e3aaff8e |
/* |
e1cbc270 |
* Copyright (C) 2013-2019 Cisco Systems, Inc. and/or its affiliates. All rights reserved. |
43d7f6f6 |
* Copyright (C) 2007-2013 Sourcefire, Inc. |
c7543866 |
* |
2023340a |
* Authors: Tomasz Kojm |
e3aaff8e |
*
* This program is free software; you can redistribute it and/or modify |
bb34cb31 |
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation. |
e3aaff8e |
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software |
48b7b4a7 |
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
* MA 02110-1301, USA. |
e3aaff8e |
*/
|
6d6e8271 |
#if HAVE_CONFIG_H
#include "clamav-config.h"
#endif
|
517f7b7a |
#ifndef _WIN32 |
ee1b2a6c |
#include <sys/time.h> |
517f7b7a |
#endif |
e3aaff8e |
#include <stdio.h>
#include <string.h>
#include <stdlib.h> |
01eebc13 |
#include <libgen.h> |
0a80bd02 |
#include <errno.h> |
e3aaff8e |
#include <sys/types.h>
#include <sys/stat.h> |
7b1f1aaf |
#ifdef HAVE_UNISTD_H |
a7f5fd00 |
#include <unistd.h> |
b58fdfc2 |
#endif |
7b1f1aaf |
#ifdef HAVE_SYS_PARAM_H |
15edd45f |
#include <sys/param.h> |
b58fdfc2 |
#endif |
e3aaff8e |
#include <fcntl.h>
#include <dirent.h> |
63feb6cd |
#ifdef HAVE_SYS_TIMES_H
#include <sys/times.h>
#endif |
888f5794 |
|
7b1f1aaf |
#define DCONF_ARCH ctx->dconf->archive
#define DCONF_DOC ctx->dconf->doc
#define DCONF_MAIL ctx->dconf->mail |
bc93eda0 |
#define DCONF_OTHER ctx->dconf->other
|
e3aaff8e |
#include "clamav.h"
#include "others.h" |
bc93eda0 |
#include "dconf.h" |
85dd8460 |
#include "scanners.h" |
8000d078 |
#include "matcher-ac.h"
#include "matcher-bm.h" |
e3aaff8e |
#include "matcher.h" |
47bbbc56 |
#include "ole2_extract.h"
#include "vba_extract.h" |
341e5433 |
#include "msexpand.h" |
8d3aca30 |
#include "mbox.h" |
d3699d57 |
#include "libmspack.h" |
a9082ea2 |
#include "pe.h" |
8d3aca30 |
#include "elf.h" |
888f5794 |
#include "filetypes.h"
#include "htmlnorm.h" |
2b259453 |
#include "untar.h" |
c3a3be2d |
#include "special.h" |
6a31c2b4 |
#include "binhex.h" |
8d3aca30 |
/* #include "uuencode.h" */ |
7bbd5f7f |
#include "tnef.h" |
bf45bf13 |
#include "sis.h" |
2c313298 |
#include "pdf.h" |
bd988961 |
#include "str.h" |
52c2a8bd |
#include "rtf.h" |
01eebc13 |
#include "libclamunrar_iface/unrar_iface.h" |
9d96e4b6 |
#include "unarj.h" |
517f7b7a |
#include "nsis/nulsft.h" |
ed93f138 |
#include "autoit.h" |
015ce4a8 |
#include "textnorm.h" |
e3aaff8e |
#include <zlib.h> |
f133da7a |
#include "unzip.h" |
a6e38800 |
#include "dlp.h" |
c4934f41 |
#include "default.h" |
85885226 |
#include "cpio.h" |
89c14869 |
#include "macho.h" |
7ebede9b |
#include "ishield.h" |
0e605501 |
#include "7z_iface.h" |
998bcfa7 |
#include "fmap.h" |
511c2e79 |
#include "cache.h" |
b33354e5 |
#include "events.h" |
1fb9e80c |
#include "swf.h"
#include "jpeg.h" |
419a9d3d |
#include "png.h" |
583cd65f |
#include "iso9660.h" |
ca019d6d |
#include "dmg.h"
#include "xar.h" |
2c67b9ab |
#include "hfsplus.h" |
43d7f6f6 |
#include "xz_iface.h" |
e731850d |
#include "mbr.h" |
fce85dd7 |
#include "gpt.h" |
6c2feae2 |
#include "apm.h" |
8b77f741 |
#include "ooxml.h" |
30a75097 |
#include "xdp.h" |
a69adec1 |
#include "json_api.h" |
4823482e |
#include "msxml.h" |
059e90fc |
#include "tiff.h" |
9103b7e9 |
#include "hwp.h" |
dd2ed14d |
#include "msdoc.h" |
afe940da |
#include "execs.h" |
b03b2712 |
#include "egg.h" |
e3aaff8e |
#ifdef HAVE_BZLIB_H
#include <bzlib.h>
#endif
|
01eebc13 |
#include <fcntl.h> |
b2e7c931 |
#include <string.h>
|
3c91998b |
static int cli_scanfile(const char *filename, cli_ctx *ctx); |
4048c4f6 |
|
cb680655 |
static int cli_scandir(const char *dirname, cli_ctx *ctx) |
c7543866 |
{ |
7b1f1aaf |
DIR *dd;
struct dirent *dent;
STATBUF statbuf;
char *fname;
unsigned int viruses_found = 0; |
c7543866 |
|
288057e9 |
if ((dd = opendir(dirname)) != NULL) {
while ((dent = readdir(dd))) {
if (dent->d_ino) {
if (strcmp(dent->d_name, ".") && strcmp(dent->d_name, "..")) { |
7b1f1aaf |
/* build the full name */
fname = cli_malloc(strlen(dirname) + strlen(dent->d_name) + 2); |
288057e9 |
if (!fname) { |
7b1f1aaf |
closedir(dd);
cli_dbgmsg("cli_scandir: Unable to allocate memory for filename\n");
return CL_EMEM;
}
sprintf(fname, "%s" PATHSEP "%s", dirname, dent->d_name);
/* stat the file */ |
288057e9 |
if (LSTAT(fname, &statbuf) != -1) {
if (S_ISDIR(statbuf.st_mode) && !S_ISLNK(statbuf.st_mode)) {
if (cli_scandir(fname, ctx) == CL_VIRUS) { |
7b1f1aaf |
free(fname);
|
288057e9 |
if (SCAN_ALLMATCHES) { |
7b1f1aaf |
viruses_found++;
continue;
} |
6ad45a29 |
closedir(dd);
return CL_VIRUS; |
7b1f1aaf |
} |
288057e9 |
} else {
if (S_ISREG(statbuf.st_mode)) {
if (cli_scanfile(fname, ctx) == CL_VIRUS) { |
7b1f1aaf |
free(fname);
|
288057e9 |
if (SCAN_ALLMATCHES) { |
7b1f1aaf |
viruses_found++;
continue;
} |
6ad45a29 |
closedir(dd);
return CL_VIRUS; |
7b1f1aaf |
}
}
}
}
free(fname);
}
}
} |
288057e9 |
} else { |
7b1f1aaf |
cli_dbgmsg("cli_scandir: Can't open directory %s.\n", dirname);
return CL_EOPEN; |
c7543866 |
}
closedir(dd); |
048a88e6 |
if (SCAN_ALLMATCHES && viruses_found) |
7b1f1aaf |
return CL_VIRUS; |
c7543866 |
return CL_CLEAN;
}
|
01eebc13 |
/**
* @brief Scan the metadata using cli_matchmeta() |
49df8ea7 |
* |
01eebc13 |
* @param metadata unrar metadata structure
* @param ctx scanning context structure |
49df8ea7 |
* @param files |
959a7b3f |
* @return cl_error_t Returns CL_CLEAN if nothing found, CL_VIRUS if something found, CL_EUNPACK if encrypted. |
01eebc13 |
*/ |
288057e9 |
static cl_error_t cli_unrar_scanmetadata(unrar_metadata_t *metadata, cli_ctx *ctx, unsigned int files) |
e3aaff8e |
{ |
01eebc13 |
cl_error_t status = CL_CLEAN; |
e3aaff8e |
|
d91ab809 |
cli_dbgmsg("RAR: %s, crc32: 0x%x, encrypted: %u, compressed: %u, normal: %u, method: %u, ratio: %u\n", |
288057e9 |
metadata->filename, metadata->crc, metadata->encrypted, (unsigned int)metadata->pack_size,
(unsigned int)metadata->unpack_size, metadata->method,
metadata->pack_size ? (unsigned int)(metadata->unpack_size / metadata->pack_size) : 0); |
a62ae54f |
|
01eebc13 |
if (CL_VIRUS == cli_matchmeta(ctx, metadata->filename, metadata->pack_size, metadata->unpack_size, metadata->encrypted, files, metadata->crc, NULL)) {
status = CL_VIRUS;
} else if (SCAN_HEURISTIC_ENCRYPTED_ARCHIVE && metadata->encrypted) { |
7b1f1aaf |
cli_dbgmsg("RAR: Encrypted files found in archive.\n"); |
01eebc13 |
status = CL_EUNPACK; |
133538e0 |
} |
a62ae54f |
|
01eebc13 |
return status; |
2dbcf700 |
}
|
288057e9 |
static cl_error_t cli_scanrar(const char *filepath, int desc, cli_ctx *ctx) |
133538e0 |
{ |
288057e9 |
cl_error_t status = CL_EPARSE; |
01eebc13 |
cl_unrar_error_t unrar_ret = UNRAR_ERR; |
288057e9 |
char *extract_dir = NULL; /* temp dir to write extracted files to */
unsigned int file_count = 0; |
7b1f1aaf |
unsigned int viruses_found = 0; |
133538e0 |
|
01eebc13 |
uint32_t nEncryptedFilesFound = 0; |
288057e9 |
uint32_t nTooLargeFilesFound = 0; |
133538e0 |
|
288057e9 |
void *hArchive = NULL; |
2b459819 |
|
288057e9 |
char *comment = NULL; |
01eebc13 |
uint32_t comment_size = 0; |
7b1f1aaf |
|
01eebc13 |
unrar_metadata_t metadata; |
288057e9 |
char *filename_base = NULL;
char *extract_fullpath = NULL;
char *comment_fullpath = NULL; |
01eebc13 |
if (filepath == NULL || ctx == NULL) {
cli_dbgmsg("RAR: Invalid arguments!\n");
return CL_EARG; |
7b1f1aaf |
}
|
01eebc13 |
cli_dbgmsg("in scanrar()\n");
/* Zero out the metadata struct before we read the header */
memset(&metadata, 0, sizeof(unrar_metadata_t)); |
288057e9 |
|
01eebc13 |
/* Determine file basename */
if (CL_SUCCESS != cli_basename(filepath, strlen(filepath), &filename_base)) {
status = CL_EARG;
goto done;
}
/* generate the temporary directory for extracted files. */
if (!(extract_dir = cli_gentemp_with_prefix(ctx->engine->tmpdir, filename_base))) {
status = CL_EMEM;
goto done;
}
if (mkdir(extract_dir, 0700)) {
cli_dbgmsg("RAR: Can't create temporary directory for extracted files %s\n", extract_dir);
status = CL_ETMPDIR;
goto done;
}
/*
* Open the archive.
*/
if (UNRAR_OK != (unrar_ret = cli_unrar_open(filepath, &hArchive, &comment, &comment_size, cli_debug_flag))) {
if (unrar_ret == UNRAR_ENCRYPTED) { |
7b1f1aaf |
cli_dbgmsg("RAR: Encrypted main header\n"); |
01eebc13 |
status = CL_EUNPACK;
goto done; |
7b1f1aaf |
} |
01eebc13 |
if (unrar_ret == UNRAR_EMEM) {
status = CL_EMEM;
goto done;
} else {
status = CL_EFORMAT;
goto done; |
7b1f1aaf |
}
}
|
01eebc13 |
/* If the archive header had a comment, write it to the comment dir. */
if ((comment != NULL) && (comment_size > 0)) {
int comment_fd = -1;
if (!(comment_fullpath = cli_gentemp_with_prefix(extract_dir, "comments"))) {
status = CL_EMEM;
goto done; |
7b1f1aaf |
} |
01eebc13 |
comment_fd = open(comment_fullpath, O_WRONLY | O_CREAT | O_TRUNC | O_BINARY, 0600);
if (comment_fd < 0) {
cli_dbgmsg("RAR: ERROR: Failed to open output file\n");
} else {
cli_dbgmsg("RAR: Writing the archive comment to temp file: %s\n", comment_fullpath);
if (0 == write(comment_fd, comment, comment_size)) {
cli_dbgmsg("RAR: ERROR: Failed to write to output file\n");
} else {
/* Scan the comment file */
status = cli_scanfile(comment_fullpath, ctx);
/* Delete the tempfile if not --leave-temps */
if (!ctx->engine->keeptmp)
if (cli_unlink(comment_fullpath))
cli_dbgmsg("RAR: Failed to unlink the extracted comment file: %s\n", comment_fullpath);
if ((status == CL_VIRUS) && SCAN_ALLMATCHES) {
status = CL_CLEAN;
viruses_found++;
}
if ((status == CL_VIRUS) || (status == CL_BREAK)) {
goto done;
}
} |
50876732 |
close(comment_fd); |
7b1f1aaf |
} |
01eebc13 |
} |
7b1f1aaf |
|
01eebc13 |
/*
* Read & scan each file header.
* Extract & scan each file. |
49df8ea7 |
* |
01eebc13 |
* Skip files if they will exceed max filesize or max scansize.
* Count the number of encrypted file headers and encrypted files.
* - Alert if there are encrypted files,
* if the Heuristic for encrypted archives is enabled,
* and if we have not detected a signature match.
*/
do {
status = CL_CLEAN; |
7b1f1aaf |
|
01eebc13 |
/* Zero out the metadata struct before we read the header */
memset(&metadata, 0, sizeof(unrar_metadata_t));
/*
* Get the header information for the next file in the archive.
*/
unrar_ret = cli_unrar_peek_file_header(hArchive, &metadata);
if (unrar_ret != UNRAR_OK) {
if (unrar_ret == UNRAR_ENCRYPTED) {
/* Found an encrypted file header, must skip. */
cli_dbgmsg("RAR: Encrypted file header, unable to reading file metadata and file contents. Skipping file...\n");
nEncryptedFilesFound += 1;
if (UNRAR_OK != cli_unrar_skip_file(hArchive)) {
/* Failed to skip! Break extraction loop. */
cli_dbgmsg("RAR: Failed to skip file. RAR archive extraction has failed.\n");
break;
}
} else if (unrar_ret == UNRAR_BREAK) {
/* No more files. Break extraction loop. */
cli_dbgmsg("RAR: No more files in archive.\n");
break;
} else {
/* Memory error or some other error reading the header info. */
cli_dbgmsg("RAR: Error (%u) reading file header!\n", unrar_ret);
break; |
7b1f1aaf |
} |
288057e9 |
} else { |
01eebc13 |
file_count += 1;
/*
* Scan the metadata for the file in question since the content was clean, or we're running in all-match.
*/ |
959a7b3f |
status = cli_unrar_scanmetadata(&metadata, ctx, file_count); |
01eebc13 |
if ((status == CL_VIRUS) && SCAN_ALLMATCHES) {
status = CL_CLEAN; |
7b1f1aaf |
viruses_found++;
} |
01eebc13 |
if ((status == CL_VIRUS) || (status == CL_BREAK)) {
break;
}
/* Check if we've already exceeded the scan limit */
if (cli_checklimits("RAR", ctx, 0, 0, 0))
break; |
288057e9 |
|
01eebc13 |
if (metadata.is_dir) {
/* Entry is a directory. Skip. */
cli_dbgmsg("RAR: Found directory. Skipping to next file.\n");
if (UNRAR_OK != cli_unrar_skip_file(hArchive)) {
/* Failed to skip! Break extraction loop. */
cli_dbgmsg("RAR: Failed to skip directory. RAR archive extraction has failed.\n");
break;
}
} else if (cli_checklimits("RAR", ctx, metadata.unpack_size, 0, 0)) { |
49df8ea7 |
/* File size exceeds maxfilesize, must skip extraction. |
01eebc13 |
* Although we may be able to scan the metadata */
nTooLargeFilesFound += 1;
cli_dbgmsg("RAR: Next file is too large (%" PRIu64 " bytes); it would exceed max scansize. Skipping to next file.\n", metadata.unpack_size);
if (UNRAR_OK != cli_unrar_skip_file(hArchive)) {
/* Failed to skip! Break extraction loop. */
cli_dbgmsg("RAR: Failed to skip file. RAR archive extraction has failed.\n");
break;
}
} else if (metadata.encrypted != 0) {
/* Found an encrypted file, must skip. */
cli_dbgmsg("RAR: Encrypted file, unable to extract file contents. Skipping file...\n");
nEncryptedFilesFound += 1;
if (UNRAR_OK != cli_unrar_skip_file(hArchive)) {
/* Failed to skip! Break extraction loop. */
cli_dbgmsg("RAR: Failed to skip file. RAR archive extraction has failed.\n");
break;
}
} else {
/*
* Extract the file...
*/ |
f8b3d2e5 |
extract_fullpath = cli_gentemp(extract_dir); |
01eebc13 |
if (NULL == extract_fullpath) {
cli_dbgmsg("RAR: Memory error allocating filename for extracted file.");
status = CL_EMEM;
break;
}
cli_dbgmsg("RAR: Extracting file: %s to %s\n", metadata.filename, extract_fullpath);
unrar_ret = cli_unrar_extract_file(hArchive, extract_fullpath, NULL);
if (unrar_ret != UNRAR_OK) { |
49df8ea7 |
/* |
01eebc13 |
* Some other error extracting the file
*/
cli_dbgmsg("RAR: Error extracting file: %s\n", metadata.filename);
|
49df8ea7 |
/* TODO: |
01eebc13 |
* may need to manually skip the file depending on what, specifically, cli_unrar_extract_file() returned.
*/
} else { |
9bc3a3a5 |
/*
* File should be extracted...
* ... make sure we have read permissions to the file.
*/
#ifdef _WIN32
if (0 != _access_s(extract_fullpath, R_OK)) {
#else
if (0 != access(extract_fullpath, R_OK)) {
#endif
cli_dbgmsg("RAR: Don't have read permissions, attempting to change file permissions to make it readable..\n");
#ifdef _WIN32
if (0 != _chmod(extract_fullpath, _S_IREAD)) {
#else
if (0 != chmod(extract_fullpath, S_IRUSR | S_IRGRP)) {
#endif
cli_dbgmsg("RAR: Failed to change permission bits so the extracted file is readable..\n");
}
}
/* |
01eebc13 |
* ... scan the extracted file.
*/
cli_dbgmsg("RAR: Extraction complete. Scanning now...\n");
status = cli_scanfile(extract_fullpath, ctx);
if (status == CL_EOPEN) {
cli_dbgmsg("RAR: File not found, Extraction failed!\n");
status = CL_CLEAN;
} else {
/* Delete the tempfile if not --leave-temps */
if (!ctx->engine->keeptmp)
if (cli_unlink(extract_fullpath))
cli_dbgmsg("RAR: Failed to unlink the extracted file: %s\n", extract_fullpath);
if (status == CL_VIRUS) {
cli_dbgmsg("RAR: infected with %s\n", cli_get_last_virus(ctx));
status = CL_VIRUS;
viruses_found++;
}
}
}
/* Free up that the filepath */
if (NULL != extract_fullpath) {
free(extract_fullpath);
extract_fullpath = NULL;
}
} |
7b1f1aaf |
}
|
01eebc13 |
if (status == CL_VIRUS) { |
048a88e6 |
if (SCAN_ALLMATCHES) |
01eebc13 |
status = CL_SUCCESS; |
7b1f1aaf |
else
break;
}
|
01eebc13 |
if (ctx->engine->maxscansize && ctx->scansize >= ctx->engine->maxscansize) {
status = CL_CLEAN;
break;
} |
7b1f1aaf |
|
01eebc13 |
/*
* TODO: Free up any malloced metadata...
*/
if (metadata.filename != NULL) {
free(metadata.filename);
metadata.filename = NULL;
} |
7b1f1aaf |
|
01eebc13 |
} while (status == CL_CLEAN); |
7b1f1aaf |
|
01eebc13 |
if (status == CL_BREAK)
status = CL_CLEAN; |
7b1f1aaf |
|
01eebc13 |
done:
if (NULL != comment) {
free(comment);
comment = NULL;
} |
e3aaff8e |
|
01eebc13 |
if (NULL != comment_fullpath) {
if (!ctx->engine->keeptmp) {
cli_rmdirs(comment_fullpath);
}
free(comment_fullpath);
comment_fullpath = NULL;
} |
cf68af72 |
|
01eebc13 |
if (NULL != hArchive) {
cli_unrar_close(hArchive);
hArchive = NULL;
} |
e3aaff8e |
|
01eebc13 |
if (NULL != filename_base) {
free(filename_base);
filename_base = NULL;
} |
133538e0 |
|
01eebc13 |
if (metadata.filename != NULL) {
free(metadata.filename);
metadata.filename = NULL;
}
if (NULL != extract_fullpath) {
free(extract_fullpath);
extract_fullpath = NULL; |
e3aaff8e |
} |
01eebc13 |
if (NULL != extract_dir) {
if (!ctx->engine->keeptmp) {
cli_rmdirs(extract_dir);
}
free(extract_dir);
extract_dir = NULL;
}
/* If return value was a failure due to encryption, scan the un-extracted archive just in case... */
if ((CL_VIRUS != status) && ((CL_EUNPACK == status) || (nEncryptedFilesFound > 0))) {
status = cli_scandesc(desc, ctx, 0, 0, NULL, AC_SCAN_VIR, NULL);
/* If no virus, and user requests enabled the Heuristic for encrypted archives... */
if ((status != CL_VIRUS) && SCAN_HEURISTIC_ENCRYPTED_ARCHIVE) {
if (CL_VIRUS == cli_append_virus(ctx, "Heuristics.Encrypted.RAR")) {
status = CL_VIRUS;
}
}
if (status != CL_VIRUS) {
status = CL_CLEAN;
}
}
cli_dbgmsg("RAR: Exit code: %d\n", status); |
7761c6eb |
|
048a88e6 |
if (SCAN_ALLMATCHES && viruses_found) |
01eebc13 |
status = CL_VIRUS;
return status; |
e3aaff8e |
}
|
b03b2712 |
/**
* @brief Scan the metadata using cli_matchmeta()
*
* @param metadata egg metadata structure
* @param ctx scanning context structure
* @param files number of files
* @return cl_error_t Returns CL_CLEAN if nothing found, CL_VIRUS if something found, CL_EUNPACK if encrypted.
*/
static cl_error_t cli_egg_scanmetadata(cl_egg_metadata *metadata, cli_ctx *ctx, unsigned int files)
{
cl_error_t status = CL_CLEAN;
cli_dbgmsg("EGG: %s, encrypted: %u, compressed: %u, normal: %u, ratio: %u\n",
metadata->filename, metadata->encrypted, (unsigned int)metadata->pack_size,
(unsigned int)metadata->unpack_size,
metadata->pack_size ? (unsigned int)(metadata->unpack_size / metadata->pack_size) : 0);
if (CL_VIRUS == cli_matchmeta(ctx, metadata->filename, metadata->pack_size, metadata->unpack_size, metadata->encrypted, files, 0, NULL)) {
status = CL_VIRUS;
} else if (SCAN_HEURISTIC_ENCRYPTED_ARCHIVE && metadata->encrypted) {
cli_dbgmsg("EGG: Encrypted files found in archive.\n");
status = CL_EUNPACK;
}
done:
return status;
}
static cl_error_t cli_scanegg(cli_ctx *ctx, size_t sfx_offset)
{
cl_error_t status = CL_EPARSE; |
3f7ec139 |
cl_error_t egg_ret = CL_EPARSE; |
b03b2712 |
char *buffer = NULL;
size_t buffer_len = 0;
char *extract_dir = NULL; /* temp dir to write extracted files to */
unsigned int file_count = 0;
unsigned int viruses_found = 0;
uint32_t nEncryptedFilesFound = 0;
uint32_t nTooLargeFilesFound = 0;
void *hArchive = NULL;
|
c4e4fbc1 |
char **comments = NULL;
uint32_t nComments = 0; |
b03b2712 |
cl_egg_metadata metadata;
char *filename_base = NULL;
char *extract_fullpath = NULL;
char *comment_fullpath = NULL;
if (ctx == NULL) {
cli_dbgmsg("EGG: Invalid arguments!\n");
return CL_EARG;
}
cli_dbgmsg("in scanegg()\n");
/* Zero out the metadata struct before we read the header */
memset(&metadata, 0, sizeof(cl_egg_metadata));
/* Determine file basename */
if (NULL != ctx->sub_filepath) {
if (CL_SUCCESS != cli_basename(ctx->sub_filepath, strlen(ctx->sub_filepath), &filename_base)) {
status = CL_EARG;
goto done;
}
}
if (ctx->engine->keeptmp) {
/* generate the temporary directory for extracted files. */
if (!(extract_dir = cli_gentemp_with_prefix(ctx->engine->tmpdir, filename_base))) {
status = CL_EMEM;
goto done;
}
if (mkdir(extract_dir, 0700)) {
cli_dbgmsg("EGG: Can't create temporary directory for extracted files %s\n", extract_dir);
status = CL_ETMPDIR;
goto done;
}
}
/*
* Open the archive.
