...
|
...
|
@@ -418,118 +418,126 @@ void cli_targetinfo(struct cli_target_info *info, unsigned int target, fmap_t *m
|
418
|
418
|
|
419
|
419
|
int cli_checkfp(unsigned char *digest, size_t size, cli_ctx *ctx)
|
420
|
420
|
{
|
421
|
|
- char md5[33];
|
422
|
|
- unsigned int i;
|
423
|
|
- const char *virname=NULL;
|
424
|
|
- SHA1Context sha1;
|
425
|
|
- SHA256_CTX sha256;
|
426
|
|
- fmap_t *map;
|
427
|
|
- const char *ptr;
|
428
|
|
- uint8_t shash1[SHA1_HASH_SIZE*2+1];
|
429
|
|
- uint8_t shash256[SHA256_HASH_SIZE*2+1];
|
430
|
|
- int have_sha1, have_sha256, do_dsig_check = 1;
|
|
421
|
+ char md5[33];
|
|
422
|
+ unsigned int i;
|
|
423
|
+ const char *virname=NULL;
|
|
424
|
+ SHA1Context sha1;
|
|
425
|
+ SHA256_CTX sha256;
|
|
426
|
+ fmap_t *map;
|
|
427
|
+ const char *ptr;
|
|
428
|
+ uint8_t shash1[SHA1_HASH_SIZE*2+1];
|
|
429
|
+ uint8_t shash256[SHA256_HASH_SIZE*2+1];
|
|
430
|
+ int have_sha1, have_sha256, do_dsig_check = 1;
|
431
|
431
|
|
432
|
432
|
if(cli_hm_scan(digest, size, &virname, ctx->engine->hm_fp, CLI_HASH_MD5) == CL_VIRUS) {
|
433
|
|
- cli_dbgmsg("cli_checkfp(md5): Found false positive detection (fp sig: %s), size: %d\n", virname, (int)size);
|
434
|
|
- return CL_CLEAN;
|
|
433
|
+ cli_dbgmsg("cli_checkfp(md5): Found false positive detection (fp sig: %s), size: %d\n", virname, (int)size);
|
|
434
|
+ return CL_CLEAN;
|
435
|
435
|
}
|
436
|
436
|
else if(cli_hm_scan_wild(digest, &virname, ctx->engine->hm_fp, CLI_HASH_MD5) == CL_VIRUS) {
|
437
|
|
- cli_dbgmsg("cli_checkfp(md5): Found false positive detection (fp sig: %s), size: *\n", virname);
|
438
|
|
- return CL_CLEAN;
|
|
437
|
+ cli_dbgmsg("cli_checkfp(md5): Found false positive detection (fp sig: %s), size: *\n", virname);
|
|
438
|
+ return CL_CLEAN;
|
439
|
439
|
}
|
440
|
440
|
|
441
|
441
|
if(cli_debug_flag || ctx->engine->cb_hash) {
|
442
|
|
- for(i = 0; i < 16; i++)
|
443
|
|
- sprintf(md5 + i * 2, "%02x", digest[i]);
|
444
|
|
- md5[32] = 0;
|
445
|
|
- cli_dbgmsg("FP SIGNATURE: %s:%u:%s\n", md5, (unsigned int) size,
|
446
|
|
- cli_get_last_virus(ctx) ? cli_get_last_virus(ctx) : "Name");
|
|
442
|
+ for(i = 0; i < 16; i++)
|
|
443
|
+ sprintf(md5 + i * 2, "%02x", digest[i]);
|
|
444
|
+ md5[32] = 0;
|
|
445
|
+ cli_dbgmsg("FP SIGNATURE: %s:%u:%s\n", md5, (unsigned int) size,
|
|
446
|
+ cli_get_last_virus(ctx) ? cli_get_last_virus(ctx) : "Name");
|
447
|
447
|
}
|
448
|
448
|
|
449
|
449
|
if(cli_get_last_virus(ctx))
|
450
|
|
- do_dsig_check = strncmp("W32S.", cli_get_last_virus(ctx), 5);
