Browse code
improved broken detection
| ... | ... |
@@ -534,14 +534,14 @@ int cli_scanpe(int desc, cli_ctx *ctx) |
| 534 | 534 |
cli_dbgmsg("NumberOfRvaAndSizes: %d\n", EC32(optional_hdr64.NumberOfRvaAndSizes));
|
| 535 | 535 |
} |
| 536 | 536 |
|
| 537 |
- if (DETECT_BROKEN && (!(pe_plus?EC32(optional_hdr64.SectionAlignment):EC32(optional_hdr32.SectionAlignment)) || (pe_plus?EC32(optional_hdr64.SectionAlignment):EC32(optional_hdr32.SectionAlignment))%0x1000)) {
|
|
| 537 |
+ if (DETECT_BROKEN && (pe_plus?EC16(optional_hdr64.Subsystem):EC16(optional_hdr32.Subsystem))!= 1 && (!(pe_plus?EC32(optional_hdr64.SectionAlignment):EC32(optional_hdr32.SectionAlignment)) || (pe_plus?EC32(optional_hdr64.SectionAlignment):EC32(optional_hdr32.SectionAlignment))%0x1000)) {
|
|
| 538 | 538 |
cli_dbgmsg("Bad virtual alignemnt\n");
|
| 539 | 539 |
if(ctx->virname) |
| 540 | 540 |
*ctx->virname = "Broken.Executable"; |
| 541 | 541 |
return CL_VIRUS; |
| 542 | 542 |
} |
| 543 | 543 |
|
| 544 |
- if (DETECT_BROKEN && (!(pe_plus?EC32(optional_hdr64.FileAlignment):EC32(optional_hdr32.FileAlignment)) || (pe_plus?EC32(optional_hdr64.FileAlignment):EC32(optional_hdr32.FileAlignment))%0x200)) {
|
|
| 544 |
+ if (DETECT_BROKEN && (pe_plus?EC16(optional_hdr64.Subsystem):EC16(optional_hdr32.Subsystem))!= 1 && (!(pe_plus?EC32(optional_hdr64.FileAlignment):EC32(optional_hdr32.FileAlignment)) || (pe_plus?EC32(optional_hdr64.FileAlignment):EC32(optional_hdr32.FileAlignment))%0x200)) {
|
|
| 545 | 545 |
cli_dbgmsg("Bad file alignemnt\n");
|
| 546 | 546 |
if(ctx->virname) |
| 547 | 547 |
*ctx->virname = "Broken.Executable"; |
| ... | ... |
@@ -553,7 +553,7 @@ int cli_scanpe(int desc, cli_ctx *ctx) |
| 553 | 553 |
cli_dbgmsg("Subsystem: Unknown\n");
|
| 554 | 554 |
break; |
| 555 | 555 |
case 1: |
| 556 |
- cli_dbgmsg("Subsystem: Native (a driver ?)\n");
|
|
| 556 |
+ cli_dbgmsg("Subsystem: Native (svc)\n");
|
|
| 557 | 557 |
break; |
| 558 | 558 |
case 2: |
| 559 | 559 |
cli_dbgmsg("Subsystem: Win32 GUI\n");
|
| ... | ... |
@@ -643,6 +643,10 @@ int cli_scanpe(int desc, cli_ctx *ctx) |
| 643 | 643 |
exe_sections[i].raw = PEALIGN(EC32(section_hdr[i].PointerToRawData), falign); |
| 644 | 644 |
exe_sections[i].rsz = PESALIGN(EC32(section_hdr[i].SizeOfRawData), falign); |
| 645 | 645 |
exe_sections[i].ursz = EC32(section_hdr[i].SizeOfRawData); |
| 646 |
+ |
|
| 647 |
+ if (!exe_sections[i].vsz && exe_sections[i].rsz) |
|
| 648 |
+ exe_sections[i].vsz=PESALIGN(EC32(section_hdr[i].SizeOfRawData), valign); |
|
| 649 |
+ |
|
| 646 | 650 |
if (exe_sections[i].rsz && fsize>exe_sections[i].raw && !CLI_ISCONTAINED(0, (uint32_t) fsize, exe_sections[i].raw, exe_sections[i].rsz)) |
| 647 | 651 |
exe_sections[i].rsz = fsize - exe_sections[i].raw; |
| 648 | 652 |
|
| ... | ... |
@@ -726,7 +730,7 @@ int cli_scanpe(int desc, cli_ctx *ctx) |
| 726 | 726 |
} |
| 727 | 727 |
|
| 728 | 728 |
if(!i) {
|
| 729 |
- if (DETECT_BROKEN && EC32(section_hdr[i].VirtualAddress)!=valign) { /* Bad first section RVA */
|
|
| 729 |
+ if (DETECT_BROKEN && (pe_plus?EC16(optional_hdr64.Subsystem):EC16(optional_hdr32.Subsystem))!= 1 && EC32(section_hdr[i].VirtualAddress)!=valign) { /* Bad first section RVA */
|
|
| 730 | 730 |
cli_dbgmsg("First section is in the wrong place\n");
|
| 731 | 731 |
if(ctx->virname) |
| 732 | 732 |
*ctx->virname = "Broken.Executable"; |