*/ |
c4e4fbc1 |
if (CL_SUCCESS != (egg_ret = cli_egg_open(*ctx->fmap, sfx_offset, &hArchive, &comments, &nComments))) { |
3f7ec139 |
if (egg_ret == CL_EUNPACK) { |
b03b2712 |
cli_dbgmsg("EGG: Encrypted main header\n");
status = CL_EUNPACK;
goto done;
} |
3f7ec139 |
if (egg_ret == CL_EMEM) { |
b03b2712 |
status = CL_EMEM;
goto done;
} else {
status = CL_EFORMAT;
goto done;
}
}
/* If the archive header had a comment, write it to the comment dir. */ |
c4e4fbc1 |
if (comments != NULL) {
uint32_t i;
for (i = 0; i < nComments; i++) {
/*
* Drop the comment to a temp file, if requested
*/
if (ctx->engine->keeptmp) {
int comment_fd = -1;
size_t prefixLen = strlen("comments_") + 5;
char * prefix = (char*)malloc(prefixLen + 1); |
b03b2712 |
|
c4e4fbc1 |
snprintf(prefix, prefixLen, "comments_%u", i);
prefix[prefixLen] = '\0';
if (!(comment_fullpath = cli_gentemp_with_prefix(extract_dir, prefix))) {
free(prefix);
status = CL_EMEM;
goto done;
}
free(prefix);
prefix = NULL;
comment_fd = open(comment_fullpath, O_WRONLY | O_CREAT | O_TRUNC | O_BINARY, 0600);
if (comment_fd < 0) {
cli_dbgmsg("EGG: ERROR: Failed to open output file\n"); |
b03b2712 |
} else { |
c4e4fbc1 |
cli_dbgmsg("EGG: Writing the archive comment to temp file: %s\n", comment_fullpath);
if (0 == write(comment_fd, comments[i], nComments)) {
cli_dbgmsg("EGG: ERROR: Failed to write to output file\n");
} else {
close(comment_fd);
comment_fd = -1;
} |
b03b2712 |
} |
c4e4fbc1 |
free(comment_fullpath);
comment_fullpath = NULL; |
b03b2712 |
}
|
c4e4fbc1 |
/*
* Scan the comment.
*/
status = cli_mem_scandesc(comments[i], strlen(comments[i]), ctx); |
b03b2712 |
|
c4e4fbc1 |
if ((status == CL_VIRUS) && SCAN_ALLMATCHES) {
status = CL_CLEAN;
viruses_found++;
}
if ((status == CL_VIRUS) || (status == CL_BREAK)) {
goto done;
} |
b03b2712 |
}
}
/*
* Read & scan each file header.
* Extract & scan each file.
*
* Skip files if they will exceed max filesize or max scansize.
* Count the number of encrypted file headers and encrypted files.
* - Alert if there are encrypted files,
* if the Heuristic for encrypted archives is enabled,
* and if we have not detected a signature match.
*/
do {
status = CL_CLEAN;
/* Zero out the metadata struct before we read the header */
memset(&metadata, 0, sizeof(unrar_metadata_t));
/*
* Get the header information for the next file in the archive.
*/
egg_ret = cli_egg_peek_file_header(hArchive, &metadata); |
3f7ec139 |
if (egg_ret != CL_SUCCESS) {
if (egg_ret == CL_EUNPACK) { |
b03b2712 |
/* Found an encrypted file header, must skip. */
cli_dbgmsg("EGG: Encrypted file header, unable to reading file metadata and file contents. Skipping file...\n");
nEncryptedFilesFound += 1;
|
3f7ec139 |
if (CL_SUCCESS != cli_egg_skip_file(hArchive)) { |
b03b2712 |
/* Failed to skip! Break extraction loop. */
cli_dbgmsg("EGG: Failed to skip file. EGG archive extraction has failed.\n");
break;
} |
3f7ec139 |
} else if (egg_ret == CL_BREAK) { |
b03b2712 |
/* No more files. Break extraction loop. */
cli_dbgmsg("EGG: No more files in archive.\n");
break;
} else {
/* Memory error or some other error reading the header info. */
cli_dbgmsg("EGG: Error (%u) reading file header!\n", egg_ret);
break;
}
} else {
file_count += 1;
/*
* Scan the metadata for the file in question since the content was clean, or we're running in all-match.
*/
status = cli_egg_scanmetadata(&metadata, ctx, file_count);
if ((status == CL_VIRUS) && SCAN_ALLMATCHES) {
status = CL_CLEAN;
viruses_found++;
}
if ((status == CL_VIRUS) || (status == CL_BREAK)) {
break;
}
/* Check if we've already exceeded the scan limit */
if (cli_checklimits("EGG", ctx, 0, 0, 0))
break;
if (metadata.is_dir) {
/* Entry is a directory. Skip. */
cli_dbgmsg("EGG: Found directory. Skipping to next file.\n");
|
3f7ec139 |
if (CL_SUCCESS != cli_egg_skip_file(hArchive)) { |
b03b2712 |
/* Failed to skip! Break extraction loop. */
cli_dbgmsg("EGG: Failed to skip directory. EGG archive extraction has failed.\n");
break;
}
} else if (cli_checklimits("EGG", ctx, metadata.unpack_size, 0, 0)) {
/* File size exceeds maxfilesize, must skip extraction.
* Although we may be able to scan the metadata */
nTooLargeFilesFound += 1;
cli_dbgmsg("EGG: Next file is too large (%" PRIu64 " bytes); it would exceed max scansize. Skipping to next file.\n", metadata.unpack_size);
|
3f7ec139 |
if (CL_SUCCESS != cli_egg_skip_file(hArchive)) { |
b03b2712 |
/* Failed to skip! Break extraction loop. */
cli_dbgmsg("EGG: Failed to skip file. EGG archive extraction has failed.\n");
break;
}
} else if (metadata.encrypted != 0) {
/* Found an encrypted file, must skip. */
cli_dbgmsg("EGG: Encrypted file, unable to extract file contents. Skipping file...\n");
nEncryptedFilesFound += 1;
|
3f7ec139 |
if (CL_SUCCESS != cli_egg_skip_file(hArchive)) { |
b03b2712 |
/* Failed to skip! Break extraction loop. */
cli_dbgmsg("EGG: Failed to skip file. EGG archive extraction has failed.\n");
break;
}
} else {
/*
* Extract the file...
*/
char *extract_filename = NULL;
char *extract_buffer = NULL;
size_t extract_buffer_len = 0;
cli_dbgmsg("EGG: Extracting file: %s\n", metadata.filename);
egg_ret = cli_egg_extract_file(hArchive, (const char **)&extract_filename, (const char **)&extract_buffer, &extract_buffer_len); |
3f7ec139 |
if (egg_ret != CL_SUCCESS) { |
b03b2712 |
/*
* Some other error extracting the file
*/
cli_dbgmsg("EGG: Error extracting file: %s\n", metadata.filename);
} else if (!extract_buffer || 0 == extract_buffer_len) {
/*
* Empty file. Skip.
*/
cli_dbgmsg("EGG: Skipping empty file: %s\n", metadata.filename);
} else {
/*
* Drop to a temp file, if requested.
*/
if (ctx->engine->keeptmp) {
int extracted_fd = -1;
if (!(extract_fullpath = cli_gentemp(extract_dir))) {
status = CL_EMEM;
break;
}
extracted_fd = open(extract_fullpath, O_WRONLY | O_CREAT | O_TRUNC | O_BINARY, 0600);
if (extracted_fd < 0) {
cli_dbgmsg("EGG: ERROR: Failed to open output file\n");
} else {
cli_dbgmsg("EGG: Writing the extracted file contents to temp file: %s\n", extract_fullpath);
if (0 == write(extracted_fd, extract_buffer, extract_buffer_len)) {
cli_dbgmsg("EGG: ERROR: Failed to write to output file\n");
} else {
close(extracted_fd);
extracted_fd = -1;
}
}
}
/*
* Scan the extracted file (buffer)...
*/
cli_dbgmsg("EGG: Extraction complete. Scanning now...\n");
status = cli_mem_scandesc(extract_buffer, extract_buffer_len, ctx);
if (status == CL_VIRUS) {
cli_dbgmsg("EGG: infected with %s\n", cli_get_last_virus(ctx));
status = CL_VIRUS;
viruses_found++;
}
if (NULL != extract_filename) {
free(extract_filename);
extract_filename = NULL;
}
if (NULL != extract_buffer) {
free(extract_buffer);
extract_buffer = NULL;
}
}
/* Free up that the filepath */
if (NULL != extract_fullpath) {
free(extract_fullpath);
extract_fullpath = NULL;
}
}
}
if (status == CL_VIRUS) {
if (SCAN_ALLMATCHES)
status = CL_SUCCESS;
else
break;
}
if (ctx->engine->maxscansize && ctx->scansize >= ctx->engine->maxscansize) {
status = CL_CLEAN;
break;
}
/*
* TODO: Free up any malloced metadata...
*/
if (metadata.filename != NULL) {
free(metadata.filename);
metadata.filename = NULL;
}
} while (status == CL_CLEAN);
if (status == CL_BREAK)
status = CL_CLEAN;
done:
if (NULL != comment_fullpath) {
free(comment_fullpath);
comment_fullpath = NULL;
}
if (NULL != hArchive) {
cli_egg_close(hArchive);
hArchive = NULL;
}
if (NULL != filename_base) {
free(filename_base);
filename_base = NULL;
}
if (metadata.filename != NULL) {
free(metadata.filename);
metadata.filename = NULL;
}
if (NULL != extract_fullpath) {
free(extract_fullpath);
extract_fullpath = NULL;
}
if (NULL != extract_dir) {
free(extract_dir);
extract_dir = NULL;
}
/* If return value was a failure due to encryption, scan the un-extracted archive just in case... */
if ((CL_VIRUS != status) && ((CL_EUNPACK == status) || (nEncryptedFilesFound > 0))) {
status = cli_mem_scandesc(buffer, buffer_len, ctx);
/* If no virus, and user requests enabled the Heuristic for encrypted archives... */
if ((status != CL_VIRUS) && SCAN_HEURISTIC_ENCRYPTED_ARCHIVE) {
if (CL_VIRUS == cli_append_virus(ctx, "Heuristics.Encrypted.EGG")) {
status = CL_VIRUS;
}
}
if (status != CL_VIRUS) {
status = CL_CLEAN;
}
}
cli_dbgmsg("EGG: Exit code: %d\n", status);
if (SCAN_ALLMATCHES && viruses_found)
status = CL_VIRUS;
return status;
}
|
959a7b3f |
static int cli_scanarj(cli_ctx *ctx, off_t sfx_offset) |
9d96e4b6 |
{ |
7b1f1aaf |
int ret = CL_CLEAN, rc, file = 0;
arj_metadata_t metadata;
char *dir;
int virus_found = 0; |
9d96e4b6 |
cli_dbgmsg("in cli_scanarj()\n");
|
0183d242 |
memset(&metadata, 0, sizeof(arj_metadata_t));
|
7b1f1aaf |
/* generate the temporary directory */
if (!(dir = cli_gentemp(ctx->engine->tmpdir)))
return CL_EMEM; |
5fc380f1 |
|
288057e9 |
if (mkdir(dir, 0700)) { |
7b1f1aaf |
cli_dbgmsg("ARJ: Can't create temporary directory %s\n", dir);
free(dir);
return CL_ETMPDIR; |
9d96e4b6 |
}
|
3f065bbe |
ret = cli_unarj_open(*ctx->fmap, dir, &metadata, sfx_offset); |
288057e9 |
if (ret != CL_SUCCESS) { |
7b1f1aaf |
if (!ctx->engine->keeptmp)
cli_rmdirs(dir);
free(dir);
cli_dbgmsg("ARJ: Error: %s\n", cl_strerror(ret));
return ret;
}
|
288057e9 |
do { |
fc355be4 |
metadata.filename = NULL; |
288057e9 |
ret = cli_unarj_prepare_file(dir, &metadata);
if (ret != CL_SUCCESS) { |
7b1f1aaf |
cli_dbgmsg("ARJ: cli_unarj_prepare_file Error: %s\n", cl_strerror(ret));
break;
}
file++; |
288057e9 |
if (cli_matchmeta(ctx, metadata.filename, metadata.comp_size, metadata.orig_size, metadata.encrypted, file, 0, NULL) == CL_VIRUS) {
if (!SCAN_ALLMATCHES) { |
7a307529 |
cli_rmdirs(dir);
free(dir);
return CL_VIRUS;
}
virus_found = 1; |
288057e9 |
ret = CL_SUCCESS; |
7a307529 |
} |
570b1d00 |
|
288057e9 |
if ((ret = cli_checklimits("ARJ", ctx, metadata.orig_size, metadata.comp_size, 0)) != CL_CLEAN) { |
7b1f1aaf |
ret = CL_SUCCESS;
if (metadata.filename)
free(metadata.filename);
continue;
}
ret = cli_unarj_extract_file(dir, &metadata); |
288057e9 |
if (ret != CL_SUCCESS) { |
7b1f1aaf |
cli_dbgmsg("ARJ: cli_unarj_extract_file Error: %s\n", cl_strerror(ret));
} |
288057e9 |
if (metadata.ofd >= 0) {
if (lseek(metadata.ofd, 0, SEEK_SET) == -1) { |
7b1f1aaf |
cli_dbgmsg("ARJ: call to lseek() failed\n");
} |
01eebc13 |
rc = cli_magic_scandesc(metadata.ofd, NULL, ctx); |
7b1f1aaf |
close(metadata.ofd); |
288057e9 |
if (rc == CL_VIRUS) { |
7b1f1aaf |
cli_dbgmsg("ARJ: infected with %s\n", cli_get_last_virus(ctx)); |
288057e9 |
if (!SCAN_ALLMATCHES) { |
7a307529 |
ret = CL_VIRUS; |
288057e9 |
if (metadata.filename) { |
7a307529 |
free(metadata.filename);
metadata.filename = NULL;
}
break;
}
virus_found = 1; |
288057e9 |
ret = CL_SUCCESS; |
7b1f1aaf |
}
} |
288057e9 |
if (metadata.filename) { |
7b1f1aaf |
free(metadata.filename);
metadata.filename = NULL;
}
} while (ret == CL_SUCCESS);
if (!ctx->engine->keeptmp)
cli_rmdirs(dir); |
9d96e4b6 |
free(dir); |
288057e9 |
if (metadata.filename) { |
7b1f1aaf |
free(metadata.filename); |
9d96e4b6 |
}
|
7a307529 |
if (virus_found != 0)
ret = CL_VIRUS; |
9d96e4b6 |
cli_dbgmsg("ARJ: Exit code: %d\n", ret); |
9f851a24 |
if (ret == CL_BREAK) |
7b1f1aaf |
ret = CL_CLEAN; |
9d96e4b6 |
return ret;
} |
e3aaff8e |
|
6c03dc5d |
static cl_error_t cli_scangzip_with_zib_from_the_80s(cli_ctx *ctx, unsigned char *buff) |
7b1f1aaf |
{ |
6c03dc5d |
int fd;
cl_error_t ret;
size_t outsize = 0;
int bytes; |
5a72fce6 |
fmap_t *map = *ctx->fmap;
char *tmpname;
gzFile gz;
|
0b3b2924 |
ret = fmap_fd(map); |
7b1f1aaf |
if (ret < 0)
return CL_EDUP; |
0b3b2924 |
fd = dup(ret); |
7b1f1aaf |
if (fd < 0)
return CL_EDUP;
|
288057e9 |
if (!(gz = gzdopen(fd, "rb"))) { |
7b1f1aaf |
close(fd);
return CL_EOPEN;
}
|
288057e9 |
if ((ret = cli_gentempfd(ctx->engine->tmpdir, &tmpname, &fd)) != CL_SUCCESS) { |
7b1f1aaf |
cli_dbgmsg("GZip: Can't generate temporary file.\n");
gzclose(gz);
close(fd);
return ret;
}
|
288057e9 |
while ((bytes = gzread(gz, buff, FILEBUFF)) > 0) { |
7b1f1aaf |
outsize += bytes;
if (cli_checklimits("GZip", ctx, outsize, 0, 0) != CL_CLEAN)
break; |
6c03dc5d |
if (cli_writen(fd, buff, (size_t)bytes) != (size_t)bytes) { |
7b1f1aaf |
close(fd);
gzclose(gz); |
288057e9 |
if (cli_unlink(tmpname)) { |
7b1f1aaf |
free(tmpname);
return CL_EUNLINK;
}
free(tmpname);
return CL_EWRITE;
} |
5a72fce6 |
}
gzclose(gz);
|
288057e9 |
if ((ret = cli_magic_scandesc(fd, tmpname, ctx)) == CL_VIRUS) { |
7b1f1aaf |
cli_dbgmsg("GZip: Infected with %s\n", cli_get_last_virus(ctx));
close(fd); |
288057e9 |
if (!ctx->engine->keeptmp) {
if (cli_unlink(tmpname)) { |
7b1f1aaf |
free(tmpname);
return CL_EUNLINK;
}
}
free(tmpname);
return CL_VIRUS; |
5a72fce6 |
}
close(fd); |
7b1f1aaf |
if (!ctx->engine->keeptmp)
if (cli_unlink(tmpname))
ret = CL_EUNLINK; |
5a72fce6 |
free(tmpname);
return ret;
}
|
686ed348 |
static int cli_scangzip(cli_ctx *ctx) |
e3aaff8e |
{ |
7b1f1aaf |
int fd, ret = CL_CLEAN;
unsigned char buff[FILEBUFF];
char *tmpname;
z_stream z;
size_t at = 0, outsize = 0;
fmap_t *map = *ctx->fmap;
|
fc56deed |
cli_dbgmsg("in cli_scangzip()\n");
|
686ed348 |
memset(&z, 0, sizeof(z)); |
288057e9 |
if ((ret = inflateInit2(&z, MAX_WBITS + 16)) != Z_OK) { |
7b1f1aaf |
cli_dbgmsg("GZip: InflateInit failed: %d\n", ret);
return cli_scangzip_with_zib_from_the_80s(ctx, buff);
}
|
288057e9 |
if ((ret = cli_gentempfd(ctx->engine->tmpdir, &tmpname, &fd)) != CL_SUCCESS) { |
7b1f1aaf |
cli_dbgmsg("GZip: Can't generate temporary file.\n");
inflateEnd(&z);
return ret;
}
|
288057e9 |
while (at < map->len) { |
7b1f1aaf |
unsigned int bytes = MIN(map->len - at, map->pgsz); |
288057e9 |
if (!(z.next_in = (void *)fmap_need_off_once(map, at, bytes))) { |
7b1f1aaf |
cli_dbgmsg("GZip: Can't read %u bytes @ %lu.\n", bytes, (long unsigned)at);
inflateEnd(&z);
close(fd); |
288057e9 |
if (cli_unlink(tmpname)) { |
7b1f1aaf |
free(tmpname);
return CL_EUNLINK;
}
free(tmpname);
return CL_EREAD;
}
at += bytes;
z.avail_in = bytes; |
288057e9 |
do { |
7b1f1aaf |
int inf;
z.avail_out = sizeof(buff); |
288057e9 |
z.next_out = buff;
inf = inflate(&z, Z_NO_FLUSH);
if (inf != Z_OK && inf != Z_STREAM_END && inf != Z_BUF_ERROR) {
if (sizeof(buff) == z.avail_out) { |
7b1f1aaf |
cli_dbgmsg("GZip: Bad stream, nothing in output buffer.\n");
at = map->len;
break; |
288057e9 |
} else { |
7b1f1aaf |
cli_dbgmsg("GZip: Bad stream, data in output buffer.\n");
/* no break yet, flush extracted bytes to file */
}
} |
6c03dc5d |
if (cli_writen(fd, buff, sizeof(buff) - z.avail_out) == (size_t)-1) { |
7b1f1aaf |
inflateEnd(&z);
close(fd); |
288057e9 |
if (cli_unlink(tmpname)) { |
7b1f1aaf |
free(tmpname);
return CL_EUNLINK;
}
free(tmpname);
return CL_EWRITE;
}
outsize += sizeof(buff) - z.avail_out; |
288057e9 |
if (cli_checklimits("GZip", ctx, outsize, 0, 0) != CL_CLEAN) { |
7b1f1aaf |
at = map->len;
break;
} |
288057e9 |
if (inf == Z_STREAM_END) { |
7b1f1aaf |
at -= z.avail_in;
inflateReset(&z);
break; |
288057e9 |
} else if (inf != Z_OK && inf != Z_BUF_ERROR) { |
7b1f1aaf |
at = map->len;
break;
}
} while (z.avail_out == 0);
}
inflateEnd(&z);
|
288057e9 |
if ((ret = cli_magic_scandesc(fd, tmpname, ctx)) == CL_VIRUS) { |
7b1f1aaf |
cli_dbgmsg("GZip: Infected with %s\n", cli_get_last_virus(ctx));
close(fd); |
288057e9 |
if (!ctx->engine->keeptmp) {
if (cli_unlink(tmpname)) { |
7b1f1aaf |
free(tmpname);
return CL_EUNLINK;
}
}
free(tmpname);
return CL_VIRUS; |
e3aaff8e |
} |
a7ac5978 |
close(fd); |
7b1f1aaf |
if (!ctx->engine->keeptmp)
if (cli_unlink(tmpname))
ret = CL_EUNLINK; |
686ed348 |
free(tmpname); |
e3aaff8e |
return ret;
}
|
de472237 |
#ifndef HAVE_BZLIB_H |
7b1f1aaf |
static int cli_scanbzip(cli_ctx *ctx)
{ |
de472237 |
cli_warnmsg("cli_scanbzip: bzip2 support not compiled in\n");
return CL_CLEAN;
}
#else |
e3aaff8e |
#ifdef NOBZ2PREFIX |
6b89f8e8 |
#define BZ2_bzDecompressInit bzDecompressInit
#define BZ2_bzDecompress bzDecompress
#define BZ2_bzDecompressEnd bzDecompressEnd |
e3aaff8e |
#endif
|
6b89f8e8 |
static int cli_scanbzip(cli_ctx *ctx) |
e3aaff8e |
{ |
6b89f8e8 |
int ret = CL_CLEAN, fd, rc;
unsigned long int size = 0;
char *tmpname;
bz_stream strm;
