@@ -86,6 +86,9 @@

 #define UPX_LZMA1 "\x56\x83\xc3\x04\x53\x50\xc7\x03\x03\x00\x02\x00\x90\x90\x90\x55\x57\x56\x53\x83"

 #define UPX_LZMA2 "\x56\x83\xc3\x04\x53\x50\xc7\x03\x03\x00\x02\x00\x90\x90\x90\x90\x90\x55\x57\x56"

+#define PE_MAXNAMESIZE 256

+#define PE_MAXIMPORTS  1024

+

 #define EC32(x) ((uint32_t)cli_readint32(&(x))) /* Convert little endian to host */

 #define EC16(x) ((uint16_t)cli_readint16(&(x)))

 /* lower and upper bondary alignment (size vs offset) */

@@ -2164,8 +2167,6 @@ static char *pe_ordinal(char *dll, uint16_t ord)

   return cli_strdup(name);    

 }

-#define PE_MAXIMPORTS  1024

-#define PE_MAXNAMESIZE 256

 static inline int scan_pe_impfuncs(cli_ctx *ctx, void *md5ctx, struct pe_image_import_descriptor *image, char *dllname, struct cli_exe_section *exe_sections, uint16_t nsections, uint32_t hdr_size, int pe_plus, int *first) {

     uint32_t toff, offset;

     fmap_t *map = *ctx->fmap;

@@ -2228,8 +2229,6 @@ static inline int scan_pe_impfuncs(cli_ctx *ctx, void *md5ctx, struct pe_image_i

                 char *fname;

                 size_t funclen;

-                //cli_dbgmsg("IMPTBL: FUNC: %s\n", funcname);

-

                 if (dlllen == 0) {

                     char* ext = strstr(dllname, ".");

@@ -2257,7 +2256,6 @@ static inline int scan_pe_impfuncs(cli_ctx *ctx, void *md5ctx, struct pe_image_i

                 for (i = 0; i < funclen; i++, j++)

                     fname[j] = tolower(funcname[i]);

-                /* JSON TOMFOOLERY */

 #if HAVE_JSON

                 if (imptbl) {

                     char *jname = *first ? fname : fname+1;

@@ -2265,8 +2263,6 @@ static inline int scan_pe_impfuncs(cli_ctx *ctx, void *md5ctx, struct pe_image_i

                 }

 #endif

-                cli_dbgmsg("%u %s\n", strlen(fname), fname);

-

                 cl_update_hash(md5ctx, fname, strlen(fname));

                 *first = 0;

@@ -2308,9 +2304,6 @@ static inline int scan_pe_impfuncs(cli_ctx *ctx, void *md5ctx, struct pe_image_i

                 char *fname;

                 size_t funclen;

-                /* JSON TOMFOOLERY */

-                //cli_dbgmsg("IMPTBL: FUNC: %s\n", funcname);

-

                 if (dlllen == 0) {

                     char* ext = strstr(dllname, ".");

@@ -2332,18 +2325,22 @@ static inline int scan_pe_impfuncs(cli_ctx *ctx, void *md5ctx, struct pe_image_i

                 j = 0;

                 if (!*first)

                     fname[j++] = ',';

-                else

-                    *first = 0;

                 for (i = 0; i < dlllen; i++, j++)

                     fname[j] = tolower(dllname[i]);

                 fname[j++] = '.';

                 for (i = 0; i < funclen; i++, j++)

                     fname[j] = tolower(funcname[i]);

-                cli_dbgmsg("%u %s\n", strlen(fname), fname);

+#if HAVE_JSON

+                if (imptbl) {

+                    char *jname = *first ? fname : fname+1;

+                    cli_jsonstr(imptbl, NULL, jname);

+                }

+#endif

                 cl_update_hash(md5ctx, fname, strlen(fname));

+                *first = 0;

                 free(fname);

                 free(funcname);

             }

@@ -2363,7 +2360,6 @@ static int scan_pe_imptbl(cli_ctx *ctx, struct pe_image_data_dir *dirs, struct c

     const char *impdes, *buffer, *virname;

     void *md5ctx;

     uint8_t digest[16] = {0};

-    char *dstr;

     int i, err, ret = CL_SUCCESS, num_imports = 0, first = 1;

     if (datadir->VirtualAddress == 0 || datadir->Size == 0) {

@@ -2380,7 +2376,7 @@ static int scan_pe_imptbl(cli_ctx *ctx, struct pe_image_data_dir *dirs, struct c

     impdes = fmap_need_off(map, impoff, datadir->Size);

     if (impdes == NULL) {

         cli_dbgmsg("IMPTBL: failed to acquire fmap buffer\n");

