A bit of final script cleanup.
This commit is contained in:
parent
71230fec81
commit
e3d63bfee8
2 changed files with 37 additions and 14 deletions
|
@ -70,6 +70,25 @@ export {
|
||||||
[14] = "XBOX"
|
[14] = "XBOX"
|
||||||
} &default=function(i: count):string { return fmt("unknown-%d", i); };
|
} &default=function(i: count):string { return fmt("unknown-%d", i); };
|
||||||
|
|
||||||
|
const directories: table[count] of string = {
|
||||||
|
[0] = "Export Table",
|
||||||
|
[1] = "Import Table",
|
||||||
|
[2] = "Resource Table",
|
||||||
|
[3] = "Exception Table",
|
||||||
|
[4] = "Certificate Table",
|
||||||
|
[5] = "Base Relocation Table",
|
||||||
|
[6] = "Debug",
|
||||||
|
[7] = "Architecture",
|
||||||
|
[8] = "Global Ptr",
|
||||||
|
[9] = "TLS Table",
|
||||||
|
[10] = "Load Config Table",
|
||||||
|
[11] = "Bound Import",
|
||||||
|
[12] = "IAT",
|
||||||
|
[13] = "Delay Import Descriptor",
|
||||||
|
[14] = "CLR Runtime Header",
|
||||||
|
[15] = "Reserved"
|
||||||
|
} &default=function(i: count):string { return fmt("unknown-%d", i); };
|
||||||
|
|
||||||
const section_characteristics: table[count] of string = {
|
const section_characteristics: table[count] of string = {
|
||||||
[0x8] = "TYPE_NO_PAD",
|
[0x8] = "TYPE_NO_PAD",
|
||||||
[0x20] = "CNT_CODE",
|
[0x20] = "CNT_CODE",
|
||||||
|
|
|
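Review bot: The new `directories` table is exported but nothing else in this commit reads it; the optional-header handler in the other file still indexes `h$table_sizes` with literal 0, 1, 4 and 6 for the export, import, certificate and debug entries that this table names. If the table is meant to be the source of truth for those positions, consider deriving the `has_*_table` checks from it, or at least document the relationship on the declaration with `## Names of the PE data directory entries, indexed by their position (presumably the same index used for h$table_sizes).` so the two places do not drift independently. The enclosing `export {` block starts before this hunk.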
@ -77,10 +77,7 @@ event bro_init() &priority=5
|
||||||
hook set_file(f: fa_file) &priority=5
|
hook set_file(f: fa_file) &priority=5
|
||||||
{
|
{
|
||||||
if ( ! f?$pe )
|
if ( ! f?$pe )
|
||||||
{
|
|
||||||
local c: set[string] = set();
|
|
||||||
f$pe = [$ts=network_time(), $id=f$id];
|
f$pe = [$ts=network_time(), $id=f$id];
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
event pe_dos_header(f: fa_file, h: PE::DOSHeader) &priority=5
|
event pe_dos_header(f: fa_file, h: PE::DOSHeader) &priority=5
|
||||||
|
@ -91,12 +88,14 @@ event pe_dos_header(f: fa_file, h: PE::DOSHeader) &priority=5
|
||||||
event pe_file_header(f: fa_file, h: PE::FileHeader) &priority=5
|
event pe_file_header(f: fa_file, h: PE::FileHeader) &priority=5
|
||||||
{
|
{
|
||||||
hook set_file(f);
|
hook set_file(f);
|
||||||
f$pe$is_exe = h$optional_header_size > 0;
|
|
||||||
f$pe$compile_ts = h$ts;
|
|
||||||
f$pe$machine = machine_types[h$machine];
|
f$pe$machine = machine_types[h$machine];
|
||||||
|
f$pe$compile_ts = h$ts;
|
||||||
|
f$pe$is_exe = ( h$optional_header_size > 0 );
|
||||||
|
|
||||||
for ( c in h$characteristics )
|
for ( c in h$characteristics )
|
||||||
{
|
{
|
||||||
if ( c == 0x100 )
|
if ( file_characteristics[c] == "32BIT_MACHINE" )
|
||||||
f$pe$is_64bit = F;
|
f$pe$is_64bit = F;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -104,32 +103,37 @@ event pe_file_header(f: fa_file, h: PE::FileHeader) &priority=5
|
||||||
event pe_optional_header(f: fa_file, h: PE::OptionalHeader) &priority=5
|
event pe_optional_header(f: fa_file, h: PE::OptionalHeader) &priority=5
|
||||||
{
|
{
|
||||||
hook set_file(f);
|
hook set_file(f);
|
||||||
|
|
||||||
|
# Only EXEs have optional headers
|
||||||
if ( ! f$pe$is_exe )
|
if ( ! f$pe$is_exe )
|
||||||
return;
|
return;
|
||||||
|
|
||||||
f$pe$os = os_versions[h$os_version_major, h$os_version_minor];
|
f$pe$os = os_versions[h$os_version_major, h$os_version_minor];
|
||||||
f$pe$subsystem = windows_subsystems[h$subsystem];
|
f$pe$subsystem = windows_subsystems[h$subsystem];
|
||||||
|
|
||||||
for ( c in h$dll_characteristics )
|
for ( c in h$dll_characteristics )
|
||||||
{
|
{
|
||||||
if ( c == 0x40 )
|
if ( dll_characteristics[c] == "DYNAMIC_BASE" )
|
||||||
f$pe$uses_aslr = T;
|
f$pe$uses_aslr = T;
|
||||||
if ( c == 0x80 )
|
if ( dll_characteristics[c] == "FORCE_INTEGRITY" )
|
||||||
f$pe$uses_code_integrity = T;
|
f$pe$uses_code_integrity = T;
|
||||||
if ( c == 0x100 )
|
if ( dll_characteristics[c] == "NX_COMPAT" )
|
||||||
f$pe$uses_dep = T;
|
f$pe$uses_dep = T;
|
||||||
if ( c == 0x400 )
|
if ( dll_characteristics[c] == "NO_SEH" )
|
||||||
f$pe$uses_seh = F;
|
f$pe$uses_seh = F;
|
||||||
}
|
}
|
||||||
|
|
||||||
f$pe$has_export_table = (|h$table_sizes| > 0 && h$table_sizes[0] > 0);
|
f$pe$has_export_table = (|h$table_sizes| > 0 && h$table_sizes[0] > 0);
|
||||||
f$pe$has_import_table = (|h$table_sizes| > 1 && h$table_sizes[1] > 0);
|
f$pe$has_import_table = (|h$table_sizes| > 1 && h$table_sizes[1] > 0);
|
||||||
f$pe$has_cert_table = (|h$table_sizes| > 4 && h$table_sizes[4] > 0);
|
f$pe$has_cert_table = (|h$table_sizes| > 4 && h$table_sizes[4] > 0);
|
||||||
f$pe$has_debug_data = (|h$table_sizes| > 6 && h$table_sizes[6] > 0);
|
f$pe$has_debug_data = (|h$table_sizes| > 6 && h$table_sizes[6] > 0);
|
||||||
}
|
}
|
||||||
|
|
||||||
event pe_section_header(f: fa_file, h: PE::SectionHeader) &priority=5
|
event pe_section_header(f: fa_file, h: PE::SectionHeader) &priority=5
|
||||||
{
|
{
|
||||||
hook set_file(f);
|
hook set_file(f);
|
||||||
|
|
||||||
|
# Only EXEs have section headers
|
||||||
if ( ! f$pe$is_exe )
|
if ( ! f$pe$is_exe )
|
||||||
return;
|
return;
|
||||||
|
|
||||||
|
@ -140,7 +144,7 @@ event pe_section_header(f: fa_file, h: PE::SectionHeader) &priority=5
|
||||||
|
|
||||||
event file_state_remove(f: fa_file) &priority=-5
|
event file_state_remove(f: fa_file) &priority=-5
|
||||||
{
|
{
|
||||||
if ( f?$pe )
|
if ( f?$pe && f$pe?$machine )
|
||||||
Log::write(LOG, f$pe);
|
Log::write(LOG, f$pe);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
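Review bot: In `pe_file_header` the flag test was changed from a numeric compare to `file_characteristics[c] == "32BIT_MACHINE"`, and `pe_optional_header` does the same four times with `dll_characteristics[c]`; these lookups are only safe if both tables carry a `&default` like the tables visible in the other file, because indexing a Zeek table with a key that is absent and has no default is a runtime error, and `c` comes straight from the parsed file. If either table lacks a default (not visible here), guard the lookup, e.g. `if ( c in file_characteristics && file_characteristics[c] == "32BIT_MACHINE" )`. A string compare per flag is also slower than the numeric test it replaced and fails silently if a table entry is ever renamed, so comparing against a named constant for the bit would be more robust. The `file_state_remove` change to require `f$pe?$machine` deserves a one-line comment such as `# Only log files whose file header was parsed (pe_file_header fired); a bare DOS header yields no useful record.` so that dropping DOS-header-only files reads as intentional.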