size_t off = 0;
size_t avail;
char buf[FILEBUFF];
memset(&strm, 0, sizeof(strm));
strm.next_out = buf;
strm.avail_out = sizeof(buf);
rc = BZ2_bzDecompressInit(&strm, 0, 0); |
288057e9 |
if (BZ_OK != rc) { |
7b1f1aaf |
cli_dbgmsg("Bzip: DecompressInit failed: %d\n", rc);
return CL_EOPEN;
}
|
288057e9 |
if ((ret = cli_gentempfd(ctx->engine->tmpdir, &tmpname, &fd))) { |
7b1f1aaf |
cli_dbgmsg("Bzip: Can't generate temporary file.\n");
BZ2_bzDecompressEnd(&strm);
return ret;
}
|
288057e9 |
do {
if (!strm.avail_in) { |
7b1f1aaf |
strm.next_in = (void *)fmap_need_off_once_len(*ctx->fmap, off, FILEBUFF, &avail);
strm.avail_in = avail;
off += avail; |
288057e9 |
if (!strm.avail_in) { |
7b1f1aaf |
cli_dbgmsg("Bzip: premature end of compressed stream\n");
break;
}
}
rc = BZ2_bzDecompress(&strm); |
288057e9 |
if (BZ_OK != rc && BZ_STREAM_END != rc) { |
7b1f1aaf |
cli_dbgmsg("Bzip: decompress error: %d\n", rc);
break;
}
|
288057e9 |
if (!strm.avail_out || BZ_STREAM_END == rc) { |
7b1f1aaf |
size += sizeof(buf) - strm.avail_out;
|
288057e9 |
if (cli_writen(fd, buf, sizeof(buf) - strm.avail_out) != sizeof(buf) - strm.avail_out) { |
7b1f1aaf |
cli_dbgmsg("Bzip: Can't write to file.\n");
BZ2_bzDecompressEnd(&strm);
close(fd); |
288057e9 |
if (!ctx->engine->keeptmp) {
if (cli_unlink(tmpname)) { |
7b1f1aaf |
free(tmpname);
return CL_EUNLINK;
}
}
free(tmpname);
return CL_EWRITE;
}
if (cli_checklimits("Bzip", ctx, size, 0, 0) != CL_CLEAN)
break;
strm.next_out = buf;
strm.avail_out = sizeof(buf);
} |
6b89f8e8 |
} while (BZ_STREAM_END != rc); |
e3aaff8e |
|
6b89f8e8 |
BZ2_bzDecompressEnd(&strm); |
985d9958 |
|
288057e9 |
if ((ret = cli_magic_scandesc(fd, tmpname, ctx)) == CL_VIRUS) { |
7b1f1aaf |
cli_dbgmsg("Bzip: Infected with %s\n", cli_get_last_virus(ctx));
close(fd); |
288057e9 |
if (!ctx->engine->keeptmp) {
if (cli_unlink(tmpname)) { |
7b1f1aaf |
ret = CL_EUNLINK;
free(tmpname);
return ret;
}
}
free(tmpname);
return CL_VIRUS; |
e3aaff8e |
} |
a7ac5978 |
close(fd); |
7b1f1aaf |
if (!ctx->engine->keeptmp)
if (cli_unlink(tmpname))
ret = CL_EUNLINK; |
6b89f8e8 |
free(tmpname); |
e3aaff8e |
return ret;
}
#endif
|
43d7f6f6 |
static int cli_scanxz(cli_ctx *ctx)
{ |
288057e9 |
int ret = CL_CLEAN, fd, rc; |
43d7f6f6 |
unsigned long int size = 0;
char *tmpname; |
8b77f741 |
struct CLI_XZ strm; |
43d7f6f6 |
size_t off = 0;
size_t avail; |
8b77f741 |
unsigned char *buf; |
43d7f6f6 |
|
8b77f741 |
buf = cli_malloc(CLI_XZ_OBUF_SIZE); |
288057e9 |
if (buf == NULL) { |
7b1f1aaf |
cli_errmsg("cli_scanxz: nomemory for decompress buffer.\n"); |
61fded8b |
return CL_EMEM;
} |
8b77f741 |
memset(&strm, 0x00, sizeof(struct CLI_XZ)); |
288057e9 |
strm.next_out = buf; |
61fded8b |
strm.avail_out = CLI_XZ_OBUF_SIZE; |
288057e9 |
rc = cli_XzInit(&strm);
if (rc != XZ_RESULT_OK) { |
7b1f1aaf |
cli_errmsg("cli_scanxz: DecompressInit failed: %i\n", rc); |
61fded8b |
free(buf); |
7b1f1aaf |
return CL_EOPEN; |
43d7f6f6 |
}
|
288057e9 |
if ((ret = cli_gentempfd(ctx->engine->tmpdir, &tmpname, &fd))) { |
7b1f1aaf |
cli_errmsg("cli_scanxz: Can't generate temporary file.\n");
cli_XzShutdown(&strm); |
61fded8b |
free(buf); |
7b1f1aaf |
return ret; |
43d7f6f6 |
}
cli_dbgmsg("cli_scanxz: decompressing to file %s\n", tmpname);
|
288057e9 |
do { |
43d7f6f6 |
/* set up input buffer */ |
288057e9 |
if (!strm.avail_in) {
strm.next_in = (void *)fmap_need_off_once_len(*ctx->fmap, off, CLI_XZ_IBUF_SIZE, &avail); |
7b1f1aaf |
strm.avail_in = avail;
off += avail; |
288057e9 |
if (!strm.avail_in) { |
7b1f1aaf |
cli_errmsg("cli_scanxz: premature end of compressed stream\n"); |
43d7f6f6 |
ret = CL_EFORMAT; |
7b1f1aaf |
goto xz_exit;
}
} |
43d7f6f6 |
/* xz decompress a chunk */ |
7b1f1aaf |
rc = cli_XzDecode(&strm); |
288057e9 |
if (XZ_RESULT_OK != rc && XZ_STREAM_END != rc) {
if (rc == XZ_DIC_HEURISTIC) { |
048a88e6 |
ret = cli_append_virus(ctx, "Heuristics.XZ.DicSizeLimit"); |
4ae32e4d |
goto xz_exit;
} |
7b1f1aaf |
cli_errmsg("cli_scanxz: decompress error: %d\n", rc); |
43d7f6f6 |
ret = CL_EFORMAT;
goto xz_exit; |
7b1f1aaf |
} |
43d7f6f6 |
//cli_dbgmsg("cli_scanxz: xz decompressed %li of %li available bytes\n",
// avail - strm.avail_in, avail); |
7b1f1aaf |
|
43d7f6f6 |
/* write decompress buffer */ |
288057e9 |
if (!strm.avail_out || rc == XZ_STREAM_END) { |
7b1f1aaf |
size_t towrite = CLI_XZ_OBUF_SIZE - strm.avail_out;
size += towrite; |
43d7f6f6 |
//cli_dbgmsg("Writing %li bytes to XZ decompress temp file(%li byte total)\n",
// towrite, size);
|
6c03dc5d |
if (cli_writen(fd, buf, towrite) != towrite) { |
7b1f1aaf |
cli_errmsg("cli_scanxz: Can't write to file.\n"); |
43d7f6f6 |
ret = CL_EWRITE;
goto xz_exit; |
7b1f1aaf |
} |
288057e9 |
if (cli_checklimits("cli_scanxz", ctx, size, 0, 0) != CL_CLEAN) { |
43d7f6f6 |
cli_warnmsg("cli_scanxz: decompress file size exceeds limits - " |
7b1f1aaf |
"only scanning %li bytes\n",
size);
break; |
43d7f6f6 |
} |
288057e9 |
strm.next_out = buf; |
7b1f1aaf |
strm.avail_out = CLI_XZ_OBUF_SIZE;
} |
43d7f6f6 |
} while (XZ_STREAM_END != rc);
/* scan decompressed file */ |
288057e9 |
if ((ret = cli_magic_scandesc(fd, tmpname, ctx)) == CL_VIRUS) { |
7b1f1aaf |
cli_dbgmsg("cli_scanxz: Infected with %s\n", cli_get_last_virus(ctx)); |
43d7f6f6 |
}
|
7b1f1aaf |
xz_exit: |
43d7f6f6 |
cli_XzShutdown(&strm);
close(fd); |
7b1f1aaf |
if (!ctx->engine->keeptmp)
if (cli_unlink(tmpname) && ret == CL_CLEAN) |
43d7f6f6 |
ret = CL_EUNLINK;
free(tmpname); |
61fded8b |
free(buf); |
43d7f6f6 |
return ret;
}
|
786a7e91 |
static int cli_scanszdd(cli_ctx *ctx) |
341e5433 |
{ |
7b1f1aaf |
int ofd, ret;
char *tmpname; |
2b259453 |
|
5da612a4 |
cli_dbgmsg("in cli_scanszdd()\n");
|
288057e9 |
if ((ret = cli_gentempfd(ctx->engine->tmpdir, &tmpname, &ofd))) { |
7b1f1aaf |
cli_dbgmsg("MSEXPAND: Can't generate temporary file/descriptor\n");
return ret; |
341e5433 |
}
|
786a7e91 |
ret = cli_msexpand(ctx, ofd); |
341e5433 |
|
288057e9 |
if (ret != CL_SUCCESS) { /* CL_VIRUS or some error */ |
7b1f1aaf |
close(ofd);
if (!ctx->engine->keeptmp)
if (cli_unlink(tmpname))
ret = CL_EUNLINK;
free(tmpname);
return ret; |
341e5433 |
}
|
6e47a652 |
cli_dbgmsg("MSEXPAND: Decompressed into %s\n", tmpname); |
01eebc13 |
ret = cli_magic_scandesc(ofd, tmpname, ctx); |
6e47a652 |
close(ofd); |
7b1f1aaf |
if (!ctx->engine->keeptmp)
if (cli_unlink(tmpname))
ret = CL_EUNLINK;
free(tmpname); |
6e47a652 |
|
341e5433 |
return ret;
}
|
6c03dc5d |
static cl_error_t vba_scandata(const unsigned char *data, size_t len, cli_ctx *ctx) |
d020ad3f |
{ |
7b1f1aaf |
struct cli_matcher *groot = ctx->engine->root[0];
struct cli_matcher *troot = ctx->engine->root[2];
struct cli_ac_data gmdata, tmdata;
struct cli_ac_data *mdata[2]; |
6c03dc5d |
cl_error_t ret; |
7b1f1aaf |
unsigned int viruses_found = 0; |
d020ad3f |
|
7b1f1aaf |
if ((ret = cli_ac_initdata(&tmdata, troot->ac_partsigs, troot->ac_lsigs, troot->ac_reloff_num, CLI_DEFAULT_AC_TRACKLEN)))
return ret; |
d020ad3f |
|
288057e9 |
if ((ret = cli_ac_initdata(&gmdata, groot->ac_partsigs, groot->ac_lsigs, groot->ac_reloff_num, CLI_DEFAULT_AC_TRACKLEN))) { |
7b1f1aaf |
cli_ac_freedata(&tmdata);
return ret; |
d020ad3f |
}
mdata[0] = &tmdata;
mdata[1] = &gmdata;
ret = cli_scanbuff(data, len, 0, ctx, CL_TYPE_MSOLE2, mdata); |
ec5f4a47 |
if (ret == CL_VIRUS) |
7b1f1aaf |
viruses_found++; |
d020ad3f |
|
288057e9 |
if (ret == CL_CLEAN || (ret == CL_VIRUS && SCAN_ALLMATCHES)) { |
7b1f1aaf |
fmap_t *map = *ctx->fmap; |
288057e9 |
*ctx->fmap = cl_fmap_open_memory(data, len); |
45b97d65 |
if (*ctx->fmap == NULL)
return CL_EMEM; |
7b1f1aaf |
ret = cli_exp_eval(ctx, troot, &tmdata, NULL, NULL);
if (ret == CL_VIRUS)
viruses_found++; |
ec5f4a47 |
|
048a88e6 |
if (ret == CL_CLEAN || (ret == CL_VIRUS && SCAN_ALLMATCHES)) |
7b1f1aaf |
ret = cli_exp_eval(ctx, groot, &gmdata, NULL, NULL); |
45b97d65 |
funmap(*ctx->fmap);
*ctx->fmap = map; |
d020ad3f |
}
cli_ac_freedata(&tmdata);
cli_ac_freedata(&gmdata);
|
7b1f1aaf |
return (ret != CL_CLEAN) ? ret : viruses_found ? CL_VIRUS : CL_CLEAN; |
d020ad3f |
}
|
6c03dc5d |
static cl_error_t cli_vba_scandir(const char *dirname, cli_ctx *ctx, struct uniq *U) |
e3aaff8e |
{ |
49df8ea7 |
cl_error_t ret = CL_CLEAN; |
6c03dc5d |
int i, j, fd, hasmacros = 0;
size_t data_len; |
7b1f1aaf |
vba_project_t *vba_project;
DIR *dd;
struct dirent *dent;
STATBUF statbuf;
char *fullname, vbaname[1024];
unsigned char *data;
char *hash; |
49df8ea7 |
uint32_t hashcnt = 0; |
7b1f1aaf |
unsigned int viruses_found = 0; |
2b259453 |
cli_dbgmsg("VBADir: %s\n", dirname); |
49df8ea7 |
if (CL_SUCCESS != (ret = uniq_get(U, "_vba_project", 12, NULL, &hashcnt))) {
cli_dbgmsg("VBADir: uniq_get('_vba_project') failed with ret code (%d)!\n", ret);
return ret;
}
while (hashcnt) {
if (!(vba_project = (vba_project_t *)cli_vba_readdir(dirname, U, hashcnt))) {
hashcnt--; |
7b1f1aaf |
continue; |
49df8ea7 |
} |
7b1f1aaf |
|
288057e9 |
for (i = 0; i < vba_project->count; i++) { |
49df8ea7 |
for (j = 1; (unsigned int)j <= vba_project->colls[i]; j++) { |
7b1f1aaf |
snprintf(vbaname, 1024, "%s" PATHSEP "%s_%u", vba_project->dir, vba_project->name[i], j);
vbaname[sizeof(vbaname) - 1] = '\0'; |
288057e9 |
fd = open(vbaname, O_RDONLY | O_BINARY); |
49df8ea7 |
if (fd == -1) { |
7b1f1aaf |
continue; |
49df8ea7 |
} |
7b1f1aaf |
cli_dbgmsg("VBADir: Decompress VBA project '%s_%u'\n", vba_project->name[i], j);
data = (unsigned char *)cli_vba_inflate(fd, vba_project->offset[i], &data_len);
close(fd);
hasmacros++; |
288057e9 |
if (!data) { |
7b1f1aaf |
cli_dbgmsg("VBADir: WARNING: VBA project '%s_%u' decompressed to NULL\n", vba_project->name[i], j); |
288057e9 |
} else { |
7b1f1aaf |
/* cli_dbgmsg("Project content:\n%s", data); */
if (ctx->scanned)
*ctx->scanned += data_len / CL_COUNT_PRECISION; |
288057e9 |
if (ctx->engine->keeptmp) { |
7b1f1aaf |
char *tempfile;
int of;
|
288057e9 |
if ((ret = cli_gentempfd(ctx->engine->tmpdir, &tempfile, &of)) != CL_SUCCESS) { |
7b1f1aaf |
cli_warnmsg("VBADir: WARNING: VBA project '%s_%u' cannot be dumped to file\n", vba_project->name[i], j);
return ret;
} |
288057e9 |
if (cli_writen(of, data, data_len) != data_len) { |
7b1f1aaf |
cli_warnmsg("VBADir: WARNING: VBA project '%s_%u' failed to write to file\n", vba_project->name[i], j);
close(of);
free(tempfile);
return CL_EWRITE;
}
cli_dbgmsg("VBADir: VBA project '%s_%u' dumped to %s\n", vba_project->name[i], j, tempfile);
free(tempfile);
}
|
288057e9 |
if (vba_scandata(data, data_len, ctx) == CL_VIRUS) { |
048a88e6 |
if (SCAN_ALLMATCHES) |
7b1f1aaf |
viruses_found++; |
288057e9 |
else { |
7b1f1aaf |
free(data);
ret = CL_VIRUS;
break;
}
}
free(data);
}
}
}
|
49df8ea7 |
cli_free_vba_project(vba_project);
vba_project = NULL;
|
048a88e6 |
if (ret == CL_VIRUS && !SCAN_ALLMATCHES) |
7b1f1aaf |
break; |
49df8ea7 |
hashcnt--; |
7b1f1aaf |
}
|
49df8ea7 |
if (ret == CL_CLEAN || (ret == CL_VIRUS && SCAN_ALLMATCHES)) {
if (CL_SUCCESS != (ret = uniq_get(U, "powerpoint document", 19, &hash, &hashcnt))) {
cli_dbgmsg("VBADir: uniq_get('powerpoint document') failed with ret code (%d)!\n", ret);
return ret;
}
while (hashcnt) { |
7b1f1aaf |
snprintf(vbaname, 1024, "%s" PATHSEP "%s_%u", dirname, hash, hashcnt);
vbaname[sizeof(vbaname) - 1] = '\0'; |
288057e9 |
fd = open(vbaname, O_RDONLY | O_BINARY); |
49df8ea7 |
if (fd == -1) {
hashcnt--; |
7b1f1aaf |
continue; |
49df8ea7 |
} |
288057e9 |
if ((fullname = cli_ppt_vba_read(fd, ctx))) {
if (cli_scandir(fullname, ctx) == CL_VIRUS) { |
7b1f1aaf |
ret = CL_VIRUS;
viruses_found++;
}
if (!ctx->engine->keeptmp)
cli_rmdirs(fullname);
free(fullname);
}
close(fd); |
49df8ea7 |
hashcnt--; |
7b1f1aaf |
}
}
|
49df8ea7 |
if (ret == CL_CLEAN || (ret == CL_VIRUS && SCAN_ALLMATCHES)) {
if (CL_SUCCESS != (ret = uniq_get(U, "worddocument", 12, &hash, &hashcnt))) {
cli_dbgmsg("VBADir: uniq_get('worddocument') failed with ret code (%d)!\n", ret);
return ret;
}
while (hashcnt) { |
7b1f1aaf |
snprintf(vbaname, sizeof(vbaname), "%s" PATHSEP "%s_%u", dirname, hash, hashcnt);
vbaname[sizeof(vbaname) - 1] = '\0'; |
288057e9 |
fd = open(vbaname, O_RDONLY | O_BINARY); |
49df8ea7 |
if (fd == -1) {
hashcnt--; |
7b1f1aaf |
continue; |
49df8ea7 |
} |
7b1f1aaf |
|
288057e9 |
if (!(vba_project = (vba_project_t *)cli_wm_readdir(fd))) { |
7b1f1aaf |
close(fd); |
49df8ea7 |
hashcnt--; |
7b1f1aaf |
continue;
}
|
288057e9 |
for (i = 0; i < vba_project->count; i++) { |
7b1f1aaf |
cli_dbgmsg("VBADir: Decompress WM project macro:%d key:%d length:%d\n", i, vba_project->key[i], vba_project->length[i]);
data = (unsigned char *)cli_wm_decrypt_macro(fd, vba_project->offset[i], vba_project->length[i], vba_project->key[i]); |
288057e9 |
if (!data) { |
7b1f1aaf |
cli_dbgmsg("VBADir: WARNING: WM project '%s' macro %d decrypted to NULL\n", vba_project->name[i], i); |
288057e9 |
} else { |
7b1f1aaf |
cli_dbgmsg("Project content:\n%s", data);
if (ctx->scanned)
*ctx->scanned += vba_project->length[i] / CL_COUNT_PRECISION; |
288057e9 |
if (vba_scandata(data, vba_project->length[i], ctx) == CL_VIRUS) { |
048a88e6 |
if (SCAN_ALLMATCHES) |
7b1f1aaf |
viruses_found++; |
288057e9 |
else { |
7b1f1aaf |
free(data);
ret = CL_VIRUS;
break;
}
}
free(data);
}
}
close(fd); |
49df8ea7 |
cli_free_vba_project(vba_project);
vba_project = NULL;
|
288057e9 |
if (ret == CL_VIRUS) { |
048a88e6 |
if (SCAN_ALLMATCHES) |
7b1f1aaf |
viruses_found++;
else
break;
} |
49df8ea7 |
hashcnt--; |
7b1f1aaf |
}
}
|
048a88e6 |
if (ret != CL_CLEAN && !(ret == CL_VIRUS && SCAN_ALLMATCHES)) |
7b1f1aaf |
return ret; |
e3aaff8e |
|
35aa42f5 |
#if HAVE_JSON |
09dddc5b |
/* JSON Output Summary Information */ |
288057e9 |
if (SCAN_COLLECT_METADATA && (ctx->wrkproperty != NULL)) { |
49df8ea7 |
if (CL_SUCCESS != (ret = uniq_get(U, "_5_summaryinformation", 21, &hash, &hashcnt))) {
cli_dbgmsg("VBADir: uniq_get('_5_summaryinformation') failed with ret code (%d)!\n", ret);
return ret;
}
while (hashcnt) { |
7b1f1aaf |
snprintf(vbaname, sizeof(vbaname), "%s" PATHSEP "%s_%u", dirname, hash, hashcnt);
vbaname[sizeof(vbaname) - 1] = '\0';
fd = open(vbaname, O_RDONLY | O_BINARY); |
288057e9 |
if (fd >= 0) { |
35aa42f5 |
cli_dbgmsg("VBADir: detected a '_5_summaryinformation' stream\n"); |
a69adec1 |
/* JSONOLE2 - what to do if something breaks? */ |
35aa42f5 |
cli_ole2_summary_json(ctx, fd, 0);
close(fd);
} |
49df8ea7 |
hashcnt--; |
35aa42f5 |
} |
09dddc5b |
|
49df8ea7 |
if (CL_SUCCESS != (ret = uniq_get(U, "_5_documentsummaryinformation", 29, &hash, &hashcnt))) {
cli_dbgmsg("VBADir: uniq_get('_5_documentsummaryinformation') failed with ret code (%d)!\n", ret);
return ret;
}
while (hashcnt) { |
7b1f1aaf |
snprintf(vbaname, sizeof(vbaname), "%s" PATHSEP "%s_%u", dirname, hash, hashcnt);
vbaname[sizeof(vbaname) - 1] = '\0';
fd = open(vbaname, O_RDONLY | O_BINARY); |
288057e9 |
if (fd >= 0) { |
35aa42f5 |
cli_dbgmsg("VBADir: detected a '_5_documentsummaryinformation' stream\n"); |
a69adec1 |
/* JSONOLE2 - what to do if something breaks? */ |
35aa42f5 |
cli_ole2_summary_json(ctx, fd, 1);
close(fd);
} |
49df8ea7 |
hashcnt--; |
09dddc5b |
}
} |
7b1f1aaf |
#endif |
09dddc5b |
|
892d2f56 |
/* Check directory for embedded OLE objects */ |
49df8ea7 |
if (CL_SUCCESS != (ret = uniq_get(U, "_1_ole10native", 14, &hash, &hashcnt))) {
cli_dbgmsg("VBADir: uniq_get('_1_ole10native') failed with ret code (%d)!\n", ret);
return ret;
}
while (hashcnt) { |
7b1f1aaf |
snprintf(vbaname, sizeof(vbaname), "%s" PATHSEP "%s_%u", dirname, hash, hashcnt);
vbaname[sizeof(vbaname) - 1] = '\0';
fd = open(vbaname, O_RDONLY | O_BINARY); |
288057e9 |
if (fd >= 0) { |
7b1f1aaf |
ret = cli_scan_ole10(fd, ctx);
close(fd); |
048a88e6 |
if (ret != CL_CLEAN && !(ret == CL_VIRUS && SCAN_ALLMATCHES)) |
7b1f1aaf |
return ret;
} |
49df8ea7 |
hashcnt--; |
892d2f56 |
}
|
72ce4b70 |
/* ACAB: since we now hash filenames and handle collisions we
* could avoid recursion by removing the block below and by
* flattening the paths in ole2_walk_property_tree (case 1) */
|
288057e9 |
if ((dd = opendir(dirname)) != NULL) {
while ((dent = readdir(dd))) {
if (dent->d_ino) {
if (strcmp(dent->d_name, ".") && strcmp(dent->d_name, "..")) { |