|
|
450
|
+ do_dsig_check = strncmp("W32S.", cli_get_last_virus(ctx), 5);
|
451
|
451
|
|
452
|
452
|
map = *ctx->fmap;
|
453
|
453
|
have_sha1 = cli_hm_have_size(ctx->engine->hm_fp, CLI_HASH_SHA1, size)
|
454
|
|
- || cli_hm_have_wild(ctx->engine->hm_fp, CLI_HASH_SHA1)
|
455
|
|
- || (cli_hm_have_size(ctx->engine->hm_fp, CLI_HASH_SHA1, 1) && do_dsig_check);
|
|
454
|
+ || cli_hm_have_wild(ctx->engine->hm_fp, CLI_HASH_SHA1)
|
|
455
|
+ || (cli_hm_have_size(ctx->engine->hm_fp, CLI_HASH_SHA1, 1) && do_dsig_check);
|
456
|
456
|
have_sha256 = cli_hm_have_size(ctx->engine->hm_fp, CLI_HASH_SHA256, size)
|
457
|
|
- || cli_hm_have_wild(ctx->engine->hm_fp, CLI_HASH_SHA256);
|
|
457
|
+ || cli_hm_have_wild(ctx->engine->hm_fp, CLI_HASH_SHA256);
|
458
|
458
|
if(have_sha1 || have_sha256) {
|
459
|
|
- if((ptr = fmap_need_off_once(map, 0, size))) {
|
460
|
|
- if(have_sha1) {
|
461
|
|
- SHA1Init(&sha1);
|
462
|
|
- SHA1Update(&sha1, ptr, size);
|
463
|
|
- SHA1Final(&sha1, &shash1[SHA1_HASH_SIZE]);
|
464
|
|
- if(cli_hm_scan(&shash1[SHA1_HASH_SIZE], size, &virname, ctx->engine->hm_fp, CLI_HASH_SHA1) == CL_VIRUS) {
|
465
|
|
- cli_dbgmsg("cli_checkfp(sha1): Found false positive detection (fp sig: %s)\n", virname);
|
466
|
|
- return CL_CLEAN;
|
467
|
|
- }
|
468
|
|
- if(cli_hm_scan_wild(&shash1[SHA1_HASH_SIZE], &virname, ctx->engine->hm_fp, CLI_HASH_SHA1) == CL_VIRUS) {
|
469
|
|
- cli_dbgmsg("cli_checkfp(sha1): Found false positive detection (fp sig: %s)\n", virname);
|
470
|
|
- return CL_CLEAN;
|
471
|
|
- }
|
472
|
|
- if(do_dsig_check && cli_hm_scan(&shash1[SHA1_HASH_SIZE], 1, &virname, ctx->engine->hm_fp, CLI_HASH_SHA1) == CL_VIRUS) {
|
473
|
|
- cli_dbgmsg("cli_checkfp(sha1): Found false positive detection via catalog file\n");
|
474
|
|
- return CL_CLEAN;
|
475
|
|
- }
|
476
|
|
- }
|
477
|
|
- if(have_sha256) {
|
478
|
|
- sha256_init(&sha256);
|
479
|
|
- sha256_update(&sha256, ptr, size);
|
480
|
|
- sha256_final(&sha256, &shash256[SHA256_HASH_SIZE]);
|
481
|
|
- if(cli_hm_scan(&shash256[SHA256_HASH_SIZE], size, &virname, ctx->engine->hm_fp, CLI_HASH_SHA256) == CL_VIRUS) {
|
482
|
|
- cli_dbgmsg("cli_checkfp(sha256): Found false positive detection (fp sig: %s)\n", virname);
|
483
|
|
- return CL_CLEAN;
|
484
|
|
- }
|
485
|
|
- if(cli_hm_scan_wild(&shash256[SHA256_HASH_SIZE], &virname, ctx->engine->hm_fp, CLI_HASH_SHA256) == CL_VIRUS) {
|
486
|
|
- cli_dbgmsg("cli_checkfp(sha256): Found false positive detection (fp sig: %s)\n", virname);
