@@ -174,6 +174,7 @@ CLAMAV_PRIVATE {

     cli_scanbuff;

     cli_fmap_scandesc;

     cli_checkfp_pe;

+    cli_genhash_pe;

     html_screnc_decode;

     mpool_create;

     mpool_calloc;

@@ -5444,3 +5444,190 @@ int cli_checkfp_pe(cli_ctx *ctx, uint8_t *authsha1, stats_section_t *hashes, uin

         return CL_VIRUS;

     }

 }

+

+int cli_genhash_pe(cli_ctx *ctx, unsigned int class, int type)

+{

+    uint16_t e_magic; /* DOS signature ("MZ") */

+    uint16_t nsections;

+    uint32_t e_lfanew; /* address of new exe header */

+    union {

+        struct pe_image_optional_hdr64 opt64;

+        struct pe_image_optional_hdr32 opt32;

+    } pe_opt;

+    const struct pe_image_section_hdr *section_hdr;

+    ssize_t at;

+    unsigned int i, j, pe_plus = 0;

+    size_t fsize;

+    uint32_t valign, falign, hdr_size;

+    struct pe_image_file_hdr file_hdr;

+    struct cli_exe_section *exe_sections;

+    struct pe_image_data_dir *dirs;

+    fmap_t *map = *ctx->fmap;

+

+    if (class >= CL_GENHASH_PE_CLASS_LAST)

+        return CL_EARG;

+

+    if(fmap_readn(map, &e_magic, 0, sizeof(e_magic)) != sizeof(e_magic))

+        return CL_EFORMAT;

+

+    if(EC16(e_magic) != PE_IMAGE_DOS_SIGNATURE && EC16(e_magic) != PE_IMAGE_DOS_SIGNATURE_OLD)

+        return CL_EFORMAT;

+

+    if(fmap_readn(map, &e_lfanew, 58 + sizeof(e_magic), sizeof(e_lfanew)) != sizeof(e_lfanew))

+        return CL_EFORMAT;

+

+    e_lfanew = EC32(e_lfanew);

+    if(!e_lfanew)

+        return CL_EFORMAT;

+

+    if(fmap_readn(map, &file_hdr, e_lfanew, sizeof(struct pe_image_file_hdr)) != sizeof(struct pe_image_file_hdr))

+        return CL_EFORMAT;

+

+    if(EC32(file_hdr.Magic) != PE_IMAGE_NT_SIGNATURE)

+        return CL_EFORMAT;

+

+    nsections = EC16(file_hdr.NumberOfSections);

+    if(nsections < 1 || nsections > 96)

+        return CL_EFORMAT;

+

+    if(EC16(file_hdr.SizeOfOptionalHeader) < sizeof(struct pe_image_optional_hdr32))

+        return CL_EFORMAT;

+

+    at = e_lfanew + sizeof(struct pe_image_file_hdr);

+    if(fmap_readn(map, &optional_hdr32, at, sizeof(struct pe_image_optional_hdr32)) != sizeof(struct pe_image_optional_hdr32))

+        return CL_EFORMAT;

+

+    at += sizeof(struct pe_image_optional_hdr32);

+

+    /* This will be a chicken and egg problem until we drop 9x */

+    if(EC16(optional_hdr64.Magic)==PE32P_SIGNATURE) {

+        if(EC16(file_hdr.SizeOfOptionalHeader)!=sizeof(struct pe_image_optional_hdr64))

+            return CL_EFORMAT;

+

+        pe_plus = 1;

+    }

+

+    if(!pe_plus) { /* PE */

+        if (EC16(file_hdr.SizeOfOptionalHeader)!=sizeof(struct pe_image_optional_hdr32)) {

+            /* Seek to the end of the long header */

+            at += EC16(file_hdr.SizeOfOptionalHeader)-sizeof(struct pe_image_optional_hdr32);

+        }

+

+        hdr_size = EC32(optional_hdr32.SizeOfHeaders);

+        dirs = optional_hdr32.DataDirectory;

+    } else { /* PE+ */

+        size_t readlen = sizeof(struct pe_image_optional_hdr64) - sizeof(struct pe_image_optional_hdr32);

+        /* read the remaining part of the header */

+        if((size_t)fmap_readn(map, &optional_hdr32 + 1, at, readlen) != readlen)