7b1f1aaf |
/* build the full name */
fullname = cli_malloc(strlen(dirname) + strlen(dent->d_name) + 2); |
288057e9 |
if (!fullname) { |
7b1f1aaf |
cli_dbgmsg("cli_vba_scandir: Unable to allocate memory for fullname\n");
ret = CL_EMEM;
break;
}
sprintf(fullname, "%s" PATHSEP "%s", dirname, dent->d_name);
/* stat the file */ |
288057e9 |
if (LSTAT(fullname, &statbuf) != -1) { |
7b1f1aaf |
if (S_ISDIR(statbuf.st_mode) && !S_ISLNK(statbuf.st_mode)) |
288057e9 |
if (cli_vba_scandir(fullname, ctx, U) == CL_VIRUS) { |
048a88e6 |
if (SCAN_ALLMATCHES) |
7b1f1aaf |
viruses_found++; |
288057e9 |
else { |
7b1f1aaf |
ret = CL_VIRUS;
free(fullname);
break;
}
}
}
free(fullname);
}
}
} |
288057e9 |
} else { |
7b1f1aaf |
cli_dbgmsg("VBADir: Can't open directory %s.\n", dirname);
return CL_EOPEN; |
e3aaff8e |
}
closedir(dd); |
a41009bc |
#if HAVE_JSON |
048a88e6 |
if (hasmacros && SCAN_COLLECT_METADATA && (ctx->wrkproperty != NULL)) |
f5ea03f9 |
cli_jsonbool(ctx->wrkproperty, "HasMacros", 1); |
a41009bc |
#endif |
288057e9 |
if (SCAN_HEURISTIC_MACROS && hasmacros) { |
7b1f1aaf |
ret = cli_append_virus(ctx, "Heuristics.OLE2.ContainsMacros");
if (ret == CL_VIRUS) |
cbf5017a |
viruses_found++; |
6bee45b3 |
} |
048a88e6 |
if (SCAN_ALLMATCHES && viruses_found) |
7b1f1aaf |
return CL_VIRUS; |
467f8b1e |
return ret;
}
|
084d19aa |
static int cli_scanhtml(cli_ctx *ctx) |
a92110df |
{ |
b2726a53 |
char *tempname, fullname[1024]; |
288057e9 |
int ret = CL_CLEAN, fd;
fmap_t *map = *ctx->fmap; |
b2726a53 |
unsigned int viruses_found = 0; |
288057e9 |
uint64_t curr_len = map->len; |
a92110df |
cli_dbgmsg("in cli_scanhtml()\n");
|
b2726a53 |
/* CL_ENGINE_MAX_HTMLNORMALIZE */ |
288057e9 |
if (curr_len > ctx->engine->maxhtmlnormalize) { |
7b1f1aaf |
cli_dbgmsg("cli_scanhtml: exiting (file larger than MaxHTMLNormalize)\n");
return CL_CLEAN; |
572a986c |
}
|
7b1f1aaf |
if (!(tempname = cli_gentemp(ctx->engine->tmpdir)))
return CL_EMEM; |
5fc380f1 |
|
288057e9 |
if (mkdir(tempname, 0700)) { |
572a986c |
cli_errmsg("cli_scanhtml: Can't create temporary directory %s\n", tempname); |
7b1f1aaf |
free(tempname); |
a92110df |
return CL_ETMPDIR;
}
|
5f2fa151 |
cli_dbgmsg("cli_scanhtml: using tempdir %s\n", tempname);
|
084d19aa |
html_normalise_map(map, tempname, NULL, ctx->dconf); |
7b1f1aaf |
snprintf(fullname, 1024, "%s" PATHSEP "nocomment.html", tempname);
fd = open(fullname, O_RDONLY | O_BINARY); |
288057e9 |
if (fd >= 0) { |
7b1f1aaf |
if ((ret = cli_scandesc(fd, ctx, CL_TYPE_HTML, 0, NULL, AC_SCAN_VIR, NULL)) == CL_VIRUS)
viruses_found++;
close(fd); |
a92110df |
}
|
288057e9 |
if (ret == CL_CLEAN || (ret == CL_VIRUS && SCAN_ALLMATCHES)) { |
b2726a53 |
/* CL_ENGINE_MAX_HTMLNOTAGS */
curr_len = map->len; |
288057e9 |
if (curr_len > ctx->engine->maxhtmlnotags) { |
7b1f1aaf |
/* we're not interested in scanning large files in notags form */ |
b2726a53 |
/* TODO: don't even create notags if file is over limit */
cli_dbgmsg("cli_scanhtml: skipping notags (normalized size over MaxHTMLNoTags)\n"); |
288057e9 |
} else { |
7b1f1aaf |
snprintf(fullname, 1024, "%s" PATHSEP "notags.html", tempname);
fd = open(fullname, O_RDONLY | O_BINARY); |
288057e9 |
if (fd >= 0) { |
7b1f1aaf |
if ((ret = cli_scandesc(fd, ctx, CL_TYPE_HTML, 0, NULL, AC_SCAN_VIR, NULL)) == CL_VIRUS) |
b2726a53 |
viruses_found++;
close(fd);
}
} |
a92110df |
}
|
288057e9 |
if (ret == CL_CLEAN || (ret == CL_VIRUS && SCAN_ALLMATCHES)) { |
7b1f1aaf |
snprintf(fullname, 1024, "%s" PATHSEP "javascript", tempname);
fd = open(fullname, O_RDONLY | O_BINARY); |
288057e9 |
if (fd >= 0) { |
7b1f1aaf |
if ((ret = cli_scandesc(fd, ctx, CL_TYPE_HTML, 0, NULL, AC_SCAN_VIR, NULL)) == CL_VIRUS)
viruses_found++; |
288057e9 |
if (ret == CL_CLEAN || (ret == CL_VIRUS && SCAN_ALLMATCHES)) { |
7b1f1aaf |
if ((ret = cli_scandesc(fd, ctx, CL_TYPE_TEXT_ASCII, 0, NULL, AC_SCAN_VIR, NULL)) == CL_VIRUS)
viruses_found++;
}
close(fd);
} |
8be1d5a4 |
}
|
288057e9 |
if (ret == CL_CLEAN || (ret == CL_VIRUS && SCAN_ALLMATCHES)) { |
7b1f1aaf |
snprintf(fullname, 1024, "%s" PATHSEP "rfc2397", tempname);
ret = cli_scandir(fullname, ctx); |
a92110df |
}
|
7b1f1aaf |
if (!ctx->engine->keeptmp) |
a92110df |
cli_rmdirs(tempname);
free(tempname); |
048a88e6 |
if (SCAN_ALLMATCHES && viruses_found) |
7b1f1aaf |
return CL_VIRUS; |
a92110df |
return ret;
}
|
ee1b2a6c |
static int cli_scanscript(cli_ctx *ctx) |
015ce4a8 |
{ |
7b1f1aaf |
const unsigned char *buff; |
8650c790 |
unsigned char *normalized = NULL; |
7b1f1aaf |
struct text_norm_state state;
char *tmpname = NULL; |
288057e9 |
int ofd = -1, ret; |
7b1f1aaf |
struct cli_matcher *troot;
uint32_t maxpatlen, offset = 0;
struct cli_matcher *groot;
struct cli_ac_data gmdata, tmdata; |
8650c790 |
int gmdata_initialized = 0;
int tmdata_initialized = 0; |
7b1f1aaf |
struct cli_ac_data *mdata[2];
fmap_t *map; |
288057e9 |
size_t at = 0; |
7b1f1aaf |
unsigned int viruses_found = 0;
uint64_t curr_len;
struct cli_target_info info; |
c4934f41 |
|
7b1f1aaf |
if (!ctx || !ctx->engine->root)
return CL_ENULLARG;
|
288057e9 |
map = *ctx->fmap;
curr_len = map->len;
groot = ctx->engine->root[0];
troot = ctx->engine->root[7]; |
7b1f1aaf |
maxpatlen = troot ? troot->maxpatlen : 0;
|
afe940da |
// Initialize info so it's safe to pass to destroy later
cli_targetinfo_init(&info);
|
7b1f1aaf |
cli_dbgmsg("in cli_scanscript()\n");
/* CL_ENGINE_MAX_SCRIPTNORMALIZE */ |
288057e9 |
if (curr_len > ctx->engine->maxscriptnormalize) { |
7b1f1aaf |
cli_dbgmsg("cli_scanscript: exiting (file larger than MaxScriptSize)\n"); |
8650c790 |
ret = CL_CLEAN;
goto done; |
7b1f1aaf |
}
|
288057e9 |
if (!(normalized = cli_malloc(SCANBUFF + maxpatlen))) { |
7b1f1aaf |
cli_dbgmsg("cli_scanscript: Unable to malloc %u bytes\n", SCANBUFF); |
8650c790 |
ret = CL_EMEM;
goto done; |
7b1f1aaf |
}
text_normalize_init(&state, normalized, SCANBUFF + maxpatlen);
|
288057e9 |
if ((ret = cli_ac_initdata(&tmdata, troot ? troot->ac_partsigs : 0, troot ? troot->ac_lsigs : 0, troot ? troot->ac_reloff_num : 0, CLI_DEFAULT_AC_TRACKLEN))) { |
8650c790 |
goto done; |
7b1f1aaf |
} |
8650c790 |
tmdata_initialized = 1; |
7b1f1aaf |
|
288057e9 |
if ((ret = cli_ac_initdata(&gmdata, groot->ac_partsigs, groot->ac_lsigs, groot->ac_reloff_num, CLI_DEFAULT_AC_TRACKLEN))) { |
8650c790 |
goto done; |
7b1f1aaf |
} |
8650c790 |
gmdata_initialized = 1; |
7b1f1aaf |
/* dump to disk only if explicitly asked to
* or if necessary to check relative offsets,
* otherwise we can process just in-memory */ |
288057e9 |
if (ctx->engine->keeptmp || (troot && (troot->ac_reloff_num > 0 || troot->linked_bcs))) {
if ((ret = cli_gentempfd(ctx->engine->tmpdir, &tmpname, &ofd))) { |
7b1f1aaf |
cli_dbgmsg("cli_scanscript: Can't generate temporary file/descriptor\n");
goto done;
}
if (ctx->engine->keeptmp)
cli_dbgmsg("cli_scanscript: saving normalized file to %s\n", tmpname);
}
mdata[0] = &tmdata;
mdata[1] = &gmdata;
/* If there's a relative offset in troot or triggered bytecodes, normalize to file.*/ |
288057e9 |
if (troot && (troot->ac_reloff_num > 0 || troot->linked_bcs)) { |
7b1f1aaf |
size_t map_off = 0; |
288057e9 |
while (map_off < map->len) { |
7b1f1aaf |
size_t written;
if (!(written = text_normalize_map(&state, map, map_off)))
break;
map_off += written;
|
288057e9 |
if (write(ofd, state.out, state.out_pos) == -1) { |
7b1f1aaf |
cli_errmsg("cli_scanscript: can't write to file %s\n", tmpname);
ret = CL_EWRITE; |
f5bc94cf |
goto done;
} |
7b1f1aaf |
text_normalize_reset(&state); |
f5bc94cf |
}
|
7b1f1aaf |
/* Temporarily store the normalized file map in the context. */
*ctx->fmap = fmap(ofd, 0, 0); |
288057e9 |
if (!(*ctx->fmap)) { |
7b1f1aaf |
cli_dbgmsg("cli_scanscript: could not map file %s\n", tmpname); |
288057e9 |
} else { |
7b1f1aaf |
/* scan map */
ret = cli_fmap_scandesc(ctx, CL_TYPE_TEXT_ASCII, 0, NULL, AC_SCAN_VIR, NULL, NULL); |
288057e9 |
if (ret == CL_VIRUS) { |
7b1f1aaf |
viruses_found++;
}
funmap(*ctx->fmap);
}
*ctx->fmap = map; |
288057e9 |
} else { |
7b1f1aaf |
/* Since the above is moderately costly all in all,
* do the old stuff if there's no relative offsets. */
|
288057e9 |
if (troot) { |
7b1f1aaf |
cli_targetinfo(&info, 7, map);
ret = cli_ac_caloff(troot, &tmdata, &info);
if (ret)
goto done;
} |
dabc8c31 |
|
288057e9 |
while (1) { |
7b1f1aaf |
size_t len = MIN(map->pgsz, map->len - at); |
288057e9 |
buff = fmap_need_off_once(map, at, len); |
7b1f1aaf |
at += len; |
288057e9 |
if (!buff || !len || state.out_pos + len > state.out_len) { |
7b1f1aaf |
/* flush if error/EOF, or too little buffer space left */ |
288057e9 |
if ((ofd != -1) && (write(ofd, state.out, state.out_pos) == -1)) { |
7b1f1aaf |
cli_errmsg("cli_scanscript: can't write to file %s\n", tmpname);
close(ofd);
ofd = -1;
/* we can continue to scan in memory */
}
/* when we flush the buffer also scan */ |
288057e9 |
if (cli_scanbuff(state.out, state.out_pos, offset, ctx, CL_TYPE_TEXT_ASCII, mdata) == CL_VIRUS) { |
048a88e6 |
if (SCAN_ALLMATCHES) |
7b1f1aaf |
viruses_found++; |
288057e9 |
else { |
7b1f1aaf |
ret = CL_VIRUS;
break;
}
}
if (ctx->scanned)
*ctx->scanned += state.out_pos / CL_COUNT_PRECISION;
offset += state.out_pos;
/* carry over maxpatlen from previous buffer */
if (state.out_pos > maxpatlen)
memmove(state.out, state.out + state.out_pos - maxpatlen, maxpatlen);
text_normalize_reset(&state);
state.out_pos = maxpatlen;
}
if (!len)
break; |
288057e9 |
if (!buff || text_normalize_buffer(&state, buff, len) != len) { |
7b1f1aaf |
cli_dbgmsg("cli_scanscript: short read during normalizing\n");
}
}
}
|
288057e9 |
if (ret != CL_VIRUS || SCAN_ALLMATCHES) { |
7b1f1aaf |
if ((ret = cli_exp_eval(ctx, troot, &tmdata, NULL, NULL)) == CL_VIRUS)
viruses_found++; |
048a88e6 |
if (ret != CL_VIRUS || SCAN_ALLMATCHES) |
7b1f1aaf |
if ((ret = cli_exp_eval(ctx, groot, &gmdata, NULL, NULL)) == CL_VIRUS)
viruses_found++;
}
done: |
afe940da |
cli_targetinfo_destroy(&info); |
8650c790 |
if (NULL != normalized) {
free(normalized);
}
if (tmdata_initialized) {
cli_ac_freedata(&tmdata);
}
if (gmdata_initialized) {
cli_ac_freedata(&gmdata);
} |
7b1f1aaf |
if (ofd != -1)
close(ofd); |
288057e9 |
if (tmpname != NULL) { |
7b1f1aaf |
if (!ctx->engine->keeptmp)
cli_unlink(tmpname);
free(tmpname);
}
if (viruses_found)
return CL_VIRUS;
return ret; |
015ce4a8 |
}
|
084d19aa |
static int cli_scanhtml_utf16(cli_ctx *ctx) |
bd988961 |
{ |
7b1f1aaf |
char *tempname, *decoded;
const char *buff; |
288057e9 |
int ret = CL_CLEAN, fd, bytes;
size_t at = 0; |
7b1f1aaf |
fmap_t *map = *ctx->fmap; |
bd988961 |
cli_dbgmsg("in cli_scanhtml_utf16()\n");
|
7b1f1aaf |
if (!(tempname = cli_gentemp(ctx->engine->tmpdir)))
return CL_EMEM; |
5fc380f1 |
|
288057e9 |
if ((fd = open(tempname, O_RDWR | O_CREAT | O_TRUNC | O_BINARY, S_IRWXU)) < 0) { |
7b1f1aaf |
cli_errmsg("cli_scanhtml_utf16: Can't create file %s\n", tempname);
free(tempname);
return CL_EOPEN; |
bd988961 |
}
|
5f2fa151 |
cli_dbgmsg("cli_scanhtml_utf16: using tempfile %s\n", tempname);
|
288057e9 |
while (at < map->len) { |
7b1f1aaf |
bytes = MIN(map->len - at, map->pgsz * 16); |
288057e9 |
if (!(buff = fmap_need_off_once(map, at, bytes))) { |
7b1f1aaf |
close(fd);
cli_unlink(tempname);
free(tempname);
return CL_EREAD;
}
at += bytes;
decoded = cli_utf16toascii(buff, bytes); |
288057e9 |
if (decoded) {
if (write(fd, decoded, bytes / 2) == -1) { |
7b1f1aaf |
cli_errmsg("cli_scanhtml_utf16: Can't write to file %s\n", tempname);
free(decoded);
close(fd);
cli_unlink(tempname);
free(tempname);
return CL_EWRITE;
}
free(decoded);
} |
bd988961 |
}
|
084d19aa |
*ctx->fmap = fmap(fd, 0, 0); |
288057e9 |
if (*ctx->fmap) { |
7b1f1aaf |
ret = cli_scanhtml(ctx);
funmap(*ctx->fmap); |
288057e9 |
} else |
7b1f1aaf |
cli_errmsg("cli_scanhtml_utf16: fmap of %s failed\n", tempname); |
084d19aa |
*ctx->fmap = map; |
bd988961 |
close(fd);
|
288057e9 |
if (!ctx->engine->keeptmp) { |
7b1f1aaf |
if (cli_unlink(tempname))
ret = CL_EUNLINK; |
288057e9 |
} else |
7b1f1aaf |
cli_dbgmsg("cli_scanhtml_utf16: Decoded HTML data saved in %s\n", tempname); |
bd988961 |
free(tempname);
return ret;
}
|
034c02fd |
static int cli_scanole2(cli_ctx *ctx) |
467f8b1e |
{ |
7b1f1aaf |
char *dir; |
288057e9 |
int ret = CL_CLEAN; |
7b1f1aaf |
struct uniq *vba = NULL; |
2b259453 |
|
467f8b1e |
cli_dbgmsg("in cli_scanole2()\n");
|
7b1f1aaf |
if (ctx->engine->maxreclevel && ctx->recursion >= ctx->engine->maxreclevel) |
bbd6ca3f |
return CL_EMAXREC;
|
467f8b1e |
/* generate the temporary directory */ |
7b1f1aaf |
if (!(dir = cli_gentemp(ctx->engine->tmpdir)))
return CL_EMEM; |
5fc380f1 |
|
288057e9 |
if (mkdir(dir, 0700)) { |
7b1f1aaf |
cli_dbgmsg("OLE2: Can't create temporary directory %s\n", dir);
free(dir);
return CL_ETMPDIR; |
467f8b1e |
}
|
034c02fd |
ret = cli_ole2_extract(dir, ctx, &vba); |
288057e9 |
if (ret != CL_CLEAN && ret != CL_VIRUS) { |
7b1f1aaf |
cli_dbgmsg("OLE2: %s\n", cl_strerror(ret));
if (!ctx->engine->keeptmp)
cli_rmdirs(dir);
free(dir);
return ret; |
467f8b1e |
}
|
288057e9 |
if (vba) { |
72ce4b70 |
ctx->recursion++; |
bbd6ca3f |
|
7b1f1aaf |
ret = cli_vba_scandir(dir, ctx, vba);
uniq_free(vba);
if (ret != CL_VIRUS)
if (cli_scandir(dir, ctx) == CL_VIRUS)
ret = CL_VIRUS;
ctx->recursion--; |
467f8b1e |
}
|
7b1f1aaf |
if (!ctx->engine->keeptmp)
cli_rmdirs(dir); |
467f8b1e |
free(dir);
return ret; |
e3aaff8e |
}
|
a91f6d95 |
static int cli_scantar(cli_ctx *ctx, unsigned int posix) |
2b259453 |
{ |
7b1f1aaf |
char *dir;
int ret = CL_CLEAN; |
2b259453 |
cli_dbgmsg("in cli_scantar()\n");
/* generate temporary directory */ |
7b1f1aaf |
if (!(dir = cli_gentemp(ctx->engine->tmpdir)))
return CL_EMEM; |
5fc380f1 |
|
288057e9 |
if (mkdir(dir, 0700)) { |
7b1f1aaf |
cli_errmsg("Tar: Can't create temporary directory %s\n", dir);
free(dir);
return CL_ETMPDIR; |
2b259453 |
}
|
a91f6d95 |
ret = cli_untar(dir, posix, ctx); |
2b259453 |
|
7b1f1aaf |
if (!ctx->engine->keeptmp)
cli_rmdirs(dir); |
2b259453 |
free(dir);
return ret;
}
|
32f7e1d7 |
static int cli_scanscrenc(cli_ctx *ctx) |
e57fa318 |
{ |
7b1f1aaf |
char *tempname;
int ret = CL_CLEAN; |
e57fa318 |
cli_dbgmsg("in cli_scanscrenc()\n");
|
7b1f1aaf |
if (!(tempname = cli_gentemp(ctx->engine->tmpdir)))
return CL_EMEM; |
5fc380f1 |
|
288057e9 |
if (mkdir(tempname, 0700)) { |
7b1f1aaf |
cli_dbgmsg("CHM: Can't create temporary directory %s\n", tempname);
free(tempname);
return CL_ETMPDIR; |
e57fa318 |
}
|
32f7e1d7 |
if (html_screnc_decode(*ctx->fmap, tempname)) |
7b1f1aaf |
ret = cli_scandir(tempname, ctx); |
e57fa318 |
|
7b1f1aaf |
if (!ctx->engine->keeptmp)
cli_rmdirs(tempname); |
e57fa318 |
free(tempname);
return ret;
} |
015e31e1 |
|
bad8bbc7 |
static int cli_scanriff(cli_ctx *ctx) |
eb308794 |
{ |
cbf5017a |
int ret = CL_CLEAN; |
eb308794 |
|
cbf5017a |
if (cli_check_riff_exploit(ctx) == 2) |
7b1f1aaf |
ret = cli_append_virus(ctx, "Heuristics.Exploit.W32.MS05-002"); |
eb308794 |
return ret;
}
|
32d37729 |
static int cli_scanjpeg(cli_ctx *ctx) |
7afdc309 |
{ |
cbf5017a |
int ret = CL_CLEAN; |
7afdc309 |
|
7b1f1aaf |
if (cli_check_jpeg_exploit(ctx, 0) == 1) |
cbf5017a |
ret = cli_append_virus(ctx, "Heuristics.Exploit.W32.MS04-028"); |
7afdc309 |
return ret;
}
|
0c9b8840 |
static int cli_scancryptff(cli_ctx *ctx) |
2c6f9d57 |
{ |
7b1f1aaf |
int ret = CL_CLEAN, ndesc;
unsigned int i;
const unsigned char *src;
unsigned char *dest = NULL;
char *tempfile;
size_t pos;
size_t bread; |
2c6f9d57 |
/* Skip the CryptFF file header */ |
0c9b8840 |
pos = 0x10; |
2c6f9d57 |
|
288057e9 |
if ((dest = (unsigned char *)cli_malloc(FILEBUFF)) == NULL) { |
7b1f1aaf |
cli_dbgmsg("CryptFF: Can't allocate memory\n"); |
2c6f9d57 |
return CL_EMEM;
}
|
288057e9 |
if (!(tempfile = cli_gentemp(ctx->engine->tmpdir))) { |
7b1f1aaf |
free(dest);
return CL_EMEM; |
5fc380f1 |
}
|
288057e9 |
if ((ndesc = open(tempfile, O_RDWR | O_CREAT | O_TRUNC | O_BINARY, S_IRWXU)) < 0) { |
7b1f1aaf |
cli_errmsg("CryptFF: Can't create file %s\n", tempfile);
free(dest);
free(tempfile);
return CL_ECREAT; |
2c6f9d57 |
}
|
288057e9 |
