... | ... |
@@ -114,233 +114,249 @@ char *cli_virname(char *virname, unsigned int official) |
114 | 114 |
|
115 | 115 |
int cli_parse_add(struct cli_matcher *root, const char *virname, const char *hexsig, uint16_t rtype, uint16_t type, const char *offset, uint8_t target, const uint32_t *lsigid, unsigned int options) |
116 | 116 |
{ |
117 |
- struct cli_bm_patt *bm_new; |
|
118 |
- char *pt, *hexcpy, *start, *n, l, r; |
|
119 |
- const char *wild; |
|
120 |
- int ret, asterisk = 0, range; |
|
121 |
- unsigned int i, j, hexlen, parts = 0; |
|
122 |
- int mindist = 0, maxdist = 0, error = 0; |
|
117 |
+ struct cli_bm_patt *bm_new; |
|
118 |
+ char *pt, *hexcpy, *start, *n, l, r; |
|
119 |
+ const char *wild; |
|
120 |
+ int ret, asterisk = 0, range; |
|
121 |
+ unsigned int i, j, hexlen, parts = 0; |
|
122 |
+ int mindist = 0, maxdist = 0, error = 0; |
|
123 | 123 |
|
124 |
+ cli_errmsg("==== cli_parse add called with hexsig: \"%s\" ====\n", hexsig); |
|
124 | 125 |
|
125 | 126 |
hexlen = strlen(hexsig); |
126 | 127 |
if (hexsig[0] == '$') { |
127 |
- /* macro */ |
|
128 |
- unsigned smin, smax, tid; |
|
129 |
- struct cli_ac_patt *patt; |
|
130 |
- if (hexsig[hexlen-1] != '$') { |
|
131 |
- cli_errmsg("cli_parseadd(): missing terminator $\n"); |
|
132 |
- return CL_EMALFDB; |
|
133 |
- } |
|
134 |
- if (!lsigid) { |
|
135 |
- cli_errmsg("cli_parseadd(): macro signatures only valid inside logical signatures\n"); |
|
136 |
- return CL_EMALFDB; |
|
137 |
- } |
|
138 |
- if (sscanf(hexsig,"${%u-%u}%u$", |
|
139 |
- &smin, &smax, &tid) != 3) { |
|
140 |
- cli_errmsg("cli_parseadd(): invalid macro signature format\n"); |
|
141 |
- return CL_EMALFDB; |
|
142 |
- } |
|
143 |
- if (tid >= 32) { |
|
144 |
- cli_errmsg("cli_parseadd(): only 32 macro groups are supported\n"); |
|
145 |
- return CL_EMALFDB; |
|
146 |
- } |
|
147 |
- patt = mpool_calloc(root->mempool, 1, sizeof(*patt)); |
|
148 |
- if (!patt) |
|
149 |
- return CL_EMEM; |
|
150 |
- /* this is not a pattern that will be matched by AC itself, rather it is a |
|
151 |
- * pattern checked by the lsig code */ |
|
152 |
- patt->ch_mindist[0] = smin; |
|
153 |
- patt->ch_maxdist[0] = smax; |
|
154 |
- patt->sigid = tid; |
|
155 |
- patt->length = root->ac_mindepth; |
|
156 |
- /* dummy */ |
|
157 |
- patt->pattern = mpool_calloc(root->mempool, patt->length, sizeof(*patt->pattern)); |
|
158 |
- if (!patt->pattern) { |
|
159 |
- free(patt); |
|
160 |
- return CL_EMEM; |
|
161 |
- } |
|
162 |
- if ((ret = cli_ac_addpatt(root, patt))) { |
|
163 |
- mpool_free(root->mempool, patt->pattern); |
|
164 |
- free(patt); |
|
165 |
- return ret; |
|
166 |
- } |
|
167 |
- return CL_SUCCESS; |
|
128 |
+ /* macro */ |