+            return CL_EFORMAT;

+

+        at += sizeof(struct pe_image_optional_hdr64) - sizeof(struct pe_image_optional_hdr32);

+        hdr_size = EC32(optional_hdr64.SizeOfHeaders);

+        dirs = optional_hdr64.DataDirectory;

+    }

+

+    fsize = map->len;

+

+    valign = (pe_plus)?EC32(optional_hdr64.SectionAlignment):EC32(optional_hdr32.SectionAlignment);

+    falign = (pe_plus)?EC32(optional_hdr64.FileAlignment):EC32(optional_hdr32.FileAlignment);

+

+    section_hdr = fmap_need_off_once(map, at, sizeof(*section_hdr) * nsections);

+    if(!section_hdr)

+        return CL_EFORMAT;

+

+    at += sizeof(*section_hdr) * nsections;

+

+    exe_sections = (struct cli_exe_section *) cli_calloc(nsections, sizeof(struct cli_exe_section));

+    if(!exe_sections)

+        return CL_EMEM;

+

+    for(i = 0; falign!=0x200 && i<nsections; i++) {

+        /* file alignment fallback mode - blah */

+        if (falign && section_hdr[i].SizeOfRawData && EC32(section_hdr[i].PointerToRawData)%falign && !(EC32(section_hdr[i].PointerToRawData)%0x200))

+            falign = 0x200;

+    }

+

+    hdr_size = PESALIGN(hdr_size, falign); /* Aligned headers virtual size */

+

+    for(i = 0; i < nsections; i++) {

+        exe_sections[i].rva = PEALIGN(EC32(section_hdr[i].VirtualAddress), valign);

+        exe_sections[i].vsz = PESALIGN(EC32(section_hdr[i].VirtualSize), valign);

+        exe_sections[i].raw = PEALIGN(EC32(section_hdr[i].PointerToRawData), falign);

+        exe_sections[i].rsz = PESALIGN(EC32(section_hdr[i].SizeOfRawData), falign);

+

+        if (!exe_sections[i].vsz && exe_sections[i].rsz)

+            exe_sections[i].vsz=PESALIGN(exe_sections[i].ursz, valign);

+

+        if (exe_sections[i].rsz && fsize>exe_sections[i].raw && !CLI_ISCONTAINED(0, (uint32_t) fsize, exe_sections[i].raw, exe_sections[i].rsz))

+            exe_sections[i].rsz = fsize - exe_sections[i].raw;

+

+        if (exe_sections[i].rsz && exe_sections[i].raw >= fsize) {

+            free(exe_sections);

+            return CL_EFORMAT;

+        }

+

+        if (exe_sections[i].urva>>31 || exe_sections[i].uvsz>>31 || (exe_sections[i].rsz && exe_sections[i].uraw>>31) || exe_sections[i].ursz>>31) {

+            free(exe_sections);

+            return CL_EFORMAT;

+        }

+    }

+

+    cli_qsort(exe_sections, nsections, sizeof(*exe_sections), sort_sects);

+

+    if (class == CL_GENHASH_PE_CLASS_SECTION) {

+        unsigned char *hash, *hashset[CLI_HASH_AVAIL_TYPES], hstr[2*CLI_HASHLEN_MAX+1];

+        int foundsize[CLI_HASH_AVAIL_TYPES];

+        int foundwild[CLI_HASH_AVAIL_TYPES];

+        int hlen = 0;

+        int ret = CL_CLEAN;

+

+        /* pick hashtypes to generate */

+        memset(foundsize, 0, sizeof(foundsize));

+        memset(foundwild, 0, sizeof(foundwild));

+        switch(type) {

+        case 1:

+            foundsize[CLI_HASH_MD5] = 1;

+            hash = hashset[CLI_HASH_MD5] = cli_malloc(hashlen[CLI_HASH_MD5]);

+            hlen = hashlen[CLI_HASH_MD5];

+            break;

+        case 2:

+            foundsize[CLI_HASH_SHA1] = 1;

+            hash = hashset[CLI_HASH_SHA1] = cli_malloc(hashlen[CLI_HASH_SHA1]);

+            hlen = hashlen[CLI_HASH_SHA1];

+            break;

+        default:

+            foundsize[CLI_HASH_SHA256] = 1;

