... | ... |
@@ -2167,7 +2167,7 @@ static char *pe_ordinal(char *dll, uint16_t ord) |
2167 | 2167 |
return cli_strdup(name); |
2168 | 2168 |
} |
2169 | 2169 |
|
2170 |
-static inline int scan_pe_impfuncs(cli_ctx *ctx, void *md5ctx, struct pe_image_import_descriptor *image, char *dllname, struct cli_exe_section *exe_sections, uint16_t nsections, uint32_t hdr_size, int pe_plus, int *first) { |
|
2170 |
+static inline int scan_pe_impfuncs(cli_ctx *ctx, void *md5ctx, uint32_t *itsz, struct pe_image_import_descriptor *image, char *dllname, struct cli_exe_section *exe_sections, uint16_t nsections, uint32_t hdr_size, int pe_plus, int *first){ |
|
2171 | 2171 |
uint32_t toff, offset; |
2172 | 2172 |
fmap_t *map = *ctx->fmap; |
2173 | 2173 |
size_t dlllen = 0, fsize = map->len; |
... | ... |
@@ -2175,6 +2175,8 @@ static inline int scan_pe_impfuncs(cli_ctx *ctx, void *md5ctx, struct pe_image_i |
2175 | 2175 |
const char *buffer; |
2176 | 2176 |
#if HAVE_JSON |
2177 | 2177 |
json_object *imptbl = NULL; |
2178 |
+#else |
|
2179 |
+ void *imptbl = NULL; |
|
2178 | 2180 |
#endif |
2179 | 2181 |
|
2180 | 2182 |
toff = cli_rawaddr(image->u.OriginalFirstThunk, exe_sections, nsections, &err, fsize, hdr_size); |
... | ... |
@@ -2195,6 +2197,51 @@ static inline int scan_pe_impfuncs(cli_ctx *ctx, void *md5ctx, struct pe_image_i |
2195 | 2195 |
} |
2196 | 2196 |
#endif |
2197 | 2197 |
|
2198 |
+#define update_hash() \ |
|
2199 |
+ if (funcname) { \ |
|
2200 |
+ char *fname; \ |
|
2201 |
+ size_t funclen; \ |
|
2202 |
+ \ |
|
2203 |
+ if (dlllen == 0) { \ |
|
2204 |
+ char* ext = strstr(dllname, "."); \ |
|
2205 |
+ \ |
|
2206 |
+ if (ext && (strncasecmp(ext, ".ocx", 4) == 0 || \ |
|
2207 |
+ strncasecmp(ext, ".sys", 4) == 0 || \ |
|
2208 |
+ strncasecmp(ext, ".dll", 4) == 0)) \ |
|
2209 |
+ dlllen = ext - dllname; \ |
|
2210 |
+ else \ |
|
2211 |
+ dlllen = strlen(dllname); \ |
|
2212 |
+ } \ |
|
2213 |
+ \ |
|
2214 |
+ funclen = strlen(funcname); \ |
|
2215 |
+ \ |
|
2216 |
+ fname = cli_calloc(funclen + dlllen + 3, sizeof(char)); \ |
|
2217 |
+ if (fname == NULL) { \ |
|
2218 |
+ cli_dbgmsg("IMPTBL: cannot allocate memory for imphash string\n"); \ |
|
2219 |
+ return CL_EMEM; \ |
|
2220 |
+ } \ |
|
2221 |
+ j = 0; \ |
|
2222 |
+ if (!*first) \ |
|
2223 |
+ fname[j++] = ','; \ |
|
2224 |
+ for (i = 0; i < dlllen; i++, j++) \ |
|
2225 |
+ fname[j] = tolower(dllname[i]); \ |
|
2226 |
+ fname[j++] = '.'; \ |
|
2227 |
+ for (i = 0; i < funclen; i++, j++) \ |
|
2228 |
+ fname[j] = tolower(funcname[i]); \ |
|
2229 |
+ \ |
|
2230 |
+ if (imptbl) { \ |
|
2231 |
+ char *jname = *first ? fname : fname+1; \ |
|
2232 |
+ cli_jsonstr(imptbl, NULL, jname); \ |
|
2233 |
+ } \ |
|
2234 |
+ \ |
|
2235 |
+ cl_update_hash(md5ctx, fname, strlen(fname)); \ |
|
2236 |
+ *itsz += strlen(fname); \ |
|
2237 |
+ \ |
|
2238 |
+ *first = 0; \ |
|
2239 |
+ free(fname); \ |
|
2240 |
+ free(funcname); \ |
|
2241 |
+ } |
|
2242 |
+ |
|
2198 | 2243 |
if (!pe_plus) { |
2199 | 2244 |
struct pe_image_thunk32 thunk32; |
2200 | 2245 |
|
... | ... |
@@ -2225,50 +2272,7 @@ static inline int scan_pe_impfuncs(cli_ctx *ctx, void *md5ctx, struct pe_image_i |
2225 | 2225 |
} |
2226 | 2226 |
} |
2227 | 2227 |
|
2228 |
- if (funcname) { |
|
2229 |
- char *fname; |
|
2230 |
- size_t funclen; |
|
2231 |
- |
|
2232 |
- if (dlllen == 0) { |
|
2233 |
- char* ext = strstr(dllname, "."); |
|
2234 |
- |
|
2235 |
- if (ext && (strncasecmp(ext, ".ocx", 4) == 0 || |
|
2236 |
- strncasecmp(ext, ".sys", 4) == 0 || |
|
2237 |
- strncasecmp(ext, ".dll", 4) == 0)) |
|
2238 |
- dlllen = ext - dllname; |
|
2239 |
- else |
|
2240 |
- dlllen = strlen(dllname); |
|
2241 |
- } |
|
2242 |
- |
|
2243 |
- funclen = strlen(funcname); |
|
2244 |
- |
|
2245 |
- fname = cli_calloc(funclen + dlllen + 3, sizeof(char)); |
|
2246 |
- if (fname == NULL) { |
|
2247 |
- cli_dbgmsg("IMPTBL: cannot allocate memory for imphash string\n"); |
|
2248 |
- return CL_EMEM; |
|
2249 |
- } |
|
2250 |
- j = 0; |
|
2251 |
- if (!*first) |
|
2252 |
- fname[j++] = ','; |
|
2253 |
- for (i = 0; i < dlllen; i++, j++) |
|
2254 |
- fname[j] = tolower(dllname[i]); |
|
2255 |
- fname[j++] = '.'; |
|
2256 |
- for (i = 0; i < funclen; i++, j++) |
|
2257 |
- fname[j] = tolower(funcname[i]); |
|
2258 |
- |
|
2259 |
-#if HAVE_JSON |
|
2260 |
- if (imptbl) { |
|
2261 |
- char *jname = *first ? fname : fname+1; |
|
2262 |
- cli_jsonstr(imptbl, NULL, jname); |
|
2263 |
- } |
|
2264 |
-#endif |
|
2265 |
- |
|
2266 |
- cl_update_hash(md5ctx, fname, strlen(fname)); |
|
2267 |
- |
|
2268 |
- *first = 0; |
|
2269 |
- free(fname); |
|
2270 |
- free(funcname); |
|
2271 |
- } |
|
2228 |
+ update_hash(); |
|
2272 | 2229 |
} |
2273 | 2230 |
} else { |
2274 | 2231 |
struct pe_image_thunk64 thunk64; |
... | ... |
@@ -2300,50 +2304,7 @@ static inline int scan_pe_impfuncs(cli_ctx *ctx, void *md5ctx, struct pe_image_i |
2300 | 2300 |
} |
2301 | 2301 |
} |
2302 | 2302 |
|
2303 |
- if (funcname) { |
|
2304 |
- char *fname; |
|
2305 |
- size_t funclen; |
|
2306 |
- |
|
2307 |
- if (dlllen == 0) { |
|
2308 |
- char* ext = strstr(dllname, "."); |
|
2309 |
- |
|
2310 |
- if (ext && (strncasecmp(ext, ".ocx", 4) == 0 || |
|
2311 |
- strncasecmp(ext, ".sys", 4) == 0 || |
|
2312 |
- strncasecmp(ext, ".dll", 4) == 0)) |
|
2313 |
- dlllen = ext - dllname; |
|
2314 |
- else |
|
2315 |
- dlllen = strlen(dllname); |
|
2316 |
- } |
|
2317 |
- |
|
2318 |
- funclen = strlen(funcname); |
|
2319 |
- |
|
2320 |
- fname = cli_calloc(funclen + dlllen + 3, sizeof(char)); |
|
2321 |
- if (fname == NULL) { |
|
2322 |
- cli_dbgmsg("IMPTBL: cannot allocate memory for imphash string\n"); |
|
2323 |
- return CL_EMEM; |
|
2324 |
- } |
|
2325 |
- j = 0; |
|
2326 |
- if (!*first) |
|
2327 |
- fname[j++] = ','; |
|
2328 |
- for (i = 0; i < dlllen; i++, j++) |
|
2329 |
- fname[j] = tolower(dllname[i]); |
|
2330 |
- fname[j++] = '.'; |
|
2331 |
- for (i = 0; i < funclen; i++, j++) |
|
2332 |
- fname[j] = tolower(funcname[i]); |
|
2333 |
- |
|
2334 |
-#if HAVE_JSON |
|
2335 |
- if (imptbl) { |
|
2336 |
- char *jname = *first ? fname : fname+1; |
|
2337 |
- cli_jsonstr(imptbl, NULL, jname); |
|
2338 |
- } |
|
2339 |
-#endif |
|
2340 |
- |
|
2341 |
- cl_update_hash(md5ctx, fname, strlen(fname)); |
|
2342 |
- |
|
2343 |
- *first = 0; |
|
2344 |
- free(fname); |
|
2345 |
- free(funcname); |
|
2346 |
- } |
|
2303 |
+ update_hash(); |
|
2347 | 2304 |
} |
2348 | 2305 |
} |
2349 | 2306 |
|
... | ... |
@@ -2356,7 +2317,7 @@ static int scan_pe_imptbl(cli_ctx *ctx, struct pe_image_data_dir *dirs, struct c |
2356 | 2356 |
struct pe_image_import_descriptor *image; |
2357 | 2357 |
fmap_t *map = *ctx->fmap; |
2358 | 2358 |
size_t left, fsize = map->len; |
2359 |
- uint32_t impoff, offset; |
|
2359 |
+ uint32_t impoff, offset, itsz = 0; |
|
2360 | 2360 |
const char *impdes, *buffer, *virname; |
2361 | 2361 |
void *md5ctx; |
2362 | 2362 |
uint8_t digest[16] = {0}; |
... | ... |
@@ -2415,7 +2376,7 @@ static int scan_pe_imptbl(cli_ctx *ctx, struct pe_image_data_dir *dirs, struct c |
2415 | 2415 |
} |
2416 | 2416 |
|
2417 | 2417 |
/* DLL function handling - inline function */ |
2418 |
- ret = scan_pe_impfuncs(ctx, md5ctx, image, dllname, exe_sections, nsections, hdr_size, pe_plus, &first); |
|
2418 |
+ ret = scan_pe_impfuncs(ctx, md5ctx, &itsz, image, dllname, exe_sections, nsections, hdr_size, pe_plus, &first); |
|
2419 | 2419 |
if (dllname) |
2420 | 2420 |
free(dllname); |
2421 | 2421 |
if (ret != CL_SUCCESS) { |
... | ... |
@@ -2436,7 +2397,7 @@ static int scan_pe_imptbl(cli_ctx *ctx, struct pe_image_data_dir *dirs, struct c |
2436 | 2436 |
if (cli_debug_flag) { |
2437 | 2437 |
#endif |
2438 | 2438 |
char *dstr = cli_str2hex(digest, sizeof(digest)); |
2439 |
- cli_dbgmsg("IMPHASH: %s\n", dstr ? (char *)dstr : "(NULL)"); |
|
2439 |
+ cli_dbgmsg("IMPHASH: %s(%u)\n", dstr ? (char *)dstr : "(NULL)", itsz); |
|
2440 | 2440 |
#if HAVE_JSON |
2441 | 2441 |
if (ctx->wrkproperty) |
2442 | 2442 |
cli_jsonstr(ctx->wrkproperty, "Imphash", dstr ? dstr : "(NULL)"); |
... | ... |
@@ -2445,10 +2406,12 @@ static int scan_pe_imptbl(cli_ctx *ctx, struct pe_image_data_dir *dirs, struct c |
2445 | 2445 |
free(dstr); |
2446 | 2446 |
} |
2447 | 2447 |
|
2448 |
- /* TODO: size-dependent hash scans, what should the size value be? */ |
|
2449 |
- |
|
2450 |
- if (ith && (ret = cli_hm_scan_wild(digest, &virname, ith, CLI_HASH_MD5)) == CL_VIRUS) |
|
2451 |
- cli_append_virus(ctx, virname); |
|
2448 |
+ if (ith) { |
|
2449 |
+ if ((ret = cli_hm_scan(digest, itsz, &virname, ith, CLI_HASH_MD5)) == CL_VIRUS) |
|
2450 |
+ cli_append_virus(ctx, virname); |
|
2451 |
+ else if ((ret = cli_hm_scan_wild(digest, &virname, ith, CLI_HASH_MD5)) == CL_VIRUS) |
|
2452 |
+ cli_append_virus(ctx, virname); |
|
2453 |
+ } |
|
2452 | 2454 |
|
2453 | 2455 |
return ret; |
2454 | 2456 |
} |
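Review bot: The new `update_hash()` macro (new lines 2198–2242, body of `scan_pe_impfuncs`, whose start and end lie outside the hunks) hides a `return CL_EMEM;` and writes to the enclosing function's locals `i`, `j`, `dlllen`, `imptbl` plus `*itsz` and `*first`, is not wrapped in `do { } while (0)`, and is never `#undef`'d, so the name stays defined for the rest of the translation unit; a `static inline` helper returning `int`, called as `if ((ret = imphash_add_func(...)) != CL_SUCCESS) return ret;` at both sites (new 2228 and 2303), keeps the control flow visible. While moving it, two defects in the duplicated body are worth fixing: the allocation-failure path returns without `free(funcname);`, and `tolower(dllname[i])` / `tolower(funcname[i])` are fed plain `char` from an attacker-controlled PE, which is undefined for bytes ≥ 0x80 unless cast to `unsigned char`. Dropping the `#if HAVE_JSON` guard around `cli_jsonstr(imptbl, NULL, jname)` presumably relies on a non-JSON stub of `cli_jsonstr` being declared; if it is not, the `#else` `void *imptbl` branch now fails to compile.
```c
/* Append "dll.func" (lowercased, comma-separated after the first entry) to the
 * imphash and add its length to *itsz.  Always consumes funcname. */
static inline int imphash_add_func(void *md5ctx, uint32_t *itsz, void *imptbl,
                                   const char *dllname, size_t *dlllen,
                                   char *funcname, int *first)
{
    if (!funcname)
        return CL_SUCCESS;
    /* … unchanged: derive *dlllen from the .ocx/.sys/.dll extension … */
    size_t funclen = strlen(funcname);
    char *fname = cli_calloc(funclen + *dlllen + 3, sizeof(char));
    if (fname == NULL) {
        cli_dbgmsg("IMPTBL: cannot allocate memory for imphash string\n");
        free(funcname);          /* was leaked on this path */
        return CL_EMEM;
    }
    size_t j = 0;
    if (!*first)
        fname[j++] = ',';
    for (size_t i = 0; i < *dlllen; i++, j++)
        fname[j] = tolower((unsigned char)dllname[i]);
    fname[j++] = '.';
    for (size_t i = 0; i < funclen; i++, j++)
        fname[j] = tolower((unsigned char)funcname[i]);
    /* … unchanged: cli_jsonstr emit, cl_update_hash, *itsz += strlen(fname), *first = 0, free(fname), free(funcname) … */
    return CL_SUCCESS;
}
```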