/* Detection-name prefix and the single name this bytecode may report;
 * entrypoint() passes "EmbedPE" to foundVirus().
 * NOTE(review): presumably the reported name is prefix + "." + name
 * (SUBMIT.contains.EmbedPE) - confirm against the bytecode compiler docs. */
VIRUSNAME_PREFIX("SUBMIT.contains")
VIRUSNAMES("EmbedPE")

/* Target type 0: the bytecode is not restricted to one file type */
TARGET(0)

/* Declares that this bytecode runs only as a preclassification hook (affecting only preclass files) */
PRECLASS_HOOK_DECLARE

/* JSON API calls require FUNC_LEVEL_098_5 = 78 */
/* PRECLASS_HOOK_DECLARE requires FUNC_LEVEL_098_7 = 80, the higher of the two, so it is the minimum */
FUNCTIONALITY_LEVEL_MIN(FUNC_LEVEL_098_7)

/* Capacity in bytes of the buffer that receives a JSON string, NUL terminator included */
#define STR_MAXLEN 256

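/*
 * Preclassification hook: walk the "ContainedObjects" array of the scan's
 * JSON metadata and report "EmbedPE" as soon as one element carries a
 * "FileType" string equal to "CL_TYPE_MSEXE".
 *
 * Returns -1 when the JSON API is inactive or "ContainedObjects" is not an
 * array, 0 otherwise (whether or not a match was reported).
 */
int entrypoint ()
{
    int i;
    /* 'len' rather than 'strlen': avoids shadowing the C library function name */
    int32_t type, obj, objarr, objit, arrlen, len;
    char str[STR_MAXLEN];

    /* nothing to inspect when the JSON properties are not being collected */
    if (!json_is_active()) {
        return -1;
    }

    /* look up the array of contained objects; 16 is the length of the key,
     * 0 is the object id the lookup starts from */
    objarr = json_get_object("ContainedObjects", 16, 0);
    type = json_get_type(objarr);
    /* debug print uint (no '\n' or prepended message) */
    debug_print_uint(type);

    /* also rejects a failed lookup, provided its id does not resolve to an array */
    if (type != JSON_TYPE_ARRAY) {
        return -1;
    }

    /* a non-positive length simply skips the loop */
    arrlen = json_get_array_length(objarr);
    for (i = 0; i < arrlen; ++i) {
        /* element at index i; non-positive ids are treated as "no object" */
        objit = json_get_array_idx(i, objarr);
        if (objit <= 0) continue;

        /* "FileType" member of that element; 8 is the length of the key */
        obj = json_get_object("FileType", 8, objit);
        if (obj <= 0) continue;

        /* only string-typed FileType values can be compared */
        if (json_get_type(obj) != JSON_TYPE_STRING) continue;

        /* string length plus one for the NUL terminator */
        len = json_get_string_length(obj) + 1;

        /* A failed length query must never reach json_get_string() as a
         * zero or negative buffer size.
         * NOTE(review): assumes json_get_string_length() signals failure with
         * a negative value - confirm against bytecode_api.h. */
        if (len <= 0) continue;

        /* clamp to the buffer capacity so the copy cannot overflow str[] */
        if (len > STR_MAXLEN)
            len = STR_MAXLEN;

        /* copy the string; len counts the NUL terminator */
        if (!json_get_string(str, len, obj)) continue;

        /* debug print str (with '\n' and prepended message) */
        debug_print_str(str, len);

        /* 14 = 13 characters of "CL_TYPE_MSEXE" + NUL; comparing the
         * terminator too makes this an exact match, not a prefix match */
        if (len == 14 && !memcmp(str, "CL_TYPE_MSEXE", 14)) {
            /* alert for submission */
            foundVirus("EmbedPE");
            return 0;
        }
    }

    return 0;
}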