[Bro] PE file parser fuzzing

Jon Siwek jsiwek at corelight.com
Thu Aug 23 07:06:55 PDT 2018


On Wed, Aug 22, 2018 at 5:38 PM Maksim Shudrak <mxmssh at gmail.com> wrote:

> In this case, Bro will call "hash" analyzer and ignore PE. It looks like the PE file analyzer is not loaded/initialized, the debug log reports only the following modules being loaded:
> [FjjsZfY8GArx2E0Ih] Add analyzer MD5
> [FjjsZfY8GArx2E0Ih] Add analyzer SHA1

I didn't understand how exactly you tried to instrument Bro w/ your
fuzzing code, but here it just seems like the problem is you were
expecting Bro to add the PE analyzer unconditionally when in reality
it's only added if the data passed in for file analysis actually looks
like it could be valid PE.  You can see that
scripts/base/files/pe/main.bro is what registers the PE analyzer upon
matching the "application/x-dosexec" type whose signature is defined
in scripts/base/frameworks/files/magic/libmagic.sig (e.g. looks for
data starting with "MZ").  If you want the PE analyzer attached
unconditionally, you could try loading your own script that does:

    event file_new(f: fa_file) { Files::add_analyzer(f, Files::ANALYZER_PE); }

- Jon
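As an added example (not from Jon's message or from the Bro distribution), a script that makes the gating described above visible and applies the unconditional attachment; it assumes the standard Bro file-analysis events `file_sniff` and `pe_dos_header` and the `PE::DOSHeader` field `address_of_new_exe_header`, none of which are mentioned in the thread:

```zeek
# Added example, not part of the thread or of the Bro distribution.
# Assumes the standard Bro file-analysis events file_sniff and
# pe_dos_header and the PE::DOSHeader field address_of_new_exe_header.
@load base/files/pe

# Report what the MIME sniffer decided for each file; the default
# base/files/pe registration keys on "application/x-dosexec", which the
# libmagic.sig signature assigns to data starting with "MZ".
event file_sniff(f: fa_file, meta: fa_metadata)
	{
	if ( meta?$mime_type )
		print fmt("%s: sniffed MIME type %s", f$id, meta$mime_type);
	else
		print fmt("%s: no MIME type sniffed; MIME-based PE registration would skip this file", f$id);
	}

# Attach the PE analyzer to every file regardless of the sniff result,
# as suggested in the reply above.
event file_new(f: fa_file)
	{
	Files::add_analyzer(f, Files::ANALYZER_PE);
	}

# Raised only when the PE analyzer actually parsed a DOS header, so it
# confirms that the analyzer ran on this file's data.
event pe_dos_header(f: fa_file, h: PE::DOSHeader)
	{
	print fmt("%s: PE analyzer parsed DOS header, e_lfanew=0x%x", f$id, h$address_of_new_exe_header);
	}
```

Run it against a trace that carries the file (`bro -r trace.pcap pe-attach.bro`, both names constructed) and compare the two messages per file id: the first shows whether the MIME-based path would have attached PE, the second whether the analyzer parsed anything.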

