Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-14 04:28:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Remove the .idata parsing, as it can be more complicated in some cases.

Browse source
This commit is contained in:
Vlad Grigorescu 2015-04-19 18:15:21 -04:00
parent 546cbf50c9
commit ea36686524
5 changed files with 16 additions and 206 deletions
Download patch file Download diff file Expand all files Collapse all files

15
scripts/base/files/pe/main.bro
View file

@ -29,10 +29,13 @@ export {
section_names: vector of string &log &optional;
};
global set_file: hook(f: fa_file);
}
redef record Info += {
confirmed: bool &default=F;
};
redef record fa_file += {
pe: Info &optional;
};
@ -75,6 +78,12 @@ event pe_file_header(f: fa_file, h: PE::FileHeader) &priority=5
event pe_optional_header(f: fa_file, h: PE::OptionalHeader) &priority=5
{
hook set_file(f);
if ( h$magic == 0x10b || h$magic == 0x20b )
f$pe$confirmed = T;
else
return;
f$pe$os = os_versions[h$os_version_major, h$os_version_minor];
f$pe$subsystem = windows_subsystems[h$subsystem];
for ( c in h$dll_characteristics )
@ -99,9 +108,9 @@ event pe_section_header(f: fa_file, h: PE::SectionHeader) &priority=5
f$pe$section_names[|f$pe$section_names|] = h$name;
}
event file_state_remove(f: fa_file)
event file_state_remove(f: fa_file) &priority=-5
{
if ( f?$pe )
if ( f?$pe && f$pe$confirmed )
Log::write(LOG, f$pe);
}