- Timestamp:
- 03/20/07 22:41:23 (1 year ago)
- Files:
-
- pehunter/README (modified) (1 diff)
- pehunter/pehunter.c (modified) (2 diffs)
- pehunter/pehunter.h (modified) (1 diff)
pehunter/README
r1134 r1148 1 PE Hunter is a plugin for snort (aka dynamic preprocessor) which extracts 2 Windows executables (files in PE format) from the network stream and dumps them 3 to disk. 1 PE Hunter is a plugin for snort (aka dynamic preprocessor) for extracting 2 Windows executables (files in PE format) from the network stream. 4 3 5 4 It first spots a PE header and then uses a simple heuristik to calculate the 6 file length. Starting at the position of the header, the resulting number of5 file length. Starting at the header offset in a stream, the resulting number of 7 6 bytes is then dumped to a file. 8 7 pehunter/pehunter.c
r1134 r1148 196 196 197 197 /* Spot DOS header */ 198 if ( (session_data->len - parsedBytes) < sizeof(IMAGE_DOS_HEADER)) return(0);198 if (session_data->len < (sizeof(IMAGE_DOS_HEADER) + parsedBytes)) return(0); 199 199 dosHeader = (IMAGE_DOS_HEADER *)(session_data->data + parsedBytes); 200 200 if (dosHeader->e_magic != IMAGE_DOS_SIGNATURE) return(0); … … 202 202 if (_pehunterConfig.debug) _dpd.logMsg("DOS header found at offset %lu.\n", pos); 203 203 204 if ( (session_data->len - parsedBytes - dosHeader->e_lfanew) < sizeof(IMAGE_NT_HEADERS32)) return(0);204 if (session_data->len < (sizeof(IMAGE_NT_HEADERS32) + parsedBytes + dosHeader->e_lfanew)) return(0); 205 205 parsedBytes += dosHeader->e_lfanew; 206 if (_pehunterConfig.debug) _dpd.logMsg("DOS header e_lfanew is %lu, parsedBytes is %lu.\n", dosHeader->e_lfanew, parsedBytes); 206 207 207 208 /* image file header */ 209 if ((session_data->len) < (sizeof(IMAGE_NT_HEADERS32) + parsedBytes)) return(0); 208 210 peHeader = (IMAGE_NT_HEADERS32*)(session_data->data + parsedBytes); 209 211 if (peHeader->Signature == IMAGE_NT_SIGNATURE) 210 212 { 211 213 if (_pehunterConfig.debug) _dpd.logMsg("NT header found at offset %lu.\n", parsedBytes); 212 if ((session_data->len - parsedBytes) < sizeof(IMAGE_NT_HEADERS32)) return(0);213 214 parsedBytes += sizeof(IMAGE_NT_HEADERS32); 214 215 215 216 216 /* loop through section table */ 217 217 for (i=0; i<peHeader->FileHeader.NumberOfSections; i++) { 218 if ( (session_data->len - parsedBytes) < sizeof(IMAGE_SECTION_HEADER)) return(0);218 if (session_data->len < (sizeof(IMAGE_SECTION_HEADER) + parsedBytes)) return(0); 219 219 sectHeader = (IMAGE_SECTION_HEADER *)(session_data->data + parsedBytes); 220 if (_pehunterConfig.debug) _dpd.logMsg("Section header found at offset %lu.\n", parsedBytes); 220 221 parsedBytes += sizeof(IMAGE_SECTION_HEADER); 221 if (_pehunterConfig.debug) _dpd.logMsg("Section % u: starts at offset %u (%u bytes)\n",222 i, sectHeader-> PointerToRawData, 
sectHeader->SizeOfRawData);222 if (_pehunterConfig.debug) _dpd.logMsg("Section %lu (%s): starts at offset %lu (%u bytes)\n", 223 i, sectHeader->Name, sectHeader->PointerToRawData, sectHeader->SizeOfRawData); 223 224 if (maxOffset < sectHeader->PointerToRawData) { 224 225 maxOffset = sectHeader->PointerToRawData; pehunter/pehunter.h
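Review bot: The new debug message at 222–223 hands `sectHeader->Name` to a `%s` conversion, but a PE section name is a fixed 8-byte field that carries no terminator when all eight bytes are used (the struct in pehunter.h declares it as a plain `char` array, not a string), so the log call reads past the field into the rest of the header and on through the stream buffer until it happens to meet a zero byte. Bound the read with a precision instead: `_dpd.logMsg("Section %lu (%.*s): starts at offset %lu (%u bytes)\n", i, (int)IMAGE_SIZEOF_SHORT_NAME, sectHeader->Name, sectHeader->PointerToRawData, sectHeader->SizeOfRawData);` — or, if `_dpd.logMsg` does not honour printf precision, copy the name into a local `char name[IMAGE_SIZEOF_SHORT_NAME + 1]` and terminate it explicitly before logging. Separately, the rewritten bound at 204 folds the stream-supplied `e_lfanew` into a `size_t` sum; its declaration is in pehunter.h outside this hunk, and if it is signed (as the Windows `LONG` is) or the arithmetic is 32-bit, a negative or very large value wraps the sum below `len`, the check passes, and `parsedBytes += dosHeader->e_lfanew` at 205 then points outside the buffer. Validate the offset on its own before using it, `if ((size_t)dosHeader->e_lfanew > session_data->len - parsedBytes) return(0);` — the subtraction is safe because 198 already established `len >= sizeof(IMAGE_DOS_HEADER) + parsedBytes`, and the cast rejects a negative value as well. The enclosing function begins before this hunk and the section loop continues past it.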
r1134 r1148 37 37 38 38 typedef struct _IMAGE_SECTION_HEADER { 39 u_int8_tName[IMAGE_SIZEOF_SHORT_NAME];39 char Name[IMAGE_SIZEOF_SHORT_NAME]; 40 40 union { 41 41 u_int32_t PhysicalAddress;
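Review bot: Changing `Name` from `u_int8_t` to `char` does not give the field a terminator: in the PE format a section name fills the whole `IMAGE_SIZEOF_SHORT_NAME` field (8 bytes in the Windows headers; the macro's definition here is outside the hunk) when the name is that long, so the array must never be passed to `%s`, `strlen` or `strcmp` as if it were a C string. Record that on the field so a caller does not infer otherwise from the new type, e.g. `char Name[IMAGE_SIZEOF_SHORT_NAME]; /* raw bytes from the stream, NOT NUL-terminated when all are used */`. The struct definition continues past this hunk.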
