Browse code
imptbl: macroize similar code; add size based on hashed data
Kevin Lin authored on 2016/06/28 01:03:45Showing 1 changed files
| ... | ... |
@@ -2167,7 +2167,7 @@ static char *pe_ordinal(char *dll, uint16_t ord) |
| 2167 | 2167 |
return cli_strdup(name); |
| 2168 | 2168 |
} |
| 2169 | 2169 |
|
| 2170 |
-static inline int scan_pe_impfuncs(cli_ctx *ctx, void *md5ctx, struct pe_image_import_descriptor *image, char *dllname, struct cli_exe_section *exe_sections, uint16_t nsections, uint32_t hdr_size, int pe_plus, int *first) {
|
|
| 2170 |
+static inline int scan_pe_impfuncs(cli_ctx *ctx, void *md5ctx, uint32_t *itsz, struct pe_image_import_descriptor *image, char *dllname, struct cli_exe_section *exe_sections, uint16_t nsections, uint32_t hdr_size, int pe_plus, int *first){
|
|
| 2171 | 2171 |
uint32_t toff, offset; |
| 2172 | 2172 |
fmap_t *map = *ctx->fmap; |
| 2173 | 2173 |
size_t dlllen = 0, fsize = map->len; |
| ... | ... |
@@ -2175,6 +2175,8 @@ static inline int scan_pe_impfuncs(cli_ctx *ctx, void *md5ctx, struct pe_image_i |
| 2175 | 2175 |
const char *buffer; |
| 2176 | 2176 |
#if HAVE_JSON |
| 2177 | 2177 |
json_object *imptbl = NULL; |
| 2178 |
+#else |
|
| 2179 |
+ void *imptbl = NULL; |
|
| 2178 | 2180 |
#endif |
| 2179 | 2181 |
|
| 2180 | 2182 |
toff = cli_rawaddr(image->u.OriginalFirstThunk, exe_sections, nsections, &err, fsize, hdr_size); |
| ... | ... |
@@ -2195,6 +2197,51 @@ static inline int scan_pe_impfuncs(cli_ctx *ctx, void *md5ctx, struct pe_image_i |
| 2195 | 2195 |
} |
| 2196 | 2196 |
#endif |
| 2197 | 2197 |
|
| 2198 |
+#define update_hash() \ |
|
| 2199 |
+ if (funcname) { \
|
|
| 2200 |
+ char *fname; \ |
|
| 2201 |
+ size_t funclen; \ |
|
| 2202 |
+ \ |
|
| 2203 |
+ if (dlllen == 0) { \
|
|
| 2204 |
+ char* ext = strstr(dllname, "."); \ |
|
| 2205 |
+ \ |
|
| 2206 |
+ if (ext && (strncasecmp(ext, ".ocx", 4) == 0 || \ |
|
| 2207 |
+ strncasecmp(ext, ".sys", 4) == 0 || \ |
|
| 2208 |
+ strncasecmp(ext, ".dll", 4) == 0)) \ |
|
| 2209 |
+ dlllen = ext - dllname; \ |
|
| 2210 |
+ else \ |
|
| 2211 |
+ dlllen = strlen(dllname); \ |
|
| 2212 |
+ } \ |
|
| 2213 |
+ \ |
|
| 2214 |
+ funclen = strlen(funcname); \ |
|
| 2215 |
+ \ |
|
| 2216 |
+ fname = cli_calloc(funclen + dlllen + 3, sizeof(char)); \ |
|
| 2217 |
+ if (fname == NULL) { \
|
|
| 2218 |
+ cli_dbgmsg("IMPTBL: cannot allocate memory for imphash string\n"); \
|
|
| 2219 |
+ return CL_EMEM; \ |
|
| 2220 |
+ } \ |
|
| 2221 |
+ j = 0; \ |
|
| 2222 |
+ if (!*first) \ |
|
| 2223 |
+ fname[j++] = ','; \ |
|
| 2224 |
+ for (i = 0; i < dlllen; i++, j++) \ |
|
| 2225 |
+ fname[j] = tolower(dllname[i]); \ |
|
| 2226 |
+ fname[j++] = '.'; \ |
|
| 2227 |
+ for (i = 0; i < funclen; i++, j++) \ |
|
| 2228 |
+ fname[j] = tolower(funcname[i]); \ |
|
| 2229 |
+ \ |
|
| 2230 |
+ if (imptbl) { \
|
|
| 2231 |
+ char *jname = *first ? fname : fname+1; \ |
|
| 2232 |
+ cli_jsonstr(imptbl, NULL, jname); \ |
|
| 2233 |
+ } \ |
|
| 2234 |
+ \ |
|
| 2235 |
+ cl_update_hash(md5ctx, fname, strlen(fname)); \ |
|
| 2236 |
+ *itsz += strlen(fname); \ |
|
| 2237 |
+ \ |
|
| 2238 |
+ *first = 0; \ |
|
| 2239 |
