@@ -63,6 +63,8 @@

 #include "ishield.h"

 #include "asn1.h"

+#include "json_api.h"

+

 #define DCONF ctx->dconf->pe

 #define PE_IMAGE_DOS_SIGNATURE	    0x5a4d	    /* MZ */

@@ -602,6 +604,110 @@ end:

     return ret;

 }

+#if HAVE_JSON

+static struct json_object *get_pe_property(cli_ctx *ctx)

+{

+    struct json_object *pe;

+

+    if (!(ctx) || !(ctx->wrkproperty))

+        return NULL;

+

+    pe = json_object_object_get(ctx->wrkproperty, "PE");

+    if (!(pe)) {

+        pe = json_object_new_object();

+        if (!(pe))

+            return NULL;

+

+        json_object_object_add(ctx->wrkproperty, "PE", pe);

+    }

+

+    return pe;

+}

+

+static void pe_add_heuristic_property(cli_ctx *ctx, const char *key)

+{

+    struct json_object *heuristics;

+    struct json_object *pe;

+    struct json_object *str;

+

+    pe = get_pe_property(ctx);

+    if (!(pe))

+        return;

+

+    heuristics = json_object_object_get(pe, "Heuristics");

+    if (!(heuristics)) {

+        heuristics = json_object_new_array();

+        if (!(heuristics))

+            return;

+

+        json_object_object_add(pe, "Heuristics", heuristics);

+    }

+

+    str = json_object_new_string(key);

+    if (!(str))

+        return;

+

+    json_object_array_add(heuristics, str);

+}

+

+static struct json_object *get_section_json(cli_ctx *ctx)

+{

+    struct json_object *pe;

+    struct json_object *section;

+

+    pe = get_pe_property(ctx);

+    if (!(pe))

+        return NULL;

+

+    section = json_object_object_get(pe, "Sections");

+    if (!(section)) {

+        section = json_object_new_array();

+        if (!(section))

+            return NULL;

+

+        json_object_object_add(pe, "Sections", section);

+    }

+

+    return section;

+}

+

+static void add_section_info(cli_ctx *ctx, struct cli_exe_section *s)

+{

+    struct json_object *sections, *section, *obj;

+    char address[16];

+

+    sections = get_section_json(ctx);

+    if (!(sections))

+        return;

+

+    section = json_object_new_object();

+    if (!(section))

+        return;

+

+    obj = json_object_new_int((int32_t)(s->rsz));

+    if (!(obj))

+        return;

+

+    json_object_object_add(section, "RawSize", obj);

+

+    obj = json_object_new_int((int32_t)(s->raw));

+    if (!(obj))

+        return;

+

+    json_object_object_add(section, "RawOffset", obj);

+

+    snprintf(address, sizeof(address), "0x%08x", s->rva);

+

+    obj = json_object_new_string(address);

+    if (!(obj))

+        return;

+

+    json_object_object_add(section, "VirtualAddress", obj);

+

+    json_object_array_add(sections, section);

+}

+#endif

+

 int cli_scanpe(cli_ctx *ctx)

 {

 	uint16_t e_magic; /* DOS signature ("MZ") */

@@ -638,12 +744,22 @@ int cli_scanpe(cli_ctx *ctx)

 	int sha_collect = ctx->sha_collect;

 #endif

 	const char * virname = NULL;

+    const char *archtype=NULL, *subsystem=NULL;

 	uint32_t viruses_found = 0;

+#if HAVE_JSON

+    struct json_object *pe_json=NULL;

+    char jsonbuf[128];

+#endif

     if(!ctx) {

 	cli_errmsg("cli_scanpe: ctx == NULL\n");

 	return CL_ENULLARG;

     }

+

+#if HAVE_JSON

+    if (ctx->options & CL_SCAN_FILE_PROPERTIES)

+        pe_json = get_pe_property(ctx);

+#endif

     map = *ctx->fmap;

     if(fmap_readn(map, &e_magic, 0, sizeof(e_magic)) != sizeof(e_magic)) {

 	cli_dbgmsg("Can't read DOS signature\n");