+            hash = hashset[CLI_HASH_SHA256] = cli_malloc(hashlen[CLI_HASH_SHA256]);

+            hlen = hashlen[CLI_HASH_SHA256];

+            break;

+        }

+

+        if(!hash) {

+            cli_errmsg("cli_genhash_pe: cli_malloc failed!\n");

+            free(exe_sections);

+            return CL_EMEM;

+        }

+

+        for (i = 0; i < nsections; i++) {

+            /* Generate hashes */

+            cli_hashsect(*ctx->fmap, &exe_sections[i], hashset, foundsize, foundwild);

+            for (j = 0; j < hlen; j++)

+                snprintf(hstr+(2*j), sizeof(hstr)-(2*j), "%02x", hash[j]);

+            hstr[j] = '\0';

+            cli_dbgmsg("Section{%u}: %u:%s\n", i, exe_sections[i].rsz, hstr);

+

+            cli_dbgmsg("Section{%u}: %u:%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n",

+                       i, exe_sections[i].rsz, hash[0], hash[1], hash[2], hash[3], hash[4], hash[5], hash[6], hash[7],

+                       hash[8], hash[9], hash[10], hash[11], hash[12], hash[13], hash[14], hash[15]);

+        }

+

+        free(hash);

+    } else if (class == CL_GENHASH_PE_CLASS_IMPTBL) {

+        /* TODO */

+    } else {

+        cli_dbgmsg("cli_genhash_pe: unknown pe genhash class: %u\n", class);

+    }

+

+    free(exe_sections);

+    return CL_SUCCESS;

+}

@@ -165,8 +165,16 @@ int cli_scanpe(cli_ctx *ctx);

 #define CL_CHECKFP_PE_FLAG_STATS            0x00000001

 #define CL_CHECKFP_PE_FLAG_AUTHENTICODE     0x00000002

+enum {

+    CL_GENHASH_PE_CLASS_SECTION,

+    CL_GENHASH_PE_CLASS_IMPTBL,

+    /* place new class types above this line */

+    CL_GENHASH_PE_CLASS_LAST

+};

+

 int cli_peheader(fmap_t *map, struct cli_exe_info *peinfo);

 int cli_checkfp_pe(cli_ctx *ctx, uint8_t *authsha1, stats_section_t *hashes, uint32_t flags);

+int cli_genhash_pe(cli_ctx *ctx, unsigned int class, int type);

 uint32_t cli_rawaddr(uint32_t, const struct cli_exe_section *, uint16_t, unsigned int *, size_t, uint32_t);

 void findres(uint32_t, uint32_t, uint32_t, fmap_t *map, struct cli_exe_section *, uint16_t, uint32_t, int (*)(void *, uint32_t, uint32_t, uint32_t, uint32_t), void *);

@@ -164,7 +164,120 @@ static int hexdump(void)

     return 0;

 }

-static int hashsig(const struct optstruct *opts, unsigned int mdb, int type)

+static int hashpe(const char *filename, unsigned int class, int type)

+{

+    STATBUF sb;

+    const char *fmptr;

+    struct cl_engine *engine;

+    cli_ctx ctx;

+    int fd, ret;

+

+    /* build engine */

+    if(!(engine = cl_engine_new())) {

+	mprintf("!hashpe: Can't create new engine\n");

+	return -1;

+    }

+    cl_engine_set_num(engine, CL_ENGINE_AC_ONLY, 1);

+

+    if(cli_initroots(engine, 0) != CL_SUCCESS) {

+	mprintf("!hashpe: cli_initroots() failed\n");

+	cl_engine_free(engine);

+	return -1;

+    }

+

+    if(cli_parse_add(engine->root[0], "test", "deadbeef", 0, 0, 0, "*", 0, NULL, 0) != CL_SUCCESS) {

+	mprintf("!hashpe: Can't parse signature\n");

+	cl_engine_free(engine);

+	return -1;

+    }

+

+    if(cl_engine_compile(engine) != CL_SUCCESS) {

+	mprintf("!hashpe: Can't compile engine\n");

+	cl_engine_free(engine);

+	return -1;

+    }

+

+    /* prepare context */

+    memset(&ctx, '\0', sizeof(cli_ctx));

+    ctx.engine = engine;

