Browse code
add support for CryptFF
- clamav-devel/ChangeLog
- clamav-devel/libclamav/filetypes.c
- clamav-devel/libclamav/filetypes.h
- clamav-devel/libclamav/scanners.c
| ... | ... |
@@ -1,3 +1,7 @@ |
| 1 |
+Mon Nov 14 21:59:56 CET 2005 (tk) |
|
| 2 |
+--------------------------------- |
|
| 3 |
+ * libclamav: add support for CryptFF, thanks to Arnaud Jacques |
|
| 4 |
+ |
|
| 1 | 5 |
Mon Nov 14 00:32:27 CET 2005 (tk) |
| 2 | 6 |
--------------------------------- |
| 3 | 7 |
* libclamav: add support for CL_DB_NOPHISHING (disables phishing signatures) |
| ... | ... |
@@ -52,6 +52,7 @@ static const struct cli_magic_s cli_magic[] = {
|
| 52 | 52 |
|
| 53 | 53 |
{0, "MZ", 2, "DOS/W32 executable/library/driver", CL_TYPE_MSEXE},
|
| 54 | 54 |
{0, "\177ELF", 4, "ELF", CL_TYPE_ELF},
|
| 55 |
+ |
|
| 55 | 56 |
/* Archives */ |
| 56 | 57 |
|
| 57 | 58 |
{0, "Rar!", 4, "RAR", CL_TYPE_RAR},
|
| ... | ... |
@@ -111,6 +112,7 @@ static const struct cli_magic_s cli_magic[] = {
|
| 111 | 111 |
|
| 112 | 112 |
{0, "\320\317\021\340\241\261\032\341", 8, "OLE2 container", CL_TYPE_MSOLE2},
|
| 113 | 113 |
{0, "\%PDF-", 5, "PDF document", CL_TYPE_PDF},
|
| 114 |
+ {0, "\266\271\254\256\376\377\377\377", 8, "CryptFF", CL_TYPE_CRYPTFF},
|
|
| 114 | 115 |
|
| 115 | 116 |
/* Ignored types */ |
| 116 | 117 |
|
| ... | ... |
@@ -1302,6 +1302,94 @@ static int cli_scanjpeg(int desc, const char **virname) |
| 1302 | 1302 |
return ret; |
| 1303 | 1303 |
} |
| 1304 | 1304 |
|
| 1305 |
+static int cli_scancryptff(int desc, const char **virname, unsigned long int *scanned, const struct cl_engine *engine, const struct cl_limits *limits, unsigned int options, unsigned int arec, unsigned int mrec) |
|
| 1306 |
+{
|
|
| 1307 |
+ int ret = CL_CLEAN, i, ndesc; |
|
| 1308 |
+ unsigned int length; |
|
| 1309 |
+ unsigned char *src = NULL, *dest = NULL; |
|
| 1310 |
+ char *tempfile; |
|
| 1311 |
+ struct stat sb; |
|
| 1312 |
+ |
|
| 1313 |
+ |
|
| 1314 |
+ if(fstat(desc, &sb) == -1) {
|
|
| 1315 |
+ cli_errmsg("CryptFF: Can's fstat descriptor %d\n", desc);
|
|
| 1316 |
+ return CL_EIO; |
|
| 1317 |
+ } |
|
| 1318 |
+ |
|
| 1319 |
+ /* Skip the CryptFF file header */ |
|
| 1320 |
+ if(lseek(desc, 0x10, SEEK_SET) < 0) {
|
|
| 1321 |
+ cli_errmsg("CryptFF: Can's fstat descriptor %d\n", desc);
|
|
| 1322 |
+ return ret; |
|
| 1323 |
+ } |
|
| 1324 |
+ |
|
| 1325 |
+ length = sb.st_size - 0x10; |
|
| 1326 |
+ |
|
| 1327 |
+ if((dest = (char *) cli_malloc(length)) == NULL) {
|
|
| 1328 |
+ cli_dbgmsg("CryptFF: Can't allocate memory\n");
|
|
| 1329 |
+ return CL_EMEM; |
|
| 1330 |
+ } |
|
| 1331 |
+ |
|
| 1332 |
+ if((src = (char *) cli_malloc(length)) == NULL) {
|
|
| 1333 |
+ cli_dbgmsg("CryptFF: Can't allocate memory\n");
|
|
| 1334 |
+ free(dest); |
|
| 1335 |
+ return CL_EMEM; |
|
| 1336 |
+ } |
|
| 1337 |
+ |
|
| 1338 |