@@ -684,109 +800,127 @@ int cli_scanpe(cli_ctx *ctx)

     }

     if(EC16(file_hdr.Characteristics) & 0x2000) {

+#if HAVE_JSON

+        if ((pe_json))

+            cli_jsonstr(pe_json, "Type", "DLL");

+#endif

 	cli_dbgmsg("File type: DLL\n");

 	dll = 1;

     } else if(EC16(file_hdr.Characteristics) & 0x01) {

+#if HAVE_JSON

+        if ((pe_json))

+            cli_jsonstr(pe_json, "Type", "EXE");

+#endif

 	cli_dbgmsg("File type: Executable\n");

     }

     switch(EC16(file_hdr.Machine)) {

 	case 0x0:

-	    cli_dbgmsg("Machine type: Unknown\n");

+        archtype = "Unknown";

 	    break;

 	case 0x14c:

-	    cli_dbgmsg("Machine type: 80386\n");

+        archtype = "80386";

 	    break;

 	case 0x14d:

-	    cli_dbgmsg("Machine type: 80486\n");

+        archtype = "80486";

 	    break;

 	case 0x14e:

-	    cli_dbgmsg("Machine type: 80586\n");

+        archtype = "80586";

 	    break;

 	case 0x160:

-	    cli_dbgmsg("Machine type: R30000 (big-endian)\n");

+        archtype = "R30000 (big-endian)";

 	    break;

 	case 0x162:

-	    cli_dbgmsg("Machine type: R3000\n");

+        archtype = "R3000";

 	    break;

 	case 0x166:

-	    cli_dbgmsg("Machine type: R4000\n");

+        archtype = "R4000";

 	    break;

 	case 0x168:

-	    cli_dbgmsg("Machine type: R10000\n");

+        archtype = "R10000";

 	    break;

 	case 0x184:

-	    cli_dbgmsg("Machine type: DEC Alpha AXP\n");

+        archtype = "DEC Alpha AXP";

 	    break;

 	case 0x284:

-	    cli_dbgmsg("Machine type: DEC Alpha AXP 64bit\n");

+        archtype = "DEC Alpha AXP 64bit";

 	    break;

 	case 0x1f0:

-	    cli_dbgmsg("Machine type: PowerPC\n");

+        archtype = "PowerPC";

 	    break;

 	case 0x200:

-	    cli_dbgmsg("Machine type: IA64\n");

+        archtype = "IA64";

 	    break;

 	case 0x268:

-	    cli_dbgmsg("Machine type: M68k\n");

+        archtype = "M68k";

 	    break;

 	case 0x266:

-	    cli_dbgmsg("Machine type: MIPS16\n");

+        archtype = "MIPS16";

 	    break;

 	case 0x366:

-	    cli_dbgmsg("Machine type: MIPS+FPU\n");

+        archtype = "MIPS+FPU";

 	    break;

 	case 0x466:

-	    cli_dbgmsg("Machine type: MIPS16+FPU\n");

+        archtype = "MIPS16+FPU";

 	    break;

 	case 0x1a2:

-	    cli_dbgmsg("Machine type: Hitachi SH3\n");

+        archtype = "Hitachi SH3";

 	    break;

 	case 0x1a3:

-	    cli_dbgmsg("Machine type: Hitachi SH3-DSP\n");

+        archtype = "Hitachi SH3-DSP";

 	    break;

 	case 0x1a4:

-	    cli_dbgmsg("Machine type: Hitachi SH3-E\n");

+        archtype = "Hitachi SH3-E";

 	    break;

 	case 0x1a6:

-	    cli_dbgmsg("Machine type: Hitachi SH4\n");

+        archtype = "Hitachi SH4";

 	    break;

 	case 0x1a8:

-	    cli_dbgmsg("Machine type: Hitachi SH5\n");

+        archtype = "Hitachi SH5";

 	    break;

 	case 0x1c0:

-	    cli_dbgmsg("Machine type: ARM\n");

+        archtype = "ARM";

 	    break;

 	case 0x1c2:

-	    cli_dbgmsg("Machine type: THUMB\n");

