|