|
129 |
+ unsigned smin, smax, tid; |
|
130 |
+ struct cli_ac_patt *patt; |
|
131 |
+ |
|
132 |
+ if (hexsig[hexlen-1] != '$') { |
|
133 |
+ cli_errmsg("cli_parseadd(): missing terminator $\n"); |
|
134 |
+ return CL_EMALFDB; |
|
135 |
+ } |
|
136 |
+ |
|
137 |
+ if (!lsigid) { |
|
138 |
+ cli_errmsg("cli_parseadd(): macro signatures only valid inside logical signatures\n"); |
|
139 |
+ return CL_EMALFDB; |
|
140 |
+ } |
|
141 |
+ |
|
142 |
+ if (sscanf(hexsig,"${%u-%u}%u$", |
|
143 |
+ &smin, &smax, &tid) != 3) { |
|
144 |
+ cli_errmsg("cli_parseadd(): invalid macro signature format\n"); |
|
145 |
+ return CL_EMALFDB; |
|
146 |
+ } |
|
147 |
+ |
|
148 |
+ if (tid >= 32) { |
|
149 |
+ cli_errmsg("cli_parseadd(): only 32 macro groups are supported\n"); |
|
150 |
+ return CL_EMALFDB; |
|
151 |
+ } |
|
152 |
+ |
|
153 |
+ patt = mpool_calloc(root->mempool, 1, sizeof(*patt)); |
|
154 |
+ if (!patt) |
|
155 |
+ return CL_EMEM; |
|
156 |
+ |
|
157 |
+ /* this is not a pattern that will be matched by AC itself, rather it is a |
|
158 |
+ * pattern checked by the lsig code */ |
|
159 |
+ patt->ch_mindist[0] = smin; |
|
160 |
+ patt->ch_maxdist[0] = smax; |
|
161 |
+ patt->sigid = tid; |
|
162 |
+ patt->length = root->ac_mindepth; |
|
163 |
+ |
|
164 |
+ /* dummy */ |
|
165 |
+ patt->pattern = mpool_calloc(root->mempool, patt->length, sizeof(*patt->pattern)); |
|
166 |
+ if (!patt->pattern) { |
|
167 |
+ free(patt); |
|
168 |
+ return CL_EMEM; |
|
169 |
+ } |
|
170 |
+ |
|
171 |
+ if ((ret = cli_ac_addpatt(root, patt))) { |
|
172 |
+ mpool_free(root->mempool, patt->pattern); |
|
173 |
+ free(patt); |
|
174 |
+ return ret; |
|
175 |
+ } |
|
176 |
+ |
|
177 |
+ return CL_SUCCESS; |
|
168 | 178 |
} |
169 | 179 |
if((wild = strchr(hexsig, '{'))) { |
170 |
- if(sscanf(wild, "%c%u%c", &l, &range, &r) == 3 && l == '{' && r == '}' && range > 0 && range < 128) { |
|
171 |
- hexcpy = cli_calloc(hexlen + 2 * range, sizeof(char)); |
|
172 |
- if(!hexcpy) |
|
173 |
- return CL_EMEM; |
|
174 |
- strncpy(hexcpy, hexsig, wild - hexsig); |
|
175 |
- for(i = 0; i < (unsigned int) range; i++) |
|
176 |
- strcat(hexcpy, "??"); |
|
177 |
- if(!(wild = strchr(wild, '}'))) { |
|
178 |
- cli_errmsg("cli_parse_add(): Problem adding signature: missing bracket\n"); |
|
179 |
- free(hexcpy); |
|
180 |
- return CL_EMALFDB; |
|
181 |
- } |
|
182 |
- strcat(hexcpy, ++wild); |
|
183 |
- ret = cli_parse_add(root, virname, hexcpy, rtype, type, offset, target, lsigid, options); |
|
184 |
- free(hexcpy); |
|
185 |
- return ret; |
|
186 |
- } |
|
180 |
+ if(sscanf(wild, "%c%u%c", &l, &range, &r) == 3 && l == '{' && r == '}' && range > 0 && range < 128) { |
|
181 |