+    ctx.options = CL_SCAN_STDOPT;

+    ctx.container_type = CL_TYPE_ANY;

+    ctx.dconf = (struct cli_dconf *) engine->dconf;

+    ctx.fmap = calloc(sizeof(fmap_t *), 1);

+    if(!ctx.fmap) {

+	cl_engine_free(engine);

+	return -1;

+    }

+

+    /* Prepare file */

+    fd = open(filename, O_RDONLY);

+    if(fd < 0) {

+	mprintf("!hashpe: Can't open file %s!\n", filename);

+        cl_engine_free(engine);

+        return -1;

+    }

+

+    lseek(fd, 0, SEEK_SET);

+    FSTAT(fd, &sb);

+    if(!(*ctx.fmap = fmap(fd, 0, sb.st_size))) {

+	free(ctx.fmap);

+	close(fd);

+	cl_engine_free(engine);

+	return -1;

+    }

+

+    fmptr = fmap_need_off_once(*ctx.fmap, 0, sb.st_size);

+    if(!fmptr) {

+        mprintf("!hashpe: fmap_need_off_once failed!\n");

+        free(ctx.fmap);

+        close(fd);

+        cl_engine_free(engine);

+	return -1;

+    }

+

+    cl_debug();

+

+    /* Send to PE-specific hasher */

+    switch(class) {

+        case 1:

+	    ret = cli_genhash_pe(&ctx, CL_GENHASH_PE_CLASS_SECTION, type);

+	    break;

+        case 2:

+	    ret = cli_genhash_pe(&ctx, CL_GENHASH_PE_CLASS_IMPTBL, type);

+	    break;

+        default:

+	    mprintf("!hashpe: unknown classification(%u) for pe hash!\n", class);

+	    return -1;

+    }

+

+    cli_debug_flag = 0;

+

+    /* THIS MAY BE UNNECESSARY */

+    switch(ret) {

+        case CL_CLEAN:

+            break;

+        case CL_VIRUS:

+            mprintf("*hashpe: CL_VIRUS after cli_genhash_pe()!\n");

+            break;

+        case CL_BREAK:

+            mprintf("*hashpe: CL_BREAK after cli_genhash_pe()!\n");

+            break;

+        case CL_EFORMAT:

+            mprintf("!hashpe: Not a valid PE file!\n");

+            break;

+        default:

+            mprintf("!hashpe: Other error %d inside cli_genhash_pe.\n", ret);

+            break;

+    }

+

+    /* Cleanup */

+    free(ctx.fmap);

+    close(fd);

+    cl_engine_free(engine);

+    return 0;

+}

+

+static int hashsig(const struct optstruct *opts, unsigned int class, int type)

 {

 	char *hash;

 	unsigned int i;

@@ -179,12 +292,11 @@ static int hashsig(const struct optstruct *opts, unsigned int mdb, int type)

 		return -1;

 	    } else {

 		if((sb.st_mode & S_IFMT) == S_IFREG) {

-		    if((hash = cli_hashfile(opts->filename[i], type))) {

-			if(mdb)

-			    mprintf("%u:%s:%s\n", (unsigned int) sb.st_size, hash, basename(opts->filename[i]));

-			else

-			    mprintf("%s:%u:%s\n", hash, (unsigned int) sb.st_size, basename(opts->filename[i]));

+		    if((class == 0) && (hash = cli_hashfile(opts->filename[i], type))) {

+			mprintf("%s:%u:%s\n", hash, (unsigned int) sb.st_size, basename(opts->filename[i]));

 			free(hash);

+		    } else if((class > 0) && (hashpe(opts->filename[i], class, type) == 0)) {

+			/* intentionally empty - printed in cli_genhash_pe() */

 		    } else {

 			mprintf("!hashsig: Can't generate hash for %s\n", opts->filename[i]);

 			return -1;

@@ -194,6 +306,10 @@ static int hashsig(const struct optstruct *opts, unsigned int mdb, int type)

 	}

     } else { /* stream */

+	if (class > 0) {

+	    mprintf("!hashsig: Can't generate requested hash for input stream\n");

+	    return -1;

+	}

 	hash = cli_hashstream(stdin, NULL, type);

 	if(!hash) {

 	    mprintf("!hashsig: Can't generate hash for input stream\n");