+ free(fname); \ |
|
| 2240 |
+ free(funcname); \ |
|
| 2241 |
+ } |
|
| 2242 |
+ |
|
| 2198 | 2243 |
if (!pe_plus) {
|
| 2199 | 2244 |
struct pe_image_thunk32 thunk32; |
| 2200 | 2245 |
|
| ... | ... |
@@ -2225,50 +2272,7 @@ static inline int scan_pe_impfuncs(cli_ctx *ctx, void *md5ctx, struct pe_image_i |
| 2225 | 2225 |
} |
| 2226 | 2226 |
} |
| 2227 | 2227 |
|
| 2228 |
- if (funcname) {
|
|
| 2229 |
- char *fname; |
|
| 2230 |
- size_t funclen; |
|
| 2231 |
- |
|
| 2232 |
- if (dlllen == 0) {
|
|
| 2233 |
- char* ext = strstr(dllname, "."); |
|
| 2234 |
- |
|
| 2235 |
- if (ext && (strncasecmp(ext, ".ocx", 4) == 0 || |
|
| 2236 |
- strncasecmp(ext, ".sys", 4) == 0 || |
|
| 2237 |
- strncasecmp(ext, ".dll", 4) == 0)) |
|
| 2238 |
- dlllen = ext - dllname; |
|
| 2239 |
- else |
|
| 2240 |
- dlllen = strlen(dllname); |
|
| 2241 |
- } |
|
| 2242 |
- |
|
| 2243 |
- funclen = strlen(funcname); |
|
| 2244 |
- |
|
| 2245 |
- fname = cli_calloc(funclen + dlllen + 3, sizeof(char)); |
|
| 2246 |
- if (fname == NULL) {
|
|
| 2247 |
- cli_dbgmsg("IMPTBL: cannot allocate memory for imphash string\n");
|
|
| 2248 |
- return CL_EMEM; |
|
| 2249 |
- } |
|
| 2250 |
- j = 0; |
|
| 2251 |
- if (!*first) |
|
| 2252 |
- fname[j++] = ','; |
|
| 2253 |
- for (i = 0; i < dlllen; i++, j++) |
|
| 2254 |
- fname[j] = tolower(dllname[i]); |
|
| 2255 |
- fname[j++] = '.'; |
|
| 2256 |
- for (i = 0; i < funclen; i++, j++) |
|
| 2257 |
- fname[j] = tolower(funcname[i]); |
|
| 2258 |
- |
|
| 2259 |
-#if HAVE_JSON |
|
| 2260 |
- if (imptbl) {
|
|
| 2261 |
- char *jname = *first ? fname : fname+1; |
|
| 2262 |
- cli_jsonstr(imptbl, NULL, jname); |
|
| 2263 |
- } |
|
| 2264 |
-#endif |
|
| 2265 |
- |
|
| 2266 |
- cl_update_hash(md5ctx, fname, strlen(fname)); |
|
| 2267 |
- |
|
| 2268 |
- *first = 0; |
|
| 2269 |
- free(fname); |
|
| 2270 |
- free(funcname); |
|
| 2271 |
- } |
|
| 2228 |
+ update_hash(); |
|
| 2272 | 2229 |
} |
| 2273 | 2230 |
} else {
|
| 2274 | 2231 |
struct pe_image_thunk64 thunk64; |
| ... | ... |
@@ -2300,50 +2304,7 @@ static inline int scan_pe_impfuncs(cli_ctx *ctx, void *md5ctx, struct pe_image_i |
| 2300 | 2300 |
} |
| 2301 | 2301 |
} |
| 2302 | 2302 |
|
| 2303 |
- if (funcname) {
|
|
| 2304 |
- char *fname; |
|
| 2305 |
- size_t funclen; |
|
| 2306 |
- |
|
| 2307 |
- if (dlllen == 0) {
|
|
| 2308 |
- char* ext = strstr(dllname, "."); |
|
| 2309 |
- |
|
| 2310 |
- if (ext && (strncasecmp(ext, ".ocx", 4) == 0 || |
|
| 2311 |
- strncasecmp(ext, ".sys", 4) == 0 || |
|
| 2312 |
- strncasecmp(ext, ".dll", 4) == 0)) |
|
| 2313 |
- dlllen = ext - dllname; |
|
| 2314 |
- else |
|
| 2315 |
- dlllen = strlen(dllname); |
|
| 2316 |
- } |
|
| 2317 |
- |
|
| 2318 |
- funclen = strlen(funcname); |
|
| 2319 |
- |
|
| 2320 |
- fname = cli_calloc(funclen + dlllen + 3, sizeof(char)); |
|
| 2321 |
- if (fname == NULL) {
|
|
| 2322 |
- cli_dbgmsg("IMPTBL: cannot allocate memory for imphash string\n");
|
|
| 2323 |
- return CL_EMEM; |
|
| 2324 |
- } |
|
| 2325 |
- j = 0; |
|
| 2326 |
- if (!*first) |
|
| 2327 |
- fname[j++] = ','; |
|
| 2328 |
- for (i = 0; i < dlllen; i++, j++) |
|
| 2329 |