+        archtype = "THUMB";

 	    break;

 	case 0x1d3:

-	    cli_dbgmsg("Machine type: AM33\n");

+        archtype = "AM33";

 	    break;

 	case 0x520:

-	    cli_dbgmsg("Machine type: Infineon TriCore\n");

+        archtype = "Infineon TriCore";

 	    break;

 	case 0xcef:

-	    cli_dbgmsg("Machine type: CEF\n");

+        archtype = "CEF";

 	    break;

 	case 0xebc:

-	    cli_dbgmsg("Machine type: EFI Byte Code\n");

+        archtype = "EFI Byte Code";

 	    break;

 	case 0x9041:

-	    cli_dbgmsg("Machine type: M32R\n");

+        archtype = "M32R";

 	    break;

 	case 0xc0ee:

-	    cli_dbgmsg("Machine type: CEE\n");

+        archtype = "CEEE";

 	    break;

 	case 0x8664:

-	    cli_dbgmsg("Machine type: AMD64\n");

+        archtype = "AMD64";

 	    break;

 	default:

-	    cli_dbgmsg("Machine type: ** UNKNOWN ** (0x%x)\n", EC16(file_hdr.Machine));

+        archtype = "Unknown";

+    }

+

+    if ((archtype)) {

+        cli_dbgmsg("Machine type: %s\n", archtype);

+#if HAVE_JSON

+        cli_jsonstr(pe_json, "ArchType", archtype);

+#endif

     }

     nsections = EC16(file_hdr.NumberOfSections);

     if(nsections < 1 || nsections > 96) {

+#if HAVE_JSON

+        pe_add_heuristic_property(ctx, "BadNumberOfSections");

+#endif

 	if(DETECT_BROKEN_PE) {

 	    cli_append_virus(ctx,"Heuristics.Broken.Executable");

 	    return CL_VIRUS;

@@ -807,6 +941,9 @@ int cli_scanpe(cli_ctx *ctx)

     cli_dbgmsg("SizeOfOptionalHeader: %x\n", EC16(file_hdr.SizeOfOptionalHeader));

     if (EC16(file_hdr.SizeOfOptionalHeader) < sizeof(struct pe_image_optional_hdr32)) {

+#if HAVE_JSON

+        pe_add_heuristic_property(ctx, "BadOptionalHeaderSize");

+#endif

         cli_dbgmsg("SizeOfOptionalHeader too small\n");

 	if(DETECT_BROKEN_PE) {

 	    cli_append_virus(ctx,"Heuristics.Broken.Executable");

@@ -828,6 +965,9 @@ int cli_scanpe(cli_ctx *ctx)

     /* This will be a chicken and egg problem until we drop 9x */

     if(EC16(optional_hdr64.Magic)==PE32P_SIGNATURE) {

+#if HAVE_JSON

+        pe_add_heuristic_property(ctx, "BadOptionalHeaderSizePE32Plus");

+#endif

         if(EC16(file_hdr.SizeOfOptionalHeader)!=sizeof(struct pe_image_optional_hdr64)) {

 	    /* FIXME: need to play around a bit more with xp64 */

 	    cli_dbgmsg("Incorrect SizeOfOptionalHeader for PE32+\n");

@@ -901,55 +1041,68 @@ int cli_scanpe(cli_ctx *ctx)

 	dirs = optional_hdr64.DataDirectory;

     }

+#if HAVE_JSON

+    if (ctx->options & CL_SCAN_FILE_PROPERTIES) {

+        snprintf(jsonbuf, sizeof(jsonbuf), "0x%x", vep);

+        cli_jsonstr(pe_json, "EntryPoint", jsonbuf);

+    }

+#endif

+

     switch(pe_plus ? EC16(optional_hdr64.Subsystem) : EC16(optional_hdr32.Subsystem)) {

 	case 0:

-	    cli_dbgmsg("Subsystem: Unknown\n");

+        subsystem = "Unknown";

 	    break;

 	case 1:

-	    cli_dbgmsg("Subsystem: Native (svc)\n");