|
487
|
|
- return CL_CLEAN;
|
488
|
|
- }
|
489
|
|
- }
|
490
|
|
- }
|
|
459
|
+ if((ptr = fmap_need_off_once(map, 0, size))) {
|
|
460
|
+ if(have_sha1) {
|
|
461
|
+ SHA1Init(&sha1);
|
|
462
|
+ SHA1Update(&sha1, ptr, size);
|
|
463
|
+ SHA1Final(&sha1, &shash1[SHA1_HASH_SIZE]);
|
|
464
|
+
|
|
465
|
+ if(cli_hm_scan(&shash1[SHA1_HASH_SIZE], size, &virname, ctx->engine->hm_fp, CLI_HASH_SHA1) == CL_VIRUS) {
|
|
466
|
+ cli_dbgmsg("cli_checkfp(sha1): Found false positive detection (fp sig: %s)\n", virname);
|
|
467
|
+ return CL_CLEAN;
|
|
468
|
+ }
|
|
469
|
+ if(cli_hm_scan_wild(&shash1[SHA1_HASH_SIZE], &virname, ctx->engine->hm_fp, CLI_HASH_SHA1) == CL_VIRUS) {
|
|
470
|
+ cli_dbgmsg("cli_checkfp(sha1): Found false positive detection (fp sig: %s)\n", virname);
|
|
471
|
+ return CL_CLEAN;
|
|
472
|
+ }
|
|
473
|
+ if(do_dsig_check && cli_hm_scan(&shash1[SHA1_HASH_SIZE], 1, &virname, ctx->engine->hm_fp, CLI_HASH_SHA1) == CL_VIRUS) {
|
|
474
|
+ cli_dbgmsg("cli_checkfp(sha1): Found false positive detection via catalog file\n");
|
|
475
|
+ return CL_CLEAN;
|
|
476
|
+ }
|
|
477
|
+ }
|
|
478
|
+
|
|
479
|
+ if(have_sha256) {
|
|
480
|
+ sha256_init(&sha256);
|
|
481
|
+ sha256_update(&sha256, ptr, size);
|
|
482
|
+ sha256_final(&sha256, &shash256[SHA256_HASH_SIZE]);
|
|
483
|
+
|
|
484
|
+ if(cli_hm_scan(&shash256[SHA256_HASH_SIZE], size, &virname, ctx->engine->hm_fp, CLI_HASH_SHA256) == CL_VIRUS) {
|
|
485
|
+ cli_dbgmsg("cli_checkfp(sha256): Found false positive detection (fp sig: %s)\n", virname);
|
|
486
|
+ return CL_CLEAN;
|
|
487
|
+ }
|
|
488
|
+ if(cli_hm_scan_wild(&shash256[SHA256_HASH_SIZE], &virname, ctx->engine->hm_fp, CLI_HASH_SHA256) == CL_VIRUS) {
|
|
489
|
+ cli_dbgmsg("cli_checkfp(sha256): Found false positive detection (fp sig: %s)\n", virname);
|
|
490
|
+ return CL_CLEAN;
|
|
491
|
+ }
|
|
492
|
+ }
|
|
493
|
+ }
|
491
|
494
|
}
|
492
|
495
|
|
493
|
496
|
#ifdef HAVE__INTERNAL__SHA_COLLECT
|
494
|
497
|
if((ctx->options & CL_SCAN_INTERNAL_COLLECT_SHA) && ctx->sha_collect>0) {
|
495
|
498
|
if((ptr = fmap_need_off_once(map, 0, size))) {
|
496
|
|
- if(!have_sha256) {
|
497
|
|
- sha256_init(&sha256);
|
498
|
|
- sha256_update(&sha256, ptr, size);
|
499
|
|
- sha256_final(&sha256, &shash256[SHA256_HASH_SIZE]);
|
500
|
|
- }
|
|
499
|
+ if(!have_sha256) {
|
|
500
|
+ sha256_init(&sha256);
|
|
501
|
+ sha256_update(&sha256, ptr, size);
|
|
502
|
+ sha256_final(&sha256, &shash256[SHA256_HASH_SIZE]);
|
|
503
|
+ }
|
|
504
|
+
|
501