+ hexcpy = cli_calloc(hexlen + 2 * range, sizeof(char)); |
|
182 |
+ if(!hexcpy) |
|
183 |
+ return CL_EMEM; |
|
187 | 184 |
|
188 |
- root->ac_partsigs++; |
|
185 |
+ strncpy(hexcpy, hexsig, wild - hexsig); |
|
186 |
+ for(i = 0; i < (unsigned int) range; i++) |
|
187 |
+ strcat(hexcpy, "??"); |
|
189 | 188 |
|
190 |
- if(!(hexcpy = cli_strdup(hexsig))) |
|
191 |
- return CL_EMEM; |
|
189 |
+ if(!(wild = strchr(wild, '}'))) { |
|
190 |
+ cli_errmsg("cli_parse_add(): Problem adding signature: missing bracket\n"); |
|
191 |
+ free(hexcpy); |
|
192 |
+ return CL_EMALFDB; |
|
193 |
+ } |
|
192 | 194 |
|
193 |
- for(i = 0; i < hexlen; i++) |
|
194 |
- if(hexsig[i] == '{' || hexsig[i] == '*') |
|
195 |
- parts++; |
|
195 |
+ strcat(hexcpy, ++wild); |
|
196 |
+ ret = cli_parse_add(root, virname, hexcpy, rtype, type, offset, target, lsigid, options); |
|
197 |
+ free(hexcpy); |
|
196 | 198 |
|
197 |
- if(parts) |
|
198 |
- parts++; |
|
199 |
+ return ret; |
|
200 |
+ } |
|
199 | 201 |
|
200 |
- start = pt = hexcpy; |
|
201 |
- for(i = 1; i <= parts; i++) { |
|
202 |
+ root->ac_partsigs++; |
|
202 | 203 |
|
203 |
- if(i != parts) { |
|
204 |
- for(j = 0; j < strlen(start); j++) { |
|
205 |
- if(start[j] == '{') { |
|
206 |
- asterisk = 0; |
|
207 |
- pt = start + j; |
|
208 |
- break; |
|
209 |
- } |
|
210 |
- if(start[j] == '*') { |
|
211 |
- asterisk = 1; |
|
212 |
- pt = start + j; |
|
213 |
- break; |
|
214 |
- } |
|
215 |
- } |
|
216 |
- *pt++ = 0; |
|
217 |
- } |
|
204 |
+ if(!(hexcpy = cli_strdup(hexsig))) |
|
205 |
+ return CL_EMEM; |
|
218 | 206 |
|
219 |
- if((ret = cli_ac_addsig(root, virname, start, root->ac_partsigs, parts, i, rtype, type, mindist, maxdist, offset, lsigid, options))) { |
|
220 |
- cli_errmsg("cli_parse_add(): Problem adding signature (1).\n"); |
|
221 |
- error = 1; |
|
222 |
- break; |
|
223 |
- } |
|
207 |
+ for(i = 0; i < hexlen; i++) |
|
208 |
+ if(hexsig[i] == '{' || hexsig[i] == '*') |
|
209 |
+ parts++; |
|
210 |
+ |
|
211 |
+ if(parts) |
|
212 |
+ parts++; |
|
213 |
+ |
|
214 |
+ start = pt = hexcpy; |
|
215 |
+ for(i = 1; i <= parts; i++) { |
|
216 |
+ if(i != parts) { |
|
217 |
+ for(j = 0; j < strlen(start); j++) { |
|
218 |
+ if(start[j] == '{') { |
|
219 |
+ asterisk = 0; |
|
220 |
+ pt = start + j; |
|
221 |
+ break; |
|
222 |
+ } |
|
223 |
+ |
|
224 |
+ if(start[j] == '*') { |
|
225 |
+ asterisk = 1; |
|
226 |
+ pt = start + j; |
|
227 |
+ break; |
|
228 |
+ } |
|
229 |
+ } |
|
224 | 230 |
|
225 |
- if(i == parts) |
|
226 |
- break; |
|
231 |
+ *pt++ = 0; |
|
232 |
+ } |
|
227 | 233 |
|
228 |
- mindist = maxdist = 0; |
|
234 |
+ if((ret = cli_ac_addsig(root, virname, start, root->ac_partsigs, parts, i, rtype, type, mindist, maxdist, offset, lsigid, options))) { |
