Initial groundwork for analyzer actions in file analysis framework.

src/file_analysis/Info.cc

@@ -7,12 +7,14 @@
 
 #include "Action.h"
 #include "Extract.h"
+#include "analyzers/PE.h"
 
 using namespace file_analysis;
 
 // keep in order w/ declared enum values in file_analysis.bif
 static ActionInstantiator action_factory[] = {
     Extract::Instantiate,
+    PE_Analyzer::Instantiate,
 };
 
 static TableVal* empty_conn_id_set()

src/file_analysis/analyzers/PE.cc

@@ -0,0 +1,34 @@
+#include <string>
+
+#include "PE.h"
+#include "pe_pac.h"
+#include "util.h"
+
+using namespace file_analysis;
+
+PE_Analyzer::PE_Analyzer(Info* arg_info)
+    : Action(arg_info)
+	{
+	interp = new binpac::PE::File(this);
+
+	// Close the reverse flow.
+	interp->FlowEOF(false);
+	}
+
+PE_Analyzer::~PE_Analyzer()
+	{
+	delete interp;
+	}
+
+Action* PE_Analyzer::Instantiate(const RecordVal* args, Info* info)
+	{
+	return new PE_Analyzer(info);
+	}
+
+void PE_Analyzer::DeliverStream(const u_char* data, uint64 len)
+	{
+	Action::DeliverStream(data, len);
+
+	// Data is exclusively sent into the "up" flow.
+	interp->NewData(true, data, data + len);
+	}

src/file_analysis/analyzers/PE.h

@@ -0,0 +1,31 @@
+#ifndef FILE_ANALYSIS_PE_H
+#define FILE_ANALYSIS_PE_H
+
+#include <string>
+
+#include "Val.h"
+#include "../Info.h"
+#include "pe_pac.h"
+
+namespace file_analysis {
+
+/**
+ * An action to simply extract files to disk.
+ */
+class PE_Analyzer : Action {
+public:
+	static Action* Instantiate(const RecordVal* args, Info* info);
+
+	~PE_Analyzer();
+
+	virtual void DeliverStream(const u_char* data, uint64 len);
+
+protected:
+
+	PE_Analyzer(Info* arg_info);
+	binpac::PE::File* interp;
+};
+
+} // namespace file_analysis
+
+#endif

src/file_analysis/analyzers/pe-analyzer.pac

@@ -0,0 +1,16 @@
+
+
+refine connection File += {
+
+	function proc_sig(sig: bytestring) : bool
+		%{
+		if ( strcmp("MZ", (const char *) ${sig}.data()) == 0 )
+			printf("yep: %s\n", ${sig}.data());
+		return true;
+		%}
+
+};
+
+refine typeattr DOSStub += &let {
+	proc : bool = $context.connection.proc_sig(signature);
+};

src/file_analysis/analyzers/pe-file.pac

@@ -0,0 +1,26 @@
+
+type TheFile() = record {
+	barf: DOSStub;
+} &byteorder=bigendian &length=-1;
+
+type DOSStub() = record {
+	signature                : bytestring &length=2;
+	UsedBytesInTheLastPage   : uint16;
+	FileSizeInPages          : uint16;
+	NumberOfRelocationItems  : uint16;
+	HeaderSizeInParagraphs   : uint16;
+	MinimumExtraParagraphs   : uint16;
+	MaximumExtraParagraphs   : uint16;
+	InitialRelativeSS        : uint16;
+	InitialSP                : uint16;
+	Checksum                 : uint16;
+	InitialIP                : uint16;
+	InitialRelativeCS        : uint16;
+	AddressOfRelocationTable : uint16;
+	OverlayNumber            : uint16;
+	Reserved                 : uint16[4];
+	OEMid                    : uint16;
+	OEMinfo                  : uint16;
+	Reserved2                : uint16[10];
+	AddressOfNewExeHeader    : uint32;
+} &byteorder=bigendian;

src/file_analysis/analyzers/pe.pac

@@ -0,0 +1,20 @@
+%include binpac.pac
+%include bro.pac
+
+analyzer PE withcontext {
+	connection: File;
+	flow:       Bytes;
+};
+
+connection File(bro_analyzer: BroFileAnalyzer) {
+	upflow = Bytes(true);
+	downflow = Bytes(false);
+};
+
+%include pe-file.pac
+
+flow Bytes(is_orig: bool) {
+	flowunit = TheFile() withcontext(connection, this);
+}
+ 
+%include pe-analyzer.pac