for (; (src = fmap_need_off_once_len(*ctx->fmap, pos, FILEBUFF, &bread)) && bread; pos += bread) { |
7b1f1aaf |
for (i = 0; i < bread; i++)
dest[i] = src[i] ^ (unsigned char)0xff; |
6c03dc5d |
if (cli_writen(ndesc, dest, bread) == (size_t)-1) { |
7b1f1aaf |
cli_dbgmsg("CryptFF: Can't write to descriptor %d\n", ndesc);
free(dest);
close(ndesc);
free(tempfile);
return CL_EWRITE;
} |
2c6f9d57 |
}
free(dest);
cli_dbgmsg("CryptFF: Scanning decrypted data\n");
|
01eebc13 |
if ((ret = cli_magic_scandesc(ndesc, tempfile, ctx)) == CL_VIRUS) |
7b1f1aaf |
cli_dbgmsg("CryptFF: Infected with %s\n", cli_get_last_virus(ctx)); |
2c6f9d57 |
close(ndesc);
|
7b1f1aaf |
if (ctx->engine->keeptmp)
cli_dbgmsg("CryptFF: Decompressed data saved in %s\n", tempfile);
else if (cli_unlink(tempfile))
ret = CL_EUNLINK; |
2c6f9d57 |
free(tempfile);
return ret;
}
|
2d5dbc37 |
static int cli_scanpdf(cli_ctx *ctx, off_t offset) |
798308de |
{ |
7b1f1aaf |
int ret;
char *dir = cli_gentemp(ctx->engine->tmpdir); |
798308de |
|
7b1f1aaf |
if (!dir)
return CL_EMEM; |
798308de |
|
288057e9 |
if (mkdir(dir, 0700)) { |
7b1f1aaf |
cli_dbgmsg("Can't create temporary directory for PDF file %s\n", dir);
free(dir);
return CL_ETMPDIR; |
798308de |
}
|
2d5dbc37 |
ret = cli_pdf(dir, ctx, offset); |
798308de |
|
7b1f1aaf |
if (!ctx->engine->keeptmp)
cli_rmdirs(dir); |
798308de |
free(dir);
return ret;
}
|
3d8c1fc7 |
static int cli_scantnef(cli_ctx *ctx) |
f0bc32bd |
{ |
7b1f1aaf |
int ret;
char *dir = cli_gentemp(ctx->engine->tmpdir); |
f0bc32bd |
|
7b1f1aaf |
if (!dir)
return CL_EMEM; |
f0bc32bd |
|
288057e9 |
if (mkdir(dir, 0700)) { |
7b1f1aaf |
cli_dbgmsg("Can't create temporary directory for tnef file %s\n", dir);
free(dir);
return CL_ETMPDIR; |
f0bc32bd |
}
|
3d8c1fc7 |
ret = cli_tnef(dir, ctx); |
f0bc32bd |
|
7b1f1aaf |
if (ret == CL_CLEAN)
ret = cli_scandir(dir, ctx); |
f0bc32bd |
|
7b1f1aaf |
if (!ctx->engine->keeptmp)
cli_rmdirs(dir); |
f0bc32bd |
free(dir);
return ret;
}
|
ee1b2a6c |
static int cli_scanuuencoded(cli_ctx *ctx) |
3953039b |
{ |
7b1f1aaf |
int ret;
char *dir = cli_gentemp(ctx->engine->tmpdir); |
3953039b |
|
7b1f1aaf |
if (!dir)
return CL_EMEM; |
5fc380f1 |
|
288057e9 |
if (mkdir(dir, 0700)) { |
7b1f1aaf |
cli_dbgmsg("Can't create temporary directory for uuencoded file %s\n", dir);
free(dir);
return CL_ETMPDIR; |
3953039b |
}
|
ee1b2a6c |
ret = cli_uuencode(dir, *ctx->fmap); |
3953039b |
|
7b1f1aaf |
if (ret == CL_CLEAN)
ret = cli_scandir(dir, ctx); |
3953039b |
|
7b1f1aaf |
if (!ctx->engine->keeptmp)
cli_rmdirs(dir); |
3953039b |
free(dir);
return ret;
}
|
2df29bde |
static int cli_scanmail(cli_ctx *ctx) |
e3aaff8e |
{ |
7b1f1aaf |
char *dir;
int ret;
unsigned int viruses_found = 0; |
e3aaff8e |
|
d91ab809 |
cli_dbgmsg("Starting cli_scanmail(), recursion = %u\n", ctx->recursion); |
e3aaff8e |
|
0c7019c5 |
/* generate the temporary directory */ |
7b1f1aaf |
if (!(dir = cli_gentemp(ctx->engine->tmpdir)))
return CL_EMEM; |
5fc380f1 |
|
288057e9 |
if (mkdir(dir, 0700)) { |
7b1f1aaf |
cli_dbgmsg("Mail: Can't create temporary directory %s\n", dir);
free(dir);
return CL_ETMPDIR; |
0c7019c5 |
} |
e3aaff8e |
|
0c7019c5 |
/*
* Extract the attachments into the temporary directory
*/ |
288057e9 |
if ((ret = cli_mbox(dir, ctx))) { |
048a88e6 |
if (ret == CL_VIRUS && SCAN_ALLMATCHES) |
7b1f1aaf |
viruses_found++; |
288057e9 |
else { |
7b1f1aaf |
if (!ctx->engine->keeptmp)
cli_rmdirs(dir);
free(dir);
return ret;
} |
0c7019c5 |
}
|
cb680655 |
ret = cli_scandir(dir, ctx); |
0c7019c5 |
|
7b1f1aaf |
if (!ctx->engine->keeptmp)
cli_rmdirs(dir); |
0c7019c5 |
free(dir); |
7a307529 |
if (viruses_found) |
7b1f1aaf |
return CL_VIRUS; |
0c7019c5 |
return ret; |
e3aaff8e |
}
|
1b4b5675 |
static int cli_scan_structured(cli_ctx *ctx) |
a6e38800 |
{ |
7b1f1aaf |
char buf[8192]; |
6c03dc5d |
size_t result = 0; |
288057e9 |
unsigned int cc_count = 0; |
7b1f1aaf |
unsigned int ssn_count = 0; |
288057e9 |
int done = 0; |
7b1f1aaf |
fmap_t *map;
size_t pos = 0; |
6c03dc5d |
int (*ccfunc)(const unsigned char *buffer, size_t length);
int (*ssnfunc)(const unsigned char *buffer, size_t length); |
7b1f1aaf |
unsigned int viruses_found = 0;
if (ctx == NULL)
return CL_ENULLARG; |
a6e38800 |
|
e664809d |
map = *ctx->fmap; |
b0d2122c |
|
7b1f1aaf |
if (ctx->engine->min_cc_count == 1)
ccfunc = dlp_has_cc; |
a6e38800 |
else |
7b1f1aaf |
ccfunc = dlp_get_cc_count; |
a6e38800 |
|
288057e9 |
switch (SCAN_HEURISTIC_STRUCTURED_SSN_NORMAL | SCAN_HEURISTIC_STRUCTURED_SSN_STRIPPED) {
case (CL_SCAN_HEURISTIC_STRUCTURED_SSN_NORMAL | CL_SCAN_HEURISTIC_STRUCTURED_SSN_STRIPPED):
if (ctx->engine->min_ssn_count == 1)
ssnfunc = dlp_has_ssn;
else
ssnfunc = dlp_get_ssn_count;
break; |
a6e38800 |
|
288057e9 |
case CL_SCAN_HEURISTIC_STRUCTURED_SSN_NORMAL:
if (ctx->engine->min_ssn_count == 1)
ssnfunc = dlp_has_normal_ssn;
else
ssnfunc = dlp_get_normal_ssn_count;
break; |
a6e38800 |
|
288057e9 |
case CL_SCAN_HEURISTIC_STRUCTURED_SSN_STRIPPED:
if (ctx->engine->min_ssn_count == 1)
ssnfunc = dlp_has_stripped_ssn;
else
ssnfunc = dlp_get_stripped_ssn_count;
break; |
26fbf6bd |
|
288057e9 |
default:
ssnfunc = NULL; |
a6e38800 |
}
|
6c03dc5d |
while (!done && ((result = fmap_readn(map, buf, pos, 8191)) > 0) && (result != (size_t)-1)) { |
7b1f1aaf |
pos += result; |
6c03dc5d |
if ((cc_count += ccfunc((const unsigned char *)buf, (int)result)) >= ctx->engine->min_cc_count) { |
7b1f1aaf |
done = 1;
} |
26fbf6bd |
|
288057e9 |
if (ssnfunc && ((ssn_count += ssnfunc((const unsigned char *)buf, result)) >= ctx->engine->min_ssn_count)) { |
7b1f1aaf |
done = 1;
} |
a6e38800 |
}
|
288057e9 |
if (cc_count != 0 && cc_count >= ctx->engine->min_cc_count) { |
7b1f1aaf |
cli_dbgmsg("cli_scan_structured: %u credit card numbers detected\n", cc_count); |
288057e9 |
if (CL_VIRUS == cli_append_virus(ctx, "Heuristics.Structured.CreditCardNumber")) {
if (SCAN_ALLMATCHES) { |
cbf5017a |
viruses_found++; |
288057e9 |
} else { |
cbf5017a |
return CL_VIRUS; |
7b1f1aaf |
}
} |
a6e38800 |
}
|
288057e9 |
if (ssn_count != 0 && ssn_count >= ctx->engine->min_ssn_count) { |
7b1f1aaf |
cli_dbgmsg("cli_scan_structured: %u social security numbers detected\n", ssn_count); |
288057e9 |
if (CL_VIRUS == cli_append_virus(ctx, "Heuristics.Structured.SSN")) {
if (SCAN_ALLMATCHES) { |
cbf5017a |
viruses_found++; |
288057e9 |
} else { |
cbf5017a |
return CL_VIRUS; |
7b1f1aaf |
}
} |
a6e38800 |
}
|
7a307529 |
if (viruses_found) |
7b1f1aaf |
return CL_VIRUS; |
a6e38800 |
return CL_CLEAN;
}
|
6c03dc5d |
static cl_error_t cli_scanembpe(cli_ctx *ctx, off_t offset) |
ee99255a |
{ |
6c03dc5d |
cl_error_t ret = CL_CLEAN;
int fd;
size_t bytes;
size_t size = 0;
size_t todo; |
7b1f1aaf |
const char *buff;
char *tmpname;
fmap_t *map = *ctx->fmap;
unsigned int corrupted_input; |
ee99255a |
|
33068e09 |
tmpname = cli_gentemp(ctx->engine->tmpdir); |
7b1f1aaf |
if (!tmpname)
return CL_EMEM; |
ee99255a |
|
288057e9 |
if ((fd = open(tmpname, O_RDWR | O_CREAT | O_TRUNC | O_BINARY, S_IRWXU)) < 0) { |
7b1f1aaf |
cli_errmsg("cli_scanembpe: Can't create file %s\n", tmpname);
free(tmpname);
return CL_ECREAT; |
ee99255a |
}
|
822160b5 |
todo = map->len - offset; |
288057e9 |
while (1) { |
7b1f1aaf |
bytes = MIN(todo, map->pgsz);
if (!bytes)
break;
|
288057e9 |
if (!(buff = fmap_need_off_once(map, offset + size, bytes))) { |
7b1f1aaf |
close(fd); |
288057e9 |
if (!ctx->engine->keeptmp) {
if (cli_unlink(tmpname)) { |
7b1f1aaf |
free(tmpname);
return CL_EUNLINK;
}
}
free(tmpname);
return CL_EREAD;
}
size += bytes;
todo -= bytes;
if (cli_checklimits("cli_scanembpe", ctx, size, 0, 0) != CL_CLEAN)
break;
|
288057e9 |
if (cli_writen(fd, buff, bytes) != bytes) { |
7b1f1aaf |
cli_dbgmsg("cli_scanembpe: Can't write to temporary file\n");
close(fd); |
288057e9 |
if (!ctx->engine->keeptmp) {
if (cli_unlink(tmpname)) { |
7b1f1aaf |
free(tmpname);
return CL_EUNLINK;
}
}
free(tmpname);
return CL_EWRITE;
} |
ee99255a |
}
|
f0f7f92f |
ctx->recursion++; |
288057e9 |
corrupted_input = ctx->corrupted_input; |
cfe6b4a2 |
ctx->corrupted_input = 1; |
288057e9 |
ret = cli_magic_scandesc(fd, tmpname, ctx); |
cfe6b4a2 |
ctx->corrupted_input = corrupted_input; |
288057e9 |
if (ret == CL_VIRUS) { |
7b1f1aaf |
cli_dbgmsg("cli_scanembpe: Infected with %s\n", cli_get_last_virus(ctx));
close(fd); |
288057e9 |
if (!ctx->engine->keeptmp) {
if (cli_unlink(tmpname)) { |
7b1f1aaf |
free(tmpname);
return CL_EUNLINK;
}
}
free(tmpname);
return CL_VIRUS; |
ee99255a |
} |
f0f7f92f |
ctx->recursion--; |
ee99255a |
close(fd); |
288057e9 |
if (!ctx->engine->keeptmp) {
if (cli_unlink(tmpname)) { |
7b1f1aaf |
free(tmpname);
return CL_EUNLINK;
} |
997a0e0b |
} |
ee99255a |
free(tmpname);
/* intentionally ignore possible errors from cli_magic_scandesc */
return CL_CLEAN;
}
|
b437b4ea |
#if defined(_WIN32) || defined(C_LINUX) || defined(C_DARWIN) |
63feb6cd |
#define PERF_MEASURE
#endif
#ifdef PERF_MEASURE
|
7b1f1aaf |
static struct
{ |
63feb6cd |
enum perfev id;
const char *name;
enum ev_type type;
} perf_events[] = {
{PERFT_SCAN, "full scan", ev_time},
{PERFT_PRECB, "prescan cb", ev_time},
{PERFT_POSTCB, "postscan cb", ev_time},
{PERFT_CACHE, "cache", ev_time},
{PERFT_FT, "filetype", ev_time},
{PERFT_CONTAINER, "container", ev_time},
{PERFT_SCRIPT, "script", ev_time},
{PERFT_PE, "pe", ev_time},
{PERFT_RAW, "raw", ev_time},
{PERFT_RAWTYPENO, "raw container", ev_time},
{PERFT_MAP, "map", ev_time}, |
7b1f1aaf |
{PERFT_BYTECODE, "bytecode", ev_time},
{PERFT_KTIME, "kernel", ev_int},
{PERFT_UTIME, "user", ev_int}}; |
63feb6cd |
static void get_thread_times(uint64_t *kt, uint64_t *ut)
{
#ifdef _WIN32 |
7b1f1aaf |
FILETIME c, e, k, u;
ULARGE_INTEGER kl, ul; |
288057e9 |
if (!GetThreadTimes(GetCurrentThread(), &c, &e, &k, &u)) { |
7b1f1aaf |
*kt = *ut = 0;
return; |
63feb6cd |
} |
288057e9 |
kl.LowPart = k.dwLowDateTime; |
63feb6cd |
kl.HighPart = k.dwHighDateTime; |
288057e9 |
ul.LowPart = u.dwLowDateTime; |
63feb6cd |
ul.HighPart = u.dwHighDateTime; |
288057e9 |
*kt = kl.QuadPart / 10;
*ut = ul.QuadPart / 10; |
63feb6cd |
#else
struct tms tbuf; |
0efcd558 |
if (times(&tbuf) != ((clock_t)-1)) { |
7b1f1aaf |
clock_t tck = sysconf(_SC_CLK_TCK); |
288057e9 |
*kt = ((uint64_t)1000000) * tbuf.tms_stime / tck;
*ut = ((uint64_t)1000000) * tbuf.tms_utime / tck;
} else { |
7b1f1aaf |
*kt = *ut = 0; |
63feb6cd |
}
#endif
}
static inline void perf_init(cli_ctx *ctx)
{ |
7b1f1aaf |
uint64_t kt, ut; |
63feb6cd |
unsigned i;
|
048a88e6 |
if (!SCAN_DEV_COLLECT_PERF_INFO) |
7b1f1aaf |
return; |
63feb6cd |
ctx->perf = cli_events_new(PERFT_LAST); |
288057e9 |
for (i = 0; i < sizeof(perf_events) / sizeof(perf_events[0]); i++) { |
7b1f1aaf |
if (cli_event_define(ctx->perf, perf_events[i].id, perf_events[i].name,
perf_events[i].type, multiple_sum) == -1)
continue; |
63feb6cd |
}
cli_event_time_start(ctx->perf, PERFT_SCAN);
get_thread_times(&kt, &ut);
cli_event_int(ctx->perf, PERFT_KTIME, -kt);
cli_event_int(ctx->perf, PERFT_UTIME, -ut);
}
|
7b1f1aaf |
static inline void perf_done(cli_ctx *ctx) |
63feb6cd |
{
char timestr[512];
char *p;
unsigned i; |
7b1f1aaf |
uint64_t kt, ut; |
b724f199 |
char *pend; |
63feb6cd |
cli_events_t *perf = ctx->perf;
if (!perf) |
7b1f1aaf |
return; |
63feb6cd |
|
288057e9 |
p = timestr;
pend = timestr + sizeof(timestr) - 1; |
63feb6cd |
*pend = 0;
cli_event_time_stop(perf, PERFT_SCAN);
get_thread_times(&kt, &ut);
cli_event_int(perf, PERFT_KTIME, kt);
cli_event_int(perf, PERFT_UTIME, ut);
|
288057e9 |
for (i = 0; i < sizeof(perf_events) / sizeof(perf_events[0]); i++) { |
7b1f1aaf |
union ev_val val;
unsigned count; |
63feb6cd |
|
7b1f1aaf |
cli_event_get(perf, perf_events[i].id, &val, &count);
if (p < pend)
p += snprintf(p, pend - p, "%s: %d.%03ums, ", perf_events[i].name,
(signed)(val.v_int / 1000),
(unsigned)(val.v_int % 1000)); |
63feb6cd |
}
*p = 0;
cli_infomsg(ctx, "performance: %s\n", timestr);
cli_events_free(perf);
ctx->perf = NULL;
}
|
7b1f1aaf |
static inline void perf_start(cli_ctx *ctx, int id) |
63feb6cd |
{
cli_event_time_start(ctx->perf, id);
}
|
7b1f1aaf |
static inline void perf_stop(cli_ctx *ctx, int id) |
63feb6cd |
{
cli_event_time_stop(ctx->perf, id);
}
|
7b1f1aaf |
static inline void perf_nested_start(cli_ctx *ctx, int id, int nestedid) |
63feb6cd |
{
cli_event_time_nested_start(ctx->perf, id, nestedid);
}
|
7b1f1aaf |
static inline void perf_nested_stop(cli_ctx *ctx, int id, int nestedid) |
63feb6cd |
{
cli_event_time_nested_stop(ctx->perf, id, nestedid);
}
#else |
7b1f1aaf |
static inline void perf_init(cli_ctx *ctx)
{
UNUSEDPARAM(ctx);
}
static inline void perf_start(cli_ctx *ctx, int id)
{
UNUSEDPARAM(ctx);
UNUSEDPARAM(id);
}
static inline void perf_stop(cli_ctx *ctx, int id)
{
UNUSEDPARAM(ctx);
UNUSEDPARAM(id);
}
static inline void perf_nested_start(cli_ctx *ctx, int id, int nestedid)
{
UNUSEDPARAM(ctx);
UNUSEDPARAM(id);
UNUSEDPARAM(nestedid);
}
static inline void perf_nested_stop(cli_ctx *ctx, int id, int nestedid)
{
UNUSEDPARAM(ctx);
UNUSEDPARAM(id);
UNUSEDPARAM(nestedid);
} |
288057e9 |
static inline void perf_done(cli_ctx *ctx)
{
UNUSEDPARAM(ctx);
} |
63feb6cd |
#endif
|
548b55be |
static int cli_scanraw(cli_ctx *ctx, cli_file_t type, uint8_t typercg, cli_file_t *dettype, unsigned char *refhash) |
555c5390 |
{ |
7b1f1aaf |
int ret = CL_CLEAN, nret = CL_CLEAN;
struct cli_matched_type *ftoffset = NULL, *fpt;
struct cli_exe_info peinfo;
unsigned int acmode = AC_SCAN_VIR, break_loop = 0;
fmap_t *map = *ctx->fmap; |
555c5390 |
|
288057e9 |
if (ctx->engine->maxreclevel && ctx->recursion >= ctx->engine->maxreclevel) { |
312b7e53 |
cli_check_blockmax(ctx, CL_EMAXREC); |
8df99a92 |
return CL_EMAXREC; |
312b7e53 |
} |
8df99a92 |
|
63feb6cd |
perf_start(ctx, PERFT_RAW); |
7b1f1aaf |
if (typercg)
acmode |= AC_SCAN_FT; |
555c5390 |
|
ffa9b060 |
ret = cli_fmap_scandesc(ctx, type == CL_TYPE_TEXT_ASCII ? 0 : type, 0, &ftoffset, acmode, NULL, refhash); |
63feb6cd |
perf_stop(ctx, PERFT_RAW); |
555c5390 |
|
1d7f6b27 |
// TODO I think this causes embedded file extraction to stop when a
// signature has matched in cli_fmap_scandesc, which wouldn't be what
// we want if allmatch is specified. |
288057e9 |
if (ret >= CL_TYPENO) { |
7b1f1aaf |
perf_nested_start(ctx, PERFT_RAWTYPENO, PERFT_SCAN);
ctx->recursion++; |
60a1a1a1 |
fpt = ftoffset;
|
288057e9 |
while (fpt) { |
031fe00a |
/* set current level as container AFTER recursing */
cli_set_container(ctx, fpt->type, map->len); |
7b1f1aaf |
if (fpt->offset) |
288057e9 |
switch (fpt->type) {
case CL_TYPE_MHTML:
if (SCAN_PARSE_MAIL && (DCONF_MAIL & MAIL_CONF_MBOX)) {
cli_dbgmsg("MHTML signature found at %u\n", (unsigned int)fpt->offset);
nret = ret = cli_scanmail(ctx);
}
break; |
ef48d7cb |
|
288057e9 |
case CL_TYPE_XDP:
if (SCAN_PARSE_PDF && (DCONF_DOC & DOC_CONF_PDF)) {
cli_dbgmsg("XDP signature found at %u\n", (unsigned int)fpt->offset);
nret = ret = cli_scanxdp(ctx);
}
break;
case CL_TYPE_XML_WORD:
if (SCAN_PARSE_XMLDOCS && (DCONF_DOC & DOC_CONF_MSXML)) {
cli_dbgmsg("XML-WORD signature found at %u\n", (unsigned int)fpt->offset);
nret = ret = cli_scanmsxml(ctx);
}
break;
case CL_TYPE_XML_XL:
if (SCAN_PARSE_XMLDOCS && (DCONF_DOC & DOC_CONF_MSXML)) {
cli_dbgmsg("XML-XL signature found at %u\n", (unsigned int)fpt->offset);
nret = ret = cli_scanmsxml(ctx);
}
break;
case CL_TYPE_XML_HWP:
if (SCAN_PARSE_XMLDOCS && (DCONF_DOC & DOC_CONF_HWP)) {
cli_dbgmsg("XML-HWP signature found at %u\n", (unsigned int)fpt->offset);
nret = ret = cli_scanhwpml(ctx);
}
break;
case CL_TYPE_RARSFX:
if (type != CL_TYPE_RAR && have_rar && SCAN_PARSE_ARCHIVE && (DCONF_ARCH & ARCH_CONF_RAR)) {
const char *filepath = NULL;
int fd = -1; |
01eebc13 |
|
288057e9 |
char *tmpname = NULL;
int tmpfd = -1;
size_t csize = map->len - fpt->offset; /* not precise */ |
01eebc13 |
|
288057e9 |
cli_set_container(ctx, CL_TYPE_RAR, csize);
cli_dbgmsg("RAR/RAR-SFX signature found at %u\n", (unsigned int)fpt->offset); |
01eebc13 |
|
288057e9 |
if ((ctx->sub_filepath == NULL) || (fpt->offset != 0)) {
/* |
01eebc13 |
* If map is not file-backed, or offset is not at the start of the file...
* ...have to dump to file for scanrar.