|
235 |
+ cli_errmsg("cli_parse_add(): Problem adding signature (1).\n"); |
|
236 |
+ error = 1; |
|
237 |
+ break; |
|
238 |
+ } |
|
229 | 239 |
|
230 |
- if(asterisk) { |
|
231 |
- start = pt; |
|
232 |
- continue; |
|
233 |
- } |
|
240 |
+ if(i == parts) |
|
241 |
+ break; |
|
234 | 242 |
|
235 |
- if(!(start = strchr(pt, '}'))) { |
|
236 |
- error = 1; |
|
237 |
- break; |
|
238 |
- } |
|
239 |
- *start++ = 0; |
|
243 |
+ mindist = maxdist = 0; |
|
240 | 244 |
|
241 |
- if(!pt) { |
|
242 |
- error = 1; |
|
243 |
- break; |
|
244 |
- } |
|
245 |
+ if(asterisk) { |
|
246 |
+ start = pt; |
|
247 |
+ continue; |
|
248 |
+ } |
|
245 | 249 |
|
246 |
- if(!strchr(pt, '-')) { |
|
247 |
- if(!cli_isnumber(pt) || (mindist = maxdist = atoi(pt)) < 0) { |
|
248 |
- error = 1; |
|
249 |
- break; |
|
250 |
- } |
|
251 |
- } else { |
|
252 |
- if((n = cli_strtok(pt, 0, "-"))) { |
|
253 |
- if(!cli_isnumber(n) || (mindist = atoi(n)) < 0) { |
|
254 |
- error = 1; |
|
255 |
- free(n); |
|
256 |
- break; |
|
257 |
- } |
|
258 |
- free(n); |
|
259 |
- } |
|
250 |
+ if(!(start = strchr(pt, '}'))) { |
|
251 |
+ error = 1; |
|
252 |
+ break; |
|
253 |
+ } |
|
260 | 254 |
|
261 |
- if((n = cli_strtok(pt, 1, "-"))) { |
|
262 |
- if(!cli_isnumber(n) || (maxdist = atoi(n)) < 0) { |
|
263 |
- error = 1; |
|
264 |
- free(n); |
|
265 |
- break; |
|
266 |
- } |
|
267 |
- free(n); |
|
268 |
- } |
|
255 |
+ *start++ = 0; |
|
269 | 256 |
|
270 |
- if((n = cli_strtok(pt, 2, "-"))) { /* strict check */ |
|
271 |
- error = 1; |
|
272 |
- free(n); |
|
273 |
- break; |
|
274 |
- } |
|
275 |
- } |
|
276 |
- } |
|
257 |
+ if(!pt) { |
|
258 |
+ error = 1; |
|
259 |
+ break; |
|
260 |
+ } |
|
277 | 261 |
|
278 |
- free(hexcpy); |
|
279 |
- if(error) { |
|
280 |
- cli_errmsg("cli_parseadd(): Problem adding signature (1b).\n"); |
|
281 |
- return CL_EMALFDB; |
|
282 |
- } |
|
262 |
+ if(!strchr(pt, '-')) { |
|
263 |
+ if(!cli_isnumber(pt) || (mindist = maxdist = atoi(pt)) < 0) { |
|
264 |
+ error = 1; |
|
265 |
+ break; |
|
266 |
+ } |
|
267 |
+ } else { |
|
268 |
+ if((n = cli_strtok(pt, 0, "-"))) { |
|
269 |
+ if(!cli_isnumber(n) || (mindist = atoi(n)) < 0) { |
|
270 |
+ error = 1; |
|
271 |
+ free(n); |
|
272 |
+ break; |
|
273 |
+ } |
|
274 |
+ |
|
275 |
+ free(n); |
|
276 |
+ } |
|
283 | 277 |
|
284 |
- } else if(strchr(hexsig, '*')) { |
|
285 |
- root->ac_partsigs++; |
|
278 |
+ if((n = cli_strtok(pt, 1, "-"))) { |
|
279 |
+ if(!cli_isnumber(n) || (maxdist = atoi(n)) < 0) { |
|
280 |
+ error = 1; |
|
281 |
+ free(n); |
|
282 |
+ break; |
|
283 |
+ } |
|
286 | 284 |
|
287 |
- for(i = 0; i < hexlen; i++) |
|
288 |
- if(hexsig[i] == '*') |
|
289 |
- parts++; |