+ if((unsigned int) read(desc, src, length) != length) {
|
|
| 1339 |
+ cli_dbgmsg("CryptFF: Can't read from descriptor %d\n", desc);
|
|
| 1340 |
+ free(dest); |
|
| 1341 |
+ free(src); |
|
| 1342 |
+ return CL_EIO; |
|
| 1343 |
+ } |
|
| 1344 |
+ |
|
| 1345 |
+ for(i = 0; i < length; i++) |
|
| 1346 |
+ dest[i] = src[i] ^ (unsigned char) 0xff; |
|
| 1347 |
+ |
|
| 1348 |
+ free(src); |
|
| 1349 |
+ |
|
| 1350 |
+ tempfile = cli_gentemp(NULL); |
|
| 1351 |
+ if((ndesc = open(tempfile, O_RDWR|O_CREAT|O_TRUNC, S_IRWXU)) < 0) {
|
|
| 1352 |
+ cli_errmsg("CryptFF: Can't create file %s\n", tempfile);
|
|
| 1353 |
+ free(dest); |
|
| 1354 |
+ free(tempfile); |
|
| 1355 |
+ return CL_EIO; |
|
| 1356 |
+ } |
|
| 1357 |
+ |
|
| 1358 |
+ if(write(ndesc, dest, length) == -1) {
|
|
| 1359 |
+ cli_dbgmsg("CryptFF: Can't write to descriptor %d\n", ndesc);
|
|
| 1360 |
+ free(dest); |
|
| 1361 |
+ close(ndesc); |
|
| 1362 |
+ free(tempfile); |
|
| 1363 |
+ return CL_EIO; |
|
| 1364 |
+ } |
|
| 1365 |
+ |
|
| 1366 |
+ free(dest); |
|
| 1367 |
+ |
|
| 1368 |
+ if(fsync(ndesc) == -1) {
|
|
| 1369 |
+ cli_errmsg("CryptFF: Can't fsync descriptor %d\n", ndesc);
|
|
| 1370 |
+ close(ndesc); |
|
| 1371 |
+ free(tempfile); |
|
| 1372 |
+ return CL_EIO; |
|
| 1373 |
+ } |
|
| 1374 |
+ |
|
| 1375 |
+ lseek(ndesc, 0, SEEK_SET); |
|
| 1376 |
+ |
|
| 1377 |
+ cli_dbgmsg("CryptFF: Scanning decrypted data\n");
|
|
| 1378 |
+ |
|
| 1379 |
+ if((ret = cli_magic_scandesc(ndesc, virname, scanned, engine, limits, options, arec, mrec)) == CL_VIRUS) |
|
| 1380 |
+ cli_dbgmsg("CryptFF: Infected with %s\n", *virname);
|
|
| 1381 |
+ |
|
| 1382 |
+ close(ndesc); |
|
| 1383 |
+ |
|
| 1384 |
+ if(cli_leavetemps_flag) |
|
| 1385 |
+ cli_dbgmsg("CryptFF: Decompressed data saved in %s\n", tempfile);
|
|
| 1386 |
+ else |
|
| 1387 |
+ unlink(tempfile); |
|
| 1388 |
+ |
|
| 1389 |
+ free(tempfile); |
|
| 1390 |
+ return ret; |
|
| 1391 |
+} |
|
| 1392 |
+ |
|
| 1305 | 1393 |
static int cli_scanpdf(int desc, const char **virname, long int *scanned, const struct cl_engine *engine, const struct cl_limits *limits, unsigned int options, unsigned int arec, unsigned int mrec) |
| 1306 | 1394 |
{
|
| 1307 | 1395 |
int ret; |
| ... | ... |
@@ -1523,6 +1611,10 @@ int cli_magic_scandesc(int desc, const char **virname, long int *scanned, const |
| 1523 | 1523 |
ret = cli_scanpdf(desc, virname, scanned, engine, limits, options, arec, mrec); |
| 1524 | 1524 |
break; |
| 1525 | 1525 |
|
| 1526 |
+ case CL_TYPE_CRYPTFF: |
|
| 1527 |
+ ret = cli_scancryptff(desc, virname, scanned, engine, limits, options, arec, mrec); |
|
| 1528 |
+ break; |
|
| 1529 |
+ |
|
| 1526 | 1530 |
case CL_TYPE_ELF: /* TODO: Add ScanELF option */ |
| 1527 | 1531 |
ret = cli_scanelf(desc, virname, scanned, engine, limits, options, arec, mrec); |
| 1528 | 1532 |
break; |