diff --git a/scripts/base/files/pe/consts.bro b/scripts/base/files/pe/consts.bro
index 4dc21ec179..22f246a3e9 100644
--- a/scripts/base/files/pe/consts.bro
+++ b/scripts/base/files/pe/consts.bro
@@ -70,6 +70,25 @@ export {
 [14] = "XBOX"
 } &default=function(i: count):string { return fmt("unknown-%d", i); };
+ const directories: table[count] of string = {
+ [0] = "Export Table",
+ [1] = "Import Table",
+ [2] = "Resource Table",
+ [3] = "Exception Table",
+ [4] = "Certificate Table",
+ [5] = "Base Relocation Table",
+ [6] = "Debug",
+ [7] = "Architecture",
+ [8] = "Global Ptr",
+ [9] = "TLS Table",
+ [10] = "Load Config Table",
+ [11] = "Bound Import",
+ [12] = "IAT",
+ [13] = "Delay Import Descriptor",
+ [14] = "CLR Runtime Header",
+ [15] = "Reserved"
+ } &default=function(i: count):string { return fmt("unknown-%d", i); };
+
 const section_characteristics: table[count] of string = {
 [0x8] = "TYPE_NO_PAD",
 [0x20] = "CNT_CODE",
diff --git a/scripts/base/files/pe/main.bro b/scripts/base/files/pe/main.bro
index 7ab8f64bec..eb2f5a7f67 100644
--- a/scripts/base/files/pe/main.bro
+++ b/scripts/base/files/pe/main.bro
@@ -77,10 +77,7 @@ event bro_init() &priority=5
 hook set_file(f: fa_file) &priority=5
 {
 if ( ! f?$pe )
- {
- local c: set[string] = set();
 f$pe = [$ts=network_time(), $id=f$id];
- }
 }
 event pe_dos_header(f: fa_file, h: PE::DOSHeader) &priority=5
@@ -91,12 +88,14 @@ event pe_dos_header(f: fa_file, h: PE::DOSHeader) &priority=5
 event pe_file_header(f: fa_file, h: PE::FileHeader) &priority=5
 {
 hook set_file(f);
- f$pe$is_exe = h$optional_header_size > 0;
- f$pe$compile_ts = h$ts;
+ f$pe$machine = machine_types[h$machine];
+ f$pe$compile_ts = h$ts;
+ f$pe$is_exe = ( h$optional_header_size > 0 );
+
 for ( c in h$characteristics )
 {
- if ( c == 0x100 )
+ if ( file_characteristics[c] == "32BIT_MACHINE" )
 f$pe$is_64bit = F;
 }
 }
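Review bot: The new `directories` table is exported without a `##` doc comment, so the meaning of its index (position in the optional header's data-directory array) is left to the reader to guess from the names; add above it `## Names of the optional header's data directory entries, indexed by their position in IMAGE_DATA_DIRECTORY (0 = Export Table ... 15 = Reserved).` Nothing in the main.bro hunks of this commit references the table — pe_optional_header still tests `h$table_sizes[0]`, `[1]`, `[4]` and `[6]` by bare index — so either wire the two together or state in the comment that the table is informational only. The `&default` covers images that declare fewer than 16 entries or an out-of-range index, which is worth a word in that comment as well.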
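Review bot: In pe_file_header, `f$pe$is_64bit` is only ever cleared when a characteristics flag maps to the string `"32BIT_MACHINE"`; nothing derives bitness affirmatively from `h$machine` (which this hunk now records as `f$pe$machine`) or from the optional header, so a binary whose characteristics omit or contradict the flag keeps whatever default is_64bit carries — an inconsistency a crafted file can produce at will. Comparing the looked-up name is also more fragile than the numeric test it replaces: if `file_characteristics` uses the same `&default` as the tables shown in consts.bro, an unknown bit yields an `unknown-…` string and the check silently passes instead of failing loudly. Consider keeping a numeric comparison against a named constant, e.g. `const FILE_32BIT_MACHINE = 0x100;` in consts.bro and `if ( c == FILE_32BIT_MACHINE )` here, and cross-checking the result against the machine type. The closing brace of pe_file_header is within the hunk, so the whole event body is visible.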
@@ -104,32 +103,37 @@ event pe_file_header(f: fa_file, h: PE::FileHeader) &priority=5
 event pe_optional_header(f: fa_file, h: PE::OptionalHeader) &priority=5
 {
 hook set_file(f);
+
+ # Only EXEs have optional headers
 if ( ! f$pe$is_exe )
 return;
- f$pe$os = os_versions[h$os_version_major, h$os_version_minor];
+ f$pe$os = os_versions[h$os_version_major, h$os_version_minor];
 f$pe$subsystem = windows_subsystems[h$subsystem];
+
 for ( c in h$dll_characteristics )
 {
- if ( c == 0x40 )
+ if ( dll_characteristics[c] == "DYNAMIC_BASE" )
 f$pe$uses_aslr = T;
- if ( c == 0x80 )
+ if ( dll_characteristics[c] == "FORCE_INTEGRITY" )
 f$pe$uses_code_integrity = T;
- if ( c == 0x100 )
+ if ( dll_characteristics[c] == "NX_COMPAT" )
 f$pe$uses_dep = T;
- if ( c == 0x400 )
+ if ( dll_characteristics[c] == "NO_SEH" )
 f$pe$uses_seh = F;
 }
 f$pe$has_export_table = (|h$table_sizes| > 0 && h$table_sizes[0] > 0);
 f$pe$has_import_table = (|h$table_sizes| > 1 && h$table_sizes[1] > 0);
- f$pe$has_cert_table = (|h$table_sizes| > 4 && h$table_sizes[4] > 0);
- f$pe$has_debug_data = (|h$table_sizes| > 6 && h$table_sizes[6] > 0);
+ f$pe$has_cert_table = (|h$table_sizes| > 4 && h$table_sizes[4] > 0);
+ f$pe$has_debug_data = (|h$table_sizes| > 6 && h$table_sizes[6] > 0);
 }
 event pe_section_header(f: fa_file, h: PE::SectionHeader) &priority=5
 {
 hook set_file(f);
+
+ # Only EXEs have section headers
 if ( ! f$pe$is_exe )
 return;
@@ -140,7 +144,7 @@ event pe_section_header(f: fa_file, h: PE::SectionHeader) &priority=5
 event file_state_remove(f: fa_file) &priority=-5
 {
- if ( f?$pe )
+ if ( f?$pe && f$pe?$machine )
 Log::write(LOG, f$pe);
 }
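Review bot: The added comment `# Only EXEs have optional headers` in pe_optional_header is inaccurate and will mislead: DLLs and drivers carry an optional header too, and what `is_exe` actually encodes (set in pe_file_header from `h$optional_header_size > 0`) is "PE image rather than object file". Suggest `# Only PE images (EXE/DLL/SYS), not object files, have an optional header; is_exe is derived from optional_header_size > 0` here, and the matching wording for the `# Only EXEs have section headers` comment in pe_section_header. The four `dll_characteristics[c] == "…"` comparisons share one fragility: a bit missing from the table comes back as the `&default` string and the corresponding uses_* flag is silently never set, so numeric constants or a `switch` on the looked-up name with an explicit `default` would fail more visibly. The bare indices 0/1/4/6 into `h$table_sizes` could also be tied to the `directories` table this commit adds in consts.bro, and `has_cert_table` deserves a note that a non-empty certificate directory says nothing about whether the signature verifies.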
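Review bot: Gating the log write in file_state_remove on `f$pe?$machine` means a file that yielded a DOS header but never a PE file header (truncated transfer, or an MZ stub that is not a PE) now produces no pe.log entry at all, whereas before it was logged with whatever was known; that is precisely the malformed-download case an analyst may want to see. If dropping those records is intended, say so: `# Only log once the file header was parsed (machine is set in pe_file_header); DOS-only or truncated files are dropped.` Otherwise consider logging unconditionally and letting the unset fields signal a partial parse. This assumes `machine_types` carries a `&default` like the tables in consts.bro, so that `f$pe$machine` is set for every parsed file header, unknown machine values included.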