Browse code
reset resource type, otherwise we parse all resources after a string resource as string (including images), which is wrong, because it feeds wrong statistics to cli_detect_swizz.
| ... | ... |
@@ -1,3 +1,10 @@ |
| 1 |
+Tue Dec 23 13:03:42 EET 2008 (edwin) |
|
| 2 |
+------------------------------------ |
|
| 3 |
+ * libclamav/pe.c, libclamav/special.c: reset resource type, |
|
| 4 |
+ otherwise we parse all resources after a string resource as string |
|
| 5 |
+ (including images), which is wrong, because it feeds wrong |
|
| 6 |
+ statistics to cli_detect_swizz. |
|
| 7 |
+ |
|
| 1 | 8 |
Mon Dec 22 22:32:59 CET 2008 (tk) |
| 2 | 9 |
--------------------------------- |
| 3 | 10 |
* shared/optparser.c: extend MATCH_BOOL regex (bb#1324) |
| ... | ... |
@@ -355,10 +355,11 @@ static void cli_parseres_special(uint32_t base, uint32_t rva, int srcfd, struct |
| 355 | 355 |
cli_parseres( base, base + (offs&0x7fffffff), srcfd, exe_sections, nsections, fsize, hdr_size, level+1, type, maxres, stats); |
| 356 | 356 |
entry+=8; |
| 357 | 357 |
}*/ |
| 358 |
- for (i=0; i<unnamed; i++) {
|
|
| 358 |
+ for (i=0; i<unnamed; i++, entry += 8) {
|
|
| 359 | 359 |
uint32_t id, offs; |
| 360 | 360 |
id = cli_readint32(entry)&0x7fffffff; |
| 361 | 361 |
if(level==0) {
|
| 362 |
+ type = 0; |
|
| 362 | 363 |
switch(id) {
|
| 363 | 364 |
case 4: /* menu */ |
| 364 | 365 |
case 5: /* dialog */ |
| ... | ... |
@@ -367,6 +368,7 @@ static void cli_parseres_special(uint32_t base, uint32_t rva, int srcfd, struct |
| 367 | 367 |
type = id; |
| 368 | 368 |
break; |
| 369 | 369 |
case 16: |
| 370 |
+ type = id; |
|
| 370 | 371 |
/* 14: version */ |
| 371 | 372 |
stats->has_version = 1; |
| 372 | 373 |
break; |
| ... | ... |
@@ -375,7 +377,8 @@ static void cli_parseres_special(uint32_t base, uint32_t rva, int srcfd, struct |
| 375 | 375 |
break; |
| 376 | 376 |
/* otherwise keep it 0, we don't want it */ |
| 377 | 377 |
} |
| 378 |
- } else if (!type) {
|
|
| 378 |
+ } |
|
| 379 |
+ if (!type) {
|
|
| 379 | 380 |
/* if we are not interested in this type, skip */ |
| 380 | 381 |
continue; |
| 381 | 382 |
} |
| ... | ... |
@@ -383,7 +386,6 @@ static void cli_parseres_special(uint32_t base, uint32_t rva, int srcfd, struct |
| 383 | 383 |
if(offs>>31) |
| 384 | 384 |
cli_parseres_special(base, base + (offs&0x7fffffff), srcfd, exe_sections, nsections, fsize, hdr_size, level+1, type, maxres, stats); |
| 385 | 385 |
else {
|
| 386 |
- if (type == 4 || type == 5 || type == 6 || type ==11) {
|
|
| 387 | 386 |
offs = cli_readint32(entry+4); |
| 388 | 387 |
rawaddr = cli_rawaddr(base + offs, exe_sections, nsections, &err, fsize, hdr_size); |
| 389 | 388 |
if (!err && pread(srcfd, resdir, sizeof(resdir), rawaddr) == sizeof(resdir)) {
|
| ... | ... |
@@ -406,9 +408,7 @@ static void cli_parseres_special(uint32_t base, uint32_t rva, int srcfd, struct |
| 406 | 406 |
} |
| 407 | 407 |
free (str); |
| 408 | 408 |
} |
| 409 |
- } |
|
| 410 | 409 |
} |
| 411 |
- entry+=8; |
|
| 412 | 410 |
} |
| 413 | 411 |
free (oentry); |
| 414 | 412 |
} |
| ... | ... |
@@ -431,8 +431,10 @@ void cli_detect_swizz_str(const unsigned char *str, uint32_t len, struct swizz_s |
| 431 | 431 |
} |
| 432 | 432 |
ret = swizz_j48(ngram_cnts) ? CL_VIRUS : CL_CLEAN; |
| 433 | 433 |
cli_dbgmsg("cli_detect_swizz_str: %s, %u words\n", ret == CL_VIRUS ? "suspicious" : "ok", words);
|
| 434 |
- if (ret == CL_VIRUS) |
|
| 434 |
+ if (ret == CL_VIRUS) {
|
|
| 435 | 435 |
stats->suspicious += j; |
| 436 |
+ cli_dbgmsg("cli_detect_swizz_str: %s\n", stri);
|
|
| 437 |
+ } |
|
| 436 | 438 |
stats->total += j; |
| 437 | 439 |
} |
| 438 | 440 |
|