*/ |
288057e9 |
nret = fmap_dump_to_file(map, ctx->sub_filepath, ctx->engine->tmpdir, &tmpname, &tmpfd, fpt->offset, fpt->offset + csize);
if (nret != CL_SUCCESS) {
cli_dbgmsg("cli_scanraw: failed to generate temporary file.\n");
ret = nret;
break_loop = 1;
break;
}
filepath = tmpname;
fd = tmpfd;
} else {
/* Use the original file and file descriptor. */
filepath = ctx->sub_filepath;
fd = fmap_fd(map); |
32ba85d5 |
} |
01eebc13 |
|
288057e9 |
/* scan file */
nret = cli_scanrar(filepath, fd, ctx); |
01eebc13 |
|
288057e9 |
if (tmpfd != -1) {
/* If dumped tempfile, need to cleanup */
close(tmpfd);
if (!ctx->engine->keeptmp) {
if (cli_unlink(tmpname)) {
ret = nret = CL_EUNLINK;
break_loop = 1;
} |
32ba85d5 |
}
} |
01eebc13 |
|
288057e9 |
if (tmpname != NULL) {
free(tmpname);
} |
32ba85d5 |
} |
288057e9 |
break; |
60a1a1a1 |
|
b03b2712 |
case CL_TYPE_EGGSFX:
if (type != CL_TYPE_EGG && SCAN_PARSE_ARCHIVE && (DCONF_ARCH & ARCH_CONF_EGG)) {
size_t csize = map->len - fpt->offset; /* not precise */
cli_set_container(ctx, CL_TYPE_EGG, csize);
cli_dbgmsg("EGG/EGG-SFX signature found at %u\n", (unsigned int)fpt->offset);
nret = cli_scanegg(ctx, fpt->offset);
}
break;
|
288057e9 |
case CL_TYPE_ZIPSFX:
if (type != CL_TYPE_ZIP && SCAN_PARSE_ARCHIVE && (DCONF_ARCH & ARCH_CONF_ZIP)) {
size_t csize = map->len - fpt->offset; /* not precise */
cli_set_container(ctx, CL_TYPE_ZIP, csize);
cli_dbgmsg("ZIP/ZIP-SFX signature found at %u\n", (unsigned int)fpt->offset);
nret = cli_unzip_single(ctx, fpt->offset);
}
break; |
60a1a1a1 |
|
288057e9 |
case CL_TYPE_CABSFX:
if (type != CL_TYPE_MSCAB && SCAN_PARSE_ARCHIVE && (DCONF_ARCH & ARCH_CONF_CAB)) {
size_t csize = map->len - fpt->offset; /* not precise */
cli_set_container(ctx, CL_TYPE_MSCAB, csize);
cli_dbgmsg("CAB/CAB-SFX signature found at %u\n", (unsigned int)fpt->offset);
nret = cli_scanmscab(ctx, fpt->offset);
}
break; |
60a1a1a1 |
|
288057e9 |
case CL_TYPE_ARJSFX:
if (type != CL_TYPE_ARJ && SCAN_PARSE_ARCHIVE && (DCONF_ARCH & ARCH_CONF_ARJ)) {
size_t csize = map->len - fpt->offset; /* not precise */
cli_set_container(ctx, CL_TYPE_ARJ, csize);
cli_dbgmsg("ARJ-SFX signature found at %u\n", (unsigned int)fpt->offset);
nret = cli_scanarj(ctx, fpt->offset);
}
break; |
60a1a1a1 |
|
288057e9 |
case CL_TYPE_7ZSFX:
if (type != CL_TYPE_7Z && SCAN_PARSE_ARCHIVE && (DCONF_ARCH & ARCH_CONF_7Z)) {
size_t csize = map->len - fpt->offset; /* not precise */
cli_set_container(ctx, CL_TYPE_7Z, csize);
cli_dbgmsg("7Zip-SFX signature found at %u\n", (unsigned int)fpt->offset);
nret = cli_7unz(ctx, fpt->offset);
}
break; |
60a1a1a1 |
|
288057e9 |
case CL_TYPE_ISO9660:
if (SCAN_PARSE_ARCHIVE && (DCONF_ARCH & ARCH_CONF_ISO9660)) {
size_t csize = map->len - fpt->offset; /* not precise */
cli_set_container(ctx, CL_TYPE_ISO9660, csize);
cli_dbgmsg("ISO9660 signature found at %u\n", (unsigned int)fpt->offset);
nret = cli_scaniso(ctx, fpt->offset);
}
break; |
60a1a1a1 |
|
288057e9 |
case CL_TYPE_NULSFT:
if (SCAN_PARSE_ARCHIVE && type == CL_TYPE_MSEXE && (DCONF_ARCH & ARCH_CONF_NSIS) &&
fpt->offset > 4) {
size_t csize = map->len - fpt->offset; /* not precise */
cli_set_container(ctx, CL_TYPE_NULSFT, csize);
cli_dbgmsg("NSIS signature found at %u\n", (unsigned int)fpt->offset - 4);
nret = cli_scannulsft(ctx, fpt->offset - 4);
}
break; |
60a1a1a1 |
|
288057e9 |
case CL_TYPE_AUTOIT:
if (SCAN_PARSE_ARCHIVE && type == CL_TYPE_MSEXE && (DCONF_ARCH & ARCH_CONF_AUTOIT)) {
size_t csize = map->len - fpt->offset; /* not precise */
cli_set_container(ctx, CL_TYPE_AUTOIT, csize);
cli_dbgmsg("AUTOIT signature found at %u\n", (unsigned int)fpt->offset);
nret = cli_scanautoit(ctx, fpt->offset + 23);
}
break; |
60a1a1a1 |
|
288057e9 |
case CL_TYPE_ISHIELD_MSI:
if (SCAN_PARSE_ARCHIVE && type == CL_TYPE_MSEXE && (DCONF_ARCH & ARCH_CONF_ISHIELD)) {
size_t csize = map->len - fpt->offset; /* not precise */
cli_set_container(ctx, CL_TYPE_AUTOIT, csize);
cli_dbgmsg("ISHIELD-MSI signature found at %u\n", (unsigned int)fpt->offset);
nret = cli_scanishield_msi(ctx, fpt->offset + 14); |
e5d13808 |
} |
288057e9 |
break;
case CL_TYPE_DMG:
if (SCAN_PARSE_ARCHIVE && (DCONF_ARCH & ARCH_CONF_DMG)) {
cli_dbgmsg("DMG signature found at %u\n", (unsigned int)fpt->offset);
nret = cli_scandmg(ctx); |
e5d13808 |
} |
288057e9 |
break; |
e5d13808 |
|
288057e9 |
case CL_TYPE_MBR:
if (SCAN_PARSE_ARCHIVE) {
int iret = cli_mbr_check2(ctx, 0);
if ((iret == CL_TYPE_GPT) && (DCONF_ARCH & ARCH_CONF_GPT)) {
cli_dbgmsg("Recognized GUID Partition Table file\n");
cli_set_container(ctx, CL_TYPE_GPT, map->len);
cli_dbgmsg("GPT signature found at %u\n", (unsigned int)fpt->offset);
nret = cli_scangpt(ctx, 0);
} else if ((iret == CL_CLEAN) && (DCONF_ARCH & ARCH_CONF_MBR)) {
cli_dbgmsg("MBR signature found at %u\n", (unsigned int)fpt->offset);
nret = cli_scanmbr(ctx, 0);
}
}
break; |
60a1a1a1 |
|
288057e9 |
case CL_TYPE_PDF:
if (type != CL_TYPE_PDF && SCAN_PARSE_PDF && (DCONF_DOC & DOC_CONF_PDF)) {
size_t csize = map->len - fpt->offset; /* not precise */
cli_set_container(ctx, CL_TYPE_PDF, csize);
cli_dbgmsg("PDF signature found at %u\n", (unsigned int)fpt->offset);
nret = cli_scanpdf(ctx, fpt->offset); |
60a1a1a1 |
} |
288057e9 |
break;
case CL_TYPE_MSEXE:
if (SCAN_PARSE_PE && (type == CL_TYPE_MSEXE || type == CL_TYPE_ZIP || type == CL_TYPE_MSOLE2) && ctx->dconf->pe) {
uint64_t curr_len = map->len;
size_t csize = map->len - fpt->offset; /* not precise */
/* CL_ENGINE_MAX_EMBEDDED_PE */
if (curr_len > ctx->engine->maxembeddedpe) {
cli_dbgmsg("cli_scanraw: MaxEmbeddedPE exceeded\n");
break;
}
cli_set_container(ctx, CL_TYPE_MSEXE, csize); |
afe940da |
cli_exe_info_init(&peinfo, fpt->offset);
// TODO We could probably substitute in a quicker
// method of determining whether a PE file exists
// at this offset. |
aa097185 |
if (cli_peheader(map, &peinfo, CLI_PEHEADER_OPT_NONE, NULL) != 0) {
/* Despite failing, peinfo memory may have been allocated and must be freed. */
cli_exe_info_destroy(&peinfo);
} else { |
288057e9 |
cli_dbgmsg("*** Detected embedded PE file at %u ***\n",
(unsigned int)fpt->offset); |
aa097185 |
/* Immediately free up peinfo allocated memory, prior to any recursion */ |
afe940da |
cli_exe_info_destroy(&peinfo); |
288057e9 |
nret = cli_scanembpe(ctx, fpt->offset);
break_loop = 1; /* we can stop here and other |
aa097185 |
* embedded executables will
* be found recursively
* through the above call
*/ |
1d7f6b27 |
// TODO This method of embedded PE extraction
// is kinda gross in that:
// - if you have an executable that contains
// 20 other exes, the bytes associated with
// the last exe will have been included in
// hash computations and things 20 times
// (as overlay data to the previously
// extracted exes).
// - if you have a signed embedded exe, it
// will fail to validate after extraction
// bc it has overlay data, which is a
// violation of the Authenticode spec.
// - this method of extraction is subject to
// the recursion limit, which is fairly
// low by default (I think 16)
//
// It'd be awesome if we could compute the PE
// size from the PE header and just extract
// that. |
288057e9 |
} |
60a1a1a1 |
} |
288057e9 |
break; |
60a1a1a1 |
|
288057e9 |
default:
cli_warnmsg("cli_scanraw: Type %u not handled in fpt loop\n", fpt->type); |
7b1f1aaf |
} |
d68a73d1 |
|
7b1f1aaf |
if (nret == CL_VIRUS || break_loop) |
60a1a1a1 |
break; |
d68a73d1 |
|
60a1a1a1 |
fpt = fpt->next;
} |
7b1f1aaf |
if (nret != CL_VIRUS) |
288057e9 |
switch (ret) {
case CL_TYPE_HTML:
/* bb#11196 - autoit script file misclassified as HTML */
if (cli_get_container_intermediate(ctx, -2) == CL_TYPE_AUTOIT) {
ret = CL_TYPE_TEXT_ASCII;
} else if (SCAN_PARSE_HTML && (type == CL_TYPE_TEXT_ASCII || type == CL_TYPE_GRAPHICS) &&
(DCONF_DOC & DOC_CONF_HTML)) {
*dettype = CL_TYPE_HTML;
nret = cli_scanhtml(ctx);
}
break; |
7b1f1aaf |
|
288057e9 |
case CL_TYPE_MAIL:
cli_set_container(ctx, CL_TYPE_MAIL, map->len);
if (SCAN_PARSE_MAIL && type == CL_TYPE_TEXT_ASCII && (DCONF_MAIL & MAIL_CONF_MBOX)) {
*dettype = CL_TYPE_MAIL;
nret = cli_scanmail(ctx);
}
break; |
7b1f1aaf |
|
288057e9 |
default:
break; |
7b1f1aaf |
}
perf_nested_stop(ctx, PERFT_RAWTYPENO, PERFT_SCAN);
ctx->recursion--;
ret = nret;
}
|
288057e9 |
while (ftoffset) {
fpt = ftoffset; |
7b1f1aaf |
ftoffset = ftoffset->next;
free(fpt);
}
if (ret == CL_VIRUS)
cli_dbgmsg("%s found\n", cli_get_last_virus(ctx)); |
c8b0d9a2 |
|
555c5390 |
return ret;
}
|
7b1f1aaf |
static void emax_reached(cli_ctx *ctx)
{ |
742b3a0e |
fmap_t **ctx_fmap = ctx->fmap; |
b6c03fb9 |
if (!ctx_fmap) |
7b1f1aaf |
return; |
288057e9 |
while (*ctx_fmap) {
fmap_t *map = *ctx_fmap; |
7b1f1aaf |
map->dont_cache_flag = 1;
ctx_fmap--; |
742b3a0e |
}
cli_dbgmsg("emax_reached: marked parents as non cacheable\n");
}
|
aef8d4ac |
#define LINESTR(x) #x
#define LINESTR2(x) LINESTR(x) |
7b1f1aaf |
#define __AT__ " at line " LINESTR2(__LINE__) |
60af015e |
|
7b1f1aaf |
#define early_ret_from_magicscan(retcode) \ |
288057e9 |
do { \ |
7b1f1aaf |
cli_dbgmsg("cli_magic_scandesc: returning %d %s (no post, no cache)\n", retcode, __AT__); \
return retcode; \
} while (0) |
60af015e |
|
ff2d5e61 |
static int magic_scandesc_cleanup(cli_ctx *ctx, cli_file_t type, unsigned char *hash, size_t hashed_size, int cache_clean, int retcode, void *parent_property)
{ |
d4742bb1 |
int cb_retcode; |
2a3d247b |
#if HAVE_JSON |
ff2d5e61 |
ctx->wrkproperty = (struct json_object *)(parent_property); |
8b77f741 |
#else
UNUSEDPARAM(parent_property); |
2a3d247b |
#endif |
8b77f741 |
UNUSEDPARAM(type);
|
288057e9 |
if (retcode == CL_CLEAN && ctx->found_possibly_unwanted) { |
cbf5017a |
cli_virus_found_cb(ctx); |
f7106b36 |
cb_retcode = CL_VIRUS; |
288057e9 |
} else { |
cbf5017a |
if (retcode == CL_CLEAN && ctx->num_viruses != 0)
cb_retcode = CL_VIRUS;
else
cb_retcode = retcode;
} |
f7106b36 |
|
ff2d5e61 |
cli_dbgmsg("cli_magic_scandesc: returning %d %s\n", retcode, __AT__); |
288057e9 |
if (ctx->engine->cb_post_scan) { |
7b1f1aaf |
const char *virusname = NULL; |
ff2d5e61 |
perf_start(ctx, PERFT_POSTCB); |
f7106b36 |
if (cb_retcode == CL_VIRUS)
virusname = cli_get_last_virus(ctx); |
288057e9 |
switch (ctx->engine->cb_post_scan(fmap_fd(*ctx->fmap), cb_retcode, virusname, ctx->cb_ctx)) {
case CL_BREAK:
cli_dbgmsg("cli_magic_scandesc: file whitelisted by post_scan callback\n");
perf_stop(ctx, PERFT_POSTCB);
return CL_CLEAN;
case CL_VIRUS:
cli_dbgmsg("cli_magic_scandesc: file blacklisted by post_scan callback\n");
cli_append_virus(ctx, "Detected.By.Callback");
perf_stop(ctx, PERFT_POSTCB);
if (retcode != CL_VIRUS)
return cli_checkfp(hash, hashed_size, ctx);
return CL_VIRUS;
case CL_CLEAN:
break;
default:
cli_warnmsg("cli_magic_scandesc: ignoring bad return code from post_scan callback\n"); |
ff2d5e61 |
}
perf_stop(ctx, PERFT_POSTCB); |
c27d4056 |
} |
288057e9 |
if (cb_retcode == CL_CLEAN && cache_clean) { |
ff2d5e61 |
perf_start(ctx, PERFT_CACHE); |
048a88e6 |
if (!(SCAN_COLLECT_METADATA)) |
7d4213a7 |
cache_add(hash, hashed_size, ctx); |
ff2d5e61 |
perf_stop(ctx, PERFT_CACHE);
} |
048a88e6 |
if (retcode == CL_VIRUS && SCAN_ALLMATCHES) |
7a307529 |
return CL_CLEAN; |
ff2d5e61 |
return retcode;
} |
c27d4056 |
|
ff2d5e61 |
static int dispatch_prescan(clcb_pre_scan cb, cli_ctx *ctx, const char *filetype, bitset_t *old_hook_lsig_matches, void *parent_property, unsigned char *hash, size_t hashed_size, int *run_cleanup)
{ |
7b1f1aaf |
int res = CL_CLEAN; |
ff2d5e61 |
|
8b77f741 |
UNUSEDPARAM(parent_property);
UNUSEDPARAM(hash);
UNUSEDPARAM(hashed_size);
|
ff2d5e61 |
*run_cleanup = 0;
|
288057e9 |
if (cb) { |
ff2d5e61 |
perf_start(ctx, PERFT_PRECB); |
288057e9 |
switch (cb(fmap_fd(*ctx->fmap), filetype, ctx->cb_ctx)) {
case CL_BREAK:
cli_dbgmsg("cli_magic_scandesc: file whitelisted by callback\n");
perf_stop(ctx, PERFT_PRECB);
ctx->hook_lsig_matches = old_hook_lsig_matches;
/* returns CL_CLEAN */
*run_cleanup = 1;
break;
case CL_VIRUS:
cli_dbgmsg("cli_magic_scandesc: file blacklisted by callback\n");
cli_append_virus(ctx, "Detected.By.Callback");
perf_stop(ctx, PERFT_PRECB);
ctx->hook_lsig_matches = old_hook_lsig_matches;
*run_cleanup = 1;
res = CL_VIRUS;
break;
case CL_CLEAN:
break;
default:
cli_warnmsg("cli_magic_scandesc: ignoring bad return code from callback\n"); |
ff2d5e61 |
} |
c27d4056 |
|
ff2d5e61 |
perf_stop(ctx, PERFT_PRECB);
}
return res;
} |
c27d4056 |
|
b7ae31f1 |
static int magic_scandesc(cli_ctx *ctx, cli_file_t type) |
e3aaff8e |
{ |
288057e9 |
int ret = CL_CLEAN; |
7b1f1aaf |
cli_file_t dettype = 0; |
288057e9 |
uint8_t typercg = 1; |
7b1f1aaf |
size_t hashed_size;
unsigned char hash[16] = {'\0'};
bitset_t *old_hook_lsig_matches;
const char *filetype;
int cache_clean = 0, res;
int run_cleanup = 0; |
2a3d247b |
#if HAVE_JSON |
7b1f1aaf |
struct json_object *parent_property = NULL; |
ff2d5e61 |
#else |
7b1f1aaf |
void *parent_property = NULL; |
4e683628 |
#endif |
a7f5fd00 |
|
288057e9 |
if (!ctx->engine) { |
7b1f1aaf |
cli_errmsg("CRITICAL: engine == NULL\n");
early_ret_from_magicscan(CL_ENULLARG); |
b3df93db |
}
|
288057e9 |
if (!(ctx->engine->dboptions & CL_DB_COMPILED)) { |
7b1f1aaf |
cli_errmsg("CRITICAL: engine not compiled\n");
early_ret_from_magicscan(CL_EMALFDB); |
e3aaff8e |
}
|
288057e9 |
if (ctx->engine->maxreclevel && ctx->recursion > ctx->engine->maxreclevel) { |
b2726a53 |
cli_dbgmsg("cli_magic_scandesc: Archive recursion limit exceeded (%u, max: %u)\n", ctx->recursion, ctx->engine->maxreclevel); |
7b1f1aaf |
emax_reached(ctx); |
312b7e53 |
cli_check_blockmax(ctx, CL_EMAXREC); |
7b1f1aaf |
early_ret_from_magicscan(CL_CLEAN); |
b2726a53 |
}
|
288057e9 |
if (cli_updatelimits(ctx, (*ctx->fmap)->len) != CL_CLEAN) { |
7b1f1aaf |
emax_reached(ctx); |
60af015e |
early_ret_from_magicscan(CL_CLEAN); |
998bcfa7 |
} |
dd64326e |
old_hook_lsig_matches = ctx->hook_lsig_matches; |
288057e9 |
if (type == CL_TYPE_PART_ANY) { |
7b1f1aaf |
typercg = 0; |
1d1c4b15 |
} |
998bcfa7 |
|
a217d9a7 |
perf_start(ctx, PERFT_FT); |
288057e9 |
if ((type == CL_TYPE_ANY) || type == CL_TYPE_PART_ANY) { |
7b1f1aaf |
type = cli_filetype2(*ctx->fmap, ctx->engine, type); |
2612de29 |
} |
a217d9a7 |
perf_stop(ctx, PERFT_FT); |
288057e9 |
if (type == CL_TYPE_ERROR) { |
7b1f1aaf |
cli_dbgmsg("cli_magic_scandesc: cli_filetype2 returned CL_TYPE_ERROR\n");
early_ret_from_magicscan(CL_EREAD); |
a0eb7910 |
} |
a217d9a7 |
filetype = cli_ftname(type); |
e56f0949 |
|
2a3d247b |
#if HAVE_JSON |
288057e9 |
if (SCAN_COLLECT_METADATA) { |
8b77f741 |
json_object *arrobj; |
4e683628 |
|
288057e9 |
if (NULL == ctx->properties) { |
7b1f1aaf |
if (type == CL_TYPE_PDF || /* file types we collect properties about */ |
585717e1 |
type == CL_TYPE_MSOLE2 ||
type == CL_TYPE_MSEXE || |
7360fe6a |
//type == CL_TYPE_ZIP || |
585717e1 |
type == CL_TYPE_OOXML_WORD ||
type == CL_TYPE_OOXML_PPT || |
56895e25 |
type == CL_TYPE_OOXML_XL ||
type == CL_TYPE_XML_WORD || |
9103b7e9 |
type == CL_TYPE_XML_XL || |
d2eea44a |
type == CL_TYPE_HWP3 || |
6cd5a9dc |
type == CL_TYPE_XML_HWP || |
c6f7be55 |
type == CL_TYPE_HWPOLE2 || |
05f58cfa |
type == CL_TYPE_OOXML_HWP || |
288057e9 |
type == CL_TYPE_MHTML) { |
585717e1 |
ctx->properties = json_object_new_object(); |
288057e9 |
if (NULL == ctx->properties) { |
585717e1 |
cli_errmsg("magic_scandesc: no memory for json properties object\n"); |
7b1f1aaf |
early_ret_from_magicscan(CL_EMEM); |
585717e1 |
}
ctx->wrkproperty = ctx->properties; |
288057e9 |
ret = cli_jsonstr(ctx->properties, "Magic", "CLAMJSONv0");
if (ret != CL_SUCCESS) { |
de46d3e3 |
early_ret_from_magicscan(ret);
} |
5ee5fad2 |
ret = cli_jsonstr(ctx->properties, "RootFileType", filetype); |
288057e9 |
if (ret != CL_SUCCESS) { |
90f830e7 |
early_ret_from_magicscan(ret);
} |
288057e9 |
} else { /* turn off property collection flag for file types we don't care about */ |
048a88e6 |
ctx->options->general &= ~CL_SCAN_GENERAL_COLLECT_METADATA; |
4e683628 |
} |
288057e9 |
} else { |
4e683628 |
parent_property = ctx->wrkproperty; |
288057e9 |
if (!json_object_object_get_ex(parent_property, "ContainedObjects", &arrobj)) { |
4e683628 |
arrobj = json_object_new_array(); |
288057e9 |
if (NULL == arrobj) { |
4e683628 |
cli_errmsg("magic_scandesc: no memory for json properties object\n");
early_ret_from_magicscan(CL_EMEM);
} |
fd151ff6 |
json_object_object_add(parent_property, "ContainedObjects", arrobj); |
4e683628 |
}
ctx->wrkproperty = json_object_new_object(); |
288057e9 |
if (NULL == ctx->wrkproperty) { |