+        subsystem = "Native (svc)";

 	    native = 1;

 	    break;

 	case 2:

-	    cli_dbgmsg("Subsystem: Win32 GUI\n");

+        subsystem = "Win32 GUI";

 	    break;

 	case 3:

-	    cli_dbgmsg("Subsystem: Win32 console\n");

+        subsystem = "Win32 console";

 	    break;

 	case 5:

-	    cli_dbgmsg("Subsystem: OS/2 console\n");

+        subsystem = "OS/2 console";

 	    break;

 	case 7:

-	    cli_dbgmsg("Subsystem: POSIX console\n");

+        subsystem = "POSIX console";

 	    break;

 	case 8:

-	    cli_dbgmsg("Subsystem: Native Win9x driver\n");

+        subsystem = "Native Win9x driver";

 	    break;

 	case 9:

-	    cli_dbgmsg("Subsystem: WinCE GUI\n");

+        subsystem = "WinCE GUI";

 	    break;

 	case 10:

-	    cli_dbgmsg("Subsystem: EFI application\n");

+        subsystem = "EFI application";

 	    break;

 	case 11:

-	    cli_dbgmsg("Subsystem: EFI driver\n");

+        subsystem = "EFI driver";

 	    break;

 	case 12:

-	    cli_dbgmsg("Subsystem: EFI runtime driver\n");

+        subsystem = "EFI runtime driver";

 	    break;

 	case 13:

-	    cli_dbgmsg("Subsystem: EFI ROM image\n");

+        subsystem = "EFI ROM image";

 	    break;

 	case 14:

-	    cli_dbgmsg("Subsystem: Xbox\n");

+        subsystem = "Xbox";

 	    break;

 	case 16:

-	    cli_dbgmsg("Subsystem: Boot application\n");

+        subsystem = "Boot application";

 	    break;

 	default:

-	    cli_dbgmsg("Subsystem: ** UNKNOWN ** (0x%x)\n", pe_plus ? EC16(optional_hdr64.Subsystem) : EC16(optional_hdr32.Subsystem));

+        subsystem = "Unknown";

     }

+    cli_dbgmsg("Subsystem: %s\n", subsystem);

+

+#if HAVE_JSON

+    cli_jsonstr(pe_json, "Subsystem", subsystem);

+#endif

+

     cli_dbgmsg("------------------------------------\n");

     if (DETECT_BROKEN_PE && !native && (!(pe_plus?EC32(optional_hdr64.SectionAlignment):EC32(optional_hdr32.SectionAlignment)) || (pe_plus?EC32(optional_hdr64.SectionAlignment):EC32(optional_hdr32.SectionAlignment))%0x1000)) {

@@ -1007,6 +1160,10 @@ int cli_scanpe(cli_ctx *ctx)

     hdr_size = PESALIGN(hdr_size, valign); /* Aligned headers virtual size */

+#if HAVE_JSON

+    cli_jsonint(pe_json, "NumberOfSections", nsections);

+#endif

+

     for(i = 0; i < nsections; i++) {

 	strncpy(sname, (char *) section_hdr[i].Name, 8);

 	sname[8] = 0;

@@ -1020,6 +1177,10 @@ int cli_scanpe(cli_ctx *ctx)

 	exe_sections[i].uraw = EC32(section_hdr[i].PointerToRawData);

 	exe_sections[i].ursz = EC32(section_hdr[i].SizeOfRawData);

+#if HAVE_JSON

+    add_section_info(ctx, &exe_sections[i]);

+#endif

+

 	if (!exe_sections[i].vsz && exe_sections[i].rsz)

 	    exe_sections[i].vsz=PESALIGN(exe_sections[i].ursz, valign);

@@ -1143,6 +1304,10 @@ int cli_scanpe(cli_ctx *ctx)

 	return CL_CLEAN;

     }

+#if HAVE_JSON

+    cli_jsonint(pe_json, "EntryPointOffset", ep);

