git-svn: trunk@4577
Török Edvin authored on 2008/12/23 19:53:20... | ... |
@@ -1,3 +1,10 @@ |
1 |
+Tue Dec 23 13:03:42 EET 2008 (edwin) |
|
2 |
+------------------------------------ |
|
3 |
+ * libclamav/pe.c, libclamav/special.c: reset resource type, |
|
4 |
+ otherwise we parse all resources after a string resource as string |
|
5 |
+ (including images), which is wrong, because it feeds wrong |
|
6 |
+ statistics to cli_detect_swizz. |
|
7 |
+ |
|
1 | 8 |
Mon Dec 22 22:32:59 CET 2008 (tk) |
2 | 9 |
--------------------------------- |
3 | 10 |
* shared/optparser.c: extend MATCH_BOOL regex (bb#1324) |
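--- a/libclamav/pe.c
+++ b/libclamav/pe.c
@@ -355,10 +355,11 @@ static void cli_parseres_special(uint32_t base, uint32_t rva, int srcfd, struct
 cli_parseres( base, base + (offs&0x7fffffff), srcfd, exe_sections, nsections, fsize, hdr_size, level+1, type, maxres, stats);
 entry+=8;
 }*/
- for (i=0; i<unnamed; i++) {
+ for (i=0; i<unnamed; i++, entry += 8) {
 uint32_t id, offs;
 id = cli_readint32(entry)&0x7fffffff;
 if(level==0) {
+ type = 0;
 switch(id) {
 case 4: /* menu */
 case 5: /* dialog */
@@ -367,6 +368,7 @@ static void cli_parseres_special(uint32_t base, uint32_t rva, int srcfd, struct
 type = id;
 break;
 case 16:
+ type = id;
 /* 14: version */
 stats->has_version = 1;
 break;
@@ -375,7 +377,8 @@ static void cli_parseres_special(uint32_t base, uint32_t rva, int srcfd, struct
 break;
 /* otherwise keep it 0, we don't want it */
 }
- } else if (!type) {
+ }
+ if (!type) {
 /* if we are not interested in this type, skip */
 continue;
 }
@@ -383,7 +386,6 @@ static void cli_parseres_special(uint32_t base, uint32_t rva, int srcfd, struct
 if(offs>>31)
 cli_parseres_special(base, base + (offs&0x7fffffff), srcfd, exe_sections, nsections, fsize, hdr_size, level+1, type, maxres, stats);
 else {
- if (type == 4 || type == 5 || type == 6 || type ==11) {
 offs = cli_readint32(entry+4);
 rawaddr = cli_rawaddr(base + offs, exe_sections, nsections, &err, fsize, hdr_size);
 if (!err && pread(srcfd, resdir, sizeof(resdir), rawaddr) == sizeof(resdir)) {
@@ -406,9 +408,7 @@ static void cli_parseres_special(uint32_t base, uint32_t rva, int srcfd, struct
 }
 free (str);
 }
- }
 }
- entry+=8;
 }
 free (oentry);
 }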
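Review bot: Dropping the `if (type == 4 || type == 5 || type == 6 || type ==11)` guard in the `@@ -383,7 +386,6 @@` hunk lets every non-zero type reach the leaf `pread(srcfd, resdir, sizeof(resdir), rawaddr)` path, and the `@@ -367,6 +368,7 @@` hunk now sets `type = id` for id 16 (version), so version resources take that path as well. The lines between that pread and `free (str)` are outside the hunks, so whether a further type filter exists there cannot be seen from this diff; if there is none, the version resource's bytes would be fed into the same string statistics this commit sets out to correct. If that is intended, a one-line comment on the `else {` branch such as `/* leaf entry: every type selected at level 0 is read and processed here, version (16) included */` would record it; otherwise reinstating the 4/5/6/11 check ahead of the read keeps version data out of the string path. cli_parseres_special starts before the first hunk and its leaf-handling body is only partly visible.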
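--- a/libclamav/special.c
+++ b/libclamav/special.c
@@ -431,8 +431,10 @@ void cli_detect_swizz_str(const unsigned char *str, uint32_t len, struct swizz_s
 }
 ret = swizz_j48(ngram_cnts) ? CL_VIRUS : CL_CLEAN;
 cli_dbgmsg("cli_detect_swizz_str: %s, %u words\n", ret == CL_VIRUS ? "suspicious" : "ok", words);
- if (ret == CL_VIRUS)
+ if (ret == CL_VIRUS) {
 stats->suspicious += j;
+ cli_dbgmsg("cli_detect_swizz_str: %s\n", stri);
+ }
 stats->total += j;
 }
 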
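Review bot: The added `cli_dbgmsg("cli_detect_swizz_str: %s\n", stri);` prints `stri` with a bare `%s`, which relies on `stri` being NUL-terminated; the function's interface passes `str` with an explicit `len`, and the place where `stri` is filled is outside this hunk, so that termination cannot be confirmed from the diff. The bytes originate in a scanned executable's resource section, so a terminator should not be assumed from the input itself. If `stri` is a bounded buffer rather than a terminated copy, `cli_dbgmsg("cli_detect_swizz_str: %.*s\n", (int)<length of stri>, stri);` bounds the read; if it is already terminated, a short comment at the point where `stri` is built, saying so, would settle it for the next reader. cli_detect_swizz_str begins before this hunk.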