4e683628 |
cli_errmsg("magic_scandesc: no memory for json properties object\n");
early_ret_from_magicscan(CL_EMEM);
}
json_object_array_add(arrobj, ctx->wrkproperty);
} |
9ecf6c2b |
} |
4e683628 |
|
288057e9 |
if (SCAN_COLLECT_METADATA) { /* separated for cases json is not tracked */ |
ff2d5e61 |
ret = cli_jsonstr(ctx->wrkproperty, "FileType", filetype); |
288057e9 |
if (ret != CL_SUCCESS) { |
a69adec1 |
early_ret_from_magicscan(ret); |
e56f0949 |
} |
ff2d5e61 |
ret = cli_jsonint(ctx->wrkproperty, "FileSize", (*ctx->fmap)->len); |
288057e9 |
if (ret != CL_SUCCESS) { |
a69adec1 |
early_ret_from_magicscan(ret); |
e56f0949 |
}
}
#endif
|
c86a1d4b |
hashed_size = 0; |
288057e9 |
ret = dispatch_prescan(ctx->engine->cb_pre_cache, ctx, filetype, old_hook_lsig_matches, parent_property, hash, hashed_size, &run_cleanup);
if (run_cleanup) { |
ff2d5e61 |
if (ret == CL_VIRUS)
return magic_scandesc_cleanup(ctx, type, hash, hashed_size, cache_clean, cli_checkfp(hash, hashed_size, ctx), parent_property);
else
return magic_scandesc_cleanup(ctx, type, hash, hashed_size, cache_clean, CL_CLEAN, parent_property);
} |
a0eb7910 |
|
63feb6cd |
perf_start(ctx, PERFT_CACHE); |
048a88e6 |
if (!(SCAN_COLLECT_METADATA)) |
7d4213a7 |
res = cache_check(hash, ctx); |
ac2bd61e |
else
res = CL_VIRUS; |
a69adec1 |
#if HAVE_JSON |
288057e9 |
if (SCAN_COLLECT_METADATA /* ctx.options->general & CL_SCAN_GENERAL_COLLECT_METADATA && ctx->wrkproperty != NULL */) { |
a69adec1 |
char hashstr[33]; |
7d4213a7 |
ret = cache_get_MD5(hash, ctx); |
288057e9 |
if (ret != CL_SUCCESS) { |
7d4213a7 |
early_ret_from_magicscan(ret);
}
snprintf(hashstr, 33, "%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x",
hash[0], hash[1], hash[2], hash[3], hash[4], hash[5], hash[6], hash[7],
hash[8], hash[9], hash[10], hash[11], hash[12], hash[13], hash[14], hash[15]); |
a69adec1 |
|
ff2d5e61 |
ret = cli_jsonstr(ctx->wrkproperty, "FileMD5", hashstr); |
7d4213a7 |
if (ctx->engine->engine_options & ENGINE_OPTIONS_DISABLE_CACHE)
memset(hash, 0, sizeof(hash)); |
288057e9 |
if (ret != CL_SUCCESS) { |
a69adec1 |
early_ret_from_magicscan(ret);
}
}
#endif
|
288057e9 |
if (res != CL_VIRUS) { |
7b1f1aaf |
perf_stop(ctx, PERFT_CACHE); |
2a3d247b |
#if HAVE_JSON |
4e683628 |
ctx->wrkproperty = parent_property; |
2a3d247b |
#endif |
7b1f1aaf |
early_ret_from_magicscan(res); |
60b21251 |
} |
ed98fae7 |
|
63feb6cd |
perf_stop(ctx, PERFT_CACHE); |
52f52931 |
hashed_size = (*ctx->fmap)->len; |
cbf5017a |
memcpy((*ctx->fmap)->maphash, hash, 16); |
f4e34215 |
ctx->hook_lsig_matches = NULL; |
52f52931 |
|
288057e9 |
if (!((ctx->options->general & ~CL_SCAN_GENERAL_ALLMATCHES) || (ctx->options->parse) || (ctx->options->heuristic) || (ctx->options->mail) || (ctx->options->dev)) || (ctx->recursion == ctx->engine->maxreclevel)) { /* raw mode (stdin, etc.) or last level of recursion */
if (ctx->recursion == ctx->engine->maxreclevel) { |
312b7e53 |
cli_check_blockmax(ctx, CL_EMAXREC); |
7b1f1aaf |
cli_dbgmsg("cli_magic_scandesc: Hit recursion limit, only scanning raw file\n"); |
288057e9 |
} else |
7b1f1aaf |
cli_dbgmsg("Raw mode: No support for special files\n"); |
aef8d4ac |
|
7b1f1aaf |
ret = dispatch_prescan(ctx->engine->cb_pre_scan, ctx, filetype, old_hook_lsig_matches, parent_property, hash, hashed_size, &run_cleanup); |
288057e9 |
if (run_cleanup) { |
7b1f1aaf |
if (ret == CL_VIRUS)
return magic_scandesc_cleanup(ctx, type, hash, hashed_size, cache_clean, cli_checkfp(hash, hashed_size, ctx), parent_property);
else
return magic_scandesc_cleanup(ctx, type, hash, hashed_size, cache_clean, ret, parent_property);
}
/* ret_from_magicscan can be used below here*/
if ((ret = cli_fmap_scandesc(ctx, 0, 0, NULL, AC_SCAN_VIR, NULL, hash)) == CL_VIRUS)
cli_dbgmsg("%s found in descriptor %d\n", cli_get_last_virus(ctx), fmap_fd(*ctx->fmap)); |
288057e9 |
else if (ret == CL_CLEAN) { |
7b1f1aaf |
if (ctx->recursion != ctx->engine->maxreclevel)
cache_clean = 1; /* Only cache if limits are not reached */
else
emax_reached(ctx);
}
ctx->hook_lsig_matches = old_hook_lsig_matches;
return magic_scandesc_cleanup(ctx, type, hash, hashed_size, cache_clean, ret, parent_property); |
d91ab809 |
} |
e3aaff8e |
|
ff2d5e61 |
ret = dispatch_prescan(ctx->engine->cb_pre_scan, ctx, filetype, old_hook_lsig_matches, parent_property, hash, hashed_size, &run_cleanup); |
288057e9 |
if (run_cleanup) { |
ff2d5e61 |
if (ret == CL_VIRUS)
return magic_scandesc_cleanup(ctx, type, hash, hashed_size, cache_clean, cli_checkfp(hash, hashed_size, ctx), parent_property);
else
return magic_scandesc_cleanup(ctx, type, hash, hashed_size, cache_clean, ret, parent_property);
} |
288057e9 |
/* ret_from_magicscan can be used below here*/ |
c27d4056 |
|
16b28d07 |
#ifdef HAVE__INTERNAL__SHA_COLLECT |
7b1f1aaf |
if (!ctx->sha_collect && type == CL_TYPE_MSEXE)
ctx->sha_collect = 1; |
16b28d07 |
#endif |
6d6e8271 |
|
f4e34215 |
ctx->hook_lsig_matches = cli_bitset_init(); |
288057e9 |
if (!ctx->hook_lsig_matches) { |
7b1f1aaf |
ctx->hook_lsig_matches = old_hook_lsig_matches;
return magic_scandesc_cleanup(ctx, type, hash, hashed_size, cache_clean, CL_EMEM, parent_property); |
17c20e12 |
} |
f4e34215 |
|
288057e9 |
if (type != CL_TYPE_IGNORED && ctx->engine->sdb) {
if ((ret = cli_scanraw(ctx, type, 0, &dettype, (ctx->engine->engine_options & ENGINE_OPTIONS_DISABLE_CACHE) ? NULL : hash)) == CL_VIRUS) { |
7b1f1aaf |
ret = cli_checkfp(hash, hashed_size, ctx);
cli_bitset_free(ctx->hook_lsig_matches);
ctx->hook_lsig_matches = old_hook_lsig_matches;
return magic_scandesc_cleanup(ctx, type, hash, hashed_size, cache_clean, ret, parent_property);
} |
555c5390 |
}
|
d91ab809 |
ctx->recursion++; |
63feb6cd |
perf_nested_start(ctx, PERFT_CONTAINER, PERFT_SCAN); |
031fe00a |
/* set current level as container AFTER recursing */
cli_set_container(ctx, type, (*ctx->fmap)->len); |
288057e9 |
switch (type) {
case CL_TYPE_IGNORED:
break;
case CL_TYPE_HWP3:
if (SCAN_PARSE_HWP3 && (DCONF_DOC & DOC_CONF_HWP))
ret = cli_scanhwp3(ctx);
break;
case CL_TYPE_HWPOLE2:
if (SCAN_PARSE_OLE2 && (DCONF_ARCH & ARCH_CONF_OLE2))
ret = cli_scanhwpole2(ctx);
break;
case CL_TYPE_XML_WORD:
if (SCAN_PARSE_XMLDOCS && (DCONF_DOC & DOC_CONF_MSXML))
ret = cli_scanmsxml(ctx);
break;
case CL_TYPE_XML_XL:
if (SCAN_PARSE_XMLDOCS && (DCONF_DOC & DOC_CONF_MSXML))
ret = cli_scanmsxml(ctx);
break;
case CL_TYPE_XML_HWP:
if (SCAN_PARSE_XMLDOCS && (DCONF_DOC & DOC_CONF_HWP))
ret = cli_scanhwpml(ctx);
break;
case CL_TYPE_XDP:
if (SCAN_PARSE_PDF && (DCONF_DOC & DOC_CONF_PDF))
ret = cli_scanxdp(ctx);
break;
case CL_TYPE_RAR:
if (have_rar && SCAN_PARSE_ARCHIVE && (DCONF_ARCH & ARCH_CONF_RAR)) {
const char *filepath = NULL;
int fd = -1;
char *tmpname = NULL;
int tmpfd = -1;
if (ctx->sub_filepath == NULL) {
/* If map is not file-backed have to dump to file for scanrar. */
ret = fmap_dump_to_file(*ctx->fmap, ctx->sub_filepath, ctx->engine->tmpdir, &tmpname, &tmpfd, 0, SIZE_MAX);
if (ret != CL_SUCCESS) {
cli_dbgmsg("magic_scandesc: failed to generate temporary file.\n");
break;
}
filepath = tmpname;
fd = tmpfd;
} else {
/* Use the original file and file descriptor. */
filepath = ctx->sub_filepath;
fd = fmap_fd(*ctx->fmap); |
7b1f1aaf |
} |
01eebc13 |
|
288057e9 |
/* scan file */
ret = cli_scanrar(filepath, fd, ctx); |
01eebc13 |
|
288057e9 |
if (tmpfd != -1) {
/* If dumped tempfile, need to cleanup */
close(tmpfd);
if (!ctx->engine->keeptmp) {
if (cli_unlink(tmpname)) {
ret = CL_EUNLINK;
} |
01eebc13 |
}
}
|
288057e9 |
if (tmpname != NULL) {
free(tmpname);
} |
7b1f1aaf |
} |
288057e9 |
break; |
7b1f1aaf |
|
b03b2712 |
case CL_TYPE_EGG:
if (SCAN_PARSE_ARCHIVE && (DCONF_ARCH & ARCH_CONF_EGG))
ret = cli_scanegg(ctx, 0);
break;
|
288057e9 |
case CL_TYPE_OOXML_WORD:
case CL_TYPE_OOXML_PPT:
case CL_TYPE_OOXML_XL:
case CL_TYPE_OOXML_HWP: |
a69adec1 |
#if HAVE_JSON |
288057e9 |
if (SCAN_PARSE_XMLDOCS && (DCONF_DOC & DOC_CONF_OOXML)) {
if (SCAN_COLLECT_METADATA && (ctx->wrkproperty != NULL)) {
ret = cli_process_ooxml(ctx, type);
if (ret == CL_EMEM || ret == CL_ENULLARG) {
/* critical error */
break;
} else if (ret != CL_SUCCESS) {
/* |
7b1f1aaf |
* non-critical return => allow for the CL_TYPE_ZIP scan to occur
* cli_process_ooxml other possible returns:
* CL_ETIMEOUT, CL_EMAXSIZE, CL_EMAXFILES, CL_EPARSE,
* CL_EFORMAT, CL_BREAK, CL_ESTAT
*/ |
288057e9 |
ret = CL_SUCCESS;
} |
7b1f1aaf |
}
} |
a69adec1 |
#endif |
288057e9 |
case CL_TYPE_ZIP:
if (SCAN_PARSE_ARCHIVE && (DCONF_ARCH & ARCH_CONF_ZIP))
ret = cli_unzip(ctx);
break;
case CL_TYPE_GZ:
if (SCAN_PARSE_ARCHIVE && (DCONF_ARCH & ARCH_CONF_GZ))
ret = cli_scangzip(ctx);
break;
case CL_TYPE_BZ:
if (SCAN_PARSE_ARCHIVE && (DCONF_ARCH & ARCH_CONF_BZ))
ret = cli_scanbzip(ctx);
break;
case CL_TYPE_XZ:
if (SCAN_PARSE_ARCHIVE && (DCONF_ARCH & ARCH_CONF_XZ))
ret = cli_scanxz(ctx);
break;
case CL_TYPE_GPT:
if (SCAN_PARSE_ARCHIVE && (DCONF_ARCH & ARCH_CONF_GPT))
ret = cli_scangpt(ctx, 0);
break;
case CL_TYPE_APM:
if (SCAN_PARSE_ARCHIVE && (DCONF_ARCH & ARCH_CONF_APM))
ret = cli_scanapm(ctx);
break;
case CL_TYPE_ARJ:
if (SCAN_PARSE_ARCHIVE && (DCONF_ARCH & ARCH_CONF_ARJ))
ret = cli_scanarj(ctx, 0);
break;
case CL_TYPE_NULSFT:
if (SCAN_PARSE_ARCHIVE && (DCONF_ARCH & ARCH_CONF_NSIS))
ret = cli_scannulsft(ctx, 0);
break;
case CL_TYPE_AUTOIT:
if (SCAN_PARSE_ARCHIVE && (DCONF_ARCH & ARCH_CONF_AUTOIT))
ret = cli_scanautoit(ctx, 23);
break;
case CL_TYPE_MSSZDD:
if (SCAN_PARSE_ARCHIVE && (DCONF_ARCH & ARCH_CONF_SZDD))
ret = cli_scanszdd(ctx);
break;
case CL_TYPE_MSCAB:
if (SCAN_PARSE_ARCHIVE && (DCONF_ARCH & ARCH_CONF_CAB))
ret = cli_scanmscab(ctx, 0);
break;
case CL_TYPE_HTML:
if (SCAN_PARSE_HTML && (DCONF_DOC & DOC_CONF_HTML))
ret = cli_scanhtml(ctx);
break;
case CL_TYPE_HTML_UTF16:
if (SCAN_PARSE_HTML && (DCONF_DOC & DOC_CONF_HTML))
ret = cli_scanhtml_utf16(ctx);
break;
case CL_TYPE_SCRIPT:
if ((DCONF_DOC & DOC_CONF_SCRIPT) && dettype != CL_TYPE_HTML)
ret = cli_scanscript(ctx);
break;
case CL_TYPE_SWF:
if (SCAN_PARSE_SWF && (DCONF_DOC & DOC_CONF_SWF))
ret = cli_scanswf(ctx);
break;
case CL_TYPE_RTF:
if (SCAN_PARSE_ARCHIVE && (DCONF_DOC & DOC_CONF_RTF))
ret = cli_scanrtf(ctx);
break;
case CL_TYPE_MAIL:
if (SCAN_PARSE_MAIL && (DCONF_MAIL & MAIL_CONF_MBOX))
ret = cli_scanmail(ctx);
break;
case CL_TYPE_MHTML:
if (SCAN_PARSE_MAIL && (DCONF_MAIL & MAIL_CONF_MBOX))
ret = cli_scanmail(ctx);
break;
case CL_TYPE_TNEF:
if (SCAN_PARSE_MAIL && (DCONF_MAIL & MAIL_CONF_TNEF))
ret = cli_scantnef(ctx);
break;
case CL_TYPE_UUENCODED:
if (DCONF_OTHER & OTHER_CONF_UUENC)
ret = cli_scanuuencoded(ctx);
break;
case CL_TYPE_MSCHM:
if (SCAN_PARSE_ARCHIVE && (DCONF_ARCH & ARCH_CONF_CHM))
ret = cli_scanmschm(ctx);
break;
case CL_TYPE_MSOLE2:
if (SCAN_PARSE_OLE2 && (DCONF_ARCH & ARCH_CONF_OLE2))
ret = cli_scanole2(ctx);
break;
case CL_TYPE_7Z:
if (SCAN_PARSE_ARCHIVE && (DCONF_ARCH & ARCH_CONF_7Z))
ret = cli_7unz(ctx, 0);
break;
case CL_TYPE_POSIX_TAR:
if (SCAN_PARSE_ARCHIVE && (DCONF_ARCH & ARCH_CONF_TAR))
ret = cli_scantar(ctx, 1);
break;
case CL_TYPE_OLD_TAR:
if (SCAN_PARSE_ARCHIVE && (DCONF_ARCH & ARCH_CONF_TAR))
ret = cli_scantar(ctx, 0);
break;
case CL_TYPE_CPIO_OLD:
if (SCAN_PARSE_ARCHIVE && (DCONF_ARCH & ARCH_CONF_CPIO))
ret = cli_scancpio_old(ctx);
break;
case CL_TYPE_CPIO_ODC:
if (SCAN_PARSE_ARCHIVE && (DCONF_ARCH & ARCH_CONF_CPIO))
ret = cli_scancpio_odc(ctx);
break;
case CL_TYPE_CPIO_NEWC:
if (SCAN_PARSE_ARCHIVE && (DCONF_ARCH & ARCH_CONF_CPIO))
ret = cli_scancpio_newc(ctx, 0);
break;
case CL_TYPE_CPIO_CRC:
if (SCAN_PARSE_ARCHIVE && (DCONF_ARCH & ARCH_CONF_CPIO))
ret = cli_scancpio_newc(ctx, 1);
break;
case CL_TYPE_BINHEX:
if (SCAN_PARSE_ARCHIVE && (DCONF_ARCH & ARCH_CONF_BINHEX))
ret = cli_binhex(ctx);
break;
case CL_TYPE_SCRENC:
if (DCONF_OTHER & OTHER_CONF_SCRENC)
ret = cli_scanscrenc(ctx);
break;
case CL_TYPE_RIFF:
if (SCAN_HEURISTICS && (DCONF_OTHER & OTHER_CONF_RIFF))
ret = cli_scanriff(ctx);
break;
case CL_TYPE_GRAPHICS:
if (SCAN_HEURISTICS && (DCONF_OTHER & OTHER_CONF_JPEG))
ret = cli_scanjpeg(ctx);
if (ctx->img_validate && SCAN_HEURISTICS && ret != CL_VIRUS)
ret = cli_parsejpeg(ctx);
if (ctx->img_validate && SCAN_HEURISTICS && ret != CL_VIRUS && ret != CL_EPARSE)
ret = cli_parsepng(ctx);
if (ctx->img_validate && SCAN_HEURISTICS && ret != CL_VIRUS && ret != CL_EPARSE)
ret = cli_parsegif(ctx);
if (ctx->img_validate && SCAN_HEURISTICS && ret != CL_VIRUS && ret != CL_EPARSE)
ret = cli_parsetiff(ctx);
break;
case CL_TYPE_PDF: /* FIXMELIMITS: pdf should be an archive! */
if (SCAN_PARSE_PDF && (DCONF_DOC & DOC_CONF_PDF))
ret = cli_scanpdf(ctx, 0);
break;
case CL_TYPE_CRYPTFF:
if (DCONF_OTHER & OTHER_CONF_CRYPTFF)
ret = cli_scancryptff(ctx);
break;
case CL_TYPE_ELF:
if (SCAN_PARSE_ELF && ctx->dconf->elf)
ret = cli_scanelf(ctx);
break;
case CL_TYPE_MACHO:
if (ctx->dconf->macho)
ret = cli_scanmacho(ctx, NULL);
break;
case CL_TYPE_MACHO_UNIBIN:
if (ctx->dconf->macho)
ret = cli_scanmacho_unibin(ctx);
break;
case CL_TYPE_SIS:
if (SCAN_PARSE_ARCHIVE && (DCONF_ARCH & ARCH_CONF_SIS))
ret = cli_scansis(ctx);
break;
case CL_TYPE_XAR:
if (SCAN_PARSE_ARCHIVE && (DCONF_ARCH & ARCH_CONF_XAR))
ret = cli_scanxar(ctx);
break;
case CL_TYPE_PART_HFSPLUS:
if (SCAN_PARSE_ARCHIVE && (DCONF_ARCH & ARCH_CONF_HFSPLUS))
ret = cli_scanhfsplus(ctx);
break;
case CL_TYPE_BINARY_DATA:
case CL_TYPE_TEXT_UTF16BE:
if (SCAN_HEURISTICS && (DCONF_OTHER & OTHER_CONF_MYDOOMLOG))
ret = cli_check_mydoom_log(ctx);
break;
case CL_TYPE_TEXT_ASCII:
if (SCAN_HEURISTIC_STRUCTURED && (DCONF_OTHER & OTHER_CONF_DLP))
/* TODO: consider calling this from cli_scanscript() for |
7b1f1aaf |
* a normalised text
*/
|
288057e9 |
ret = cli_scan_structured(ctx);
break; |
7b1f1aaf |
|
288057e9 |
default:
break; |
e3aaff8e |
} |
63feb6cd |
perf_nested_stop(ctx, PERFT_CONTAINER, PERFT_SCAN); |
d91ab809 |
ctx->recursion--; |
467f8b1e |
|
288057e9 |
if (ret == CL_VIRUS && !SCAN_ALLMATCHES) { |
7b1f1aaf |
cli_bitset_free(ctx->hook_lsig_matches);
ctx->hook_lsig_matches = old_hook_lsig_matches;
return magic_scandesc_cleanup(ctx, type, hash, hashed_size, cache_clean, ret, parent_property); |
998bcfa7 |
} |
a6e38800 |
|
288057e9 |
if (type == CL_TYPE_ZIP && SCAN_PARSE_ARCHIVE && (DCONF_ARCH & ARCH_CONF_ZIP)) { |
7b1f1aaf |
/* CL_ENGINE_MAX_ZIPTYPERCG */
uint64_t curr_len = (*ctx->fmap)->len; |
288057e9 |
if (curr_len > ctx->engine->maxziptypercg) { |
7b1f1aaf |
cli_dbgmsg("cli_magic_scandesc: Not checking for embedded PEs (zip file > MaxZipTypeRcg)\n");
typercg = 0;
} |
ded60d81 |
}
|
08f0150f |
/* CL_TYPE_HTML: raw HTML files are not scanned, unless safety measure activated via DCONF */ |
288057e9 |
if (type != CL_TYPE_IGNORED && (type != CL_TYPE_HTML || !(SCAN_PARSE_HTML) || !(DCONF_DOC & DOC_CONF_HTML_SKIPRAW)) && !ctx->engine->sdb) { |
7b1f1aaf |
res = cli_scanraw(ctx, type, typercg, &dettype, (ctx->engine->engine_options & ENGINE_OPTIONS_DISABLE_CACHE) ? NULL : hash); |
288057e9 |
if (res != CL_CLEAN) {
switch (res) {
/* List of scan halts, runtime errors only! */
case CL_EUNLINK:
case CL_ESTAT:
case CL_ESEEK:
case CL_EWRITE:
case CL_EDUP:
case CL_ETMPFILE:
case CL_ETMPDIR:
case CL_EMEM:
case CL_ETIMEOUT:
cli_dbgmsg("Descriptor[%d]: cli_scanraw error %s\n", fmap_fd(*ctx->fmap), cl_strerror(res));
cli_bitset_free(ctx->hook_lsig_matches);
ctx->hook_lsig_matches = old_hook_lsig_matches;
return magic_scandesc_cleanup(ctx, type, hash, hashed_size, cache_clean, res, parent_property); |
1d7f6b27 |
/* CL_VIRUS = malware found, check FP and report.
* Likewise, if the file was determined to be trusted, then we
* can also finish with the scan. (Ex: EXE with a valid
* Authenticode sig.) */
case CL_VERIFIED:
// For now just conver CL_VERIFIED to CL_CLEAN, since
// CL_VERIFIED isn't used elsewhere
res = CL_CLEAN;
// Fall through |
288057e9 |
case CL_VIRUS:
ret = res;
if (SCAN_ALLMATCHES)
break;
cli_bitset_free(ctx->hook_lsig_matches);
ctx->hook_lsig_matches = old_hook_lsig_matches;
return magic_scandesc_cleanup(ctx, type, hash, hashed_size, cache_clean, ret, parent_property);
/* "MAX" conditions should still fully scan the current file */
case CL_EMAXREC:
case CL_EMAXSIZE:
case CL_EMAXFILES:
ret = res;
cli_dbgmsg("Descriptor[%d]: Continuing after cli_scanraw reached %s\n",
fmap_fd(*ctx->fmap), cl_strerror(res)); |
7b1f1aaf |
break; |
288057e9 |
/* Other errors must not block further scans below |
7b1f1aaf |
* This specifically includes CL_EFORMAT & CL_EREAD & CL_EUNPACK
* Malformed/truncated files could report as any of these three.
