git-svn: trunk@2814
aCaB authored on 2007/02/19 07:24:21... | ... |
@@ -534,14 +534,14 @@ int cli_scanpe(int desc, cli_ctx *ctx) |
534 | 534 |
cli_dbgmsg("NumberOfRvaAndSizes: %d\n", EC32(optional_hdr64.NumberOfRvaAndSizes)); |
535 | 535 |
} |
536 | 536 |
|
537 |
- if (DETECT_BROKEN && (!(pe_plus?EC32(optional_hdr64.SectionAlignment):EC32(optional_hdr32.SectionAlignment)) || (pe_plus?EC32(optional_hdr64.SectionAlignment):EC32(optional_hdr32.SectionAlignment))%0x1000)) { |
|
537 |
+ if (DETECT_BROKEN && (pe_plus?EC16(optional_hdr64.Subsystem):EC16(optional_hdr32.Subsystem))!= 1 && (!(pe_plus?EC32(optional_hdr64.SectionAlignment):EC32(optional_hdr32.SectionAlignment)) || (pe_plus?EC32(optional_hdr64.SectionAlignment):EC32(optional_hdr32.SectionAlignment))%0x1000)) { |
|
538 | 538 |
cli_dbgmsg("Bad virtual alignemnt\n"); |
539 | 539 |
if(ctx->virname) |
540 | 540 |
*ctx->virname = "Broken.Executable"; |
541 | 541 |
return CL_VIRUS; |
542 | 542 |
} |
543 | 543 |
|
544 |
- if (DETECT_BROKEN && (!(pe_plus?EC32(optional_hdr64.FileAlignment):EC32(optional_hdr32.FileAlignment)) || (pe_plus?EC32(optional_hdr64.FileAlignment):EC32(optional_hdr32.FileAlignment))%0x200)) { |
|
544 |
+ if (DETECT_BROKEN && (pe_plus?EC16(optional_hdr64.Subsystem):EC16(optional_hdr32.Subsystem))!= 1 && (!(pe_plus?EC32(optional_hdr64.FileAlignment):EC32(optional_hdr32.FileAlignment)) || (pe_plus?EC32(optional_hdr64.FileAlignment):EC32(optional_hdr32.FileAlignment))%0x200)) { |
|
545 | 545 |
cli_dbgmsg("Bad file alignemnt\n"); |
546 | 546 |
if(ctx->virname) |
547 | 547 |
*ctx->virname = "Broken.Executable"; |
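Review bot: The subsystem test `(pe_plus?EC16(optional_hdr64.Subsystem):EC16(optional_hdr32.Subsystem))!= 1` is now written out three times — twice in this hunk and once more in the hunk at `@@ -726` — each next to an equally long alignment expression, so the conditions are hard to read and can silently drift apart if one copy is later edited. Hoisting it once before the DETECT_BROKEN checks, `uint16_t subsystem = pe_plus ? EC16(optional_hdr64.Subsystem) : EC16(optional_hdr32.Subsystem);`, and testing `subsystem != 1` in all three places would shorten every condition, and a named constant for the value 1 (the native/driver case the later `switch` labels) would explain the magic number. Since Subsystem is read from the scanned file itself, every image that declares itself native now skips the alignment and first-section-RVA checks; presumably this is intended because drivers legitimately use other layouts, but that trade-off deserves a comment beside the check, e.g. `/* native-subsystem images (drivers) use different alignment rules, so skip the Broken.Executable heuristics */`. cli_scanpe's body continues outside the hunk.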
@@ -553,7 +553,7 @@ int cli_scanpe(int desc, cli_ctx *ctx) |
553 | 553 |
cli_dbgmsg("Subsystem: Unknown\n"); |
554 | 554 |
break; |
555 | 555 |
case 1: |
556 |
- cli_dbgmsg("Subsystem: Native (a driver ?)\n"); |
|
556 |
+ cli_dbgmsg("Subsystem: Native (svc)\n"); |
|
557 | 557 |
break; |
558 | 558 |
case 2: |
559 | 559 |
cli_dbgmsg("Subsystem: Win32 GUI\n"); |
@@ -643,6 +643,10 @@ int cli_scanpe(int desc, cli_ctx *ctx) |
643 | 643 |
exe_sections[i].raw = PEALIGN(EC32(section_hdr[i].PointerToRawData), falign); |
644 | 644 |
exe_sections[i].rsz = PESALIGN(EC32(section_hdr[i].SizeOfRawData), falign); |
645 | 645 |
exe_sections[i].ursz = EC32(section_hdr[i].SizeOfRawData); |
646 |
+ |
|
647 |
+ if (!exe_sections[i].vsz && exe_sections[i].rsz) |
|
648 |
+ exe_sections[i].vsz=PESALIGN(EC32(section_hdr[i].SizeOfRawData), valign); |
|
649 |
+ |
|
646 | 650 |
if (exe_sections[i].rsz && fsize>exe_sections[i].raw && !CLI_ISCONTAINED(0, (uint32_t) fsize, exe_sections[i].raw, exe_sections[i].rsz)) |
647 | 651 |
exe_sections[i].rsz = fsize - exe_sections[i].raw; |
648 | 652 |
|
@@ -726,7 +730,7 @@ int cli_scanpe(int desc, cli_ctx *ctx) |
726 | 726 |
} |
727 | 727 |
|
728 | 728 |
if(!i) { |
729 |
- if (DETECT_BROKEN && EC32(section_hdr[i].VirtualAddress)!=valign) { /* Bad first section RVA */ |
|
729 |
+ if (DETECT_BROKEN && (pe_plus?EC16(optional_hdr64.Subsystem):EC16(optional_hdr32.Subsystem))!= 1 && EC32(section_hdr[i].VirtualAddress)!=valign) { /* Bad first section RVA */ |
|
730 | 730 |
cli_dbgmsg("First section is in the wrong place\n"); |
731 | 731 |
if(ctx->virname) |
732 | 732 |
*ctx->virname = "Broken.Executable"; |