Created
November 25, 2014 17:49
-
-
Save jeffgeiger/d3b09e8c3e0c1a514ee5 to your computer and use it in GitHub Desktop.
File extraction with executables and archives
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| global ext_map: table[string] of string = { | |
| ["application/x-dosexec"] = "exe", | |
| ["application/zip"] = "zip", | |
| ["application/x-gtar"] = "gzip", | |
| ["application/x-rar-compressed"] = "rar", | |
| ["application/x-apple-diskimage"] = "dmg", | |
| ["application/x-7z-compressed"] = "tz", | |
| ["application/x-gzip"] = "gz", | |
| ["application/x-bzip2"] = "bz", | |
| ["application/x-lzma"] = "lzma", | |
| ["application/x-tar"] = "tar", | |
| ["application/x-cpio"] = "cpio", | |
| ["application/x-shar"] = "shar", | |
| } &default =""; | |
| event file_new(f: fa_file) | |
| { | |
| local ext = ""; | |
| if ( f?$mime_type ) | |
| ext = ext_map[f$mime_type]; | |
| local fname = fmt("%s-%s.%s", f$source, f$id, ext); | |
| # Extract any outbound file | |
| for ( cx in f?$conns ) | |
| if ( cx?$conn?$local_orig ) | |
| Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]); | |
| # Extract any inbound file that hits on interesting types | |
| if ( f?$mime_type !in ext_map ) | |
| return; | |
| Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]); | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment