root/pehunter/pehunter.h

/*
 * pehunter.h
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 *
 * Copyright (C) 2007 Tillmann Werner <tillmann.werner@gmx.de>
 */

#ifndef __PEHUNTER_H__
#define __PEHUNTER_H__

#include "sf_snort_packet.h"
#include "sf_dynamic_preprocessor.h"

#include "spp_pehunter.h"


/* PE file format stuff below taken from winnt.h */

#define IMAGE_DOS_SIGNATURE                     0x5A4D          // MZ
#define IMAGE_NT_SIGNATURE                      0x00004550      // PE00
#define IMAGE_NUMBEROF_DIRECTORY_ENTRIES        16
#define IMAGE_SIZEOF_SHORT_NAME                 8
#define IMAGE_SIZEOF_SECTION_HEADER             40

typedef struct _IMAGE_SECTION_HEADER {
        char    Name[IMAGE_SIZEOF_SHORT_NAME];
        union {
                u_int32_t       PhysicalAddress;
                u_int32_t       VirtualSize;
        } Misc;
        u_int32_t       VirtualAddress;
        u_int32_t       SizeOfRawData;
        u_int32_t       PointerToRawData;
        u_int32_t       PointerToRelocations;
        u_int32_t       PointerToLinenumbers;
        u_int16_t       NumberOfRelocations;
        u_int16_t       NumberOfLinenumbers;
        u_int32_t       Characteristics;
} IMAGE_SECTION_HEADER;

typedef struct _IMAGE_DATA_DIRECTORY {
  u_int32_t     VirtualAddress;
  u_int32_t     Size;
} IMAGE_DATA_DIRECTORY;

typedef struct _IMAGE_FILE_HEADER {
        u_int16_t       Machine;
        u_int16_t       NumberOfSections;
        u_int32_t       TimeDateStamp;
        u_int32_t       PointerToSymbolTable;
        u_int32_t       NumberOfSymbols;
        u_int16_t       SizeOfOptionalHeader;
        u_int16_t       Characteristics;
} IMAGE_FILE_HEADER;

typedef struct _IMAGE_OPTIONAL_HEADER {

  /* Standard fields */
  u_int16_t     Magic;
  u_int8_t      MajorLinkerVersion;
  u_int8_t      MinorLinkerVersion;
  u_int32_t     SizeOfCode;
  u_int32_t     SizeOfInitializedData;
  u_int32_t     SizeOfUninitializedData;
  u_int32_t     AddressOfEntryPoint;
  u_int32_t     BaseOfCode;
  u_int32_t     BaseOfData;

  /* NT additional fields */
  u_int32_t     ImageBase;
  u_int32_t     SectionAlignment;
  u_int32_t     FileAlignment;
  u_int16_t     MajorOperatingSystemVersion;
  u_int16_t     MinorOperatingSystemVersion;
  u_int16_t     MajorImageVersion;
  u_int16_t     MinorImageVersion;
  u_int16_t     MajorSubsystemVersion;
  u_int16_t     MinorSubsystemVersion;
  u_int32_t     Win32VersionValue;
  u_int32_t     SizeOfImage;
  u_int32_t     SizeOfHeaders;
  u_int32_t     CheckSum;
  u_int16_t     Subsystem;
  u_int16_t     DllCharacteristics;
  u_int32_t     SizeOfStackReserve;
  u_int32_t     SizeOfStackCommit;
  u_int32_t     SizeOfHeapReserve;
  u_int32_t     SizeOfHeapCommit;
  u_int32_t     LoaderFlags;
  u_int32_t     NumberOfRvaAndSizes;
  IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES]; // 0x60
} IMAGE_OPTIONAL_HEADER32;

typedef struct _IMAGE_DOS_HEADER {
        u_int16_t e_magic;                      // 00: MZ Header signature
        u_int16_t e_cblp;                       // 02: Bytes on last page of file
        u_int16_t e_cp;                         // 04: Pages in file
        u_int16_t e_crlc;                       // 06: Relocations
        u_int16_t e_cparhdr;                    // 08: Size of header in paragraphs
        u_int16_t e_minalloc;                   // 0a: Minimum extra paragraphs needed
        u_int16_t e_maxalloc;                   // 0c: Maximum extra paragraphs needed
        u_int16_t e_ss;                         // 0e: Initial (relative) SS value
        u_int16_t e_sp;                         // 10: Initial SP value
        u_int16_t e_csum;                       // 12: Checksum
        u_int16_t e_ip;                         // 14: Initial IP value
        u_int16_t e_cs;                         // 16: Initial (relative) CS value
        u_int16_t e_lfarlc;                     // 18: File address of relocation table
        u_int16_t e_ovno;                       // 1a: Overlay number
        u_int16_t e_res[4];                     // 1c: Reserved words
        u_int16_t e_oemid;                      // OEM identifier (for e_oeminfo)
        u_int16_t e_oeminfo;                    // 26: OEM information; e_oemid specific
        u_int16_t e_res2[10];                   // 28: Reserved words
        u_int32_t e_lfanew;                     // 3c: Offset to extended header
} IMAGE_DOS_HEADER;

typedef struct _IMAGE_NT_HEADERS {
        u_int32_t       Signature;              // "PE00"
        IMAGE_FILE_HEADER FileHeader;           // 0x04
        IMAGE_OPTIONAL_HEADER32 OptionalHeader; // 0x18
} IMAGE_NT_HEADERS32;

/* end of PE file format stuff */


typedef struct _SessionData {
        u_int8_t                match;
        u_int8_t                dumped;
        u_int32_t               len;
        u_int32_t               matchpos;
        u_int32_t               filelen;
        u_char                  *data;
        IMAGE_DOS_HEADER        *dosHeader;
        IMAGE_NT_HEADERS32      *peHeader;
        IMAGE_SECTION_HEADER    *sectHeader;
} SessionData;

int Hunt(SFSnortPacket *p);

#endif  /* __PEHUNTER_H__ */