|
285 |
+ free(n); |
|
286 |
+ } |
|
290 | 287 |
|
291 |
- if(parts) |
|
292 |
- parts++; |
|
288 |
+ if((n = cli_strtok(pt, 2, "-"))) { /* strict check */ |
|
289 |
+ error = 1; |
|
290 |
+ free(n); |
|
291 |
+ break; |
|
292 |
+ } |
|
293 |
+ } |
|
294 |
+ } |
|
293 | 295 |
|
294 |
- for(i = 1; i <= parts; i++) { |
|
295 |
- if((pt = cli_strtok(hexsig, i - 1, "*")) == NULL) { |
|
296 |
- cli_errmsg("Can't extract part %d of partial signature.\n", i); |
|
297 |
- return CL_EMALFDB; |
|
298 |
- } |
|
296 |
+ free(hexcpy); |
|
297 |
+ if(error) { |
|
298 |
+ cli_errmsg("cli_parseadd(): Problem adding signature (1b).\n"); |
|
299 |
+ return CL_EMALFDB; |
|
300 |
+ } |
|
301 |
+ } else if(strchr(hexsig, '*')) { |
|
302 |
+ root->ac_partsigs++; |
|
299 | 303 |
|
300 |
- if((ret = cli_ac_addsig(root, virname, pt, root->ac_partsigs, parts, i, rtype, type, 0, 0, offset, lsigid, options))) { |
|
301 |
- cli_errmsg("cli_parse_add(): Problem adding signature (2).\n"); |
|
302 |
- free(pt); |
|
303 |
- return ret; |
|
304 |
- } |
|
304 |
+ for(i = 0; i < hexlen; i++) |
|
305 |
+ if(hexsig[i] == '*') |
|
306 |
+ parts++; |
|
305 | 307 |
|
306 |
- free(pt); |
|
307 |
- } |
|
308 |
+ if(parts) |
|
309 |
+ parts++; |
|
308 | 310 |
|
309 |
- } else if(root->ac_only || type || lsigid || strpbrk(hexsig, "?([") || (root->bm_offmode && (!strcmp(offset, "*") || strchr(offset, ','))) || strstr(offset, "VI") || strchr(offset, '$')) { |
|
310 |
- if((ret = cli_ac_addsig(root, virname, hexsig, 0, 0, 0, rtype, type, 0, 0, offset, lsigid, options))) { |
|
311 |
- cli_errmsg("cli_parse_add(): Problem adding signature (3).\n"); |
|
312 |
- return ret; |
|
313 |
- } |
|
311 |
+ for(i = 1; i <= parts; i++) { |
|
312 |
+ if((pt = cli_strtok(hexsig, i - 1, "*")) == NULL) { |
|
313 |
+ cli_errmsg("Can't extract part %d of partial signature.\n", i); |
|
314 |
+ return CL_EMALFDB; |
|
315 |
+ } |
|
314 | 316 |
|
317 |
+ if((ret = cli_ac_addsig(root, virname, pt, root->ac_partsigs, parts, i, rtype, type, 0, 0, offset, lsigid, options))) { |
|
318 |
+ cli_errmsg("cli_parse_add(): Problem adding signature (2).\n"); |
|
319 |
+ free(pt); |
|
320 |
+ return ret; |
|
321 |
+ } |
|
322 |
+ |
|
323 |
+ free(pt); |
|
324 |
+ } |
|
325 |
+ } else if(root->ac_only || type || lsigid || strpbrk(hexsig, "?([") || (root->bm_offmode && (!strcmp(offset, "*") || strchr(offset, ','))) || strstr(offset, "VI") || strchr(offset, '$')) { |
|
326 |
+ if((ret = cli_ac_addsig(root, virname, hexsig, 0, 0, 0, rtype, type, 0, 0, offset, lsigid, options))) { |
|
327 |
+ cli_errmsg("cli_parse_add(): Problem adding signature (3).\n"); |
|
328 |
+ return ret; |
|
329 |
+ } |
|
315 | 330 |
} else { |
316 |
