Browse code
initial IS overlay parser
aCaB authored on 2009/07/14 16:36:36Showing 3 changed files
| ... | ... |
@@ -24,6 +24,8 @@ |
| 24 | 24 |
#include "clamav-config.h" |
| 25 | 25 |
#endif |
| 26 | 26 |
|
| 27 |
+#define _XOPEN_SOURCE 500 |
|
| 28 |
+ |
|
| 27 | 29 |
#include <sys/types.h> |
| 28 | 30 |
#include <sys/stat.h> |
| 29 | 31 |
#include <fcntl.h> |
| ... | ... |
@@ -197,3 +199,53 @@ int cli_scanishield_msi(int desc, cli_ctx *ctx, off_t off) {
|
| 197 | 197 |
} |
| 198 | 198 |
return CL_CLEAN; |
| 199 | 199 |
} |
| 200 |
+ |
|
| 201 |
+ |
|
| 202 |
+int cli_scanishield(int desc, cli_ctx *ctx, off_t off, size_t sz) {
|
|
| 203 |
+ char *fname, *path, *version, *strsz, *eostr, *data; |
|
| 204 |
+ char buf[2048]; |
|
| 205 |
+ int rd; |
|
| 206 |
+ long int fsize; |
|
| 207 |
+ off_t coff = off; |
|
| 208 |
+ |
|
| 209 |
+ while(1) {
|
|
| 210 |
+ rd = pread(desc, buf, sizeof(buf), coff); |
|
| 211 |
+ if(rd <= 0) |
|
| 212 |
+ break; |
|
| 213 |
+ |
|
| 214 |
+ fname = buf; |
|
| 215 |
+ if(!*fname) break; |
|
| 216 |
+ path = memchr(fname, 0, rd); |
|
| 217 |
+ if(!path) |
|
| 218 |
+ break; |
|
| 219 |
+ |
|
| 220 |
+ path++; |
|
| 221 |
+ rd -= (path - buf); |
|
| 222 |
+ if(rd<=0 || !(version = memchr(path, 0, rd))) |
|
| 223 |
+ break; |
|
| 224 |
+ |
|
| 225 |
+ version++; |
|
| 226 |
+ rd -= (version - path); |
|
| 227 |
+ if(rd<=0 || !(strsz = memchr(version, 0, rd))) |
|
| 228 |
+ break; |
|
| 229 |
+ |
|
| 230 |
+ strsz++; |
|
| 231 |
+ rd -= (strsz - version); |
|
| 232 |
+ if(rd<=0 || !(data = memchr(strsz, 0, rd))) |
|
| 233 |
+ break; |
|
| 234 |
+ |
|
| 235 |
+ data++; |
|
| 236 |
+ fsize = strtol(strsz, &eostr, 10); |
|
| 237 |
+ if(fsize == LONG_MIN || fsize == LONG_MAX || !*strsz || !eostr || eostr == strsz || *eostr) |
|
| 238 |
+ break; |
|
| 239 |
+ |
|
| 240 |
+ if((data - buf) + fsize > sz) |
|
| 241 |
+ break; |
|
| 242 |
+ |
|
| 243 |
+ cli_errmsg("@%x: found file %s (%s) - version %s - size %u\n", coff, fname, path, version, fsize);
|
|
| 244 |
+ sz -= (data - buf) + fsize; |
|
| 245 |
+ coff += (data - buf) + fsize; |
|
| 246 |
+ |
|
| 247 |
+ } |
|
| 248 |
+ return CL_CLEAN; |
|
| 249 |
+} |
| ... | ... |
@@ -57,6 +57,7 @@ |
| 57 | 57 |
#include "matcher-bm.h" |
| 58 | 58 |
#include "disasm.h" |
| 59 | 59 |
#include "special.h" |
| 60 |
+#include "ishield.h" |
|
| 60 | 61 |
|
| 61 | 62 |
#ifndef O_BINARY |
| 62 | 63 |
#define O_BINARY 0 |
| ... | ... |
@@ -436,7 +437,7 @@ int cli_scanpe(int desc, cli_ctx *ctx) |
| 436 | 436 |
char sname[9], buff[4096], epbuff[4096], *tempfile; |
| 437 | 437 |
uint32_t epsize; |
| 438 | 438 |
ssize_t bytes; |
| 439 |
- unsigned int i, found, upx_success = 0, min = 0, max = 0, err; |
|
| 439 |
+ unsigned int i, found, upx_success = 0, min = 0, max = 0, err, overlays = 0; |
|
| 440 | 440 |
unsigned int ssize = 0, dsize = 0, dll = 0, pe_plus = 0; |
| 441 | 441 |
int (*upxfn)(char *, uint32_t, char *, uint32_t *, uint32_t, uint32_t, uint32_t) = NULL; |
| 442 | 442 |
char *src = NULL, *dest = NULL; |
| ... | ... |
@@ -976,8 +977,10 @@ int cli_scanpe(int desc, cli_ctx *ctx) |
| 976 | 976 |
if(exe_sections[i].rva < min) |
| 977 | 977 |
min = exe_sections[i].rva; |
| 978 | 978 |
|
| 979 |
- if(exe_sections[i].rva + exe_sections[i].rsz > max) |
|
| 979 |
+ if(exe_sections[i].rva + exe_sections[i].rsz > max) {
|
|
| 980 | 980 |
max = exe_sections[i].rva + exe_sections[i].rsz; |
| 981 |
+ overlays = exe_sections[i].raw + exe_sections[i].rsz; |
|
| 982 |
+ } |
|
| 981 | 983 |
} |
| 982 | 984 |
} |
| 983 | 985 |
|
| ... | ... |
@@ -1016,6 +1019,12 @@ int cli_scanpe(int desc, cli_ctx *ctx) |
| 1016 | 1016 |
return ret; |
| 1017 | 1017 |
} |
| 1018 | 1018 |
|
| 1019 |
+ if(overlays) {
|
|
| 1020 |
+ int overlays_sz = fsize - overlays; |
|
| 1021 |
+ if(overlays_sz > 0) |
|
| 1022 |
+ cli_scanishield(desc, ctx, overlays, overlays_sz); |
|
| 1023 |
+ } |
|
| 1024 |
+ |
|
| 1019 | 1025 |
/* Attempt to detect some popular polymorphic viruses */ |
| 1020 | 1026 |
|
| 1021 | 1027 |
/* W32.Parite.B */ |