%extern{
#include "Event.h"
#include "file_analysis/File.h"
#include "file_analysis.bif.func_h"
%}
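refine flow File += {

	# Invoked once the whole PE file has been parsed (see the TheFile
	# &let hook below).  Tells the file analyzer that the file is complete
	# and closes both directions of the flow.
	function proc_the_file(): bool
		%{
		// The former debugging printf() was dropped: an analyzer that is fed
		// network-supplied data must not write to the process's stdout.
		connection()->bro_analyzer()->EndOfFile();
		connection()->FlowEOF(true);
		connection()->FlowEOF(false);
		return true;
		%}

	# Raises file_pe_dosstub with the size of the DOS stub, i.e. the bytes
	# between the end of the 64-byte DOS header and the NT headers located
	# by AddressOfNewExeHeader (e_lfanew).
	#
	# e_lfanew is taken verbatim from the file.  A malformed or crafted PE
	# may place it below 64 (inside the DOS header); without a guard the
	# subtraction wraps around and the event would report a huge stub size.
	# Such files are reported with a stub size of 0 instead.
	function proc_dos_header(h: DOS_Header): bool
		%{
		BifEvent::generate_file_pe_dosstub((Analyzer *) connection()->bro_analyzer(),
		                                   connection()->bro_analyzer()->GetFile()->GetVal()->Ref(),
		                                   (${h.AddressOfNewExeHeader} >= 64) ? (${h.AddressOfNewExeHeader} - 64) : 0);
		return true;
		%}

	# Raises file_pe_timestamp with TimeDateStamp from the COFF file header
	# (per the PE spec: seconds since the Unix epoch, as stored in the file;
	# no validation is applied here).
	function proc_pe_header(h: IMAGE_NT_HEADERS): bool
		%{
		BifEvent::generate_file_pe_timestamp((Analyzer *) connection()->bro_analyzer(),
		                                     connection()->bro_analyzer()->GetFile()->GetVal()->Ref(),
		                                     ${h.file_header.TimeDateStamp});
		return true;
		%}

	# Builds a PESectionHeader record from one parsed section header and
	# raises file_pe_section_header with it.
	#
	# The Assign() indices must match the field order of the
	# PESectionHeader record type declared in the .bif; keep both in sync.
	# The record and the Ref()'d file value are not Unref'd here, so
	# ownership is presumably handed to the event engine -- confirm against
	# BifEvent::generate_file_pe_section_header if this is ever changed.
	function proc_section_header(h: IMAGE_SECTION_HEADER): bool
		%{
		RecordVal* section_header = new RecordVal(BifType::Record::PESectionHeader);

		// The section name is copied with an explicit length: the on-disk
		// name field is not guaranteed to be NUL-terminated.
		section_header->Assign(0, new StringVal(${h.name}.length(), (const char*) ${h.name}.data()));
		section_header->Assign(1, new Val(${h.virtual_size}, TYPE_COUNT));
		section_header->Assign(2, new Val(${h.virtual_addr}, TYPE_COUNT));
		section_header->Assign(3, new Val(${h.size_of_raw_data}, TYPE_COUNT));
		section_header->Assign(4, new Val(${h.ptr_to_raw_data}, TYPE_COUNT));
		section_header->Assign(5, new Val(${h.non_used_ptr_to_relocs}, TYPE_COUNT));
		section_header->Assign(6, new Val(${h.non_used_ptr_to_line_nums}, TYPE_COUNT));
		section_header->Assign(7, new Val(${h.non_used_num_of_relocs}, TYPE_COUNT));
		section_header->Assign(8, new Val(${h.non_used_num_of_line_nums}, TYPE_COUNT));
		section_header->Assign(9, new Val(${h.characteristics}, TYPE_COUNT));

		BifEvent::generate_file_pe_section_header((Analyzer *) connection()->bro_analyzer(),
		                                          connection()->bro_analyzer()->GetFile()->GetVal()->Ref(),
		                                          section_header);
		return true;
		%}
};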
# Hook each parsed record into the flow-level handlers defined in the
# `refine flow File` block.  BinPAC evaluates a &let field once the
# record has been parsed, so each `proc` field exists for the side effect
# of its call (raising the corresponding event); nothing in this file
# reads the resulting bool.

refine typeattr DOS_Header += &let {
	proc : bool = $context.flow.proc_dos_header(this);
};

refine typeattr IMAGE_NT_HEADERS += &let {
	proc : bool = $context.flow.proc_pe_header(this);
};

refine typeattr IMAGE_SECTION_HEADER += &let {
	proc: bool = $context.flow.proc_section_header(this);
};

# TheFile is the top-level record: its &let fires after the entire file
# has been consumed, which is what ends the flow.
refine typeattr TheFile += &let {
	proc: bool = $context.flow.proc_the_file();
};