-        return CL_SUCCESS; /* real error: CL_EMAP? */

+        return CL_EREAD;

     }

     left = datadir->Size;

@@ -2399,29 +2395,26 @@ static int scan_pe_imptbl(cli_ctx *ctx, struct pe_image_data_dir *dirs, struct c

         offset = cli_rawaddr(image->Name, exe_sections, nsections, &err, fsize, hdr_size);

         if (err || offset > fsize) {

             cli_dbgmsg("IMPTBL: invalid rva for dll name\n");

-            /* ignore or return? */

+            /* TODO: ignore or return? */

             /*

               image++;

               continue;

              */

             cl_hash_destroy(md5ctx);

-            return CL_SUCCESS; /* error value? continue? */

+            return CL_SUCCESS; /* CL_EFORMAT? */

         }

         if ((buffer = fmap_need_off_once(map, offset, MIN(PE_MAXNAMESIZE, fsize-offset))) != NULL) {

-            /* sanitize dllname? */

+            /* TODO - sanitize dllname */

             dllname = strndup(buffer, MIN(PE_MAXNAMESIZE, fsize-offset));

             if (dllname == NULL) {

                 cli_dbgmsg("IMPTBL: cannot duplicate dll name\n");

                 cl_hash_destroy(md5ctx);

                 return CL_EMEM;

             }

-

-            //cli_dbgmsg("IMPTBL: DLL: %s\n", dllname);

-            /* JSON TOMFOOLERY */

         }

-        /* DLL function handling - inline function TODO - dconf this */

+        /* DLL function handling - inline function */

         ret = scan_pe_impfuncs(ctx, md5ctx, image, dllname, exe_sections, nsections, hdr_size, pe_plus, &first);

         if (dllname)

             free(dllname);

@@ -2435,15 +2428,24 @@ static int scan_pe_imptbl(cli_ctx *ctx, struct pe_image_data_dir *dirs, struct c

     fmap_unneed_off(map, impoff, datadir->Size);

-    /* send off for md5 comparison - use ret */

     cl_finish_hash(md5ctx, digest);

-    dstr = cli_str2hex(digest, sizeof(digest));

-    cli_dbgmsg("IMPHASH: %s\n", (char *)dstr);

+

+#if HAVE_JSON

+    if (cli_debug_flag || ctx->wrkproperty) {

+#else

+    if (cli_debug_flag) {

+#endif

+        char *dstr = cli_str2hex(digest, sizeof(digest));

+        cli_dbgmsg("IMPHASH: %s\n", dstr ? (char *)dstr : "(NULL)");

 #if HAVE_JSON

-    if (ctx->wrkproperty)

-        cli_jsonstr(ctx->wrkproperty, "Imphash", dstr);

+        if (ctx->wrkproperty)

+            cli_jsonstr(ctx->wrkproperty, "Imphash", dstr ? dstr : "(NULL)");

 #endif

-    free(dstr);

+        if (dstr)

+            free(dstr);

+    }

+

+    /* TODO: size-dependent hash scans, what should the size value be?  */

     if (ith && (ret = cli_hm_scan_wild(digest, &virname, ith, CLI_HASH_MD5)) == CL_VIRUS)

         cli_append_virus(ctx, virname);

@@ -3361,9 +3363,15 @@ int cli_scanpe(cli_ctx *ctx)

     /* Attempt to run scans on import table */

     /* Run if there are existing signatures and/or preclassing */

-    if (ctx->dconf->pe & PE_CONF_IMPTBL) {

+#if HAVE_JSON

+    if (DCONF & PE_CONF_IMPTBL && (ctx->engine->hm_ith || ctx->wrkproperty)) {

+#else

+    if (DCONF & PE_CONF_IMPTBL && ctx->engine->hm_ith) {

+#endif

         ret = scan_pe_imptbl(ctx, dirs, exe_sections, nsections, hdr_size, pe_plus);

         switch (ret) {

+            case CL_SUCCESS:

+                break;

             case CL_ENULLARG:

                 cli_warnmsg("cli_scanpe: NULL argument supplied\n");

                 break;

@@ -3374,6 +3382,9 @@ int cli_scanpe(cli_ctx *ctx)

             case CL_BREAK:

                 free(exe_sections);

                 return ret == CL_VIRUS ? CL_VIRUS : CL_CLEAN;

+            default:

+                free(exe_sections);

+                return ret;

         }

     }

     /* Attempt to detect some popular polymorphic viruses */