+#endif

+

     cli_dbgmsg("EntryPoint offset: 0x%x (%d)\n", ep, ep);

     if(pe_plus) { /* Do not continue for PE32+ files */

@@ -1454,6 +1619,9 @@ int cli_scanpe(cli_ctx *ctx)

 	    if(!exe_sections[i].rsz && exe_sections[i].vsz && exe_sections[i + 1].rsz && exe_sections[i + 1].vsz) {

 		found = 1;

 		cli_dbgmsg("UPX/FSG/MEW: empty section found - assuming compression\n");

+#if HAVE_JSON

+        cli_jsonbool(pe_json, "HasEmptySection", 1);

+#endif

 		break;

 	    }

 	}

@@ -1526,6 +1694,10 @@ int cli_scanpe(cli_ctx *ctx)

 	        uselzma = 0;

 	    }

+#if HAVE_JSON

+        cli_jsonstr(pe_json, "Packer", "MEW");

+#endif

+

 	    CLI_UNPTEMP("MEW",(src,exe_sections,0));

 	    CLI_UNPRESULTS("MEW",(unmew11(src, offdiff, ssize, dsize, EC32(optional_hdr32.ImageBase), exe_sections[0].rva, uselzma, ndesc)),1,(src,0));

 	    break;

@@ -1632,6 +1804,10 @@ int cli_scanpe(cli_ctx *ctx)

 		break;

 	    }

+#if HAVE_JSON

+        cli_jsonstr(pe_json, "Packer", "Upack");

+#endif

+

 	    CLI_UNPTEMP("Upack",(dest,exe_sections,0));

 	    CLI_UNPRESULTS("Upack",(unupack(upack, dest, dsize, epbuff, vma, ep, EC32(optional_hdr32.ImageBase), exe_sections[0].rva, ndesc)),1,(dest,0));

 	    break;

@@ -1715,6 +1891,10 @@ int cli_scanpe(cli_ctx *ctx)

 	    return CL_EMEM;

 	}

+#if HAVE_JSON

+    cli_jsonstr(pe_json, "Packer", "FSG");

+#endif

+

 	CLI_UNPTEMP("FSG",(dest,exe_sections,0));

 	CLI_UNPRESULTSFSG2("FSG",(unfsg_200(newesi - exe_sections[i + 1].rva + src, dest, ssize + exe_sections[i + 1].rva - newesi, dsize, newedi, EC32(optional_hdr32.ImageBase), newedx, ndesc)),1,(dest,0));

 	break;

@@ -1818,6 +1998,10 @@ int cli_scanpe(cli_ctx *ctx)

 	oldep = vep + 161 + 6 + cli_readint32(epbuff+163);

 	cli_dbgmsg("FSG: found old EP @%x\n", oldep);

+#if HAVE_JSON

+    cli_jsonstr(pe_json, "Packer", "FSG");

+#endif

+

 	CLI_UNPTEMP("FSG",(dest,sections,exe_sections,0));

 	CLI_UNPRESULTSFSG1("FSG",(unfsg_133(src + newesi - exe_sections[i + 1].rva, dest, ssize + exe_sections[i + 1].rva - newesi, dsize, sections, sectcnt, EC32(optional_hdr32.ImageBase), oldep, ndesc)),1,(dest,sections,0));

 	break; /* were done with 1.33 */

@@ -1920,6 +2104,10 @@ int cli_scanpe(cli_ctx *ctx)

 	oldep = vep + gp + 6 + cli_readint32(src+gp+2+oldep);

 	cli_dbgmsg("FSG: found old EP @%x\n", oldep);

+#if HAVE_JSON

+    cli_jsonstr(pe_json, "Packer", "FSG");

+#endif

+

 	CLI_UNPTEMP("FSG",(dest,sections,exe_sections,0));

 	CLI_UNPRESULTSFSG1("FSG",(unfsg_133(src + newesi - exe_sections[i + 1].rva, dest, ssize + exe_sections[i + 1].rva - newesi, dsize, sections, sectcnt, EC32(optional_hdr32.ImageBase), oldep, ndesc)),1,(dest,sections,0));

 	break; /* were done with 1.31 */

@@ -2051,6 +2239,9 @@ int cli_scanpe(cli_ctx *ctx)

 	free(exe_sections);