- bm_new = (struct cli_bm_patt *) mpool_calloc(root->mempool, 1, sizeof(struct cli_bm_patt)); |
|
317 |
- if(!bm_new) |
|
318 |
- return CL_EMEM; |
|
331 |
+ bm_new = (struct cli_bm_patt *) mpool_calloc(root->mempool, 1, sizeof(struct cli_bm_patt)); |
|
332 |
+ if(!bm_new) |
|
333 |
+ return CL_EMEM; |
|
334 |
+ |
|
319 | 335 |
bm_new->pattern = (unsigned char *) cli_mpool_hex2str(root->mempool, hexsig); |
320 |
- if(!bm_new->pattern) { |
|
321 |
- mpool_free(root->mempool, bm_new); |
|
322 |
- return CL_EMALFDB; |
|
323 |
- } |
|
324 |
- bm_new->length = hexlen / 2; |
|
336 |
+ if(!bm_new->pattern) { |
|
337 |
+ mpool_free(root->mempool, bm_new); |
|
338 |
+ return CL_EMALFDB; |
|
339 |
+ } |
|
325 | 340 |
|
326 |
- bm_new->virname = cli_mpool_virname(root->mempool, virname, options & CL_DB_OFFICIAL); |
|
327 |
- if(!bm_new->virname) { |
|
328 |
- mpool_free(root->mempool, bm_new->pattern); |
|
329 |
- mpool_free(root->mempool, bm_new); |
|
330 |
- return CL_EMEM; |
|
331 |
- } |
|
341 |
+ bm_new->length = hexlen / 2; |
|
332 | 342 |
|
333 |
- if(bm_new->length > root->maxpatlen) { |
|
334 |
- root->maxpatlen = bm_new->length; |
|
335 |
- } |
|
343 |
+ bm_new->virname = cli_mpool_virname(root->mempool, virname, options & CL_DB_OFFICIAL); |
|
344 |
+ if(!bm_new->virname) { |
|
345 |
+ mpool_free(root->mempool, bm_new->pattern); |
|
346 |
+ mpool_free(root->mempool, bm_new); |
|
347 |
+ return CL_EMEM; |
|
348 |
+ } |
|
336 | 349 |
|
337 |
- if((ret = cli_bm_addpatt(root, bm_new, offset))) { |
|
338 |
- cli_errmsg("cli_parse_add(): Problem adding signature (4).\n"); |
|
339 |
- mpool_free(root->mempool, bm_new->pattern); |
|
340 |
- mpool_free(root->mempool, bm_new->virname); |
|
341 |
- mpool_free(root->mempool, bm_new); |
|
342 |
- return ret; |
|
343 |
- } |
|
350 |
+ if(bm_new->length > root->maxpatlen) |
|
351 |
+ root->maxpatlen = bm_new->length; |
|
352 |
+ |
|
353 |
+ if((ret = cli_bm_addpatt(root, bm_new, offset))) { |
|
354 |
+ cli_errmsg("cli_parse_add(): Problem adding signature (4).\n"); |
|
355 |
+ mpool_free(root->mempool, bm_new->pattern); |
|
356 |
+ mpool_free(root->mempool, bm_new->virname); |
|
357 |
+ mpool_free(root->mempool, bm_new); |
|
358 |
+ return ret; |
|
359 |
+ } |
|
344 | 360 |
} |
345 | 361 |
|
346 | 362 |
return CL_SUCCESS; |
... | ... |
@@ -2758,7 +2774,6 @@ static int cli_loadyara(FILE *fs, const char *dbname, struct cl_engine *engine, |
2758 | 2758 |
nstrings++; |
2759 | 2759 |
if (STRING_IS_HEX(string)) { |
2760 | 2760 |
size_t len = strlen(string->string); |
2761 |
- parse_yara_hex_string(string); |
|
2762 | 2761 |
for (i=0; i < len; i++) { |
2763 | 2762 |
int ch = string->string[i]; |
2764 | 2763 |
if (isalnum(ch)) |