diff options
| author | Toni Uhlig <matzeton@googlemail.com> | 2024-02-09 07:47:22 +0100 |
|---|---|---|
| committer | Toni Uhlig <matzeton@googlemail.com> | 2024-04-05 00:00:14 +0200 |
| commit | f1d23e359d9a2ec2b806e38fa809e4e554d2a5fb (patch) | |
| tree | d9d72907d8995cfdf6e033c09109bb5170a73af5 /src/lib/ndpi_main.c | |
| parent | 09bb383437c11ef55e926ed15cdf986c0d426827 (diff) | |
Add PE32/PE32+ risk detection (detect transmitted windows executables).add/pe-dissector
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
Diffstat (limited to 'src/lib/ndpi_main.c')
| -rw-r--r-- | src/lib/ndpi_main.c | 41 |
1 files changed, 41 insertions, 0 deletions
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index 7e277d121..84e0def13 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -8160,6 +8160,43 @@ static int ndpi_is_ntop_protocol(ndpi_protocol *ret) { /* ********************************************************************************* */ +static void ndpi_search_portable_executable(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow) +{ + struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; + static const uint16_t dos_signature = 0x4d5a; /* MZ */ + static const uint32_t pe_signature = 0x50450000; /* PE */ + + NDPI_LOG_DBG(ndpi_struct, "search Portable Executable (PE) file\n"); + + if (flow->packet_counter > 5) + { + return; + } + + if (packet->payload_packet_len < 0x3C /* offset to PE header */ + 4) + { + return; + } + + if (ntohs(get_u_int16_t(packet->payload, 0)) != dos_signature) + { + return; + } + + uint32_t const pe_offset = le32toh(get_u_int32_t(packet->payload, 0x3C)); + if (packet->payload_packet_len <= pe_offset + 4 || + be32toh(get_u_int32_t(packet->payload, pe_offset)) != pe_signature) + { + return; + } + + NDPI_LOG_INFO(ndpi_struct, "found Portable Executable (PE) file\n"); + ndpi_set_risk(flow, NDPI_BINARY_APPLICATION_TRANSFER, "Portable Executable (PE32/PE32+) found"); +} + +/* ********************************************************************************* */ + static int ndpi_check_protocol_port_mismatch_exceptions(default_ports_tree_node_t *expected_proto, ndpi_protocol *returned_proto) { /* @@ -8553,6 +8590,10 @@ static ndpi_protocol ndpi_internal_detection_process_packet(struct ndpi_detectio flow->first_pkt_fully_encrypted = fully_enc_heuristic(ndpi_str, flow); } + if(ret.app_protocol == NDPI_PROTOCOL_UNKNOWN) { + ndpi_search_portable_executable(ndpi_str, flow); + } + return(ret); } |