|
505
|
for(i=0; i<SHA256_HASH_SIZE; i++)
|
502
|
506
|
sprintf((char *)shash256+i*2, "%02x", shash256[SHA256_HASH_SIZE+i]);
|
503
|
507
|
|
504
|
|
- if(!have_sha1) {
|
505
|
|
- SHA1Init(&sha1);
|
506
|
|
- SHA1Update(&sha1, ptr, size);
|
507
|
|
- SHA1Final(&sha1, &shash1[SHA1_HASH_SIZE]);
|
508
|
|
- }
|
|
508
|
+ if(!have_sha1) {
|
|
509
|
+ SHA1Init(&sha1);
|
|
510
|
+ SHA1Update(&sha1, ptr, size);
|
|
511
|
+ SHA1Final(&sha1, &shash1[SHA1_HASH_SIZE]);
|
|
512
|
+ }
|
|
513
|
+
|
509
|
514
|
for(i=0; i<SHA1_HASH_SIZE; i++)
|
510
|
515
|
sprintf((char *)shash1+i*2, "%02x", shash1[SHA1_HASH_SIZE+i]);
|
511
|
516
|
|
512
|
|
- cli_errmsg("COLLECT:%s:%s:%u:%s:%s\n", shash256, shash1, size, cli_get_last_virus(ctx), ctx->entry_filename);
|
|
517
|
+ cli_errmsg("COLLECT:%s:%s:%u:%s:%s\n", shash256, shash1, size, cli_get_last_virus(ctx), ctx->entry_filename);
|
513
|
518
|
} else
|
514
|
519
|
cli_errmsg("can't compute sha\n!");
|
|
520
|
+
|
515
|
521
|
ctx->sha_collect = -1;
|
516
|
522
|
}
|
517
|
523
|
#endif
|
518
|
524
|
|
519
|
525
|
if(do_dsig_check) {
|
520
|
|
- switch(cli_checkfp_pe(ctx, shash1)) {
|
521
|
|
- case CL_CLEAN:
|
522
|
|
- cli_dbgmsg("cli_checkfp(pe): PE file whitelisted due to valid embedded digital signature\n");
|
523
|
|
- return CL_CLEAN;
|
524
|
|
- case CL_VIRUS:
|
525
|
|
- if(cli_hm_scan(shash1, 2, &virname, ctx->engine->hm_fp, CLI_HASH_SHA1) == CL_VIRUS) {
|
526
|
|
- cli_dbgmsg("cli_checkfp(pe): PE file whitelisted by catalog file\n");
|
527
|
|
- return CL_CLEAN;
|
528
|
|
- }
|
529
|
|
- }
|
|
526
|
+ switch(cli_checkfp_pe(ctx, shash1)) {
|
|
527
|
+ case CL_CLEAN:
|
|
528
|
+ cli_dbgmsg("cli_checkfp(pe): PE file whitelisted due to valid embedded digital signature\n");
|
|
529
|
+ return CL_CLEAN;
|
|
530
|
+ case CL_VIRUS:
|
|
531
|
+ if(cli_hm_scan(shash1, 2, &virname, ctx->engine->hm_fp, CLI_HASH_SHA1) == CL_VIRUS) {
|
|
532
|
+ cli_dbgmsg("cli_checkfp(pe): PE file whitelisted by catalog file\n");
|
|
533
|
+
|
|
534
|
+ return CL_CLEAN;
|
|
535
|
+ }
|
|
536
|
+ }
|
530
|
537
|
}
|
|
538
|
+
|
531
|
539
|
if (ctx->engine->cb_hash)
|
532
|
|
- ctx->engine->cb_hash(fmap_fd(*ctx->fmap), size, md5, cli_get_last_virus(ctx), ctx->cb_ctx);
|
|
540
|
+ ctx->engine->cb_hash(fmap_fd(*ctx->fmap), size, md5, cli_get_last_virus(ctx), ctx->cb_ctx);
|
533
|
541
|
|
534
|
542
|
if (ctx->engine->cb_stats_add_sample)
|
535
|
543
|
ctx->engine->cb_stats_add_sample(cli_get_last_virus(ctx), digest, size, WHOLEFILE, ctx->engine->stats_data);
|