
Restore the correct OEP for aspack unpacked exes

For certain aspack versions, the code wasn't restoring the correct
entrypoint. This had ramifications for unpacked file scanning,
because an EP that points outside of the file now causes the PE
not to have .MDB sigs evaluated against it (a change from earlier
versions, but one which the MRT is OK with).

Andrew authored on 2019/01/15 13:04:05
@@ -43,6 +43,10 @@
43 43
 #define ASPACK_WRKBUF_OFFSET_OTHER 0x13a
44 44
 #define ASPACK_WRKBUF_OFFSET_242 0x148
45 45
 
46
+#define ASPACK_OEP_OFFSET_212 0x39b
47
+#define ASPACK_OEP_OFFSET_OTHER 0x401
48
+#define ASPACK_OEP_OFFSET_242 0x40d
49
+
46 50
 struct DICT_HELPER {
47 51
     uint32_t *starts;
48 52
     uint8_t *ends;
@@ -358,7 +362,7 @@ int unaspack(uint8_t *image, unsigned int size, struct cli_exe_section *sections
358 358
     uint32_t block_rva = 1, block_size;
359 359
     struct cli_exe_section *outsects;
360 360
 
361
-    uint32_t blocks_offset, stream_init_multiplier_offset, comp_block_offset, wrkbuf_offset;
361
+    uint32_t blocks_offset, stream_init_multiplier_offset, comp_block_offset, wrkbuf_offset, oep_offset;
362 362
 
363 363
     switch (version) {
364 364
         case ASPACK_VER_212:
@@ -367,6 +371,7 @@ int unaspack(uint8_t *image, unsigned int size, struct cli_exe_section *sections
367 367
             stream_init_multiplier_offset = ASPACK_STR_INIT_MLT_OFFSET_212;
368 368
             comp_block_offset             = ASPACK_COMP_BLOCK_OFFSET_212;
369 369
             wrkbuf_offset                 = ASPACK_WRKBUF_OFFSET_212;
370
+            oep_offset                    = ASPACK_OEP_OFFSET_212;
370 371
             break;
371 372
         case ASPACK_VER_OTHER:
372 373
             cli_dbgmsg("Aspack: Attempting to unpack Aspack >2.12, <2.42.\n");
@@ -374,6 +379,7 @@ int unaspack(uint8_t *image, unsigned int size, struct cli_exe_section *sections
374 374
             stream_init_multiplier_offset = ASPACK_STR_INIT_MLT_OFFSET_OTHER;
375 375
             comp_block_offset             = ASPACK_COMP_BLOCK_OFFSET_OTHER;
376 376
             wrkbuf_offset                 = ASPACK_WRKBUF_OFFSET_OTHER;
377
+            oep_offset                    = ASPACK_OEP_OFFSET_OTHER;
377 378
             break;
378 379
         case ASPACK_VER_242:
379 380
             cli_dbgmsg("Aspack: Attempting to unpack Aspack 2.42.\n");
@@ -381,6 +387,7 @@ int unaspack(uint8_t *image, unsigned int size, struct cli_exe_section *sections
381 381
             stream_init_multiplier_offset = ASPACK_STR_INIT_MLT_OFFSET_242;
382 382
             comp_block_offset             = ASPACK_COMP_BLOCK_OFFSET_242;
383 383
             wrkbuf_offset                 = ASPACK_WRKBUF_OFFSET_242;
384
+            oep_offset                    = ASPACK_OEP_OFFSET_242;
384 385
             break;
385 386
         default:
386 387
             cli_dbgmsg("Aspack: Unexpected/Unknown version number.\n");
@@ -484,7 +491,8 @@ int unaspack(uint8_t *image, unsigned int size, struct cli_exe_section *sections
484 484
         outsects[i].raw = outsects[i].rva;
485 485
         outsects[i].rsz = outsects[i].vsz;
486 486
     }
487
-    if (!cli_rebuildpe((char *)image, outsects, sectcount, base, cli_readint32(image + ep + 0x39b), 0, 0, f)) {
487
+
488
+    if (!cli_rebuildpe((char *)image, outsects, sectcount, base, cli_readint32(image + ep + oep_offset), 0, 0, f)) {
488 489
         cli_dbgmsg("Aspack: rebuild failed\n");
489 490
         cli_writen(f, image, size);
490 491
     } else {
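Review bot: The 4-byte read at `image + ep + oep_offset` on the new `cli_rebuildpe` line has no containment check visible in this hunk, and the new `ASPACK_OEP_OFFSET_OTHER` (0x401) and `ASPACK_OEP_OFFSET_242` (0x40d) reach further past `ep` than the old hard-coded `0x39b` did. If the earlier bounds check on `ep` inside unaspack (outside these hunks) was sized for the old constant, it should be widened to cover `oep_offset + 4` for the largest version-specific offset, since `image` is attacker-controlled packed data and an over-read here would otherwise be reachable from a crafted sample. A local guard immediately before the rebuild makes the requirement explicit regardless of what the earlier check does: `if (!CLI_ISCONTAINED(image, size, image + ep + oep_offset, 4)) { cli_dbgmsg("Aspack: OEP offset outside image\n"); /* bail out as the default: case of the version switch does, freeing outsects first */ }`. The body of unaspack starts before the first hunk and continues past this one.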