- fname[j] = tolower(dllname[i]); |
|
| 2330 |
- fname[j++] = '.'; |
|
| 2331 |
- for (i = 0; i < funclen; i++, j++) |
|
| 2332 |
- fname[j] = tolower(funcname[i]); |
|
| 2333 |
- |
|
| 2334 |
-#if HAVE_JSON |
|
| 2335 |
- if (imptbl) {
|
|
| 2336 |
- char *jname = *first ? fname : fname+1; |
|
| 2337 |
- cli_jsonstr(imptbl, NULL, jname); |
|
| 2338 |
- } |
|
| 2339 |
-#endif |
|
| 2340 |
- |
|
| 2341 |
- cl_update_hash(md5ctx, fname, strlen(fname)); |
|
| 2342 |
- |
|
| 2343 |
- *first = 0; |
|
| 2344 |
- free(fname); |
|
| 2345 |
- free(funcname); |
|
| 2346 |
- } |
|
| 2303 |
+ update_hash(); |
|
| 2347 | 2304 |
} |
| 2348 | 2305 |
} |
| 2349 | 2306 |
|
| ... | ... |
@@ -2356,7 +2317,7 @@ static int scan_pe_imptbl(cli_ctx *ctx, struct pe_image_data_dir *dirs, struct c |
| 2356 | 2356 |
struct pe_image_import_descriptor *image; |
| 2357 | 2357 |
fmap_t *map = *ctx->fmap; |
| 2358 | 2358 |
size_t left, fsize = map->len; |
| 2359 |
- uint32_t impoff, offset; |
|
| 2359 |
+ uint32_t impoff, offset, itsz = 0; |
|
| 2360 | 2360 |
const char *impdes, *buffer, *virname; |
| 2361 | 2361 |
void *md5ctx; |
| 2362 | 2362 |
uint8_t digest[16] = {0};
|
| ... | ... |
@@ -2415,7 +2376,7 @@ static int scan_pe_imptbl(cli_ctx *ctx, struct pe_image_data_dir *dirs, struct c |
| 2415 | 2415 |
} |
| 2416 | 2416 |
|
| 2417 | 2417 |
/* DLL function handling - inline function */ |
| 2418 |
- ret = scan_pe_impfuncs(ctx, md5ctx, image, dllname, exe_sections, nsections, hdr_size, pe_plus, &first); |
|
| 2418 |
+ ret = scan_pe_impfuncs(ctx, md5ctx, &itsz, image, dllname, exe_sections, nsections, hdr_size, pe_plus, &first); |
|
| 2419 | 2419 |
if (dllname) |
| 2420 | 2420 |
free(dllname); |
| 2421 | 2421 |
if (ret != CL_SUCCESS) {
|
| ... | ... |
@@ -2436,7 +2397,7 @@ static int scan_pe_imptbl(cli_ctx *ctx, struct pe_image_data_dir *dirs, struct c |
| 2436 | 2436 |
if (cli_debug_flag) {
|
| 2437 | 2437 |
#endif |
| 2438 | 2438 |
char *dstr = cli_str2hex(digest, sizeof(digest)); |
| 2439 |
- cli_dbgmsg("IMPHASH: %s\n", dstr ? (char *)dstr : "(NULL)");
|
|
| 2439 |
+ cli_dbgmsg("IMPHASH: %s(%u)\n", dstr ? (char *)dstr : "(NULL)", itsz);
|
|
| 2440 | 2440 |
#if HAVE_JSON |
| 2441 | 2441 |
if (ctx->wrkproperty) |
| 2442 | 2442 |
cli_jsonstr(ctx->wrkproperty, "Imphash", dstr ? dstr : "(NULL)"); |
| ... | ... |
@@ -2445,10 +2406,12 @@ static int scan_pe_imptbl(cli_ctx *ctx, struct pe_image_data_dir *dirs, struct c |
| 2445 | 2445 |
free(dstr); |
| 2446 | 2446 |
} |
| 2447 | 2447 |
|
| 2448 |
- /* TODO: size-dependent hash scans, what should the size value be? */ |
|
| 2449 |
- |
|
| 2450 |
- if (ith && (ret = cli_hm_scan_wild(digest, &virname, ith, CLI_HASH_MD5)) == CL_VIRUS) |
|
| 2451 |
- cli_append_virus(ctx, virname); |
|
| 2448 |
+ if (ith) {
|
|
| 2449 |
+ if ((ret = cli_hm_scan(digest, itsz, &virname, ith, CLI_HASH_MD5)) == CL_VIRUS) |
|
| 2450 |
+ cli_append_virus(ctx, virname); |
|
| 2451 |
+ else if ((ret = cli_hm_scan_wild(digest, &virname, ith, CLI_HASH_MD5)) == CL_VIRUS) |
|
| 2452 |
+ cli_append_virus(ctx, virname); |
|
| 2453 |
+ } |
|
| 2452 | 2454 |
|
| 2453 | 2455 |
return ret; |
| 2454 | 2456 |
} |