git-svn: trunk@1756
Tomasz Kojm authored on 2005/11/15 06:02:26... | ... |
@@ -1,3 +1,7 @@ |
1 |
+Mon Nov 14 21:59:56 CET 2005 (tk) |
|
2 |
+--------------------------------- |
|
3 |
+ * libclamav: add support for CryptFF, thanks to Arnaud Jacques |
|
4 |
+ |
|
1 | 5 |
Mon Nov 14 00:32:27 CET 2005 (tk) |
2 | 6 |
--------------------------------- |
3 | 7 |
* libclamav: add support for CL_DB_NOPHISHING (disables phishing signatures) |
... | ... |
@@ -52,6 +52,7 @@ static const struct cli_magic_s cli_magic[] = { |
52 | 52 |
|
53 | 53 |
{0, "MZ", 2, "DOS/W32 executable/library/driver", CL_TYPE_MSEXE}, |
54 | 54 |
{0, "\177ELF", 4, "ELF", CL_TYPE_ELF}, |
55 |
+ |
|
55 | 56 |
/* Archives */ |
56 | 57 |
|
57 | 58 |
{0, "Rar!", 4, "RAR", CL_TYPE_RAR}, |
... | ... |
@@ -111,6 +112,7 @@ static const struct cli_magic_s cli_magic[] = { |
111 | 111 |
|
112 | 112 |
{0, "\320\317\021\340\241\261\032\341", 8, "OLE2 container", CL_TYPE_MSOLE2}, |
113 | 113 |
{0, "\%PDF-", 5, "PDF document", CL_TYPE_PDF}, |
114 |
+ {0, "\266\271\254\256\376\377\377\377", 8, "CryptFF", CL_TYPE_CRYPTFF}, |
|
114 | 115 |
|
115 | 116 |
/* Ignored types */ |
116 | 117 |
|
... | ... |
@@ -1302,6 +1302,94 @@ static int cli_scanjpeg(int desc, const char **virname) |
1302 | 1302 |
return ret; |
1303 | 1303 |
} |
1304 | 1304 |
|
1305 |
+static int cli_scancryptff(int desc, const char **virname, unsigned long int *scanned, const struct cl_engine *engine, const struct cl_limits *limits, unsigned int options, unsigned int arec, unsigned int mrec) |
|
1306 |
+{ |
|
1307 |
+ int ret = CL_CLEAN, i, ndesc; |
|
1308 |
+ unsigned int length; |
|
1309 |
+ unsigned char *src = NULL, *dest = NULL; |
|
1310 |
+ char *tempfile; |
|
1311 |
+ struct stat sb; |
|
1312 |
+ |
|
1313 |
+ |
|
1314 |
+ if(fstat(desc, &sb) == -1) { |
|
1315 |
+ cli_errmsg("CryptFF: Can's fstat descriptor %d\n", desc); |
|
1316 |
+ return CL_EIO; |
|
1317 |
+ } |
|
1318 |
+ |
|
1319 |
+ /* Skip the CryptFF file header */ |
|
1320 |
+ if(lseek(desc, 0x10, SEEK_SET) < 0) { |
|
1321 |
+ cli_errmsg("CryptFF: Can's fstat descriptor %d\n", desc); |
|
1322 |
+ return ret; |
|
1323 |
+ } |
|
1324 |
+ |
|
1325 |
+ length = sb.st_size - 0x10; |
|
1326 |
+ |
|
1327 |
+ if((dest = (char *) cli_malloc(length)) == NULL) { |
|
1328 |
+ cli_dbgmsg("CryptFF: Can't allocate memory\n"); |
|
1329 |
+ return CL_EMEM; |
|
1330 |
+ } |
|
1331 |
+ |
|
1332 |
+ if((src = (char *) cli_malloc(length)) == NULL) { |
|
1333 |
+ cli_dbgmsg("CryptFF: Can't allocate memory\n"); |
|
1334 |
+ free(dest); |
|
1335 |
+ return CL_EMEM; |
|
1336 |
+ } |
|
1337 |
+ |
|
1338 |
+ if((unsigned int) read(desc, src, length) != length) { |
|
1339 |
+ cli_dbgmsg("CryptFF: Can't read from descriptor %d\n", desc); |
|
1340 |
+ free(dest); |
|
1341 |
+ free(src); |
|
1342 |
+ return CL_EIO; |
|
1343 |
+ } |
|
1344 |
+ |
|
1345 |
+ for(i = 0; i < length; i++) |
|
1346 |
+ dest[i] = src[i] ^ (unsigned char) 0xff; |
|
1347 |
+ |
|
1348 |
+ free(src); |
|
1349 |
+ |
|
1350 |
+ tempfile = cli_gentemp(NULL); |
|
1351 |
+ if((ndesc = open(tempfile, O_RDWR|O_CREAT|O_TRUNC, S_IRWXU)) < 0) { |
|
1352 |
+ cli_errmsg("CryptFF: Can't create file %s\n", tempfile); |
|
1353 |
+ free(dest); |
|
1354 |
+ free(tempfile); |
|
1355 |
+ return CL_EIO; |
|
1356 |
+ } |
|
1357 |
+ |
|
1358 |
+ if(write(ndesc, dest, length) == -1) { |
|
1359 |
+ cli_dbgmsg("CryptFF: Can't write to descriptor %d\n", ndesc); |
|
1360 |
+ free(dest); |
|
1361 |
+ close(ndesc); |
|
1362 |
+ free(tempfile); |
|
1363 |
+ return CL_EIO; |
|
1364 |
+ } |
|
1365 |
+ |
|
1366 |
+ free(dest); |
|
1367 |
+ |
|
1368 |
+ if(fsync(ndesc) == -1) { |
|
1369 |
+ cli_errmsg("CryptFF: Can't fsync descriptor %d\n", ndesc); |
|
1370 |
+ close(ndesc); |
|
1371 |
+ free(tempfile); |
|
1372 |
+ return CL_EIO; |
|
1373 |
+ } |
|
1374 |
+ |
|
1375 |
+ lseek(ndesc, 0, SEEK_SET); |
|
1376 |
+ |
|
1377 |
+ cli_dbgmsg("CryptFF: Scanning decrypted data\n"); |
|
1378 |
+ |
|
1379 |
+ if((ret = cli_magic_scandesc(ndesc, virname, scanned, engine, limits, options, arec, mrec)) == CL_VIRUS) |
|
1380 |
+ cli_dbgmsg("CryptFF: Infected with %s\n", *virname); |
|
1381 |
+ |
|
1382 |
+ close(ndesc); |
|
1383 |
+ |
|
1384 |
+ if(cli_leavetemps_flag) |
|
1385 |
+ cli_dbgmsg("CryptFF: Decompressed data saved in %s\n", tempfile); |
|
1386 |
+ else |
|
1387 |
+ unlink(tempfile); |
|
1388 |
+ |
|
1389 |
+ free(tempfile); |
|
1390 |
+ return ret; |
|
1391 |
+} |
|
1392 |
+ |
|
1305 | 1393 |
static int cli_scanpdf(int desc, const char **virname, long int *scanned, const struct cl_engine *engine, const struct cl_limits *limits, unsigned int options, unsigned int arec, unsigned int mrec) |
1306 | 1394 |
{ |
1307 | 1395 |
int ret; |
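Review bot: `length = sb.st_size - 0x10;` in cli_scancryptff wraps to a huge unsigned value when the file is shorter than the 16-byte header (the magic entry matches on 8 bytes), and it sizes two allocations with no check against `limits`, so the input alone controls memory use. The lseek failure path logs the fstat message and returns `ret`, which is still CL_CLEAN, so a seek error is reported as a clean scan; it should return CL_EIO. The temp file is opened without `O_EXCL` and with `S_IRWXU`, the result of `cli_gentemp` is not checked for NULL, and `write` is only compared with -1, so a short write leaves truncated data to be scanned. The function declares `unsigned long int *scanned` while cli_scanpdf and cli_magic_scandesc take `long int *`. `arec` and `mrec` are forwarded unchanged, so it is worth confirming that nested CryptFF layers still count against the recursion limit.

```c
    /* … unchanged: fstat check … */

    /* Nothing to decode if the file holds no data past the 16-byte header */
    if(sb.st_size <= 0x10) {
        cli_dbgmsg("CryptFF: File too short\n");
        return CL_CLEAN;
    }

    /* Skip the CryptFF file header */
    if(lseek(desc, 0x10, SEEK_SET) < 0) {
        cli_errmsg("CryptFF: Can't lseek descriptor %d\n", desc);
        return CL_EIO;
    }

    length = sb.st_size - 0x10;
    /* TODO: compare length with the configured file-size limit before allocating */

    /* … unchanged: allocations, read, XOR loop, free(src) … */

    if((tempfile = cli_gentemp(NULL)) == NULL) {
        free(dest);
        return CL_EMEM;
    }

    /* O_EXCL refuses a pre-existing path; the decoded data needs no execute bit */
    if((ndesc = open(tempfile, O_RDWR|O_CREAT|O_EXCL, S_IRUSR|S_IWUSR)) < 0) {
    /* … unchanged: open error path … */

    /* Treat a short write as an error so truncated data is never scanned as complete */
    if((unsigned int) write(ndesc, dest, length) != length) {
    /* … unchanged: write error path, fsync, scan, cleanup … */
```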
... | ... |
@@ -1523,6 +1611,10 @@ int cli_magic_scandesc(int desc, const char **virname, long int *scanned, const |
1523 | 1523 |
ret = cli_scanpdf(desc, virname, scanned, engine, limits, options, arec, mrec); |
1524 | 1524 |
break; |
1525 | 1525 |
|
1526 |
+ case CL_TYPE_CRYPTFF: |
|
1527 |
+ ret = cli_scancryptff(desc, virname, scanned, engine, limits, options, arec, mrec); |
|
1528 |
+ break; |
|
1529 |
+ |
|
1526 | 1530 |
case CL_TYPE_ELF: /* TODO: Add ScanELF option */ |
1527 | 1531 |
ret = cli_scanelf(desc, virname, scanned, engine, limits, options, arec, mrec); |
1528 | 1532 |
break; |