Initial groundwork for analyzer actions in file analysis framework.

2025-10-06 16:48:19 +00:00 · 2013-02-22 02:36:41 -05:00 · 2013-02-22 02:36:41 -05:00 · efc76fd052
commit efc76fd052
parent f8af42cf9a
9 changed files with 137 additions and 0 deletions
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@ -176,6 +176,7 @@ macro(BINPAC_TARGET pacFile)
                       COMMAND ${BinPAC_EXE}
                       ARGS -q -d ${CMAKE_CURRENT_BINARY_DIR}
                            -I ${CMAKE_CURRENT_SOURCE_DIR}
+                            -I ${CMAKE_CURRENT_SOURCE_DIR}/file_analysis/analyzers
                            ${CMAKE_CURRENT_SOURCE_DIR}/${pacFile}
                       DEPENDS ${BinPAC_EXE} ${pacFile}
                               ${BINPAC_AUXSRC} ${ARGN}
@ -222,6 +223,9 @@ binpac_target(syslog.pac
 binpac_target(modbus.pac
    modbus-protocol.pac modbus-analyzer.pac)

+binpac_target(file_analysis/analyzers/pe.pac
+    file_analysis/analyzers/pe-file.pac file_analysis/analyzers/pe-analyzer.pac)
+
 ########################################################################
 ## bro target

@ -453,6 +457,7 @@ set(bro_SRCS
    file_analysis/InfoTimer.cc
    file_analysis/Action.h
    file_analysis/Extract.cc
+    file_analysis/analyzers/PE.cc

    nb_dns.c
    digest.h
--- a/src/binpac_bro.h
+++ b/src/binpac_bro.h
@ -7,6 +7,7 @@ class PortVal;

 #include "util.h"
 #include "Analyzer.h"
+#include "file_analysis/Action.h"
 #include "Val.h"
 #include "event.bif.func_h"

@ -15,6 +16,7 @@ class PortVal;
 namespace binpac {

 typedef Analyzer* BroAnalyzer;
+typedef file_analysis::Action BroFileAnalyzer;
 typedef Val* BroVal;
 typedef PortVal* BroPortVal;
 typedef StringVal* BroStringVal;
--- a/src/file_analysis.bif
+++ b/src/file_analysis.bif
@ -57,6 +57,7 @@ enum Trigger %{

 enum Action %{
 	ACTION_EXTRACT,
+	ACTION_PE_ANALYZER,
 %}

 function FileAnalysis::postpone_timeout%(file_id: string%): bool
--- a/src/file_analysis/Info.cc
+++ b/src/file_analysis/Info.cc
@ -7,12 +7,14 @@

 #include "Action.h"
 #include "Extract.h"
+#include "analyzers/PE.h"

 using namespace file_analysis;

 // keep in order w/ declared enum values in file_analysis.bif
 static ActionInstantiator action_factory[] = {
    Extract::Instantiate,
+    PE_Analyzer::Instantiate,
 };

 static TableVal* empty_conn_id_set()
--- a/src/file_analysis/analyzers/PE.cc
+++ b/src/file_analysis/analyzers/PE.cc
@ -0,0 +1,34 @@
+#include <string>
+
+#include "PE.h"
+#include "pe_pac.h"
+#include "util.h"
+
+using namespace file_analysis;
+
+PE_Analyzer::PE_Analyzer(Info* arg_info)
+    : Action(arg_info)
+	{
+	interp = new binpac::PE::File(this);
+
+	// Close the reverse flow.
+	interp->FlowEOF(false);
+	}
+
+PE_Analyzer::~PE_Analyzer()
+	{
+	delete interp;
+	}
+
+Action* PE_Analyzer::Instantiate(const RecordVal* args, Info* info)
+	{
+	return new PE_Analyzer(info);
+	}
+
+void PE_Analyzer::DeliverStream(const u_char* data, uint64 len)
+	{
+	Action::DeliverStream(data, len);
+
+	// Data is exclusively sent into the "up" flow.
+	interp->NewData(true, data, data + len);
+	}
--- a/src/file_analysis/analyzers/PE.h
+++ b/src/file_analysis/analyzers/PE.h
@ -0,0 +1,31 @@
+#ifndef FILE_ANALYSIS_PE_H
+#define FILE_ANALYSIS_PE_H
+
+#include <string>
+
+#include "Val.h"
+#include "../Info.h"
+#include "pe_pac.h"
+
+namespace file_analysis {
+
+/**
+ * An action to simply extract files to disk.
+ */
+class PE_Analyzer : Action {
+public:
+	static Action* Instantiate(const RecordVal* args, Info* info);
+
+	~PE_Analyzer();
+
+	virtual void DeliverStream(const u_char* data, uint64 len);
+
+protected:
+
+	PE_Analyzer(Info* arg_info);
+	binpac::PE::File* interp;
+};
+
+} // namespace file_analysis
+
+#endif
--- a/src/file_analysis/analyzers/pe-analyzer.pac
+++ b/src/file_analysis/analyzers/pe-analyzer.pac
@ -0,0 +1,16 @@
+
+
+refine connection File += {
+
+	function proc_sig(sig: bytestring) : bool
+		%{
+		if ( strcmp("MZ", (const char *) ${sig}.data()) == 0 )
+			printf("yep: %s\n", ${sig}.data());
+		return true;
+		%}
+
+};
+
+refine typeattr DOSStub += &let {
+	proc : bool = $context.connection.proc_sig(signature);
+};
--- a/src/file_analysis/analyzers/pe-file.pac
+++ b/src/file_analysis/analyzers/pe-file.pac
@ -0,0 +1,26 @@
+
+type TheFile() = record {
+	barf: DOSStub;
+} &byteorder=bigendian &length=-1;
+
+type DOSStub() = record {
+	signature                : bytestring &length=2;
+	UsedBytesInTheLastPage   : uint16;
+	FileSizeInPages          : uint16;
+	NumberOfRelocationItems  : uint16;
+	HeaderSizeInParagraphs   : uint16;
+	MinimumExtraParagraphs   : uint16;
+	MaximumExtraParagraphs   : uint16;
+	InitialRelativeSS        : uint16;
+	InitialSP                : uint16;
+	Checksum                 : uint16;
+	InitialIP                : uint16;
+	InitialRelativeCS        : uint16;
+	AddressOfRelocationTable : uint16;
+	OverlayNumber            : uint16;
+	Reserved                 : uint16[4];
+	OEMid                    : uint16;
+	OEMinfo                  : uint16;
+	Reserved2                : uint16[10];
+	AddressOfNewExeHeader    : uint32;
+} &byteorder=bigendian;
--- a/src/file_analysis/analyzers/pe.pac
+++ b/src/file_analysis/analyzers/pe.pac
@ -0,0 +1,20 @@
+%include binpac.pac
+%include bro.pac
+
+analyzer PE withcontext {
+	connection: File;
+	flow:       Bytes;
+};
+
+connection File(bro_analyzer: BroFileAnalyzer) {
+	upflow = Bytes(true);
+	downflow = Bytes(false);
+};
+
+%include pe-file.pac
+
+flow Bytes(is_orig: bool) {
+	flowunit = TheFile() withcontext(connection, this);
+}
+ 
+%include pe-analyzer.pac