 	CLI_UNPTEMP("UPX/FSG",(dest,0));

+#if HAVE_JSON

+    cli_jsonstr(pe_json, "Packer", "UPX");

+#endif

 	if((unsigned int) write(ndesc, dest, dsize) != dsize) {

 	    cli_dbgmsg("UPX/FSG: Can't write %d bytes\n", dsize);

@@ -2133,6 +2324,10 @@ int cli_scanpe(cli_ctx *ctx)

 		}

 	    }

+#if HAVE_JSON

+        cli_jsonstr(pe_json, "Packer", "Petite");

+#endif

+

 	    CLI_UNPTEMP("Petite",(dest,exe_sections,0));

 	    CLI_UNPRESULTS("Petite",(petite_inflate2x_1to9(dest, min, max - min, exe_sections, nsections - (found == 1 ? 1 : 0), EC32(optional_hdr32.ImageBase),vep, ndesc, found, EC32(optional_hdr32.DataDirectory[2].VirtualAddress),EC32(optional_hdr32.DataDirectory[2].Size))),0,(dest,0));

 	}

@@ -2162,6 +2357,10 @@ int cli_scanpe(cli_ctx *ctx)

 	    return CL_EREAD;

 	}

+#if HAVE_JSON

+    cli_jsonstr(pe_json, "Packer", "PEspin");

+#endif

+

 	CLI_UNPTEMP("PESpin",(spinned,exe_sections,0));

 	CLI_UNPRESULTS_("PEspin",SPINCASE(),(unspin(spinned, fsize, exe_sections, nsections - 1, vep, ndesc, ctx)),0,(spinned,0));

     }

@@ -2226,6 +2425,10 @@ int cli_scanpe(cli_ctx *ctx)

 	      return CL_EREAD;

 	    }

+#if HAVE_JSON

+        cli_jsonstr(pe_json, "Packer", "yC");

+#endif

+

 	    cli_dbgmsg("%d,%d,%d,%d\n", nsections-1, e_lfanew, ecx, offset);

 	    CLI_UNPTEMP("yC",(spinned,exe_sections,0));

 	    CLI_UNPRESULTS("yC",(yc_decrypt(spinned, fsize, exe_sections, nsections-1, e_lfanew, ndesc, ecx, offset)),0,(spinned,0));

@@ -2287,6 +2490,10 @@ int cli_scanpe(cli_ctx *ctx)

 	    return CL_EREAD;

 	}

+#if HAVE_JSON

+    cli_jsonstr(pe_json, "Packer", "WWPack");

+#endif

+

 	CLI_UNPTEMP("WWPack",(src,packer,exe_sections,0));

 	CLI_UNPRESULTS("WWPack",(wwunpack((uint8_t *)src, ssize, packer, exe_sections, nsections-1, e_lfanew, ndesc)),0,(src,packer,0));

 	break;

@@ -2321,6 +2528,10 @@ int cli_scanpe(cli_ctx *ctx)

             break;

         }

+#if HAVE_JSON

+        cli_jsonstr(pe_json, "Packer", "Aspack");

+#endif

+

 	CLI_UNPTEMP("Aspack",(src,exe_sections,0));

 	CLI_UNPRESULTS("Aspack",(unaspack212((uint8_t *)src, ssize, exe_sections, nsections, vep-1, EC32(optional_hdr32.ImageBase), ndesc)),1,(src,0));

 	break;

@@ -2387,6 +2598,10 @@ int cli_scanpe(cli_ctx *ctx)

 	eprva=eprva+5+cli_readint32(nbuff+1);

 	cli_dbgmsg("NsPack: OEP = %08x\n", eprva);

+#if HAVE_JSON

+    cli_jsonstr(pe_json, "Packer", "NsPack");

+#endif

+

 	CLI_UNPTEMP("NsPack",(dest,exe_sections,0));

 	CLI_UNPRESULTS("NsPack",(unspack(src, dest, ctx, exe_sections[0].rva, EC32(optional_hdr32.ImageBase), eprva, ndesc)),0,(dest,0));

 	break;