*/ |
288057e9 |
default:
ret = res;
cli_dbgmsg("Descriptor[%d]: Continuing after cli_scanraw error %s\n",
fmap_fd(*ctx->fmap), cl_strerror(res)); |
7b1f1aaf |
}
} |
46c2e927 |
} |
e3aaff8e |
|
d91ab809 |
ctx->recursion++; |
288057e9 |
switch (type) {
/* bytecode hooks triggered by a lsig must be a hook |
7b1f1aaf |
* called from one of the functions here */ |
288057e9 |
case CL_TYPE_TEXT_ASCII:
case CL_TYPE_TEXT_UTF16BE:
case CL_TYPE_TEXT_UTF16LE:
case CL_TYPE_TEXT_UTF8:
perf_nested_start(ctx, PERFT_SCRIPT, PERFT_SCAN);
if ((DCONF_DOC & DOC_CONF_SCRIPT) && dettype != CL_TYPE_HTML && (ret != CL_VIRUS || SCAN_ALLMATCHES) && SCAN_PARSE_HTML)
ret = cli_scanscript(ctx);
if (SCAN_PARSE_MAIL && (DCONF_MAIL & MAIL_CONF_MBOX) && ret != CL_VIRUS && (cli_get_container(ctx, -1) == CL_TYPE_MAIL || dettype == CL_TYPE_MAIL)) {
ret = cli_fmap_scandesc(ctx, CL_TYPE_MAIL, 0, NULL, AC_SCAN_VIR, NULL, NULL);
}
perf_nested_stop(ctx, PERFT_SCRIPT, PERFT_SCAN);
break;
/* Due to performance reasons all executables were first scanned |
7b1f1aaf |
* in raw mode. Now we will try to unpack them
*/ |
288057e9 |
case CL_TYPE_MSEXE:
perf_nested_start(ctx, PERFT_PE, PERFT_SCAN);
if (SCAN_PARSE_PE && ctx->dconf->pe) {
unsigned int corrupted_input = ctx->corrupted_input;
ret = cli_scanpe(ctx);
ctx->corrupted_input = corrupted_input;
}
perf_nested_stop(ctx, PERFT_PE, PERFT_SCAN);
break; |
abe33926 |
case CL_TYPE_ELF:
perf_nested_start(ctx, PERFT_ELF, PERFT_SCAN);
ret = cli_unpackelf(ctx);
perf_nested_stop(ctx, PERFT_ELF, PERFT_SCAN);
break; |
1a75f6a5 |
case CL_TYPE_MACHO:
case CL_TYPE_MACHO_UNIBIN:
perf_nested_start(ctx, PERFT_MACHO, PERFT_SCAN);
ret = cli_unpackmacho(ctx);
perf_nested_stop(ctx, PERFT_MACHO, PERFT_SCAN);
break; |
288057e9 |
case CL_TYPE_BINARY_DATA:
ret = cli_fmap_scandesc(ctx, CL_TYPE_OTHER, 0, NULL, AC_SCAN_VIR, NULL, NULL);
break;
default:
break; |
77e4bb11 |
} |
2587dbab |
|
d91ab809 |
ctx->recursion--; |
f4e34215 |
cli_bitset_free(ctx->hook_lsig_matches);
ctx->hook_lsig_matches = old_hook_lsig_matches; |
77e4bb11 |
|
288057e9 |
switch (ret) {
/* Malformed file cases */
case CL_EFORMAT:
case CL_EREAD:
case CL_EUNPACK:
/* Limits exceeded */
case CL_EMAXREC:
case CL_EMAXSIZE:
case CL_EMAXFILES:
cli_dbgmsg("Descriptor[%d]: %s\n", fmap_fd(*ctx->fmap), cl_strerror(ret)); |
ff2d5e61 |
#if HAVE_JSON |
288057e9 |
ctx->wrkproperty = parent_property; |
ff2d5e61 |
#endif |
288057e9 |
return magic_scandesc_cleanup(ctx, type, hash, hashed_size, cache_clean, CL_CLEAN, parent_property);
case CL_CLEAN:
cache_clean = 1; |
ff2d5e61 |
#if HAVE_JSON |
288057e9 |
ctx->wrkproperty = parent_property; |
ff2d5e61 |
#endif |
288057e9 |
return magic_scandesc_cleanup(ctx, type, hash, hashed_size, cache_clean, CL_CLEAN, parent_property);
default:
return magic_scandesc_cleanup(ctx, type, hash, hashed_size, cache_clean, ret, parent_property); |
322bfd03 |
} |
e3aaff8e |
}
|
168f6e52 |
static cl_error_t cli_base_scandesc(int desc, const char *filepath, cli_ctx *ctx, cli_file_t type) |
7770d314 |
{ |
a2a004df |
STATBUF sb; |
168f6e52 |
cl_error_t status = CL_CLEAN;
if (!ctx) {
return CL_EARG;
} |
b7ae31f1 |
|
01eebc13 |
const char *parent_filepath = ctx->sub_filepath; |
288057e9 |
ctx->sub_filepath = filepath; |
01eebc13 |
|
b7ae31f1 |
#ifdef HAVE__INTERNAL__SHA_COLLECT |
7b1f1aaf |
if (ctx->sha_collect > 0)
ctx->sha_collect = 0; |
b7ae31f1 |
#endif
cli_dbgmsg("in cli_magic_scandesc (reclevel: %u/%u)\n", ctx->recursion, ctx->engine->maxreclevel); |
288057e9 |
if (FSTAT(desc, &sb) == -1) { |
7b1f1aaf |
cli_errmsg("magic_scandesc: Can't fstat descriptor %d\n", desc); |
168f6e52 |
status = CL_ESTAT;
cli_dbgmsg("cli_magic_scandesc: returning %d %s (no post, no cache)\n", status, __AT__); |
c31a98d5 |
goto done; |
b7ae31f1 |
} |
288057e9 |
if (sb.st_size <= 5) { |
7b1f1aaf |
cli_dbgmsg("Small data (%u bytes)\n", (unsigned int)sb.st_size); |
168f6e52 |
status = CL_CLEAN;
cli_dbgmsg("cli_magic_scandesc: returning %d %s (no post, no cache)\n", status, __AT__); |
c31a98d5 |
goto done; |
b7ae31f1 |
}
ctx->fmap++;
perf_start(ctx, PERFT_MAP); |
288057e9 |
if (!(*ctx->fmap = fmap(desc, 0, sb.st_size))) { |
7b1f1aaf |
cli_errmsg("CRITICAL: fmap() failed\n");
ctx->fmap--;
perf_stop(ctx, PERFT_MAP); |
168f6e52 |
status = CL_EMEM;
cli_dbgmsg("cli_magic_scandesc: returning %d %s (no post, no cache)\n", status, __AT__); |
c31a98d5 |
goto done; |
b7ae31f1 |
}
perf_stop(ctx, PERFT_MAP);
|
168f6e52 |
status = magic_scandesc(ctx, type); |
b7ae31f1 |
funmap(*ctx->fmap);
ctx->fmap--; |
01eebc13 |
|
168f6e52 |
done: |
01eebc13 |
ctx->sub_filepath = parent_filepath;
|
168f6e52 |
return status; |
7770d314 |
}
|
01eebc13 |
int cli_magic_scandesc(int desc, const char *filepath, cli_ctx *ctx) |
1d1c4b15 |
{ |
01eebc13 |
return cli_base_scandesc(desc, filepath, ctx, CL_TYPE_ANY); |
1d1c4b15 |
}
/* Have to keep partition typing separate */ |
01eebc13 |
int cli_partition_scandesc(int desc, const char *filepath, cli_ctx *ctx) |
1d1c4b15 |
{ |
01eebc13 |
return cli_base_scandesc(desc, filepath, ctx, CL_TYPE_PART_ANY); |
1d1c4b15 |
}
|
b7ae31f1 |
int cli_magic_scandesc_type(cli_ctx *ctx, cli_file_t type) |
7770d314 |
{ |
b7ae31f1 |
return magic_scandesc(ctx, type); |
7770d314 |
}
|
288057e9 |
int cl_scandesc(int desc, const char *filename, const char **virname, unsigned long int *scanned, const struct cl_engine *engine, struct cl_scan_options *scanoptions) |
edbba730 |
{ |
01eebc13 |
return cl_scandesc_callback(desc, filename, virname, scanned, engine, scanoptions, NULL); |
edbba730 |
}
|
3cab931d |
/* For map scans that may be forced to disk */ |
328a3325 |
int cli_map_scan(cl_fmap_t *map, off_t offset, size_t length, cli_ctx *ctx, cli_file_t type) |
3cab931d |
{ |
288057e9 |
off_t old_off = map->nested_offset; |
3cab931d |
size_t old_len = map->len; |
288057e9 |
int ret = CL_CLEAN; |
3cab931d |
cli_dbgmsg("cli_map_scan: [%ld, +%lu)\n", |
7b1f1aaf |
(long)offset, (unsigned long)length); |
288057e9 |
if (offset < 0 || (size_t)offset >= old_len) { |
7b1f1aaf |
cli_dbgmsg("Invalid offset: %ld\n", (long)offset);
return CL_CLEAN; |
3cab931d |
}
|
288057e9 |
if (ctx->engine->engine_options & ENGINE_OPTIONS_FORCE_TO_DISK) { |
3cab931d |
/* if this is forced to disk, then need to write the nested map and scan it */
const uint8_t *mapdata = NULL; |
288057e9 |
char *tempfile = NULL;
int fd = -1;
size_t nread = 0; |
3cab931d |
|
a4ce85ce |
/* Then check length */ |
7b1f1aaf |
if (!length)
length = old_len - offset; |
288057e9 |
if (length > old_len - offset) { |
a4ce85ce |
cli_dbgmsg("cli_map_scan: Data truncated: %lu -> %lu\n",
(unsigned long)length, (unsigned long)(old_len - offset));
length = old_len - offset;
} |
288057e9 |
if (length <= 5) { |
7b1f1aaf |
cli_dbgmsg("cli_map_scan: Small data (%u bytes)\n", (unsigned int)length); |
a4ce85ce |
return CL_CLEAN;
} |
288057e9 |
if (!CLI_ISCONTAINED(old_off, old_len, old_off + offset, length)) { |
4cd97da4 |
cli_dbgmsg("cli_map_scan: map error occurred [%ld, %zu]\n",
(long)old_off, old_len); |
a4ce85ce |
return CL_CLEAN;
}
/* Length checked, now get map */ |
3cab931d |
mapdata = fmap_need_off_once_len(map, offset, length, &nread); |
288057e9 |
if (!mapdata || (nread != length)) { |
3cab931d |
cli_errmsg("cli_map_scan: could not map sub-file\n");
return CL_EMAP;
}
ret = cli_gentempfd(ctx->engine->tmpdir, &tempfile, &fd); |
288057e9 |
if (ret != CL_SUCCESS) { |
3cab931d |
return ret;
}
cli_dbgmsg("cli_map_scan: writing nested map content to temp file %s\n", tempfile); |
6c03dc5d |
if (cli_writen(fd, mapdata, length) == (size_t)-1) { |
3cab931d |
cli_errmsg("cli_map_scan: cli_writen error writing subdoc temporary file.\n");
ret = CL_EWRITE;
}
/* scan the temp file */ |
01eebc13 |
ret = cli_base_scandesc(fd, tempfile, ctx, type); |
3cab931d |
/* remove the temp file, if needed */ |
288057e9 |
if (fd >= 0) { |
3cab931d |
close(fd);
} |
288057e9 |
if (!ctx->engine->keeptmp) {
if (cli_unlink(tempfile)) { |
3cab931d |
cli_errmsg("cli_map_scan: error unlinking tempfile %s\n", tempfile);
ret = CL_EUNLINK;
}
}
free(tempfile); |
288057e9 |
} else { |
3cab931d |
/* Not forced to disk, use nested map */ |
328a3325 |
ret = cli_map_scandesc(map, offset, length, ctx, type); |
3cab931d |
}
return ret;
}
/* For map scans that are not forced to disk */ |
328a3325 |
int cli_map_scandesc(cl_fmap_t *map, off_t offset, size_t length, cli_ctx *ctx, cli_file_t type) |
c06374fe |
{ |
288057e9 |
off_t old_off = map->nested_offset;
size_t old_len = map->len; |
c647912b |
size_t old_real_len = map->real_len; |
288057e9 |
int ret = CL_CLEAN; |
c06374fe |
|
0b3b2924 |
cli_dbgmsg("cli_map_scandesc: [%ld, +%lu), [%ld, +%lu)\n", |
7b1f1aaf |
(long)old_off, (unsigned long)old_len,
(long)offset, (unsigned long)length); |
288057e9 |
if (offset < 0 || (size_t)offset >= old_len) { |
7b1f1aaf |
cli_dbgmsg("Invalid offset: %ld\n", (long)offset);
return CL_CLEAN; |
87f76399 |
}
|
7b1f1aaf |
if (!length)
length = old_len - offset; |
288057e9 |
if (length > old_len - offset) { |
7b1f1aaf |
cli_dbgmsg("Data truncated: %zu -> %zu\n", |
288057e9 |
length, old_len - (size_t)offset); |
7b1f1aaf |
length = old_len - (size_t)offset; |
87f76399 |
}
|
288057e9 |
if (length <= 5) { |
7b1f1aaf |
cli_dbgmsg("Small data (%u bytes)\n", (unsigned int)length);
return CL_CLEAN; |
c06374fe |
}
ctx->fmap++;
*ctx->fmap = map; |
87f76399 |
/* can't change offset because then we'd have to discard/move cached
* data, instead use another offset to reuse the already cached data */
map->nested_offset += offset; |
288057e9 |
map->len = length; |
87f76399 |
map->real_len = map->nested_offset + length; |
288057e9 |
if (CLI_ISCONTAINED(old_off, old_len, map->nested_offset, map->len)) { |
7b1f1aaf |
ret = magic_scandesc(ctx, type); |
288057e9 |
} else { |
7b1f1aaf |
long long len1, len2;
len1 = old_off + old_len; |
0b3b2924 |
len2 = map->nested_offset + map->len; |
7b1f1aaf |
cli_warnmsg("internal map error: %lu, %llu; %lu, %llu\n", (long unsigned)old_off,
(long long unsigned)len1, (long unsigned)map->offset, (long long unsigned)len2); |
87f76399 |
} |
c06374fe |
|
81e57728 |
ctx->fmap--; |
87f76399 |
map->nested_offset = old_off; |
288057e9 |
map->len = old_len;
map->real_len = old_real_len; |
c06374fe |
return ret;
}
|
b3a8f998 |
int cli_mem_scandesc(const void *buffer, size_t length, cli_ctx *ctx)
{
int ret;
fmap_t *map = cl_fmap_open_memory(buffer, length); |
288057e9 |
if (!map) { |
7b1f1aaf |
return CL_EMAP; |
b3a8f998 |
} |
328a3325 |
ret = cli_map_scan(map, 0, length, ctx, CL_TYPE_ANY); |
b3a8f998 |
cl_fmap_close(map);
return ret;
}
|
01eebc13 |
/** |
49df8ea7 |
* @brief The main function to initiate a scan, that may be invoked with a file descriptor or a file map.
* |
01eebc13 |
* @param desc File descriptor of an open file. The caller must provide this or the map.
* @param map File map. The caller must provide this or the desc.
* @param filepath (optional, recommended) filepath of the open file descriptor or file map.
* @param[out] virname Will be set to a statically allocated (i.e. needs not be freed) signature name if the scan matches against a signature.
* @param[out] scanned The number of bytes scanned.
* @param engine The scanning engine.
* @param scanoptions Scanning options.
* @param[in/out] context An opaque context structure allowing the caller to record details about the sample being scanned.
* @return int CL_CLEAN, CL_VIRUS, or an error code if an error occured during the scan.
*/ |
288057e9 |
static cl_error_t scan_common(int desc, cl_fmap_t *map, const char *filepath, const char **virname, unsigned long int *scanned, const struct cl_engine *engine, struct cl_scan_options *scanoptions, void *context) |
aa7380df |
{
cli_ctx ctx;
int rc; |
c6f5ef98 |
STATBUF sb;
|
99ee2138 |
/* We have a limit of around 2.17GB (INT_MAX - 2). Enforce it here. */ |
288057e9 |
if (map != NULL) { |
99ee2138 |
if ((size_t)(map->real_len) > (size_t)(INT_MAX - 2))
return CL_CLEAN; |
288057e9 |
} else { |
c6f5ef98 |
if (FSTAT(desc, &sb))
return CL_ESTAT;
|
1dd0e335 |
if ((unsigned long long)(sb.st_size) > (unsigned long long)(INT_MAX - 2)) |
c6f5ef98 |
return CL_CLEAN;
} |
aa7380df |
memset(&ctx, '\0', sizeof(cli_ctx)); |
288057e9 |
ctx.engine = engine; |
aa7380df |
ctx.virname = virname;
ctx.scanned = scanned; |
048a88e6 |
ctx.options = malloc(sizeof(struct cl_scan_options));
memcpy(ctx.options, scanoptions, sizeof(struct cl_scan_options)); |
aa7380df |
ctx.found_possibly_unwanted = 0; |
288057e9 |
ctx.containers = cli_calloc(sizeof(cli_ctx_container), ctx.engine->maxreclevel + 2); |
7b1f1aaf |
if (!ctx.containers)
return CL_EMEM; |
031fe00a |
cli_set_container(&ctx, CL_TYPE_ANY, 0); |
288057e9 |
ctx.dconf = (struct cli_dconf *)engine->dconf; |
aa7380df |
ctx.cb_ctx = context; |
288057e9 |
ctx.fmap = cli_calloc(sizeof(fmap_t *), ctx.engine->maxreclevel + 2); |
7b1f1aaf |
if (!ctx.fmap)
return CL_EMEM; |
288057e9 |
if (!(ctx.hook_lsig_matches = cli_bitset_init())) { |
7b1f1aaf |
free(ctx.fmap);
return CL_EMEM; |
aa7380df |
} |
63feb6cd |
perf_init(&ctx); |
aa7380df |
|
288057e9 |
if (ctx.options->general & CL_SCAN_GENERAL_COLLECT_METADATA && ctx.engine->time_limit != 0) {
if (gettimeofday(&ctx.time_limit, NULL) == 0) {
uint32_t secs = ctx.engine->time_limit / 1000; |
49b33289 |
uint32_t usecs = (ctx.engine->time_limit % 1000) * 1000;
ctx.time_limit.tv_sec += secs;
ctx.time_limit.tv_usec += usecs; |
288057e9 |
if (ctx.time_limit.tv_usec >= 1000000) { |
49b33289 |
ctx.time_limit.tv_usec -= 1000000;
ctx.time_limit.tv_sec++;
} |
288057e9 |
} else { |
49b33289 |
char buf[64];
cli_dbgmsg("scan_common; gettimeofday error: %s\n", cli_strerror(errno, buf, 64));
}
}
|
49df8ea7 |
/* Best effort to determine the filename if not provided. |
01eebc13 |
* May still be NULL if filename could not be determined. */ |
288057e9 |
if (filepath == NULL) { |
01eebc13 |
char *fpath = NULL; |
7b1f1aaf |
|
01eebc13 |
if (desc >= 0) { |
288057e9 |
(void)cli_get_filepath_from_filedesc(desc, &fpath); |
7b1f1aaf |
} |
01eebc13 |
ctx.target_filepath = fpath;
} else {
ctx.target_filepath = strdup(filepath); |
7b1f1aaf |
} |
aa7380df |
|
769f37a6 |
cli_logg_setup(&ctx); |
288057e9 |
rc = map ? cli_map_scandesc(map, 0, map->len, &ctx, CL_TYPE_ANY) |
01eebc13 |
: cli_magic_scandesc(desc, ctx.target_filepath, &ctx); |
aa7380df |
|
2a3d247b |
#if HAVE_JSON |
288057e9 |
if (ctx.options->general & CL_SCAN_GENERAL_COLLECT_METADATA && (ctx.properties != NULL)) { |
90f830e7 |
json_object *jobj;
const char *jstring;
/* set value of unique root object tag */ |
288057e9 |
if (json_object_object_get_ex(ctx.properties, "FileType", &jobj)) { |
90f830e7 |
enum json_type type;
const char *jstr;
type = json_object_get_type(jobj); |
288057e9 |
if (type == json_type_string) { |
90f830e7 |
jstr = json_object_get_string(jobj);
cli_jsonstr(ctx.properties, "RootFileType", jstr);
}
}
|
6606d050 |
/* serialize json properties to string */ |
90f830e7 |
jstring = json_object_to_json_string(ctx.properties); |
288057e9 |
if (NULL == jstring) { |
e56f0949 |
cli_errmsg("scan_common: no memory for json serialization.\n"); |
5043b1f3 |
rc = CL_EMEM; |
288057e9 |
} else {
int ret = CL_SUCCESS; |
09b1357a |
struct cli_matcher *iroot = ctx.engine->root[13]; |
6606d050 |
cli_dbgmsg("%s\n", jstring); |
f66533de |
|
288057e9 |
if (rc != CL_VIRUS) { |
514dfa1e |
/* run bytecode preclass hook; generate fmap if needed for running hook */ |
47c2d618 |
struct cli_bc_ctx *bc_ctx = cli_bytecode_context_alloc(); |
288057e9 |
if (!bc_ctx) { |
47c2d618 |
cli_errmsg("scan_common: can't allocate memory for bc_ctx\n");
rc = CL_EMEM; |
288057e9 |
} else { |
11616983 |
fmap_t *pc_map = map;
|
288057e9 |
if (!pc_map) { |
11616983 |
perf_start(&ctx, PERFT_MAP); |
288057e9 |
if (!(pc_map = fmap(desc, 0, sb.st_size))) { |
11616983 |
perf_stop(&ctx, PERFT_MAP);
rc = CL_EMEM;
}
perf_stop(&ctx, PERFT_MAP);
}
|
288057e9 |
if (pc_map) { |
11616983 |
cli_bytecode_context_setctx(bc_ctx, &ctx);
rc = cli_bytecode_runhook(&ctx, ctx.engine, bc_ctx, BC_PRECLASS, pc_map);
} |
50876732 |
cli_bytecode_context_destroy(bc_ctx); |
47c2d618 |
} |
514dfa1e |
/* backwards compatibility: scan the json string unless a virus was detected */ |
288057e9 |
if (rc != CL_VIRUS && (iroot->ac_lsigs || iroot->ac_patterns |
72691885 |
#ifdef HAVE_PCRE |
288057e9 |
|| iroot->pcre_metas |
72691885 |
#endif |
288057e9 |
)) { |
5f1ada67 |
cli_dbgmsg("scan_common: running deprecated preclass bytecodes for target type 13\n"); |
048a88e6 |
ctx.options->general &= ~CL_SCAN_GENERAL_COLLECT_METADATA; |
514dfa1e |
rc = cli_mem_scandesc(jstring, strlen(jstring), &ctx);
} |
6606d050 |
} |
5043b1f3 |
|
6606d050 |
/* Invoke file props callback */ |
288057e9 |
if (ctx.engine->cb_file_props != NULL) { |
20a3b53b |
ret = ctx.engine->cb_file_props(jstring, rc, ctx.cb_ctx); |
6606d050 |
if (ret != CL_SUCCESS)
rc = ret;
}
/* keeptmp file processing for file properties json string */ |
288057e9 |
if (ctx.engine->keeptmp) {
int fd = -1; |
7b1f1aaf |
char *tmpname = NULL; |
288057e9 |
if ((ret = cli_gentempfd(ctx.engine->tmpdir, &tmpname, &fd)) != CL_SUCCESS) { |
6606d050 |
cli_dbgmsg("scan_common: Can't create json properties file, ret = %i.\n", ret); |
288057e9 |
} else { |
6c03dc5d |
if (cli_writen(fd, jstring, strlen(jstring)) == (size_t)-1) |
6606d050 |
cli_dbgmsg("scan_common: cli_writen error writing json properties file.\n");
else |
c2ff4bf4 |
cli_dbgmsg("json written to: %s\n", tmpname); |
5043b1f3 |
} |
6606d050 |
if (fd != -1)
close(fd);
if (NULL != tmpname)
free(tmpname); |
5043b1f3 |
}
} |
8e586053 |
cli_json_delobj(ctx.properties); /* frees all json memory */ |
49b33289 |
#if 0
// test code - to be deleted
if (cli_checktimelimit(&ctx) != CL_SUCCESS) {
cli_errmsg("scan_common: timeout!\n");
rc = CL_ETIMEOUT;
}
#endif |
e56f0949 |
}
#endif
|
288057e9 |
if (rc == CL_CLEAN) { |
048a88e6 |
if ((ctx.found_possibly_unwanted) || |
288057e9 |
((ctx.num_viruses != 0) &&
((ctx.options->general & CL_SCAN_GENERAL_ALLMATCHES) ||
(ctx.options->heuristic & CL_SCAN_HEURISTIC_EXCEEDS_MAX)))) |
7b1f1aaf |
rc = CL_VIRUS; |
1f1bf36b |
} |
048a88e6 |
|
01eebc13 |
if (NULL != ctx.target_filepath) {
free(ctx.target_filepath);
} |
048a88e6 |
free(ctx.containers);
cli_bitset_free(ctx.hook_lsig_matches);
free(ctx.fmap);
free(ctx.options); |
4aa7baf1 |
cli_logg_unsetup(); |
63feb6cd |
perf_done(&ctx); |
aa7380df |
return rc;
}
|
01eebc13 |
int cl_scandesc_callback(int desc, const char *filename, const char **virname, unsigned long int *scanned, const struct cl_engine *engine, struct cl_scan_options *scanoptions, void *context) |
c06374fe |
{ |
01eebc13 |
return scan_common(desc, NULL, filename, virname, scanned, engine, scanoptions, context); |
c06374fe |
}
|
01eebc13 |
int cl_scanmap_callback(cl_fmap_t *map, const char *filename, const char **virname, unsigned long int *scanned, const struct cl_engine *engine, struct cl_scan_options *scanoptions, void *context) |
c06374fe |
{ |
01eebc13 |
return scan_common(-1, map, filename, virname, scanned, engine, scanoptions, context); |
c06374fe |
}
|
7b1f1aaf |
int cli_found_possibly_unwanted(cli_ctx *ctx) |
7f0d1148 |
{ |
288057e9 |
if (cli_get_last_virus(ctx)) { |
7b1f1aaf |
cli_dbgmsg("found Possibly Unwanted: %s\n", cli_get_last_virus(ctx)); |
288057e9 |
if (SCAN_HEURISTIC_PRECEDENCE) { |
7b1f1aaf |
/* we found a heuristic match, don't scan further,
* but consider it a virus. */
cli_dbgmsg("cli_found_possibly_unwanted: CL_VIRUS\n");
return CL_VIRUS;
}
/* heuristic scan isn't taking precedence, keep scanning. |
49df8ea7 |
* If this is part of an archive, and
* we find a real malware we report that instead of the |
7b1f1aaf |
* heuristic match */
ctx->found_possibly_unwanted = 1; |
288057e9 |
} else { |
7b1f1aaf |
cli_warnmsg("cli_found_possibly_unwanted called, but virname is not set\n"); |
6ad45a29 |
}
emax_reached(ctx);
return CL_CLEAN; |
7f0d1148 |
}
|
3c91998b |
static int cli_scanfile(const char *filename, cli_ctx *ctx) |
21cf4aeb |
{ |
7b1f1aaf |
int fd, ret; |
21cf4aeb |
|
22275b15 |
/* internal version of cl_scanfile with arec/mrec preserved */ |
7b1f1aaf |
if ((fd = safe_open(filename, O_RDONLY | O_BINARY)) == -1)
return CL_EOPEN; |
21cf4aeb |
|
01eebc13 |
ret = cli_magic_scandesc(fd, filename, ctx); |
21cf4aeb |
close(fd);
return ret;
}
|
288057e9 |
int cl_scanfile(const char *filename, const char **virname, unsigned long int *scanned, const struct cl_engine *engine, struct cl_scan_options *scanoptions) |
e3aaff8e |
{ |
769f37a6 |
return cl_scanfile_callback(filename, virname, scanned, engine, scanoptions, NULL); |
e3aaff8e |
} |
72ce4b70 |
|
288057e9 |
int cl_scanfile_callback(const char *filename, const char **virname, unsigned long int *scanned, const struct cl_engine *engine, struct cl_scan_options *scanoptions, void *context) |
edbba730 |
{ |
7b1f1aaf |
int fd, ret;
const char *fname = cli_to_utf8_maybe_alloc(filename); |
edbba730 |
|
7b1f1aaf |
if (!fname)
return CL_EARG; |
8ab47ebe |
|
7b1f1aaf |
if ((fd = safe_open(fname, O_RDONLY | O_BINARY)) == -1)
return CL_EOPEN; |
edbba730 |
|
7b1f1aaf |
if (fname != filename) |
01eebc13 |
free((char *)fname); |
8ab47ebe |
|
01eebc13 |
ret = cl_scandesc_callback(fd, filename, virname, scanned, engine, scanoptions, context); |
edbba730 |
close(fd);
return ret;
}
|
72ce4b70 |
/*
Local Variables:
c-basic-offset: 4
End:
*/ |